The New Risk Paradigm for Not-for-Profit Organizations
The Power of Possible
Essential Questions Senior Management Must Consider
In the past few decades, the business landscape
for the larger, more complex, not-for-profits
that provide social services has changed
dramatically. In addition, the integration of
social values within for-profit companies has
further blurred the line between for-profit and
not-for-profit organizations, resulting in greater
competition in the social services sector, and
more choices for consumers of those services.
Furthermore, the Internet has made the number
and nature of those offerings more visible and
accessible, and as a result consumers have become
more savvy, and more demanding.
These changes, as much philosophical as
practical, have also led not-for-profit companies
to provide more of their services through
‘contracted’ programs—that is, programs with
far more stringent terms, in an attempt to reduce
costs and alleviate fiscal deficits. Even more
importantly, there has been a major philosophical
shift away from contracts that pay for services
rendered, and toward contracts that pay based on
achieved goals, outcomes, or measurable impact.
If, for example, your agency was once paid to
provide job training skills, it is now more likely
to be paid based on how many clients in your
program actually secure employment. Thus, the
need to achieve measurable objectives—whether
those objectives are commercial or social—is
now as much a requirement for not-for-profit as
it has long been for for-profit organizations. This,
in turn, has exponentially increased not only the
day-to-day risks of not-for-profits, but in some
cases threatened their very survival.
As a result, senior management of not-for-
profits is faced with a somewhat new and
daunting challenge—i.e., the need to create
an infrastructure capable of synthesizing vast
amounts of information, connecting the dots
across a myriad of programs, and simultaneously
integrating business strategy, goals, and risk
management. The failure to do so—at least
historically—was usually due to a pervasive fear-
based approach that was primarily backward-
looking, and focused on flat financial metrics
and ratios. As a result, hidden risks were often
left uncovered, problems that kept organizations
from achieving their goals were not anticipated,
and risk mitigation strategies, if any, were
ineffective. Risk management, in fact, whether
adapted to for-profit or not-for-profit enterprises,
requires a forward-looking approach—one that
is integrated with business strategies and goals
to achieve measurable results in a continually
changing environment.
Therefore, the new risk paradigm for not-for-
profits forces management to consider two
separate aspects of risk management—the
first strategic, and the second organizational.
Succeeding in the former requires thinking about
risks throughout the organization. Succeeding
in the latter entails the creation of a risk-centric
culture, both empowering management and
employees to effectively deal with risk, and
demanding that they execute enterprise-wide
initiatives related to those risks.
Turning first to Strategic Risks, management
must begin with a short inquiry into the most
fundamental aspects of the not-for-profit business
model.
1. Do we fully understand our risk exposures?
2. Are our risk exposures appropriate
to our objectives, our appetite for risk,
our resource levels, and our desire for
long-term sustainability?
First and foremost, senior managers must
ensure that all risks facing the enterprise
have been properly identified and measured.
This process should start at the business unit
level, where program managers intimately
familiar with their individual landscapes
can adopt an appropriate risk management
framework, and establish an ongoing risk-based
dialog with senior management. Together
they can then discuss current and emerging risks
in detail, establish risk limits, and put specific
action triggers into place.
The next critical step is a holistic enterprise-wide
view of risk—one that transcends individual
business segments and/or programs—established
at the senior executive and board level. Once
defined, the strategic implications of each type of
risk must be contrasted with resource adequacy
and availability, leading to a clear understanding
of how each risk can and ought to be managed.
In addition to proper risk identification and
measurement, strategic deliberations by senior
management must establish an explicit link
between risk, resources, and strategy. To avoid
surprises and ensure that a not-for-profit does not
respond to pressures through blind risk and
leverage, the organization’s risk appetite must be
fully aligned with funding and service targets, and
vice versa. In other words, senior management
must fully understand and approve the amount of
risk required to achieve the organization’s stated
objectives and goals.

Given the complexity of the modern world—
again, in both the private and public sectors—
senior management must also regularly devote
time to discussing the so-called unknown
unknowns—that is, events and risks beyond
the scope of traditional discovery processes and
systems, in addition to business-as-usual risks.
For example, an acknowledged but unknowable
unknown in a not-for-profit might involve
a political or philosophical change in the way
state and local governments view their funding,
emerging business models, or changes in the
competitive environment (including for-profit
service providers). Another unknown unknown
might concern the not-for-profit’s long-term
sustainability.

Finally, questions pertaining to clarity of purpose,
strategic responsiveness, and engagement of key
stakeholders should also be regularly discussed so
that unknown unknowns show up at the table.
3. Is our organization adequately dynamic
from the viewpoint of risk management?
4. How do risk and uncertainty factor into
our strategic decisions?
The lack of organizational dynamism—i.e.,
a company’s ability to detect coming crises
and environmental changes, understand
their potential impact, and develop the agility
to react in a timely fashion—was a common
feature of for-profit companies that failed during
the recent financial crisis, and not-for-profit
companies whose traditional approach no longer
worked in the post-crisis environment.

Senior management can and should play an
important role in ensuring that a company is
well-prepared to withstand volatility, crises,
disruptive technologies, and other changes in the
market, and in its competitors. An integrated risk
management framework, early warning systems,
and comprehensive contingency plans must be
continually reviewed by Senior Management
and the Board of Directors, and included in all
strategic discussions.

