Archive for category risk management
By Leslie White on August 2, 2011
During the CommPartners’ Learning Socially: Associations at the Crossroads Seminar, Susan Robertson, CAE, executive vice president of ASAE and president of ASAE Foundation, mentioned a speech about risk by Barry C. Melancon, CPA, chief executive officer, American Institutes of CPAs. Association TRENDS selected Mr. Melancon as its 2011 Association Executive of the Year. According to Association TRENDS, Melancon said that “association executives ‘have an obligation to drive our individual associations forward,’ noting that this cannot happen without taking risks, finding an appropriate balance, and communicating effectively.” You can view his speech here (risk discussion begins around 16:00).
My heart warms when an association executive talks about risk, especially one who practices good risk management. Melancon shared his view that an association’s board and key volunteers need to be willing to take risks. The association leaders have to recognize that not every effort will be successful or get the results expected. When an association tries something new and gets unexpected results, it is not “failure” but rather an opportunity to learn and move forward.
Innovation and Risk
I’ve written about Innovation and Risk before: an association has to take risks to be creative but be smart about the risks it takes. Risk involves uncertainty; we don’t know the outcomes of our efforts. A lot of us are uncomfortable with uncertainty; we still hold the illusion of control. We don’t know if that new service, program or membership model will have the results we want (or expect). As Jamie Notter tweeted during the seminar
Jamie was talking about social media but the statement holds true for other activities. Some associations are still offering the same arguments against social media – what if someone says something bad about? An employee or member misbehaves? In my first guest post for SocialFish, The Hidden Risks of Social Media: It’s Not What You Think, I declared the greatest social media risk is not being an active participant. If you use social media you are aware of negative comments and can respond accordingly. Therefore,
The greatest threat to an association’s survival is to not take any risks; not trying something new or moving forward.
Or another way to say it is failure to take risks leads to failure. Albert Einstein defined insanity as doing the same thing over and over again expecting different results. If you don’t change what you are doing the results won’t change either. The downward spiral will continue until your association becomes completely obsolete and out of business.
Risk Management as Change Agent
So how do we get out of this insanity loop? How do we start taking some risks? A risk-averse association isn’t going to change simply by a board or CEO edict; this requires a cultural change. Change doesn’t come quickly to many people or associations, but the practice of risk management provides techniques to facilitate change and address people’s fears.
Risk management is about learning to deal with uncertainty: not knowing how people will receive a new initiative or when something bad may happen such as an auto accident, office fire, employee injury, or anything else that goes wrong. You first need to know how your management team and board feel about risk – their appetite for risk, tolerance for uncertainty. If they are risk averse, you have a bigger challenge to get them comfortable with risk and uncertainty.
Another way risk management is a change agent is by putting risks into perspective. Our first reaction to an idea is that it’s too risky, but after evaluating the potential outcomes we realize it is not so bad. The risk may be acceptable or can be mitigated effectively. A part of implementation is to set up the metrics to measure the impact of the change. Through the metrics you find out if the results are what you expected or if you need to change some aspect of the project.
Remember everything has its risks but each decision also has the possibility of reward. The new membership model, chapter re-organization, or volunteer management tools may be successful, even exceed expectations. But you won’t know until you do something. Push through the fear and inertia by managing risks. You’ll be amazed at the results.
Many consider risk management the language of “NO.” “No we cannot do X because it is too dangerous or risky.” But this decision is usually made too early in the risk management process before the organization has analyzed its risks to decide if they truly threaten your association. To be effective in managing risks you have to follow all the steps in the risk management process starting with (1) risk identification and (2) risk analysis and prioritization.
Identifying risks seems pretty easy: you just sit around and brainstorm everything that can go wrong with an idea. However, the brainstorming approach is limiting and less effective. People’s personal knowledge and worldviews restrict their ability to discern when a good idea is stopped or a more dangerous project goes forward.
