Strategic Realism

 

There are many small non-profits which have no staff, or only part-time office support. These associations, clubs, and charities are almost entirely dependent on their volunteer workforce, both for governance, and for program and service delivery. Often, the same people who already give hours each week to their involvement with the organisation, not only approve the strategy, but are expected to achieve the targeted outcomes.

In working with some of these smaller organisations, I have sometimes found that while board members recognise their strategy is something important to have, it is not something they pay much attention to outside of an annual or triennial planning exercise. Once that exercise was completed, the strategy stayed ‘on the shelf‘, and was rarely (if ever) addressed at board meetings or in committees and working groups.

Not surprisingly, boards which did not ‘operationalise’ their strategy, usually found that goals set in the previous plan had not been progressed or achieved.

Reviewing the factors underlying such strategy ‘failure‘ or ‘slippage‘, certain common elements can be identified (amongst others). Before adopting your strategy, considering these suggestions (the 5A’s of strategy execution) may help you to avoid these pitfalls:

Avoid

• too many goals
• overly ambitious goals

Assess

• your organisation’s capacity to achieve the goal
  – How many hours of work might be involved in achieving each goal in the strategy, and does the organisation have sufficient volunteers willing to contribute this time? (See chart below)
  – Are the volunteers equipped to do the work required to achieve the goal, or might they need training, guidance, or other resources?
  – What funding and technological support might be required to facilitate goal achievement?
  – Is external support required (e.g. advocacy, legal, technical), and is this available within your network or will it require third party engagements?
• the likelihood and severity of risks associated with the activities required to achieve the goal, then develop and apply risk controls (e.g. policies, procedures, authority limits, supervision, guidelines, etc.)
• progress towards goal achievement at intervals throughout the year (or plan period)
• the need for goal or execution plan adjustments in the light of further insights or changed circumstances

Assign

• responsibility for execution of the action (steps) required to achieve the goal
• a director with responsibility for acting as goal sponsor (mentor), liaising between the board and those executing action on behalf of the board
• milestones (progress goals) and timelines for the action plan

Allocate

• priority ranking to goals, so that where a new or emerging priority requires escalation, or resource scarcity becomes a problem, the strategy can be adjusted accordingly
• sufficient resources to support the volunteer/s expected to achieve the goal
• time on your board meeting agenda for goal progress reports from the responsible person or group (say once or twice during the year)

Advise

• escalation triggers requiring that a matter be brought back for Board advice or decision
• what outcomes and impact the achievement of the goal will provide, and who the intended beneficiaries are (consider a Theory of Change or logic model for major projects).

https://polgovpro.blog/

Sharing Risk while avoiding a Blame Game

 

Responsibility and Accountability in Risk Governance

My previous post highlighted governance issues associated with multiple parties sharing certain risk management responsibilities around the disembarkation of passengers from the Ruby Princess, at a time when COVID-19 infections were on the rise. The importance of establishing shared understandings about the risk perspectives of affected and involved parties was highlighted, along with enhanced coordination and communication.

In this further reflection on the theme of ‘boundaries, borders and bridges‘ (referenced in the previous post), the issues of third party risk for non-profit organisations are in focus.

Third Party Risk

Third party risk relates to hazards arising from your relationships with contractors, service providers, and joint venture partners. Some part of their risk inventory intersects with yours (crosses your boundary), and as illustrated in the header image above, this means people in each organisation share certain responsibilities. Comment on the RACI ‘bridge‘ which spans the shared responsibility space appears below.

When engaging contractors or tendering for services, risk is a central concern of the selection process, and associated due diligence activities. Service standards, including risk controls and escalation measures, will usually be documented in the contract or service agreement. For potentially serious and catastrophic risks, more care needs to be taken to align expectations of those performing key roles, as the ‘cracks’ and ‘gaps’ often occur in the grey zone where the two entities have overlapping responsibilities.

Project Managers have developed useful measures to manage risk in projects involving contributors from more than one organisation, or from multiple functional areas within a larger organisation. They use the RACI model of assigning responsibility and accountability, identifying who needs to be consulted before a decision or action is taken, and who needs to be informed afterwards. This model can also be usefully applied to any third party relationship in which the allocation of risk management roles and responsibilities needs to be clear.

The nature of each of the roles in the RACI model is outlined in the image below, and the distinctions between each must be well understood if finger pointing is to be avoided following an adverse incident. Distinguishing between responsibility and accountability is often an issue. We can see ample evidence of that in the NSW and Victorian COVID-19 inquiries.

The chart below illustrates how each of the four roles could be assigned to the steps and tasks involved in managing a shared risk, and includes some useful notes from the authors at simplilearn.com.

Advocacy Partners and Allies

Some partnerships will be subject to formal agreements, and in that sense the risks involved are similar to those shared with contractors and service providers, especially where they are acting in your name.

Others alliances are somewhat informal, especially where the focus of the relationship is an advocacy campaign. Agreeing to issue a joint media release, or to authorise use of your logo alongside others on a joint submission or poster, are not in the same league as going into business together to deliver a service to a target group of members or consumers. Understanding each other’s risk appetite and sensitivities is nevertheless important to such an alliance.

Often the key issues to be considered are the ‘no-go’ zones, on which there are known differences of opinion or policy. These will be avoided during the course of the campaign, and neither party will imply the agreement or support of the other, when in fact they hold different views. The emphasis is on areas of agreement, not difference. A breach of this commitment would not only damage the campaign, but would probably inhibit any future alliance.

Federated risk

The coordination of risk management within a federated structure (still used by many associations) has some similarity to third party shared risk governance. As there are also other issues involved however, I will reserve comment on these for a future post.

https://polgovpro.blog/

The Incident ‘Post Mortem’: Facts, Causes and Factors

 

Most non-profit boards rightly focus their risk governance on identifying and assessing risks before developing a set of escalating controls to prevent an adverse event. They then consider how their organisation should respond should the hazardous event actually occur, and how those measures can best mitigate the damage that arises.

Some also consider their incident response methodology, recognising that this is their opportunity to add value as directors by improving future risk management plans. Maintaining an incident register is merely a bureaucratic exercise in record keeping unless your risk committee reflects on the pattern of incidents, and digs deeper into the causes and contributing factors which allowed adverse events to occur.

The effort required to do incident analysis can be considerable, and allocation of the necessary time and other resources to do this formally may only be required by your board in ‘severe’ cases, involving critical or catastrophic outcomes. Informal review processes may be used for less severe ‘incidents’, so that these too are remedied. Some organisations use a critical incident report template to capture relevant data, and to record the analysis of the root cause and contributing factors.

Most adverse events demonstrate an array of coinciding factors that allowed things to ‘go wrong’. Understanding the root cause is essential to preventing recurrence, but identifying other contributing factors can also be very helpful in refining prevention and mitigation measures.

The definitions offered above may assist your interpretation of the Risk Event Analysis chart which appears in the header image. This is a simplified outline of the steps used in determining causes and contributing factors as part of your adverse event ‘post mortem‘.

Incident Analysis Process

A more detailed procedure is outlined in the larger chart below, and this emphasises the importance of moving beyond simply confirming what happened and why. Identifying what can be done to prevent a similar event occurring in future, and to respond more effectively should it recur despite those enhanced preventive measures, are essential to the ‘value adding’ process.

The factor analysis step (Step 7) suggests that it will be beneficial to classify contributing factors according to type. The chart below suggests seven categories, and depending on which of these were involved, different responses would be required to enhance risk management of processes, people, and systems/technology.

If your non-profit risk committee has not yet considered its approach to incident analysis, they may find some of the ideas covered in this post of interest.

https://polgovpro.blog/