
Risk and Risk Management

Risk can be defined as the combination of the probability of an event and its
consequences. In all types of undertaking, there is the potential for events and
consequences that constitute opportunities for benefit (upside) or threats to success
(downside).
Risk Management is increasingly recognized as being concerned with both positive
and negative aspects of risk. Therefore this standard considers risk from both
perspectives. In the safety field, it is generally recognized that consequences are
only negative and therefore the management of safety risk is focused on prevention
and mitigation of harm.
Risk is anything that can derail your nonprofit from accomplishing its mission. Risk
management is a discipline for identifying risks, assessing how serious or severe the
risks are, and determining ways to address that uncertain future with a goal of
avoiding or minimizing harm and financial losses. Risk management focuses on those
events or occurrences that may cause injury or harm to a nonprofit's clients, its
assets (including employees and volunteers) and its reputation.
Risk and Risk Management
Risk: uncertainty of the outcome
Risk can bring unexpected gains. It can also cause unforeseen losses, even
catastrophes. Risks are common and inherent in the financial markets and
commodity markets: asset risk (stocks...), interest rate risk, foreign exchange risk,
credit risk, commodity risk and so on. There are two totally different attitudes toward
risks:

1. Risk aversion: quantify an identified risk and control it, i.e., to devise a plan to
manage the exposed risk and convert it into a desired form. Basically, two
kinds of plans are available:
a. Replace the uncertainty with a certainty to avoid the risk of adverse outcomes,
even if this requires giving up the potential gaining opportunity.
b. Be willing to pay a certain price for the potential gaining opportunity, while
avoiding the risk of adverse outcomes.

2. Risk seeking: willing to take the risk with one's money, in hope of reaping risk
profits from investments in risky assets out of their frequent price changes.
Acting in hope of reaping risk profits from the market price changes is called
speculation.
The most common risks facing nonprofits:
The frequency of a particular risk will depend on what activities your nonprofit is
engaged in. Youth-serving organizations and those serving vulnerable persons are
always concerned about the safety of their clients in the hands of volunteers or staff
who provide services. Yet, the most common risk for those organizations may be
related to the fact that the clients are being transported every day in vans, exposing
them and the driver to a possible motor vehicle accident. A serious risk that every
nonprofit faces is the risk that its reputation or good will in the community could be
eroded by any number of circumstances, from a surly receptionist to financial
improprieties. Each nonprofit needs to conduct an assessment of its activities to
determine what its own most common risks may be. Statistically, if your nonprofit
has any employees, it is probable that at some point the organization will be faced
with an employment-related claim. Common claims in the property and casualty area
include slips, trips and falls and motor vehicle accidents.
Sorts of events which cause us to lose our tax-exempt status:
Your organization's articles of incorporation probably mirror the IRS regulations under
Code Section by providing a fairly specific checklist of what to avoid:
(i) Operating so that more than an insubstantial part of the nonprofit's activity
furthers a purpose(s) other than its charitable purpose
(ii) Conferring private benefit (usually financial) on other entities or individuals
(iii) Supporting or opposing a candidate for public office
(iv) Upon dissolution, distributing remaining assets to someone, or something,
other than the government or another tax-exempt organization.

Many times the first enforcement step is for the IRS to impose penalties, called
"intermediate sanctions," against the nonprofit, the person who received the
excess benefit and board members who approved the nonprofit's actions.
However, in egregious situations the IRS will move directly to revoke an
organization's status. Some specific circumstances that can cause a charity to
lose its tax-exempt status are:

Taking out an ad in the paper encouraging readers to vote for a particular
candidate.

Running a commercial activity through the nonprofit that has no relation to the
mission and/or that takes up more than an insubstantial amount of time,
energy and resources, so that it overshadows the charitable activities of the
organization.

Engaging in a transaction that results in compensation to an individual or to
another organization that exceeds the fair market value of the goods or
services rendered to the nonprofit.

Failure to file the organization's annual report, IRS Form 990.

Prioritize all the possible risks facing our organization:


To prioritize your risk management to-do list, you need to determine which risks are
most likely to occur, as well as which risks will result in the most severe harm. This
exercise is called a risk assessment. For some organizations, losing power or water
damage due to severe weather may be a frequent occurrence that has been
successfully managed so that if it happens in the future there may be minimal
disruption and financial impact; while for others, a catastrophic loss, such as a child
drowning, may be extremely unlikely given the supervision and safety procedures in
place, but, because of the severity of the loss, risk management procedures at the
waterfront/poolside are a high priority for that nonprofit.