Instead of just brainstorming possible negative outcomes you should be identifying all potential events (positive or negative) that affect the organization. To increase your chance for success use a more systematic identification method. The process starts with identifying the values exposed to loss (people, property, income, business operations). Then look at the possible events that can cause a loss. The cause or peril can be natural, human or economic coming from an internal or external source. There are risk checklists and other means of identifying risk available based upon your association’s needs and operations.
The second step of the risk management cycle is to analyze and prioritize the identified risks. Many overlook this step and make decisions based solely on their personal perception of the risk. Without analysis, risk becomes an emotional issue; we are considering the loss of something of value. Each person perceives risk differently (Read Risk and Fear: How Do You Perceive Risk?) and reacts based upon their beliefs. Human beings are not rational; we don’t always act in our own best “rational” interest but on our emotions. Many exposures, especially liability, generate fear that equates to risk for many folks. Fear affects your decisions, which may or may not be in the best interests of your organization.
Risk analysis offers a practical and rational approach to counter the emotional responses to risk. In this phase we decide how likely and often an identified event will occur, its potential “frequency.” If you live on the Atlantic or Gulf Coasts there is a higher probability of a hurricane than in the Midwest.
After assigning the level of frequency of an event, you have to rank the potential severity when it happens. Severity is usually evaluated in financial terms – how much it will cost – but can also consider non-financial factors such as reputational damage.
The process of assigning frequency and severity rankings helps people to recognize their fears and perceptions of risk. For example you may be a risk-taker in a group of risk-averse people so you need to acknowledge and address their concerns.
After analyzing the risks we can set our priorities for managing these risks. Not all risks are equal; some are more important than others. Through frequency and severity analysis you decide which risks need to be addressed first. Generally any risk with a high severity ranking has to be managed or avoided. An exposure with both high frequency and high severity should be first on your priority list. A low-frequency, low-severity risk can perhaps be ignored. By setting priorities, attention is focused on managing the most important risks, improving your chances for success.
Don’t just identify your risks. Without analysis and setting priorities you can’t be confident you will manage the right exposures and make the best decisions. Analysis enables a full understanding of the risk and the selection of the most appropriate management techniques. Anything less leads to bad decisions and possible harm to your association.
With apologies to my more liberal-minded friends . . .
Risk management is one of those nebulous terms that we all interpret personally. Some think it is a complex, time-consuming process that is only helpful to larger organizations. Others believe it is impractical and/or not worth the effort. You may think it’s valuable but have no idea how to apply its practices and principles to your daily operations. Finally a few have incorporated risk management into their organizational culture and use its concepts daily.
Risk management is simply what you do to prepare for the unexpected. No matter where you are on this continuum, risk management is a part of your daily life if you wear your seatbelt, lock your doors, use passwords or do other everyday tasks. You don’t know if any of these events are going to occur but you are prepared. The same principle applies to your association.
But how do you prepare for the unexpected – it’s unexpected? Donald Rumsfeld’s “Unknown unknowns” speech offers an explanation.
Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones.
Rumsfeld went on to say, “The absence of evidence is not evidence of absence, or vice versa.” He expanded on this in a speech at NATO Headquarters in June 2002:
There’s another way to phrase that and that is that the absence of evidence is not evidence of absence. It is basically saying the same thing in a different way. Simply because you do not have evidence that something exists does not mean that you have evidence that it doesn’t exist. And yet almost always, when we make our threat assessments, when we look at the world, we end up basing it on the first two pieces of that puzzle, rather than all three.
People minimize the need for risk management by the absence of evidence (nothing bad has happened yet). However that doesn’t mean it won’t happen (not evidence of absence). Your association may not yet have had a fire, an auto accident, a social media nightmare, a disruption to your annual meeting or the sudden loss of a key person but that doesn’t mean it can’t happen.
For associations, the “unknown unknowns” are a serious threat because you don’t plan for the unknown event. There will always be “unknown unknowns” as new risks arise, but other people are familiar with these unknowns. A formal or structured risk assessment can help you uncover some of the “unknown unknowns” and plan accordingly.
