Show Notes

Un-risky Business

In this episode of the Service Game podcast, host Julie Krieger explores the critical topic of risk management for not-for-profit associations. Julie, with her extensive experience in helping associations grow, discusses the importance of good governance and fiduciary responsibility, emphasizing that risk management should not be just a compliance exercise. She introduces a straightforward, three-part risk management plan comprising a risk appetite statement, a risk matrix, and a risk register. Julie provides practical tips and examples, illustrating how different organizations might adopt varying levels of risk tolerance based on their unique missions. She underscores the importance of deep thinking, collaboration, and continuous monitoring in effective risk management. Listeners are encouraged to download a risk management plan kit from the Ensemble website for further guidance.

00:00 Introduction to the Service Game Podcast

01:03 Understanding Risk Management

04:11 Components of a Risk Management Plan

05:03 Risk Appetite Statement

07:17 Risk Matrix Explained

08:54 Creating a Risk Register

11:58 Importance of Risk Management

13:30 Resources and Support

14:37 Conclusion and Call to Action

Links:

www.onsomble.com.au

Show transcript

Welcome to the Service Game podcast. Brought to you by Onsomble. I'm your host, Julie Krieger. For the past 14 years, I've been helping associations to grow and thrive, establishing systems, writing policies and procedures, implementing membership and sponsorship. Strategies, setting up operations, undertaking complete governance, restructures, developing strategies, and advising CEOs, presidents, and boards.

I am driven to support the hardworking people who give their time, heart and soul in the service of their members and in the pursuit of the greater good. Join me as we delve deep into this innovative, creative, values-based and mission-driven thing. I call the service game. Let's get going with today's episode. 

Hello, hello, and welcome to [00:01:00] today's episode of the Service Game Podcast.

Today we're talking about risk management. One of those aspects of running a not-for-profit association that is essential, but often something that people avoid or ignore, but it is a critical element of managing your association. With a very focused eye on good governance. to do some really deep thinking. So we're gonna jump into that today and give you some really practical, easy to follow tips for how you can set up a great risk management plan for your not-for-profit. 

It is easy to put risk management down to being a compliance issue, or in other words, a bit of a box ticking exercise. But without a genuine desire and effort to do the thinking and then take practical steps to identify and manage the risks that you might face, you are [00:02:00] missing the point. We have spoken previously about fiduciary responsibility and risk management is absolutely A part of that. Okay. And fiduciary responsibility, as we know, is about putting the interests of your organisation first, before your personal interests, before your other business interests, and when we talk about risk, we're essentially talking about all the things that could go wrong for your not-for-profit. It is absolutely one of the key elements of good governance, and it is worth taking some time to do the thinking, the heavy thinking, if you like upfront,

that will help to protect your organisation, protect those who are responsible, and of course, offer the best that you can possibly offer to your members. So who is involved in risk management? Well, ultimately the risk buck stops with the board. The board is [00:03:00] responsible, but a lot of the work around your risk management plan might be done by your finance and risk committee.

For example, if you have one or by a subcommittee of your board, and it might also be done in conjunction with and with the support of your management. So whether you've got an executive officer, A CEO, or a whole team of people in that executive management space, it definitely can be informed by a broader group of people.

But the ultimate sign off and the ultimate responsibility is with the board.

When it comes to real time risk management, beyond the establishment of the written plan and the policies and the systems. It becomes every person's role to support effective risk management. So that's your management, that's your paid team, that's your volunteers. It's obviously your board. It's everybody that's involved in working in your [00:04:00] organisation or on your organisation for the service of your members.

Everyone has to take responsibility for actually managing. Risks in real time. But today we're really focusing on the risk management plan. And the risk management plan is the key to managing risk. I've seen risk management plans that are very long and very complex. But as part of our mission to make your job of running your not-for-profit association easy, we opt for a very straightforward approach. We've developed a simple three part risk management plan. And incidentally, you can download that from our website, which [email protected] au slash resources.

You can find that risk management plan kit in that set of resources that will help you run your association with ease. And the plan, as I've said, consists of three key [00:05:00] elements.  

The first is your risk appetite statement. Now, this is a document which outlines the organisation's approach to the various types of risk that it might face.

It identifies those potential types or categories of risk. It maybe gives an example or two of what that might look like. It states the organisation's tolerance level. And gives a brief reason for that rating. And when I talk about tolerance I'm literally meaning a zero tolerance through to say a mild, moderate, or high tolerance level for any particular area of risk.

And we'll come to some examples shortly. This document, this risk appetite statement. Sets the scene and paints a really clear picture of what's critical in your business. It's almost a bit of a cultural statement for your organisation, but also one that very [00:06:00] much should be informed by your mission, your vision, your values, and your aims in relation to what it is you're going to be doing and what it is you do for your membership.

What's important to them informs this document. Very deeply. So as an example, a tech-based association might place high value on innovation and that broad thinking mindset. Therefore, they might have a high tolerance for risk associated with trying new systems or adopting new technology. For example, the use of AI in its day-to-day operations.

