We do a proper inventory of supplies and goods for sale – but what about an organization’s risks? Shouldn’t we prioritize knowing our inventory of assumed risks more than knowing how much ink cartridges and toilet paper we have on hand?
A risk register is a very important strategic resource for organizations to help them identify and mitigate risks. It helps internal stakeholders look at the entire organization holistically and identify any internal or external risks. Examples of risk may include employee turnover (internal) or new competitor (external-for profit) or cancellation of core funding (external-not for profit). Presence of a risk register can be sought after on grant applications for not-for-profit firms or charities to help secure funding. Having an inventory of risks internally signals to your external partners that your Board and Executive staff understand risk is a natural part of providing service to your communities and that you have plans in place to monitor or mitigate that risk.
It’s important to note that not all risks need to be mitigated. It is up to the organization to decide which risks are either high enough likelihood or high enough impact that they require mitigation or if monitoring the risk on a regular basis is enough to meet your own internal best practices.
How to start?
1) Break your business down by risk categories
The best place to start is by breaking the organization down into risk categories. Internal and External are a good place to start, and for small firms that may be enough. But for more complex organizations, it’s good to break the risks further: by department, by function, by program offering. Whatever level of granularity that will help staff and board brainstorm thoroughly about all the risks that threaten the business.
2) Identifying the risks
It’s good for the Executive Director/CEO to do this exercise in conjunction with board members and possibly even having discussions with senior staff prior to the brainstorming session to ensure full coverage of the entire organization. There will be risks that are generally shared by all organizations like financial misconduct and funding issues, but there will be risks that are unique to specific organizations and perhaps a particular part the organization. These will be related to program delivery (do you interact with children or other vulnerable peoples?) or supply chain (do you have a key supplier or customer that accounts for a majority portion of the supply or demand?), or any other area that is specialized. At this stage, you also want to identify any and all risks regardless of likelihood. Pay particular attention to sociopolitical risks and any other risks that may pose a threat from external influences.
3) Classifying the risks
Next, it’s important to classify your risks by likelihood and impact to the organization. It’s important for everyone involved in the process to identify a scale you want to use: Low/Medium/High or 1(low)-5(high), and have a discussion on what each of those classifications mean on an abstract level. Define each of the levels and assign a designation to each risk. You’ll have something like this (see other examples online that expand on this basic template, but this is the high level the detail you’ll want to capture):
4) Rank the risks by priority
It should be obvious now that a certain pattern is emerging. Risks that are both Low impact and Low likelihood are risks the business needs to be aware of, but not necessarily risks that need to be assigned an abundance of resources to solve. Similarly, risks that are either high impact or high likelihood are risks that require consideration and some mitigating activities. As a group, you will need to decide what level of risk you are willing to tolerate with regards to the risks ranked Low-Medium, but regardless of the priority, give each risk proper consideration.
5) Determining mitigating or management activities.
For this step, you’ll need to consider each risk individually. Start with the High/High risks and continue through the list towards the Low/Low. Some of the highest priority risks might warrant special projects or committees. For example, if one of your High/High risks is a lack of written policies, you’ll want to assign staff to a project to develop formal policies. Some risks you won’t be able to eliminate, but there is always a way to mitigate risks to a manageable level. If the majority of your revenue is tied to one grant or customer, you can negotiate more lengthy cancellation clauses the next time your contract renewal period comes up or work directly with that funder to secure a greater notice period. The point is though, you want to consider each risk separately with the goal of decreasing the Impact to the organization, the Likelihood, or decreasing both. Some risks will always be High in either Impact or Likelihood, so mitigation activities should be focused on keeping the controllable factor as low as possible.
6) Revisit annually (or more frequent) to analyze any required changes
You’ll want to do this exercise at least once a year. You may have new risks to add, or may want to adjust the likelihood/impact level based on successful mitigation activities.
The purpose of this exercise is to have conversations around risk and ensure risks to the organizations are transparent instead of shrouded in mystery. When everyone is aware of risk, it’s easier to implement mitigation activities into the daily operations of a firm.
Feel free to reach out to us if you want to talk about risk and how best to mitigate your organization’s risks.