The foundation of a risk management program is a risk assessment (where you identify and analyze the risks). Through the process you decide if the risks are manageable or significant enough to change your plans. You may decide that your association is not ready to develop that new service until you gather the knowledge and resources needed to do it correctly.
Risk management is not only concerned about “unknown unknowns” but also the other two types of “knowns.” Among the “known knowns,” which ones have you addressed? Is your business continuity plan current? Have you assessed and managed the risks associated with volunteers, people driving their cars on your behalf, or employee theft? Employment-related incidents still plague associations, so what’s the condition of your employee handbook and supervisory training?
“Known unknowns” often cloud our decision-making. Social media terrified many associations because it was a big unknown. Some associations decided to identify, analyze and manage the risks while others just stayed away or prohibited their employees from participating. My assessment of social media risks determined it was manageable and the greatest business risk was to not participate in social media.
You can only be ready to respond to outcomes (good or bad) of a potential event if you have identified what could go wrong (or right) and what you are going to do to try to prevent or respond to the event. Jump in and explore both the “knowns” and “unknowns” to advance your association.
I love ah-ha moments when I learn something new or see things in a different light. I recently had such a moment while working on an insurance review (conduct an abbreviated risk assessment and evaluate the quality of the client’s insurance program). After doing this for over 10 years the thrill has faded, becoming a rather rote exercise. But last week while reading an insurance policy (I know, what a nerd) I found something I hadn’t recognized before. Unfortunately I can’t remember what caused my ah-ha but suddenly the insurance review project took on a new life for me. There still were things for me to discover and learn about insurance to help my clients.
An insurance policy is a puzzle I need to solve, to figure out what is or is not covered. However, the puzzle’s complexity keeps increasing. Prior to 1986, policies were rather straightforward but with “policy simplification” the size of policies increased exponentially. A package or portfolio policy might have been 50 pages or so but now I am reviewing a 232-page package with only property and general liability coverages (imagine if it also included business auto and crime). The client’s other policies range from 50 to 150 pages long. No wonder no one reads their insurance policies. Even if you did read it, would you understand it?
The insurance companies don’t even know what their policies cover or exclude. Too often anything other than a simple straightforward claim (e.g., auto physical damage) requires you and your insurance agent to argue with the claims adjuster about coverage. The rate of changes to policies has gone into hyper-drive so it is hard for the adjusters and underwriters to stay current. They are behind the curve as insurance companies (like many organizations) dramatically cut their training dollars.
So what does this mean to you? Insurance policies are complex so you have to depend upon your insurance agent, broker or consultant for advice. But don’t be a passive partner in this insurance relationship; you need to know what you are buying and why. Take the time to meet with your insurance professional and review the operations, programs and services of your association or nonprofit. The agent can’t recommend a coverage if she doesn’t know about a new program, so keep her in the information loop when developing new initiatives. I know you are busy but insurance is the backbone of your risk management program – your association’s survival may depend upon it. So talk to your insurance professional every once in a while and not just at renewal time. It will be good for both of you.
I recently attended a risk management seminar for sports and recreation facilities, businesses with a high potential for big liability losses. The tone of the seminar bothered me. The speakers were a loss control professional, two defense attorneys and a representative of the trade association hosting the event. The attendees were well aware of the risky nature of their operations but only one or two were professional risk managers so they had to depend upon the information presented.
The disturbing message I heard was that a facility needs lots of policies and procedures but shouldn’t write them down. The speaker, while discussing the need for a policy for handling children using the facilities, said to have a policy and make sure all employees know it, but don’t write it down. What? How do you run a business, association or nonprofit without having written policies and procedures, especially on children? How will your employees and volunteers know how to do their jobs?
The theory behind this “no written policy” belief is that if your policy says that employees must do X you have created a standard or duty of care. If the employee didn’t do X and someone got hurt the organization has breached its duty and may be liable. BUT if you don’t have a policy then you don’t have a duty to perform (not true). Consequently without a standard you can’t breach it and without a breach of duty you can’t be liable. Interesting theory but it’s not practical in the real world.
