Evaluating Impact: Continually shape and refine your ERM program
For as much as nonprofit leaders have a healthy respect for risk and a desire to implement leading-edge enterprise risk management (ERM) programs, many still struggle with translating the theory they find in literature into a practical and effective program. There is no single, correct way to implement ERM, which leaves managers to their own devices in interpreting ERM concepts as they attempt to adopt risk management protocols.
This often leads to suboptimal efforts that fall short of achieving their objectives — or worse, to abandonment of ERM initiatives altogether. However, effective implementation of ERM can indeed be achieved, and the common pitfalls that organizations face when designing an ERM program from scratch can be overcome.
Success comes from utilizing a comprehensive, structured methodology, informed by the experience of others, to identify, evaluate, report and mitigate key risks to your organization. Here are best-practices strategies — from organizations that have recently successfully deployed ERM or those that are currently in the midst of successful implementation — to overcome the challenges you will face and translate theory into meaningful, practical action.
Recognize that risks do not all have the same impact
Even the most introductory primer on ERM will tell you that you have to evaluate the impact of a risk. Put simply, risk impact is the degree to which you will be affected by a risk if it were to happen. However, not all risks will affect an organization in the same way. While senior leaders are typically adept at identifying their organization’s top risks, they often perceive the impact of each risk, and what therefore constitutes an appropriate response, quite differently.
Example: A chief financial officer (CFO) might not perceive a significant impact associated with inaccurate reporting of nonfinancial data (e.g., program impact data) because it would not cause an appreciable change in revenue or expense. The vice president of communications, on the other hand, would be highly attuned to the consequences of negative press associated with such an incident. The key is to recognize that impact has many different facets.
To align discussions around why risks are significant and what should be done about them, we advocate dividing your analysis into types of impact:
• Strategic — Causes a strategic objective to fail;
• Financial — Incurs unanticipated cost or reduces revenues;
• Operational — Affects the quality or efficiency of how work gets done;
• Reputational — Creates negative media attention;
• Environmental, health and safety — Jeopardizes staff, volunteer or others’ well-being;
• Technology — Exposes applications, data, operating systems, network or infrastructure to inappropriate access/change; and,
• Legal — Triggers arbitration or litigation against your organization.
When evaluating risks, you should consider the resulting impact. One risk might have a high financial and technology impact, while another might be more reputational in nature. At times, one or more of the impact types won’t apply at all. While these are typical impact categories, management may decide that other types of impact apply.
Calibrate your discussion
Begin by creating guidelines for your risk evaluation framework. Whether you use a simple high/medium/low scale or a more complex numeric rating, document what qualitatively differentiates one risk rating from another. While business judgment is still an integral part of evaluating risk, setting parameters helps level the discussion and resolve differences of opinion by applying objective criteria.
Example: The chief compliance officer is concerned about the risk of failing to comply with a regulation. She argues that it has a high impact on reputation and finances. Her research shows that when fines are imposed, they are usually between $25,000 and $50,000.
The ERM committee refers to their calibrated risk evaluation framework and sees that they have previously determined that in terms of reputation, a risk would have to be noted on a national scale and/or cause their constituents to distance themselves from the organization for it to be considered to have a high reputational risk — an unlikely result in this case. They also note that a risk would have to deplete their reserves by $200,000 or more before they would consider it a high risk. Since there were no other discernible types of impact that apply, they decide that the risk of this lapse in compliance would have, at most, a medium impact on the organization.
Align your mitigation strategies
Successful ERM programs strive to ensure that the organization’s risk management activities directly address the types of impacts expected. Example: A particular risk event may have significant financial, reputational and operational impacts. A comprehensive risk mitigation strategy should address all three areas.
Financial impact mitigation may involve obtaining insurance, creating a reserve fund, etc. Reputational impact mitigation may include developing clear communication and media relations plans. Operational impact may be mitigated through creation or revision of disaster recovery and business continuity plans. Other risk management strategies may, of course, apply.
One of the common mistakes leaders make is ending the discussion after identifying a single mitigation strategy. This limits identification of additional mitigation strategies that can further reduce risk impact by addressing other potential outcomes of a risk event.
Establish your risk tolerance
Risk tolerance, or risk appetite, is the willingness to accept uncertain outcomes. Leadership tends to create broad statements about organizational attitude toward risk in an attempt to define their risk tolerance to avoid either taking on too much risk or being unnecessarily cautious.
While there seems to be very little written about how to define risk tolerance, the practical experience of organizations where this process is being done effectively is that such definitions need to be less broad and more nuanced. It is not helpful to declare “we are risk-avoiders” or “we are risk-takers.”
To get started, you should establish a risk tolerance scale. For example:
• Averse — Low tolerance for uncertainty; prefer the lowest risk option;
• Cautious — Prefer to avoid risks but will accept some uncertainty if benefits are significant; and,
• Accepting — Uncertainty is expected; prefer the option that maximizes benefits.
There is no single risk posture for an organization to take. Rather, tolerance for risk will vary, depending on the nature of its impact. You can then establish your organizational risk tolerance along each of the types of impact. For example, you might be:
• Cautious about strategic risks;
• Accepting of financial risks;
• Averse to reputational risks;
• Averse to health and safety risks.
Assessment of tolerance serves as an important lens to determine if enough is being done when considering risk mitigation strategies. Aligning your risk mitigation strategy with risk tolerance can be further informed by gleaning lessons learned when risk events actually happen. You can answer questions like: “Did we accept more risk than we wanted?” and “Were we too conservative in our reaction to risk?”
These answers will help you to continually shape and refine your ERM program.
Matt Lerner is director, Advisory Services, Not-for-Profit and Higher Education practices at Grant Thornton LLP. His email is matthew.lerner@us.gt.com. Paul Klein was managing director, Advisory Services, Not-for-Profit and Higher Education practices at Grant Thornton.