The Nonprofit Risk Management Center offers risk assessment consulting
services to assist nonprofits with an overall assessment of their unique risks.
Often a review of a nonprofit's insurance program is completed simultaneously
so that the nonprofit has a better idea of whether its various risks are
adequately addressed through insurance.

Risk Management

Risk management is a central part of any organization's strategic management. It is
the process whereby organizations methodically address the risks attaching to their
activities with the goal of achieving sustained benefit within each activity and across
the portfolio of all activities.
The focus of good risk management is the identification and treatment of these risks.
Its objective is to add maximum sustainable value to all the activities of the
organization. It marshals the understanding of the potential upside and downside of
all those factors which can affect the organization. It increases the probability of
success, and reduces both the probability of failure and the uncertainty of achieving
the organization's overall objectives.
Risk management should be a continuous and developing process which runs
throughout the organization's strategy and the implementation of that strategy. It
should address methodically all the risks surrounding the organization's activities,
past, present and, in particular, future. It must be integrated into the culture of the
organization with an effective policy and a programme led by the most senior
management. It must translate the strategy into tactical and operational objectives,
assigning responsibility throughout the organization with each manager and
employee responsible for the management of risk as part of their job description. It
supports accountability, performance measurement and reward, thus promoting
operational efficiency at all levels.

Risk Management Plan:


Just as a nonprofit might design a strategic plan to address its goals and outline how
to achieve them, similarly, a risk management plan is a way to identify risk
management goals, strategies to achieve them, measurable outcomes, as well as
who will be accountable. A risk management plan may include policies that the
nonprofit already has, or articulate goals to adopt in the future. Generally the risk
management plan is developed by a committee that includes staff and board and
adopted by the board as part of the board's overall commitment to good governance.
Risk Management Plan
There are four stages to risk management. They are:
Risk Identification
Risk Quantification
Risk Response
Risk Monitoring and Control


Risk Identification
In this stage, we identify and name the risks. The best approach is a workshop with
business and IT people to carry out the identification. Use a combination of
brainstorming and reviewing of standard risk lists. There are different sorts of risks
and we need to decide on a project-by-project basis what to do about each type.
Business risks are ongoing risks that are best handled by the business. An example is
that if the project cannot meet the end of financial year deadline, the business area may
need to retain their existing accounting system for another year. The response is
likely to be a contingency plan developed by the business, to use the existing system
for another year. Generic risks are risks to all projects. For example, the risk that
business users might not be available and requirements may be incomplete. Each
organization will develop standard responses to generic risks.
Risks should be defined in two parts. The first is the cause of the situation (Vendor
not meeting deadline, Business users not available, etc.). The second part is the
impact (Budget will be exceeded, Milestones not achieved, etc.). Hence a risk might
be defined as "The vendor not meeting deadline will mean that budget will be
exceeded". If this format is used, it is easy to remove duplicates, and understand the
risk.
Risk Quantification
Risks need to be quantified in two dimensions. The impact of the risk needs to be
assessed. The probability of the risk occurring needs to be assessed. For simplicity,
rate each on a 1 to 4 scale. The larger the number, the larger the impact or
probability.
By using a matrix, a priority can be established.

Note that if probability is high, and impact is low, it is a Medium risk. On the other
hand if impact is high, and probability low, it is High priority. A remote chance of a
catastrophe warrants more attention than a high chance of a hiccup.
Risk Response
There are four things you can do about a risk. The strategies are:
Avoid the risk. Do something to remove it. Use another supplier for example.
Transfer the risk. Make someone else responsible. Perhaps a Vendor can be
made responsible for a particularly risky part of the project.
Mitigate the risk. Take actions to lessen the impact or chance of the risk
occurring. If the risk relates to availability of resources, draw up an agreement
and get sign-off for the resource to be available.
Accept the risk. The risk might be so small the effort to do anything is not
worthwhile.
A risk response plan should include the strategy and action items to address the
strategy. The actions should include what needs to be done, who is doing it, and
when it should be completed.
Risk Control
The final step is to continually monitor risks to identify any change in the status, or if
they turn into an issue. It is best to hold regular risk reviews to identify actions
outstanding, risk probability and impact, remove risks that have passed, and identify
new risks.
