The Nitty Gritty of a Risk Committee
By Melanie Lockwood Herman
“Let’s form a committee!” is the frequent battle cry of nonprofit leaders facing a complex problem for which there are no obvious, immediate or cheap solutions. When more than one brain is needed to ponder a perplexing problem, forming a committee seems to be a good first step. But are risk committees worth the time and nurturing they require? At the Nonprofit Risk Management Center we answer this question with a resounding, “Yes!” That’s not to say that we haven’t heard about some ineffective and nearly useless committees in our many years as an advisor to nonprofits. But the concept is sound and with a little finesse, every nonprofit can recruit and deploy a committee that will strengthen, support and help sustain a strong and effective risk management program.
Steer Clear of the Traps
To help your committee chart a meaningful and sustainable course, it might be helpful to understand the traps that some of those who have come before you have fallen into. Here are the most common traps:
- Unrealistic Goals — If you’re forming a Risk Management Committee to eliminate risk in your nonprofit, you might as well “call the whole thing off.” No organization can hope to achieve a charitable, community-serving mission without taking risk. If you’re planning to close your doors, you need a winding down plan, not a risk management committee.
- Lip Service — If you’re forming a Risk Management Committee so that you can “tic the box” on an insurance or accreditation application, or to tell your national organization that you have a committee, think again. You’d be better off identifying a few practical steps to take to improve risk awareness, enforce existing risk policies, and finally tackle that long overdue Risk Management Plan. (If you need help with the latter, try www.MyRiskManagementPlan.org.)
- Lack of Vision — I recently read that the focus of a school board should be on policies and activities that will provide the best possible educational experience for the students’ children. That’s right, the future (not current) students at the school. Although an effective risk management committee should consider how the nonprofit learns from mistakes and prior losses, the bulk of its energy should be spent thinking about risk taking and risk management on the future horizon.
- “Sometimes a committee formed somewhat organically winds up being more diverse and effective than a hand-picked team.” Groupthink — There’s nothing like being a member of a group of people with similar backgrounds and worldviews. And that may be great when it’s time to decide what TV show you’ll be watching at home tonight, but it’s a recipe for disaster in a risk management committee. Risk is lurking behind every good idea and every harebrained scheme at your nonprofit. A risk management committee that brings a shared worldview and similar backgrounds (e.g., finance, insurance-buying, workplace safety) is more likely to overlook some of the diverse risks that could ensnare your mission.
Risk Committee Success Formula
- Determine the process and approach for appointing or recruiting members — One of the common misconceptions many leaders have about risk management committees is that very few people will be crazy enough to want to participate. Recently I had the opportunity to help an international nonprofit launch its brand new risk management committee. The leaders at the nonprofit were surprised (shocked?) at the response they received when they solicited volunteers to serve as inaugural committee members. Representatives from offices around the world contacted the risk manager to express their interest and gratitude for the opportunity! While it’s always possible to round up the usual suspects for a risk committee—reps from most operational departments, someone from the executive team, etc.—in our experience it is far better to take a risk and invite volunteers. Sometimes a committee formed somewhat organically winds up being more diverse and effective than a hand-picked team. And remember that your risk committee needs and deserves an effective leader.
- Draft a committee charter — A committee charter is a tool for helping those who appoint the committee and those who serve on it and support it develop a shared understanding of the purpose, scope, goals and authority of the committee. An effective charter has the following characteristics:
- Statement of overarching purpose — The charter should begin with a clear statement of purpose. For example: The purpose of the Risk Management Committee is to provide oversight across the organization for all categories of risk in order to ensure that proper practices are in place to surface, understand, and manage priority risks.
- OR -
- The Risk Management Committee exercises shared responsibility for surfacing and managing the operational risks facing the organization. Staff throughout the organization are invited to participate in the Committee.
- Frequency of meetings — The charter might indicate that the Committee will meet 4, 6 or more times per year for 90-120 minutes per meeting, depending on the agenda. Ideally, the committee will meet on a consistent date and time (e.g., second Thursday of the month at 10 am). Don’t meet too often or unless there is something to do or discuss.
- Specific goals and responsibilities — Outline the committee’s specific goals and responsibilities.
- Committee composition — Indicate who is eligible to participate, and how long members are expected or asked to serve.
- Committee authority — Note the committee’s authority, such as: ‘The Committee makes recommendations to the CEO or the Board of Directors,’ or ‘The Committee is authorized to adopt new internal policies related to risk management.’
- Statement of overarching purpose — The charter should begin with a clear statement of purpose. For example: The purpose of the Risk Management Committee is to provide oversight across the organization for all categories of risk in order to ensure that proper practices are in place to surface, understand, and manage priority risks.
- Develop realistic goals and a practical plan — Nothing kills good intentions faster than unrealistic plans. One way to give a boost and a protective vaccine against failure to a risk committee—or any committee—is to develop a set of clear goals or projects for the group’s first year. Brainstorming those reasonable goals and an accompanying timetable can be a key outcome for the kick-off meeting. Throughout the life of the committee it’s vital to show where you are headed, what you’ve accomplished, and what remains to be done. There’s nothing better than seeing on paper at the midyear point that half of the projects or tasks have been accomplished and there is a reasonable workload remaining. Keep the momentum going with a plan that goes beyond the start-up or “honeymoon” phase.