Whereas a medical society, for example, might place greater importance on the privacy of their members' data And it therefore might take a very conservative approach to using AI or new technology. They might therefore have a zero tolerance or a low tolerance to tech-based risk, whereas the society that's [00:07:00] serving a tech or innovation-based membership base is probably going to have a moderate or high tolerance for those sorts of risks.

So that's risk appetite statement. The next item in this three part kit. Is a risk matrix, and that is a graphic which enables classification of risk based on two things. Firstly, its likelihood to occur and secondly, its potential impact on your organisation should it occur. It's laid out as a graph with these two elements on the X and Y AEs, and then gradings across the space of the graph.

So for example. Something that's unlikely to occur, and that would cause minimal impact if it did, would be, for example, A one A on the graph. It would be done in that bottom left hand corner of risk. So it's [00:08:00] really, it's not a huge issue should that occur, and it's actually pretty unlikely to occur in any case.

Whereas something that is highly likely to occur and which would be catastrophic, should, it might be at the opposite end In that top right, it would be in that top right corner of the matrix, and you might classify that as a four D, for example, and you can apply your own scaling to these. The scaling is.

There is a reference point and a quick way to see what that risk means to your organisation when you come to the next part, which we'll get to in a second. So this particular element of the kit, this risk matrix, is a document that remains pretty static and it is the third and final part of this overall three-part plan, which.

Gives the matrix meaning in the context of your individual business. And so that third part is the risk register. This [00:09:00] is a table which lists the specific risks your organisation could potentially face. So this is really personal to your organisation. Now the table will group risk into areas such as, for example, security risk or reputational risk or financial risk.

And there are lots of very common risk areas, that most risk management plans will identify, but the risks that sit then within each of those areas will be specific to your organisation or more specific. Anyway. So then within each of those areas, you will list any and all risks that you can possibly identify for your organisation working across the table to outline things like what that risk is.

Which classification in your risk matrix applies to that risk? You know, the one A or the four D [00:10:00] or somewhere in between. Is it likely to occur or how likely is it to occur and what would its impact be if it did, and give it that coded grading, if you like, that at a glance allows you, your board, your risk committee to be able to identify quickly.

Those risks that are most critical for you to pay attention to. It will also then in this risk register outline who's responsible for managing each area of risk, the potential impacts that might occur, should that risk eventuate. So actual detail, flesh on the bone, if you like, around. If this risk came to fruition, if something terrible happened in this regard, these are the sorts of impacts that would actually happen within our organisation or for our members, or for our board, or for whoever the stakeholders are.

The table. The risk register [00:11:00] table might actually even identify the specific groups of people within your organisation who would be impacted. And importantly, it will also outline how you might respond in the event that, that occurs. So the potential impact should it eventuate how you might respond in that event.

So that's your risk register, and that really is the bit where the deep thinking needs to occur and the consultation will occur as well. This is the bit that takes some deep thought and some deep work and some time to understand well,

and it's in doing this piece of the work that you'll gain the biggest. Real tangible value. This is a bit where it ceases to be just a box ticking compliance based exercise and actually a tool that will help you implement good governance practice and protect your stakeholders, whoever they may be.   

Why [00:12:00] undertake. Risk management practice. Why implement a risk management plan? Well, the process of creating your risk management plan forces that deep thought about your organisation, your systems, the policies that you have or that you don't have and need, and the people that are impacted in doing that deep thinking and creating your plan, you understand your business better.

And can minimise the likelihood of any nasty surprises. Also, your members expect it. It's their money that you are dealing with and you exist to serve them. You as an organisation exist to serve them. You owe them an obligation to take care and to serve them well and. Managing risk has to be part of that process.

Further, [00:13:00] directors are responsible under law. If the proverbial hits a fan, your directors are liable showing that the work has been done to create, to monitor and to implement ongoing review of a risk management plan is in itself a risk mitigation measure. It is simply good governance and it is irresponsible not to do it.   

If you want to jumpstart the process, you can download our risk management plan kit. As I mentioned before, you can go to our website, which is at onsomble O-N-S-O-M-B-L e.com au. And you can jump straight into our resources area with a forward slash resources at the end of the website address. And in there you will find amongst other great resource kits our risk management plan [00:14:00] kit if you then want some personalised help.

To develop the detail in the plan that's relevant and specific to your organisation. We also offer that as a service. You can find more information on that again at our website, And it would be our pleasure to help you to set this up well for your organisation so that we take the hard work out of it upfront.

Make it easy for you to manage risk in a way that protects your stakeholders and gives your members some certainty that they are in good, safe, stable hands.

Thanks for listening in today. I hope you've found this information about risk management useful. I would love to hear from you. If there's anything you'd like me to cover on a future episode of the service game.

And any topics in particular that we can bring to you that will help to make your job of running your not-for-profit association [00:15:00] easy. Until next time.

Thanks for listening to the Service Game podcast by onsomble. If you enjoyed this episode, please like and subscribe and write us a quick review. It helps us to reach more people, and we really appreciate your support. To access our downloadable resources and tailored support options designed for nfps, head to onsomble.com au.

Or look us up on social media. You'll find all our links in the show notes for this episode. Chat next time.