The recent financial crisis revealed profound
disconnections between executive
decision-making and risk management.
Nor were not-for-profits immune to this way of
thinking, since they generally thought of risk
management from a largely defensive perspective.
Furthermore, because not-for-profits have not
traditionally been associated with corporate
agility, they have tended not to develop the sort of
resiliency on which commercial ventures depend.
For that reason, strategic decisions—again, in
the public as well as the private sectors—have
often been focused on business and customer
strategies, new product development, and
pursuit of market share, with risk management
remaining an afterthought—that is, a sort of
police function used to check on safety and
soundness only after strategic and investment
decisions had already been made. To remedy this
after-the-fact approach, the role of risk in a not-
for-profit’s business model must be continually
reevaluated by senior management, thus making
risk management an input into strategic decisions
and governance. Continually asking fundamental
questions in rigorous yet practical ways vastly
improves the effectiveness of senior management,
helping them steer their not-for-profits through
the ever more difficult conditions of the modern
global environment.
Organizational Risk Management by senior leadership is equally critical, since it is no longer enough to assume that
risk is being properly measured and managed as strategies are set, and certain results are sought. For those reasons
successful organizational risk management entails its own set of important questions.
1. Do we have an integrated firm-wide risk
management process?
2. Are professionals at all levels empowered
to manage risk?
Effective risk management is achieved
through comprehensive risk reporting,
governance policies and limits, escalation
procedures, action triggers, and dynamic and
integrated firm-wide processes. As a prerequisite
to all of the above, the not-for-profit must
possess an analytical system capable of properly
identifying, measuring, and aggregating all
risks across the enterprise. Equally important,
an appropriate ‘risk mindset’ must be adopted
throughout the organization. Furthermore, once
that mindset is in place, risk exposures and the
risk analysis of key business initiatives must be
routinely discussed. Senior Management must
also ensure that relevant risk measures are among
the key metrics monitored by program managers
on a daily basis. Lastly, senior management must
ensure that risk issues are handled proactively,
and communications across program units
are open and effective. In this regard, red flags
to be watched and immediately addressed
include 1) excuses that specific risks do not lend
themselves to quantitative measurement, 2) claims
that certain risks are the “nature of the business”
and therefore should not be monitored or managed,
and 3) phrases like “don’t worry,” “this is
a low probability event,” or “local managers
have it all under control,” which should be stricken
from the organization’s vocabulary. Instituting a rigorous
firm-wide risk process also ensures that directors
do not start questioning senior managers about
risks that the corporation has undertaken only
after it is too late. The White House situation
room, to give but one example, employs a
‘tripwire system’ that monitors pre-determined
events to ensure that strategists continually
reassess the changing environment.

For the risk management of a large, complex
not-for-profit to be effective, it must be built
not only into every part of the decision-
making process, but also into every control
mechanism throughout the organization. Toward
that end, common risk management language
must be established throughout the organization,
along with clearly delegated responsibilities for
managing risk at all levels. Finally, leadership and
risk management structures must be correctly
aligned with the not-for-profit’s business model,
and the right balance established between
competing priorities and constituencies.
3. Does the Not-for-Profit have an
appropriate risk management culture?
According to Jim Collins, the author
of Built to Last and Good to Great,
“companies that survive periods of great
tumult and duress have an incredible fabric of
values.” Given that it is precisely these values
that help successful companies fulfill their
missions and strategic visions—and in so doing
create lasting value—senior managers must be
committed to the creation of an effective risk
culture. There are specific signs that a not-for-
profit is on the right track in this regard, and that
risk management has become part and parcel of a
not-for-profit’s DNA and immune system.
First, the board assumes the ultimate
responsibility for risk oversight.
Second, the board declares its ethical stance.
And third, the board establishes clear measures
of success, using well understood metrics for
risk appetite, and risk limits. Toward those ends,
the board also delegates responsibility to the
appropriate authorities for risk management
across the enterprise. Risk training and
awareness programs are also in place throughout
the organization, with senior line managers
and risk professionals responsible for formal
post-mortems of major mistakes. Senior
management also ensures that management
incentives encourage responsible and value-
added risk taking, and emphasize the
importance of embedded risk management
processes in the organization’s decision-making
and communications. Rewards must also
be consistent with desirable behaviors, and
employees must know what is expected and
what will not be tolerated.
With such a risk culture in place, silos will be
broken down, open communication will be
encouraged, and risk successes will be publicized
and imitated. And when this happens, employees
will make better decisions, keep their not-for-
profit out of harm’s way, and reduce potential
legal liabilities and reputational risks.
Conclusion
Risk management is the most efficient
framework for critical strategic and
investment decisions, not merely a policing
function. Therefore, the new risk paradigm for
not-for-profit governance presents visionary
senior managers with a unique opportunity.
In normal economic environments, strategic
management of risk leads to lasting social value
creation. During crises, it limits losses and
ensures survival. Along with that opportunity,
however, comes the need for unrelenting
hard work, constant vigilance, and inspired,
enthusiastic leadership.

Put another way, risk management must be
transformed into a cornerstone of effective
strategic decision-making and corporate
governance in not-for-profits—a critical element
of the organization’s foundation that fully
supports operations, organizational structures,
and corporate culture.

Of course there is another solution, as W. Edwards
Deming famously noted: “It is not necessary to
change. Survival is not mandatory.” It is up to
senior management of not-for-profits to make
that decision.

This article, specifically adapted for not-for-profits, is based on an article by Martin and Tillman published in
Chief Executive Magazine in 2011.

Christine McMahon is President and CEO of Fedcap Rehabilitation Services, Inc., a national nonprofit
committed to creating opportunities for people with barriers to economic well-being, is a highly regarded
national presenter on nonprofit leadership, and is a member of the U.S. Secretary of Labor’s Advisory Committee
for Individuals with Disabilities.

David X Martin is a former Chief Risk Officer, as well as Founding Chair of the Investment Company Institute’s
Risk Committee. He is an Adjunct Professor, Author, Special Counselor to the Center for Financial Stability, and
currently consults for a number of financial institutions, and provides expert witness testimony.