Archive for category risk

Risk Management as Change Agent: Adopting a Culture of Risk

By Leslie White on August 2, 2011

During the CommPartners’ Learning Socially: Associations at the Crossroads Seminar, Susan Robertson, CAE executive vice president of ASAE and president of ASAE Foundation, mentioned a speech by Barry C. Melancon, CPA, chief executive officer, American Institutes of CPAs about risk. Association TRENDS selected Mr. Melancon, as its 2011 Association Executive of the Year. According to Association TRENDS Melancon said that “association executives ‘have an obligation to drive our individual associations forward,’ noting that this cannot happen without taking risks, finding an appropriate balance, and communicating effectively.” You can view his speech here (risk discussion begins around 16:00).

My heart warms when an association executive talks about risk especially one that practices good risk management. Melancon shared his view that an association’s board and key volunteers need to be willing to take risks. The association leaders have to recognize that not every effort will be successful or get the results expected. When an association tries something new and gets unexpected results it is not “failure” but rather an opportunity to learn and move forward.

Innovation and Risk
I’ve written about Innovation and Risk before that an association has to take risks to be creative but be smart about the risks it takes. Risk involves uncertainty; we don’t know the outcomes of our efforts. A lot of us are uncomfortable with uncertainty we still hold the illusion of control. We don’t know if that new service, program, membership model will have the results we want (or expect)? As Jamie Notter tweeted during the seminar

Jamie was talking about social media but the statement holds true for other activities. Some associations are still offering the same arguments against social media – what if someone says something bad about? An employee or member misbehaves? In my first guest post for SocialFish, The Hidden Risks of Social Media: It’s Not What You Think, I declared the greatest social media risk is not being an active participant. If you use social media you are aware negative comments and can respond accordingly. Therefore,
The greatest threat to an association’s survival is to not take any risks; not trying something new or moving forward.

Or another way to say it is failure to take risks leads to failure. Albert Einstein defined insanity as doing the same thing over and over again expecting different results. If you don’t change what you are doing the results won’t change either. The downward spiral will continue until your association becomes completely obsolete and out of business.

Risk Management as Change Agent
So how do we get out of this insanity loop? How do we start taking some risks? A risk averse association isn’t going to change simply by a board or CEO edict; this requires a cultural change. Change doesn’t come quickly to many people or associations but the practice of risk management provides techniques to facilitate change and address people’s fears.

Risk management is about learning to deal with uncertainty; not knowing how people will receive a new initiative or when something bad may happen such as an auto accident, office fire, employee injury, or anything else that goes wrong. You first need to know how your management team and board feel about risk – their appetite for risk, tolerance for uncertainty. If risk averse, you have a bigger challenge to get them comfortable with risk and uncertainty.

Photo: Renaissancechambara

Another way risk management is a change agent is by putting risks into perspective. Our first reaction to an idea is its too risky but after evaluating the potential outcomes we realize it is not so bad. The risk may be acceptable or can be mitigated effectively. A part of implementation is to set up the metrics to measure the impact of the change. Through the metrics you find if the results are what you expected or if you need to change some aspect of the project.

Remember everything has its risks but each decision also has the possibility of reward. The new membership model, chapter re-organization, or volunteer management tools may be successful, even exceed expectations. But you won’t know until you do something. Push through the fear and inertia by managing risks. You’ll be amazed at the results.


Leave a comment

Analyze This!

Many consider risk management the language of “NO.” “No we cannot do X because it is too dangerous or risky.” But this decision is usually made too early in the risk management process before the organization has analyzed its risks to decide if they truly threaten your association. To be effective in managing risks you have to follow all the steps in the risk management process starting with (1) risk identification and (2) risk analysis and prioritization.

Risk Identification
Identifying risks seems pretty easy where you just sit around and brainstorm everything that can go wrong with an idea. However the brainstorming approach is limiting and less effective. People’s personal knowledge and worldviews restrict their ability to discern when a good idea is stopped or a more dangerous project goes forward.

