
Appraise Risks

In the document Managing Risk in Nonprofit Organizations (Pages 33-42)

Step 2: Appraise Risks

The second step in a nonprofit’s risk management journey is the systematic identification and evaluation of the risks the organization faces. This process can involve examination of a single program or activity or an in-depth review of the entire organization. For example, a nonprofit cultural institution may wish to give special attention to the risks and opportunities associated with a proposed fundraising event. The interest in risk management stems from the institution’s concern that it has never conducted a gala open to the general public. Its goals for the event include raising enough money to fund the purchase of several new exhibits, attracting media attention for the organization’s educational programs for elementary school students, and showcasing the organization’s current exhibits and displays while avoiding damage to the facility and assets. A nonprofit providing residential treatment for adults with a history of drug or alcohol abuse may embark on a risk management process to both strengthen the organization and enable it to meet the criteria for accreditation. In order to achieve these goals the treatment center may embark on a process that will uncover risks in client counseling, administrative operations, fundraising, governance, staff recruitment and supervision, and facility management. The same techniques and approaches to risk identification can be used in a narrow effort focused on a single program or activity or in a more comprehensive, organization-wide effort.

As is true with the risk management process, there is no single acceptable or advisable method for risk identification. The selection of approaches to uncovering risks may be based on or sensitive to the culture of the organization. For example, a nonprofit that tends to operate informally, relying on consensus building for key decisions, may elect to brainstorm its risks using a committee of staff members from all levels of the organization.

the risk management process 17

A nonprofit with a traditional top-down bureaucratic decision-making style may task all members of its senior management team with responsibility for identifying risks falling within their sphere of influence and activity. In both cases the risks identified through these very different processes should include opportunities (upside risks) as well as threats to mission fulfillment (downside risks). Both approaches are likely to lead to the identification of long lists of risks. Some of these risks will be deemed to require immediate attention, whereas others will be less significant or even negligible. The task of sorting the serious risks from the less so is another activity under Step 2.

There are additional approaches to risk identification aside from informal brainstorming by a risk management committee or the tasking of senior managers with responsibility for risk identification in their areas of influence. These include:

Reviewing the agency’s history and experience in order to identify risks that have materialized in the past

Reviewing the experience or data from other nonprofit organizations

Conducting interviews or focus groups

Conducting inspections of programs and equipment in order to spot exposures

SWOT analysis (review of an organization’s strengths, weaknesses, opportunities and threats—typically conducted as part of a strategic planning exercise)

The risk identification step requires that members of the risk management committee ask two very different questions. First, what risks do we face, or what could happen? Second, how might the risk materialize in the nonprofit? The second question forces the discussion to move beyond simple statements such as “a client gets hurt” to identify more specific exposures, such as “a client could be dropped while a volunteer is helping him or her leave the wheelchair-accessible van.”

Possible sources of risk that may be helpful to consider in this phase of the process include:

People risks. People risks are those that result from the behavior of paid and volunteer staff, clients, and members of the general public. These risks might materialize when staff follow or disregard instructions or act in the absence of instruction. Some risks might be based on the backgrounds or other characteristics of the nonprofit’s client population. In some cases a nonprofit may be concerned about what people it does not know or serve directly—the general public—will do.

Management risks. Certain risks relate to the failure of controls the nonprofit has established to protect its assets and operations. For example, a nonprofit might adopt internal controls to reduce the risk of embezzlement. The failure of the control system could lead to a theft. In another example, a nonprofit seeking to hire people without criminal records for teaching positions might decide to forgo background and reference checks because a top applicant is a relative of a major donor. Later the nonprofit learns that forgoing its regular screening process was a mistake.

Economic conditions. Every nonprofit exists as a small institution in a larger, dynamic economy. Nonprofit managers spend a great deal of time securing funding for operations and accounting for the use of these funds, but economic conditions and events beyond the nonprofit’s control can have serious effects on the organization’s ability to achieve its mission. During the economic downturn of the early twenty-first century, countless foundations saw the value of their endowments shrink to record low levels because of stock performance. As a direct result of these investment losses, foundations began reducing their targets for grant-making, in some cases eliminating entire eligible program areas. With fewer dollars available to support nonprofit organizations, managers faced the difficult tasks of curtailing programs, laying off staff, and spending more time cultivating alternative sources of funding for critical programs.

Political change. The fortunes of many nonprofits are affected by changing political conditions, election results, and the policies of chief executives at the city, county, state, and federal level.

Technology. Advances in technology have led to unprecedented opportunities for nonprofits. Nonprofits regularly use computers to raise funds, reach and serve clients, and keep stakeholders informed. With the power of information technology come risks for which many nonprofits are ill-prepared. The exposure to claims alleging the nonprofit failed to protect an individual’s privacy is just one example of the dangers that accompany the use of information systems.

