Lynda S. Ramirez-Blust
Without a process in place, managing risks can be as confusing as navigating through a maze. Such a process often becomes a priority only when an association faces damage to its reputation or financial well-being. Yet the rewards of having an ongoing and sustainable risk management plan are well worth the time and effort. Consider taking the following five actions:
1. Define the association risk management objective. Your board and executive management team have to agree on what is to be accomplished by managing risk. Is the goal to prevent injury to the organization, its employees, themselves? Is it about taking calculated risks to remain innovative and entrepreneurial in meeting the organizational mission? Maybe it’s a combination of both or something completely different. By having open conversations, you define the risk tolerance of the organization’s leaders—critical to ensuring that your risk management policies, processes, and procedures will meet the organization’s needs.
2. Identify your risks. Sounds simple, I know. But you can create an endless list of risks to be managed—and find yourself practicing list management instead of risk management. When identifying your risks, take a top-down, organizationwide perspective, and focus on the things external and internal to the association that will prevent you from achieving your strategic objectives. This process requires input from your board and executive management team, but it is invaluable to getting everyone speaking the same language.
3. Agree that buying insurance is not a comprehensive risk management strategy. While insurance can be an effective response to certain common risks to your organization, such as those involving its employees, directors, event participants, and so forth, it is only one of many approaches to mitigating risks. For many insurance policies to be in effect, other risk management responses must be in place, such as policy statements, training, and background checks.
4. Create a risk map. A risk map is a grid consisting of four quadrants derived from the impact and likelihood of risk occurrence, with high impact/high likelihood in the upper-right quadrant and low impact/low likelihood in the lower-left quadrant. The other two are the combinations of high/low that create the “grey” area. Once you have your risks identified, assign them to a quadrant as appropriate and agree that the upper right gets immediate attention, the lower left gets minimal attention, and the risks in the middle get prioritized based on organizational capacity and strategic objectives.
5. Do a deep dive on the upper-right quadrant. Now that you have identified the vital few, evaluate what the organization is doing to reduce the likelihood or impact of these risks. What policies are in place? How are you enforcing the policies? How will you know if the risk is becoming reality?