“This is the LEAST of my worries right now.”
A number of years ago, I’d been working with a business to assess the risk impact of a technology process and determined we needed to tighten controls to prevent large dollar losses. But when the executive in charge heard the recommendations, he told his team to do nothing. Despite reports demonstrating a large potential financial exposure, the executive couldn’t be convinced. He had a more pressing matter at hand.
The business was in the middle of an acquisition and the risks associated with the transaction dwarfed our project. The executive and I agreed to table the technology risk project—in effect, accept the risks—until the acquisition was completed.
As we recommended in a previous post, managing every possible risk imaginable is neither prudent nor effective as it requires resources to design, build and implement the controls necessary to reduce risk. Nonprofits too are bombarded with financial and reputational exposures that can distract from the key mission. That’s why once an organization has identified its risks, it needs to prioritize a short list of risks to manage. Now how to do that…
Risks are typically assessed according to two factors.
- Severity – This describes the degree of pain or pressure that results from a particular risk. Severity can be expressed as a financial, physical or human loss. For example, the risk could result in increased expenses, a decrease in revenue or maybe even fines or legal fees. It could also refer to property damage, personal injury or fatalities.
- Likelihood – This describes the probability that the risk will result in a financial, physical or human loss over a specific period of time. Is the damage likely to happen daily, annually, or once over a period of years?
Information about the individual risks informs how severe or likely the effects of a risk “event” on an organization could potentially be. This information can be hard data (e.g. donor records, response time, number of errors, foot traffic, etc.) or it can be anecdotal evidence, based on the experience of staff, board members, partners and sometimes customers. Most importantly, the more information an organization can obtain about its risks, the more easily it can assess Severity and Likelihood to prioritize those risks. With those assessments complete, we now only need to analyze the risks to see which ones stand out.
One easy mechanism to prioritize risks is to plot them against a matrix with Likelihood on the bottom axis (x-axis) from “Rare” to “Certain” and Severity on the left-hand axis (y-axis) from “Negligible” to “Catastrophic”.
Risks that land in the red area of the plot—indicated with a #1—should be addressed first. These are risks that are potentially severe AND have a high likelihood of occurring if nothing is done to limit or prevent the resulting damage. For example, organizations with one major donor that props up the organization are highly likely to be left with a significant funding gap.
Risks that land in the amber area of the plot—indicated with #2—are next to be considered. These risks are either potentially severe but have a lower chance of occurring, or have a smaller financial or operational impact but are very likely to occur.
By separating risks in this way, the organization can take a planned and deliberate approach to managing risks without having to guess what makes the most sense from a financial, time or mission perspective.
Now that we know the risks we care about, what do we do to manage them and prevent the damage from occurring? Watch for our article on risk control.
Talk to the financial experts at Fairlight Advisors to learn more about managing your nonprofit’s investments. Schedule a free consultation today!
Fairlight Advisors