Relationships. To accomplish their missions, nonprofits rely on relationships with other nonprofits, with government agencies, and with private businesses. Many nonprofits enter into these relationships with high expectations, assuming that the parties to an agreement (too often not committed to writing) will do all they have promised to do. The possibility of a partner failing to live up to its promises is a risk nonprofits should consider.

Inherent program issues. Certain programs sponsored by nonprofits have inherent exposures. For example, a nonprofit that provides after-school tutoring as well as instruction in tennis faces the risk that its clients may suffer injuries while playing tennis. While the risk cannot be eliminated altogether without discarding an important part of the nonprofit’s mission, it should be identified as a risk so that it can be considered thoughtfully.

When a group of nonprofit personnel completes a risk identification process—even when that process focuses on a single area of operations or a single activity—they are likely to have a long list of possibilities. For example, a group working to identify the risks of a nonprofit’s 10K walkathon might identify several dozen risks, including:

The possibility that attendance will fall significantly below the expected 250 walkers and 500 observers

The possibility that extreme weather will force the nonprofit to postpone or cancel the event

The possibility that a participant will suffer a serious injury or die while participating in the walk

The possibility that attendance will surpass the nonprofit’s expectations and supplies of water and T-shirts will be inadequate.

Without a secondary review to determine relative significance, the organizers of the 10K are likely to be frustrated—how will they determine what risks require immediate attention? Are there risks for which mitigation measures are available but are beyond the financial means of the nonprofit?

The second step in the risk management process reminds us to take a systematic approach to assigning values to risks in order to create a list of priorities for decision-making. The focus of this phase of the process is to examine two important dimensions of each risk: likelihood and magnitude. The likelihood dimension answers the question of how often will this risk materialize, and magnitude addresses how detrimental or how beneficial the risk could be. Both dimensions are critical to deciding what action is appropriate. Here are several methods for further analyzing the nonprofit’s identified risks.

Brainstorming. The simplest approach to this task is to rank-order the risks identified under Step 2 based on the team’s brainstorming and instinctive feelings about what the nonprofit’s first concerns should be. For example, using the four risks listed above for the 10K walkathon, the organizers may agree that while all risks could materialize, the most likely risk is that attendance will fall below the ambitious goals established for the event. With this in mind, the committee focuses its attention and efforts on increasing attendance at the event.

Quantitative approach. Large nonprofits and large umbrella or parent organizations of nonprofits can draw on their long experience with risk and loss and use a quantitative approach to appraising risks. These organizations can examine claims data and loss costs to predict the likelihood of risks materializing and the estimated costs of these risks. Most small and midsize nonprofits do not have such detailed data available for the simple reason that they have experienced few minor losses. A quantitative approach is also available to a group of nonprofits that have banded together for the purpose of establishing and operating an insurance program. Claims information from the program is invaluable in predicting both the magnitude and frequency of future losses.

Review of past experience and failure/success analysis. This approach calls for a systematic review of the nonprofit’s past experience with similar events or activities in order to identify past outcomes that can be helpful in predicting the future. Using the example of the 10K walkathon, if the event were an annual undertaking, the planning group might list outcomes from prior years. For an event held regularly over a decade or more, the list might include both minor events and those requiring management attention and financial resources. For example, the group might determine that over the past decade, one year the event was rained out, twice attendance fell below the expected number, once attendance was 20% more than expected due to last-minute radio ads, and another time the contracted supplier of water did not deliver the water bottles on time. Using this information the group can estimate the probability of these risks materializing. If this is the first year of the event, the group might look to the experiences of other nonprofits operating in different parts of the country or similar groups holding similar events in the same community.

Risk mapping. Another approach to evaluating risk is to map risks using a chart that depicts an assessment of frequency along the vertical axis and an assessment of magnitude along the horizontal axis.

Using the risks identified for the 10K walkathon, a risk map might look like the one in Exhibit 1.2.

Scenario analysis. Scenario analysis is a technique the planning group could use to identify possible outcomes and determine their potential effect on the organization. For example, the group might examine the scenario of a participant having a serious or fatal injury during the event: How quickly will we be able to call for medical assistance? Is the entire route accessible to medical personnel? Would this type of occurrence attract local media attention? If so, what level of media attention can we expect?