Instead of just brainstorming possible negative outcomes you should be identifying all potential events (positive or negative) that affect the organization. To increase your chance for success use a more systematic identification method. The process starts with identifying the values exposed to loss (people, property, income, business operations). Then look at the possible events that can cause a loss. The cause or peril can be natural, human or economic coming from an internal or external source. There are risk checklists and other means of identifying risk available based upon your association’s needs and operations.

Risk Analysis
The second step of the risk management cycle is to analyze and prioritize the identified risks. Many overlook this step and make decisions based solely on their personal perception of the risk. Without analysis, risk becomes an emotional issue; we are considering the loss of something of value. Each person perceives risk differently (Read Risk and Fear: How Do You Perceive Risk?) and reacts based upon their beliefs. Human beings are not rational; we don’t always act in our own best “rational” interest but our emotions. Many exposures especially liability generate fear that equates to risk for many folks. Fear affects your decisions that may or may not be in the best interests of your organization.

Risk analysis offers a practical and rational approach to counter the emotional responses to risk. In this phase we decide how likely and often an identified event will occur, its potential “frequency.” If you live on the Atlantic or Gulf Coasts there is a higher probability of a hurricane than in the Midwest.

After assigning the level of frequency of an event, you have to rank the potential severity when it happens. Severity is usually evaluated in financial terms – how much it will cost – but can also consider non-financial factors such as reputational damage.
The process of assigning frequency and severity rankings helps people to recognize their fears and perceptions of risk. For example you may be a risk-taker in a group of risk-averse people so you need to acknowledge and address their concerns.

After analyzing the risks we can set our priorities for managing these risks. Not all risks are equal some are more important than others. Through frequency and severity analysis you decide which risks need to be addressed first. Generally any risk with a high severity ranking has to be managed or avoided. An exposure with both high frequency and high severity should be first on your priority list. A low-frequency – low severity risk can perhaps be ignored. By setting priorities attention is focused on managing the most important risks improving your chances for success.

Don’t just identify your risks. Without analysis and setting priorities you can’t be confident you will manage the right exposures and make the best decisions. Analysis enables a full understanding of the risk and selecting the most proper management techniques. Anything less leads to bad decisions and possible harm to your association.


Knowns and Unknowns – The Core of Risk Management

With apologies to my more liberal-minded friends . . .

Risk management is one of those nebulous terms that we all interpret personally. Some think it is a complex, time-consuming process that is only helpful to larger organizations. Others believe it is impractical and/or not worth the effort. You may think it’s valuable but have no idea how to apply its practices and principles to your daily operations. Finally a few have incorporated risk management into their organizational culture and use its concepts daily.

Risk management is simply what you do to prepare for the unexpected. No matter where you are on this continuum, risk management is a part of your daily life if you wear your seatbelt, lock your doors, use passwords or do other everyday tasks. You don’t know if you any of these events are going to occur but you are prepared. The same principle applies to your association.

But how do you prepare for the unexpected – it’s unexpected? Donald Rumsfeld’s “Unknown unknowns” speech offers an explanation.

Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones.

Rumsfeld went on to say, “The absence of evidence is not evidence of absence, or vice versa.” He expanded on this in a speech at NATO Headquarters in June 2002:

There’s another way to phrase that and that is that the absence of evidence is not evidence of absence. It is basically saying the same thing in a different way. Simply because you do not have evidence that something exists does not mean that you have evidence that it doesn’t exist. And yet almost always, when we make our threat assessments, when we look at the world, we end up basing it on the first two pieces of that puzzle, rather than all three.

People minimize the need for risk management by the absence of evidence (nothing bad has happened yet). However that doesn’t mean it won’t happen (not evidence of absence). Your association may not yet have had a fire, an auto accident, a social media nightmare, a disruption to your annual meeting or the sudden loss of a key person but that doesn’t mean it can’t happen.

For associations, the “unknown unknowns” are a serious threat because you don’t plan for the unknown event. There will always be “unknown unknowns,” new risks arise, but other people are familiar with these unknowns. A formal or structured risk assessment can help you uncover some of the “unknown unknowns” and plan accordingly.

The foundation of a risk management program is a risk assessment (where you identify and analyze the risks). Through the process you decide if the risks are manageable or significant enough to change your plans. You may decide that your association is not ready to develop that new service until you gather the knowledge and resources needed to do it correctly.

