Many NFP boards need to be doing more to formally manage risk, not just so it can be mitigated, but also so that appropriate risks can be taken, the 2017 NFP Governance and Performance Study found.
There is a widely-held view that the NFP sector is more risk-averse than the for-profit sector. The perception is that NFPs lag in terms of innovation because they are more conservative in their approach, less open to new ideas and, as a result, less likely to experiment.
The 2017 Governance and Performance Study found the issue is considerably more complex. Many NFPs operate in high-risk environments, such as those providing services to vulnerable people, administering complex healthcare systems or working within heavily regulated contexts. Factors such as these can significantly influence the risk-taking attitudes of NFPs and their directors.
Others are faced with intractable problems and have no choice but to take risks in pursuit of achieving their missions.
Setting and overseeing the risk policy of an organisation is among the fundamental responsibilities of a board. Boards must make sure there is appropriate risk oversight to identify, mitigate and respond to risks if they materialise.
Risk is inherent in operating an organisation, and being unwilling to take appropriate risk may limit an organisation’s capacity to achieve its mission.
For many NFPs their ability to achieve their purpose relies upon them showing they have appropriate risk management controls, systems and processes in place. For example, some NFPs may be required to achieve certain standards in risk management to be accredited for the delivery of certain services.
There may also be legal, financial and compliance obligations that require NFPs to approach risk management in a certain way.
NFPs are involved in an incredibly diverse variety of work, from sporting clubs to hospitals, religious congregations to theatre companies – there are few parts of our community in which the sector is not involved. Accordingly, the types of risk faced by NFPs and their approach to managing these risks varies significantly.
To gauge the level of risk NFPs are taking, the survey for the study asked directors to place their organisation on a risk spectrum from zero to ten, with zero being absolutely intolerant of any risk and ten being willing to take on maximum risk.
Around half of the directors (49 per cent) placed their NFPs around the middle values (between 4 and 6), while just over a quarter (28 per cent) of directors considered their organisation as risk-averse (3 or lower) and just under a quarter (23 per cent) saw their organisations as risk-willing (7 or above).
The focus groups painted a similar picture with many directors frustrated by the idea that NFPs take on lower levels of risk than their for-profit counterparts. “To provide the services we do in the places we do involves risk that many companies would never dream of,” one director said.
At the same time, there were directors who said their organisations were very hesitant to take risks. “With a board chair that changes every two years, and a regular two yearly turnover of directors, there is a constant fear of ‘not on my watch’,” said another.
Could do better
Although many NFP directors (48%) reported that risk is defined and overseen by the board, there are a large number that are not taking a formal and systematic approach to managing risk.
Half of directors said their NFP had no formal risk management statement, while 36 per cent said there was only some formal risk management oversight at board level relating to discrete risk factors, such as work health and safety. A further 11 per cent of directors said their NFPs had only informal risk management processes, or no risk management processes at all.
“Significant financial risk has been taken but is being well managed. Other risks are less significant but are not well identified or managed,” said one director in the focus groups. As would be expected, larger organisations tend to have a more sophisticated approach to risk management. Seventy-one per cent of directors of organisations with over $50m in annual revenue said that risk is defined and overseen by the board and they have a fully-developed risk management process, compared to only 36 per cent with less than $5m in revenue.
It appears that work needs to be done across the sector to help smaller organisations and their boards define, identify and mitigate risk. “I think we struggle to define risk effectively to guide management,” commented one director of a small NFP.
Directors of larger organisations, particularly those working in complex operational environments, described sophisticated risk management policies, including formal risk appetite statements, expansive risk management frameworks, as well as highly-developed strategies for mitigation.
“We identify risks and monitor compliance through a risk committee that meets around every five weeks. A risk management matrix is used and reported to the board,” said one director.
Unsurprisingly, the survey found that formal risk management processes are correlated with higher levels of risk taking at NFPs. This could be because organisations that take higher levels of risk also need to develop more sophisticated risk management practices, or it could be that formal risk management practices embolden directors to accept greater risks.
Either way, boards implementing more thorough and systematic risk management statements can only be beneficial for the sector, either allowing organisations to move to a more appropriate level of risk, or to more effectively manage the risks inherent in everyday operation.
To read more from this year's NFP Governance and Performance Study, click here.
Already a member?
Login to view this content