Policies are a double-edged sword. Your policy may create a standard of care which exceeds the basic requirements and put you at risk. However whether you have a policy or not society has its own opinion on the expected duty of care. Your behavior during a loss will be examined on the legal concept of the “reasonable or prudent person.” Under the prudent person rule the court will judge your behavior against the conduct of a hypothetical prudent person with similar background and experience under similar circumstances. So the legal system will get you either way. In the extreme, a court could rule that it was negligent to not have a policy for handling certain types of situations especially if similar organizations have established policies to address the issue. For example, the public expects organizations serving children to have a staff screening program. If your organization doesn’t have a screening program, your defense is a lot harder since the plaintiff’s attorney will argue a prudent organization would have such a program. Aside from the legal aspects, don’t you want to protect children from predators?
The issue isn’t whether or not you should have written policies, procedures and guidelines (you should) but that these documents need to be written properly. You don’t want your policies to exceed but rather meet the prudent person standard. Once you decide the need for a policy, it should:
- Support your organizational culture and values so the information is somewhat intuitive.
- Be practical and enforceable (and you enforce it).
- Be flexible so you have some discretion in interpreting the policy and the proper discipline.
- Be consistent throughout the organization.
Once you have written the policy you need to design a training and education program to make sure all personnel know and understand the policy. It is really bad to have a policy that no one follows – plaintiffs’ attorneys love that since you just made it easier for them to win.
So my risk management advice is to have well-written policies and monitor their usefulness and enforcement. Don’t be afraid to change or drop a policy that isn’t working. Your employees, volunteers, members, customers, clients and service recipients will benefit from your efforts.
Innovation requires risk taking. Taking risks requires informed, fact-based decision-making.
This is my favorite risk management quote. I don’t know the author but credit my friend David Mair for sharing it. People are always talking about innovation and association leaders are striving to design the association of the future. I’m not creative enough to answer that question but I do have some thoughts on the innovation process.
The problem with innovation is you don’t know the outcome until you try something. Your results will fall somewhere between total failure and complete success. Although we talk about the need for failure (fail fast, fail often) no one likes to fail particularly when your boss or board are watching. However as Sir Winston Churchill said, “Success is the ability to go from failure to failure without losing your enthusiasm.” We need to try many things to figure out what works best.
It is risky to be innovative, to change things up but using risk management techniques may make these risks, well, manageable. Risk management is a way to deal with uncertainty – the possibility that a future event will affect the organization. The event’s effect can be positive, negative or neutral. The risk may be a show stopper or can be easily managed to make the new idea successful. The dilemma is knowing how to tell the difference; to decide which risks are manageable. Many people think risk management is the school of “no” but it can make an idea even better. How? During the planning and design process if you assess the risks you can take steps to improve your chances for success. Unfortunately, most people don’t analyze and manage the risks early enough in the process.
Several years ago while helping a client decide whether to develop a captive insurance program, some senior managers shared a new initiative. The new program was a radical departure from their normal operations and a stretch for their mission. They were going to collect and sort used clothing to sell to another party (no retail sites). The idea was close to implementation before anyone thought to identify and evaluate the risks associated with this new venture. I offered a short list of the risks I saw and the insurance implications (encouraging them to talk to their insurance agent). During our brief discussion the client recognized the need for a risk assessment. I thought the idea was a little crazy (too far from their mission) but the risks were manageable with the right resources committed to the project. I wasn’t involved in any further discussions of this initiative but the organization never pursued it. I like to think my little intervention helped improve their decision-making.
Since innovation is all about risk taking:
- How do you decide which risks to take?
- What is the risk appetite of your association?
- How much risk will your senior management and/or board tolerate?
- Do your risk tolerance and appetite vary by program/service/department?
- Have you ever asked these questions?