EXHIBIT 1.2 Risk Map for a 10K Walkathon (figure: frequency on the vertical axis; magnitude on the horizontal axis, from low through medium to high; risks plotted: poor attendance, supplies exhausted, event canceled, serious injury)

Semiquantitative analysis. Some planning groups might prefer to use a quantitative method for differentiating the risks they have identified, yet it is difficult, if not impossible, to accurately assign numeric values to the likelihood of a risk materializing (its frequency measure) or the magnitude of the risk (how much? how big? how significant?). One approach to a semiquantitative analysis of risks is to apply a scoring system such as high, medium, or low to a list of risks with respect to both frequency and magnitude. The scores assigned to each factor are added together to produce a total score for each risk. This enables the planning group to rank the identified risks using total score as the ranking system.

One approach to defining a scoring system with high, medium, and low values follows:

| Score | Frequency (likelihood, probability) | Magnitude |
|---|---|---|
| High | Likely to happen | Serious disruption of the event or serious impact on the organization |
| Medium | Might happen | Moderate effect on the event or organization |
| Low | Unlikely | Negligible effect on the event or organization, if it happens |

The following chart depicts the application of the simple semiquantitative scoring system to the risks of the 10K walkathon.

| Risk | Frequency Rating | Magnitude Rating | Total Score |
|---|---|---|---|
| Low attendance | Medium | High | Medium-high |
| Adverse weather cancellation | Low | High | Medium |
| Serious injury or death | Low | High | Medium |
| Supplies exhausted | Low | Medium | Medium-low |

What the results of the above exercise suggest is that the risk management team should consider working on the risk of low attendance before devoting attention to the other risks associated with the event.

The semiquantitative approach can be expanded to include additional descriptive categories for frequency and magnitude. By including descriptive language in addition to a level or grade label, a planning group may find it easier to associate identified risks with frequency and magnitude scores. Keep in mind that these scores are not intended to be precise measures of risk, but they are helpful in comparing dissimilar risks in order to rank and prioritize exposures for decision-making.

The following examples are adapted from Guidelines for Managing Risk in the Australian and New Zealand Public Sector.

measuring frequency

The first example uses six categories to define frequency. The nonprofit’s risk management committee examines each risk in turn and chooses the appropriate frequency measure, using the description of each level as a guide.

| Level | Description |
|---|---|
| A | Almost certain—is expected to occur in most circumstances and may occur once a year or more often |
| B | Likely—is likely to occur in most circumstances and has actually occurred in recent years |
| C | Possible—might occur at some time in the future, perhaps once every 10 years |
| D | Unlikely—has not occurred in the past but could occur at some time in the future |
| E | Rare—may occur but only under extraordinary conditions; has perhaps happened elsewhere |
| F | Very rare—has never happened to the nonprofit’s knowledge |
| G | Incredible—would only happen under extraordinary circumstances, perhaps once every 1,000 years |

measuring magnitude

The magnitude measure represents the committee’s prediction of the consequences the nonprofit will face when a risk materializes. As shown in Exhibit 1.3 the Australian Risk Management Standard uses a five-part table to describe the possible consequences of risk.

By assembling the two dimensions—frequency and magnitude—into a single chart, it is possible to see how a nonprofit might approach deciding what to do about a particular risk. Exhibit 1.4, also adapted from the Australian Standard, suggests a way to consider frequency and magnitude in relation to each other.

EXHIBIT 1.3 Describing the Magnitude of Risk

| Magnitude | Description |
|---|---|
| Catastrophic | The consequences would threaten the survival of the program or activity as well as the nonprofit itself. The risk might cause significant problems for service recipients, for the paid and volunteer staff of the nonprofit, for stakeholders such as funders, and perhaps for the general public. The nonprofit would face a significant loss of revenue. |
| Major | The consequences would threaten the ability of the nonprofit to continue the program or activity. The nonprofit is likely to face a loss of revenue and the event/circumstances would require attention by senior management. |
| Moderate | The consequences may not threaten the organization or program’s survival but would require some changes in structure or delivery. Some revenue loss may occur. |
| Minor | The consequences threaten only the efficiency or effectiveness of the program and organization, not its survival. The consequences can be handled by mid- to senior-level managers, and clients are likely to be affected. |
| Insignificant | The consequences would have a negligible impact on the nonprofit, and the risks can be handled by existing routine procedures. |

EXHIBIT 1.4 Evaluating the Level of Risk

Columns after the first give the consequences.

| Frequency | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| A Almost certain | H | H | E | E | E |
| B Likely | M | H | H | E | E |
| C Possible | L | M | H | E | E |
| D Unlikely | L | L | M | H | E |
| E Rare | L | L | M | H | H |
| F Very rare | L | L | L | M | H |
| G Incredible | L | L | L | L | M |

Legend:

E = extreme risk; immediate action by senior management is required

H = high risk; senior management attention needed

M = moderate risk; management responsibility should be assigned

L = low risk; routine procedures to address issue represent sufficient response