Risk management is not only concerned about “unknown unknowns” but also the other two types of “knowns.” Among the “known knowns” which ones have you addressed? Is your business continuity plan current? Have you assessed and managed the risks associated with volunteers, people driving their cars on your behalf, or employee theft? Employment-related incidents still plaque associations, so what’s the condition of your employee handbook and supervisory training?

“Known unknowns” often cloud our decision-making. Social media terrified many associations because it was a big unknown. Some associations decided to identify, analyze and manage the risks while others just stayed away or prohibited its employees from participating. My assessment of social media risks determined it was manageable and the greatest business risk was to not participate in social media.

You can only be ready to respond to outcomes (good or bad) of a potential event if you have identified what could go wrong (or right) and what you are going to do to try to prevent or respond to the event. Jump in and explore both the “knowns” and “unknowns” to advance your association.

1 Comment

Who’s In? Association Volunteer Management

April 11th is National Volunteer Week and Peggy Hoffman’s post, Someone Tell Associations it is National Volunteer Week, got me thinking. She highlighted the differences between community-serving organizations’ and associations’ view of volunteers. Most community-serving organizations (nonprofits) are celebrating the week with activities and recognition of their volunteers while only a few associations are acknowledging it. Since Peggy wrote her post, ASAE issued a thank you as a part of the annual call for volunteers (you’re welcome). Also the weekly Twitter “Association Chat” (#assnchat) focused on association volunteer management this week.

My risk management consulting career began working almost exclusively with nonprofit organizations. While at the Nonprofit Risk Management Center (an organization that provides risk management assistance and resources for community-serving nonprofit organizations), I spent a lot of time addressing volunteer risk management issues and solutions. I wrote articles and books, helped develop online training programs, presented workshops and training and provided technical assistance to nonprofits of all sizes.

Nonprofits view volunteer management as a profession. Volunteer managers have created international, national and local associations and at least one certification program (Council of Certification in Volunteer Administration). Because volunteerism is so important in the United States, quasi-governmental organizations and other private-public partnership such as Corporation for National and Community Services (CNCS) and Points of Light Institute were created to improve volunteer management. Through CNCS, every state has a council on volunteerism and many communities have volunteer centers that are a clearinghouse to match people with volunteer opportunities.

Formal nonprofit volunteer management grew out of concern for the safety and well-being of both service recipients and volunteers (I see everything through the prism of risk). There are risks associated with using volunteers (and program employees) that are not a consideration for associations. Nonprofit volunteers provide direct services to clients and participants who are vulnerable (youth, elderly, victims of violence, have disabilities, or sick) and need to be protected. Volunteers also have to be safe from harm by the clients or the nature of their service (construction, conservation, clean-ups). Volunteer selection (especially screening), training and supervision is key to a nonprofit’s success since having the wrong person in a position can have awful consequences. Association volunteers don’t face the same risks so the need for volunteer management is not being driven by risk management considerations.

Associations need volunteers to prosper and achieve their mission but few have a dedicated volunteer manager. Each department that uses volunteers is responsible for its own volunteers.  Often these people have little training or experience in managing volunteers so the volunteer experience can vary greatly within an association depending upon the staff liaison.

One exception is the component or chapter relations professionals (CRPs). CRPs are responsible for managing chapter leaders most of who are volunteers. However CRPs are also accountable for how chapters operate and perform. The dual function of a component relations person’s job (volunteer and program management) is challenging. In contrast, nonprofits separate volunteer management from program management.

My point is it’s time for associations to professionalize (is that a word?) its management of volunteers. Everybody says volunteers are important so isn’t it time for associations to commit more resources to managing this precious asset? We can learn (steal) from the nonprofit sector while developing a body of knowledge for association volunteer managers. So who’s in? What can your association do to improve its management of volunteers?

And don’t forget to thank your volunteers – not just during National Volunteer Week but every day as they go about the important business of your association.