Establishing a risk management policy or strategy is a great place to start as you tackle innovation within your association. Let me know how you do with this task.
In addition to being a risk management consultant extraordinaire, I am a passionate skier who also teaches people with disabilities how to ski. So it’s important to me for people with disabilities to have the opportunity to take part in snowsports and other aspects of daily life. I get annoyed when businesses (associations, stores, restaurants, movie theatres and ski resorts) are not accessible to people with disabilities. I experienced this frustration in December when I co-presented a session on mainstreaming children with special needs into traditional snowsports lessons. The audience included snowsports schools’ directors, managers, staff trainers and program directors of adaptive programs.
The workshop began with what we thought would be a brief overview of the Individuals with Disabilities Education Act (IDEA) and the Americans with Disabilities Act (ADA). However, we spent 2 hours explaining how the ADA applies to snowsports schools (click here for information on public accommodation requirements). Most people know the ADA as a civil rights, employment anti-discrimination law, not as it applies to accessibility.
Maybe I shouldn’t have been surprised that almost 18 years after the Department of Justice issued its regulations (January 1992) many people still don’t know or understand the public accommodation requirements of the ADA. After all, it took over 20 years after the 1954 Brown v Board of Education of Topeka decision for public schools to be desegregated. Stereotypes take a very long time to change.
Naturally I have to look at this non-compliance issue from a risk management perspective. First I recognize that very few associations or businesses have formal risk management programs with goals, objectives and policy statements. Therefore employees and key volunteers only occasionally consider the risk implications of their decisions and usually as an excuse to not do something (too risky). However my business mission is to get associations to consider risk when making both strategic and operational decisions so I am using this as a teachable moment.
A risk assessment of the ADA and similar state laws could lead an organization to decide it is acceptable to be non-compliant. The possibility of a public accommodation discrimination complaint being filed against you is probably remote and a chance you may be willing to take. Further, some ski area staff (and other organizations) justify their non-compliance by the “safety” exception that people with disabilities participating in snowsports or other activities present an unacceptable danger to themselves and others. However the cost to defend against a discrimination complaint can be expensive. Disability attorneys, depositions, meetings, and potential public relations issues are costly. Your association may also be subject to fines such as $55,000 for the first ADA violation. Finally, if you lose, the government (federal, state or local) will require immediate, strict accommodation compliance including staff disability training which will be more expensive than implementing the proper programs and services now.
From an economic perspective, non-compliance may be a valid business decision but short-sighted. There are non-economic reasons to consider such as being legal and more importantly doing the right thing. Even without a formal risk management program your association has corporate goals and values which hopefully include valuing your members. Your association no doubt has people with disabilities as members, employees of member companies and perhaps some of your employees. Have you thought about how accessible your office, web site, meetings, benefits and other events are to people with disabilities? Providing access often involves additional costs – deaf interpreters, lift buses, materials printed in Braille or large print, and closed captioning. However, many accommodations cost nothing but a little extra effort – wider aisles, wheelchair seating (other than in the back of the room), help at a buffet for people who use a wheelchair, are visually impaired, or use crutches or other assistive devices, ensuring the restaurant or facility is accessible (a lot still aren’t) and simple paper and pencil to ease communication.
Most temporarily able-bodied people (known as TABS, since we are only one accident or illness away from a disability) just don’t think about accessibility. Even as an adaptive instructor I don’t always think about it. While traveling with a friend who uses a wheelchair, at his suggestion I had to call restaurants and other public places to make sure they were accessible. Accessibility is an issue of personal dignity and common decency for people with disabilities – not just a legal requirement.
So I’ll get off my soapbox but ask you to think about the ways your association provides accommodations to people with disabilities. There are many disability discrimination laws in addition to the ADA with which you need to be in compliance, but regardless of the legal issues I urge you to find the barriers your association has to full participation by people with disabilities. It is in your best interest to make sure your association is “disability friendly.” Make the accommodations because it is the right thing to do, not just to avoid fines and defense costs. It is good risk management and best business practices.