Risk management is a cycle. That means it’s a continuous activity — it’s not something that gets checked off a “to do” list and put on a shelf. Having a risk management process means that your organization knows and understands the risks it’s exposed to. It also means your organization has deliberately evaluated the risks and has strategies in place to reduce the likelihood of the risk happening, to minimize harm if something happens, or to remove the risk altogether.
At a basic level, risk management focuses you on three fundamental questions:
- What can go wrong?
- What are we doing to prevent harm from occurring?
- What’s our response to harm or loss if it happens?
Identify the risks
Ask yourself what can go wrong. Every activity of an organization poses a risk, so brainstorm and document the risks. Consider both general risks, which could happen to any organization, and risks specific to your organization.
Risks can be put in broad categories such as:
- Financial risks: either related to compensation or financial mismanagement by employees or supervisors
- Health and safety risks: harassment, unsafe work practices and/or work environment
- Reputational risks: coming from discriminatory practices, unfavourable media coverage, scandal
- Operational risks: inability to deliver your mandate because there are not enough resources or resources are mismanaged
- Technological risks: arising when staff do not follow the organization's guidelines on appropriate use of technology, or through exposure to cybersecurity threats such as ransomware
- Resource risks: when the organization cannot acquire or retain appropriate resources, including human, financial, material, and technical resources
- Strategic risks: strategic objectives are not communicated or understood by staff or not reflected in performance indicators
- Governance risks: unethical management of an organization by its board, non-compliance with policies and procedures
- Environmental risks: political or community environment in which your organization functions
Involve staff, volunteers, and board members in the risk identification process to create a comprehensive picture of the risks based on different people’s involvement in different areas of the organization. You may also wish to engage the services and opinions of an accountant and/or lawyer.
Assess the risks
The next step is to assess each of the risks based on the likelihood or frequency of the risk occurring and the severity of the consequences. Using a risk map to plot the likelihood of occurrence against the severity of the consequences will help you prioritize your next steps. It's important to reassess this map regularly: some risks may decrease over time if proper mitigation strategies are implemented, while other risks may arise. The board of directors should be informed of the critical risks on a regular basis.
Develop strategies for managing risks
Consider the most appropriate risk management strategies for each identified risk. Risk management strategies include:
- Avoidance: Stop providing the service or doing the activity because it's too risky.
- Acceptance: Some risky activities are central to the mission of an organization and an organization will choose to accept those calculated risks.
- Modification: Change the activity to reduce the likelihood of the risk occurring or reduce the severity of the consequences. Policies and procedures are an important part of this risk management strategy because they communicate expectations and define boundaries.
- Transfer or sharing: Purchase insurance or transfer the risk to another organization through signing a contractual agreement with other organizations to share the risk (for example, having a contractual agreement with a bus company to transport clients rather than staff driving clients).
In some organizations, the board will put together a Statement of Risk Appetite in which the directors will identify their comfort level with certain risks. In general, boards tend to be risk averse or moderately averse especially when it comes to reputational risk or financial risk, both of which have strong human resources connections.
Implement the risk management plan
When you have decided which risk management strategies will be the most effective and affordable for your organization:
- Outline the practical steps in the risk management plan and who is responsible for each step.
- Communicate the plan and ensure that there is buy-in from all who are involved in the organization (staff, volunteers, clients, other relevant stakeholders).
- Provide training for all organizational staff and volunteers so they understand the rationale of the risk management plan as well as the expectations, procedures and forms.
Monitor the risk management plan
Consider the following questions and document any changes to the plan:
- Is your plan working?
- Have your risks changed?
- Have you expanded or reduced your programs and services?
- Are changes or updates required?
- Are staff and volunteers following the risk management plan?
- Do they need re-training on the details?
- Do we need to better communicate the plan?
Risk management is an evolving field. Therefore, it's a good practice to keep current and re-evaluate your organization’s risk management system on an annual basis.
Who is involved in the risk management process?
There must be commitment from the board to secure the financial and human resources required in the plan. In larger organizations, a risk management committee, team or department may be formed to handle the risk management process.
In small and medium-sized organizations, the responsibility for developing and implementing a risk management process will likely fall on the executive director. However, paid staff, volunteers — and potentially clients and other stakeholders — will be very helpful partners in identifying risks and developing effective strategies to deal with them.
Once the risk management process is in place, everyone in the organization has a role to play — including identifying risks related to policies and procedures and completing forms and reports.