Everyone’s a Risk Manager

As a risk management consultant, I should be happy everyone thinks they are a risk manager. But often the person’s sense of risk and liability is more of a weapon than a tool. She convinces others that a course of action is too risky due to liability. The activity may be risky but that shouldn’t be the only reason not to pursue the idea. Liability is just one exposure to consider when assessing risk.

While it is true in the United States anyone can sue anybody for any reason whether or not the case has merit but you should not fear every liability exposure. Filing a claim or lawsuit is not the same as winning although insurance companies spend a lot of money defending you for such claims which is why you buy insurance. But having insurance does not negate your need to assess and manage your risks.

Understanding liability and negligence will help with your risk assessment efforts. I am not an attorney so I view liability from an insurance and risk management perspective. Consult with your legal counsel on the law but remember an attorney’s opinion is just one factor to consider in your analysis. You can manage most liability risks if you’re willing to expend the time and resources to do so.


Society considers a person or organization liable when an individual is legally responsible for damages (financial consequences) due to negligence. Not all types of liability (such as criminal, statutory or strict) require the presence of negligence but that is what worries association executives the most.


You are deemed negligent when you fail to perform the standard of care that society expects of a reasonable person under similar circumstances. “Negligence is an unintentional of a legal duty causing damage reasonably foreseeable without which breach the damage would not have occurred” (van der Smissen, Betty, Legal Liability and Risk Management for Public and Private Entities, (Anderson Publishing Company, Cincinnati, 1990, p. 65).

Standard of Care

Negligence is tricky because your actions are judged by the “standard of care” a reasonable person would exercise. There is no Standard of Care Manual detailing society’s expectations for your behavior a judge or jury decides if you are negligent by what they think you should have done. Many attorneys argue against associations setting standards or best practices since the association is possibly creating the standard of care required of your industry or profession.

Reasonable Person

The “reasonable person” is another ambiguous term defined by the judge or jury. The standard is based upon what someone with the same level of training and experience would do under similar circumstances. Your actions are judged by what another person with similar training and experience would have done in that situation. A doctor is held to a higher standard than someone with basic first aid training.

Elements of Negligence

A negligent act has to meet four elements for the claimant to be successful. If any one of these elements is missing you aren’t negligent.

  • Existence of a duty – You must have a duty of care to the person injured. If you have no duty, you can’t be negligent. Entire books have been written and endless court cases cited to define the legal tenets of duty of care. In most cases an association will have some type of duty to its employees and members.
  • Breach of duty – You have to breach or violate your duty of care to another person. You can do something wrong, do nothing, or you do the right thing incorrectly. Negligence involves sins of both of omission and commission.
  • Actual harm or damage – The other person has to suffer some type of injury or harm. As the saying goes “No harm, no foul.”
  • Reasonably close relationship between the breach and harm – The breach of duty has to be the proximate cause of the harm. There needs to be a direct causal relationship between the breach and harm. Your failure to check the driving record of someone driving on your behalf may be the proximate cause of an auto accident when the driver has an unsatisfactory driving record.

Your defense attorney will contend the claimant has not met these four elements of negligence while the plaintiff attorney will dispute those arguments.

Now What?

Now you have a rudimentary knowledge of negligence to use when assessing risks. Before you dismiss or go blindly into a new idea, program, and product or service consider the nature and potential consequences of the exposure. Liability is a major concern for associations. The key is to decide the desired level of risk and whether you can mitigate the risk, modify the activity, to make it acceptable in an effective and cost-effective way. Too many good ideas can be lost because no one took the time to evaluate and manage the risks.

Leave a comment

Policies and Liability: Helpful or Harmful?

I recently attended a risk management seminar for sports and recreation facilities, businesses with a high potential for big liability losses. The tone of the seminar bothered me. The speakers were a loss control professional, two defense attorneys and a representative of the trade association hosting the event. The attendees were well aware of the risky nature of their operations but only one or two were professional risk managers so they had to depend upon the information presented.

The disturbing message I heard was that a facility needs lots of policies and procedures but shouldn’t write them down. The speaker while discussing the need for a policy for handling children using the facilities, said to have a policy, make sure all employees know it but don’t write it down. What? How do you run a business, association or nonprofit without having written policies and procedures especially on children? How will your employees and volunteers know how to do their jobs?