- Plan a dynamic kick-off meeting and stick to your schedule — Never start any committee meeting by apologizing for having to meet or blaming someone for the existence of the committee. The discipline of risk management has a bad rap as it is; don’t contribute to that by making excuses, blaming your insurers or accrediting bodies, or worse, insinuating that anticipating future events is unrelated to the mission of your nonprofit. If risk management isn’t mission related in your nonprofit, maybe it’s time to use the endowment fund balance on a gaming table in Las Vegas! The sidebars offers two sample agendas for a kick-off or orientation meeting of the risk committee. Note that neither sample includes a dreary, hours-long review of an insurance policy.
- Resolve to involve — In Start With Why, author Simon Sinek writes that “The single greatest challenge any organization will face is… success.” Sinek is referring to the fact that as organizations grow, decision-making necessarily becomes dispersed. CEOs of large organizations can’t personally screen every applicant or approve every purchase. The same holds true in risk management. As a nonprofit grows and succeeds, many different people need to make risk-informed decisions, sometimes every day. The risk takers in a growing, vibrant nonprofit fill auditoriums, not a small conference room. Which means an effective risk management program can’t be “owned” by a small group of staff who meet monthly. Critical questions the committee should visit on a regular basis include:
- Who else should be involved in our risk assessment and risk management work?
- Who needs training in this area but hasn’t received it?
- What points of view are missing on the committee, but are critical to being as risk aware and risk savvy as we aspire to be?
- How can we effectively communicate the “WHY” as well as the “WHAT” and “HOW” in our risk management program to every staff member and volunteer who needs to know?
- Are we hitting the mark with our meeting agendas and background material? Are pre- and post-meeting materials being shared on a timely basis?
Risk committees should be celebrated examples of mission-focused collaboration rather than punch-lines in office jokes about endless meetings and depressing topics. A high energy, well-run, and goal-orientated committee can set the tone and pace for other collaborative efforts in a nonprofit. The keys to success aren’t that hard to understand: avoid the traps that suffocate the best intentions, and embrace a reasonable plan and approach to emphasizing the great mission-advancing work to be done.
Melanie Herman is Executive Director at the Nonprofit Risk Management Center. She welcomes your feedback and questions about the topic of risk management committees at Melanie@nonprofitrisk.org or 703.777.3504.
Sample #1 — Risk Management Committee Agenda
15 minutes
Welcome and Introductions
We will begin by going around the table and introducing ourselves. Tell us what you’re looking forward to learning and contributing during your service on the Risk Management Committee.
15 minutes
Draft Committee Charter Review
What makes sense? What doesn’t? What changes do we want to propose?
30 minutes
Our Goals for This Year
We will continue by brainstorming mission-advancing goals for our Committee, for the year ahead. What projects and activities might we undertake to advance our shared vision of fortifying the risk management function? After blue-sky brainstorming, we’ll jointly agree on five or six specific goals or projects.
15 minutes
Committee Calendar
We’ll review our proposed calendar for the year, including meeting dates, times and locations. Do we need to make any adjustments? Next, we will review our goals and decide which topics and priorities will take center-stage at each of the meetings on our annual calendar.
15 minutes
Committee Norms
We will close by discussing meeting norms and preferences. Cell phones turned off? Meetings open to staff or volunteers who want to sit in and join our conversation? Rotating responsibility for follow-up, action-oriented notes and reminders?
Sample #2 — Risk Management Committee Agenda
15 minutes
Meeting Overview
Overview of meeting agenda and work product goals for our inaugural meeting, including reports to Board of Directors at its next meeting.
30 minutes
Risk Management Lessons and Insights
During this segment we will briefly review our recent risk management journey. We will then ask each member to share something about their hopes for the Committee, such as:
- What I hope to learn while serving on the Committee
- What I hope I’ ll be able to contribute while serving on the Committee
- How I’ ll know we have been successful or made a difference
30 minutes
Critical Risks Discussion
Our role and responsibilities will evolve as we work together, but it’ s important to acknowledge that we are NOT responsible for unearthing and documenting every possible action or event that could impair our mission, strategies and objectives. There is an expectation, however, that we will be talking about and learning as much as we can about critical risks. With that in mind, during this segment we will discuss top risks identified in last year’ s risk assessment.
- What have we learned from trying to better understand and manage these risks?
- What has changed?
- Have any of these risks been addressed effectively, such that they are no longer priorities?
30 minutes
Risk Accountability
How should we report and share our discussions, proposed actions and recommendations? What can we do to more effectively communicate with people throughout the nonprofit?
15 minutes
Action Steps and Assignments
During this wrap-up segment we will review what we discussed, decided and identified as action steps for the Committee. We will invite each member to identify how they propose to move one or more components of our agenda forward in the weeks ahead.