Different risks warrant different risk mitigation strategies. For example, you can put a policy and staff training in place to address the risk of bullying and harassment; but that same strategy would do nothing to prevent the impact of COVID-19 on your business.

The process to address one type of risk is not necessarily the appropriate one to address a different type of risk. Risks about future products or services might warrant significant open-ended discussion around the board table; but it would be an inefficient use of the wrong resources for the full Board to discuss identifying and treating all the operational and service delivery risks. This is best left to management and those closer to the level of work being undertaken, who can work through an ISO 31000-style risk process.

There are some risks best managed at an operational level and others that should be more of a governance focus. For example, management are best placed to make sure that electrical equipment is regularly tested and tagged, whereas risks about how key market dynamics are changing would usually be discussed at board level.

To help us better identify how to manage different types of risk, we will consider the learnings from an article in Harvard Business titled Managing Risks: A New Framework. Authors Robert S. Kaplan and Anette Mikes identified three different types of risk:

  1. Preventable
  2. External
  3. Strategic

Preventable risks

Preventable risks are the usual focus of a risk management program or process. They include risks around safety, environment, cyber attack, human resources and service delivery, to name but a few.

Usually these are internal risks documented in a risk register, and the goal is to control them and eliminate or avoid them.

These risks can be managed through a range of generally operational and administrative processes including:

  • risk policy and procedure
  • risk register
  • risk mitigation plans
  • identifying the ownership of each risk, communicating and monitoring the mitigation plans
  • insurance coverage
  • other organisational policies and procedures (e.g. operations, IT, HR, safety).

In my experience, this is the main focus of most organisational risk policies, risk registers and practices. It is also the area of risk that the international standard ISO 31000 addresses best. However, risk-mature organisations also address the other types of risks.

Key topical, preventable risks for not-for-profit organisations to address include: managing the risks of working with vulnerable people, service delivery risks (depending on the nature of your services), health and safety, IT/cyber attack and regulatory compliance.

External risks

External risks are those which are outside your sphere of influence or control. As we have seen in 2020, these can include events such as a health pandemic, economic slowdown, societal shutdowns or restrictions of movement. They can also include competition and market disruption.

Because these risks are outside your sphere of influence, you cannot control or prevent them from occurring.

Often these are low-likelihood, high-consequence events; therefore the only thing you can really do is focus on early identification and mitigation of the impact.

Risk treatments that you will need in place to address external risks are:

  • monitoring of new and emerging risks
  • business continuity plan
  • scenario planning.

Whereas most strategic plans include only one direction and one desired outcome for the future, scenario planning can help you consider the risks and opportunities to achieving your objectives if different scenarios played out. Would it be a benefit or a detriment if the NDIS price guide was removed? What impact would it have if government supports were withdrawn, or restrictions of movement continued for one month, three months or 12 months?

Key topical, external risks for not-for-profit organisations to address include: how new and emerging risks are reported to the Board, COVID-19 response planning, fundraising risk, and emergency response and business continuity plans for cyber attack or local disaster (e.g. fire, flood).

Strategic risks

Strategic risks are undertaken in order to generate value, deliver your objectives or grow the business. In many cases, these are the risks that arise under your strategic plan. These are the risks associated with your business model – and they are not inherently undesirable.

It’s the risk that a disability provider takes on when they send a staff member, on their own, to provide services in a client’s home without having been there before. It’s also the risk of adding a new product or service you haven’t delivered before.

In the example given, it is possible to set some policy and procedure to reduce risk when you send a staff member into a client’s home. However, many strategic risks can’t be managed by standard rules-based risk management.

Strategic risks often need a lot of constructive discussion at a management and Board level about those risks related to strategic choices as part of the strategy formulation and implementation processes.

In other cases, it is important that tactical decisions with strategic implications get made at the lowest level practicable, so having a robust system of delegations and reporting is important to shift decision making to the most appropriate level.

Risk treatments that you will need in place to address strategic risks are:

  • developing an appropriate risk culture
  • understanding and communicating the risk appetite
  • delegations
  • risk structure
  • strategic planning process.

Key topical, strategic risks for not-for-profit organisations to address include: proactively addressing risk in the strategy planning, implementation and reporting processes; ensuring adequate Board discussion of strategic risks; and understanding the risk culture you set from the top.

To really embed the learnings from this article into your own practice or organisation, why not stop for a couple of minutes now and reflect on what you should do differently moving forward. Perhaps it’s time to dust off the risk register and do an update; maybe the risk policy/procedure needs review; maybe you’re about to start the strategic planning process and it’s important to consider how risk will be incorporated into the strategy process.