The theory behind this “no written policy” belief is that if your policy says that employees must do X you have created a standard or duty of care. If the employee didn’t do X and someone got hurt the organization has breached its duty and may be liable. BUT if you don’t have a policy then you don’t have a duty to perform (not true). Consequently without a standard you can’t breach it and without a breach of duty you can’t be liable. Interesting theory but it’s not practical in the real world.

Policies are a double-edged sword. Your policy may create a standard of care which exceeds the basic requirements and put you at risk. However whether you have a policy or not society has its own opinion on the expected duty of care. Your behavior during a loss will be examined on the legal concept of the “reasonable or prudent person.” Under the prudent person rule the court will judge your behavior against the conduct of a hypothetical prudent person with similar background and experience under similar circumstances. So the legal system will get you either way. In the extreme, a court could rule that it was negligent to not have a policy for handling certain types of situations especially if similar organizations have established policies to address the issue. For example, the public expects organizations serving children to have a staff screening program. If your organization doesn’t have a screening program, your defense is a lot harder since the plaintiff’s attorney will argue a prudent organization would have such a program. Aside from the legal aspects, don’t you want to protect children from predators?

The issue isn’t whether or not you should have written policies, procedures and guidelines (you should) but that these documents need to be written properly. You don’t want your policies to exceed but rather meet the prudent person standard. Once you decide the need for a policy, it should:

  • Support your organizational culture and values so the information is somewhat intuitive.
  • Be practical and enforceable (and you enforce it).
  • Be flexible so you have some discretion in interpreting the policy and the proper discipline.
  • Be consistent throughout the organization.

Once you have written the policy you need to design a training and education program to make sure all personnel know and understand the policy. It is really bad to have a policy that no one follows – the plaintiff’s attorney love that since you just made it easier for them to win.

So my risk management advice is to have well-written policies and monitor their usefulness and enforcement. Don’t be afraid to change or drop a policy that isn’t working. Your employees, volunteers, members, customers, clients and service recipients will benefit from your efforts.

1 Comment

Assessing Risk – Sadie the Risk Dog

Sadie teaches me about assessing risk. . .

Sadie learned how to dock dive recently; it was harder on me than her. The process included her personal risk assessment and concluding that it is a cool thing to do (and a good way for us to tire her out).

Sadie is ball obsessed, any ball, which she will chase as long as you are willing to throw it. Sadie also loves to swim to retrieve balls but we weren’t sure if she would enjoy dock diving (think of a running long jump into a pool). What fools we were.

Sadie dives off the dock

She did her risk assessment, Sadie was cautious, gathered information, and walked down the ramp the first time to get in the pool. That went OK so then she jumped off the dock to retrieve the ball. Next we tested her willingness to take a running jump into the pool – success! Now we are working on increasing her jumping distance so she can go professional.

Sadie decided after evaluating the risks that dock diving was a safe and fun activity. Other dogs are afraid of the water and may never go in. A few dogs can be coaxed into the pool (not all dogs know how to swim intuitively) and then may or may not jump off the dock. Some dogs, like Sadie, took to it quickly.

But Sadie has one fear that no amount of risk assessment or coaxing will convince her she is not in danger. She is terrified of thunderstorms or any loud noise (door slamming, dropping a heavy object, firecrackers or fireworks). Her fear of thunder is so bad that a rain shower sends her into hiding. We are working on de-sensitizing her to loud sounds but that’s another post.

In spite of Sadie’s deep love of swimming and chasing balls, it there is a distant rumble of thunder or loud noise while dock diving, she drops the ball and runs to us. So what sends you running for shelter? What stops you from doing some things? Your fears and perceptions of risk affect your decisions which stop you from making a change (hopefully for the better). The fear or risk may be valid but can be assessed (use the ramp to enter the pool) and subsequently managed to the point of being acceptable. Or the risk can be so great that you shouldn’t go there now. Remember: if you risk nothing, you get nothing. But you also don’t want to lose everything. Be smart about which risks to take you need to jump off the dock occasionally.  Sadie would be happy to join you for a swim.


%d bloggers like this: