Strategic planning is a useful exercise in providing guidance in fulfilling a mission. Unfortunately, most strategic plans ignore risks and have no visible or clearly articulated connection to the organization’s strategy. Risk management and strategy-setting are not separate and distinct activities.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines enterprise risk management as:
“A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Risk Management and Strategic Planning are intertwined: It is well recognized that nonprofits must take certain risks to achieve their mission. Boards are showing a growing interest in developing a more robust risk management protocol, one in which senior management and the board together identify major risks and establish a process for mitigating them. Your board plays a critical role in overseeing how senior management approaches organization-wide risk management, formulating high-level strategies, and approving broad-based resource allocations.
Management’s Responsibility: A key responsibility for the senior management of a nonprofit is to manage risk throughout the organization. Boards expect senior management to be forward thinking about risks and opportunities beyond the generic mission statement or strategic plan. Oftentimes, a board’s perception is that senior management is unaware of hidden or unknown risks they are taking, and could do more to prepare for potential downside risks.
Engaging the Board and Financial Oversight Committee: Risk management should be a collaborative process between the board or its financial oversight committee, and senior management. When risks are clearly articulated and quantified, second guessing and the “we never saw this coming” syndrome can be avoided.
Types of Risks: Risks can be economic, political, regulatory, technological, social, or even environmental in nature and must be considered in strategy setting.
Don’t Ignore Opportunities: All organizations have wish lists – those strategic investments of capital that might ensure continuing or enhanced relevance to their constituents. They are unbudgeted and unplanned and represent a sort of “If we only had the funding” expenditure for such things as technology and human capital.
Minimize the Reserves Controversy: Nonprofit boards struggle with the issue of reserves adequacy and accumulation and often default to an arbitrary ratio that has no relationship to the organization’s unique strategic risks, and so the controversy continues. When reserves are determined based on an enterprise-wide view of risks and strategic investments that are understood and accepted by the board, reserve management becomes logical and defensible.
Enterprise risk management enables nonprofits to effectively deal with uncertainty and associated risk and opportunity. A mission is more likely to be achieved when boards and management set strategy and objectives to strike an optimal balance between growth goals and related risks, and then efficiently and effectively deploy resources in pursuit of those goals.