When I ask my clients if they have a formal risk management process and plan, the discussion often goes to insurance. I get a “Yes, our buildings and other fixed assets are insured; we have liability coverage; our technology firewalls are up-to-date,” and so on. I also often hear that the executive committee of the board of trustees discusses risks as does the management team from time to time. I don’t usually hear “Yes Sherry, we have a risk management committee that monitors where we stand on our risk priorities that were developed during our annual risk assessment. Would you like to see the minutes of the risk committee and/or our annual risk assessment?”
I am often surprised when larger organizations do not have a formal risk process in place (let’s call larger $10-20 million or higher revenue) but not surprised by the smaller entities. I believe that every entity, no matter how large or small, should formalize its risk assessment process.
There are many resources available on the internet that can help guide an organization to execute an annual assessment; and certain trade and professional associations have created robust typical risk factors and inventories to give their members a head start. For example, as I was working with one of my healthcare provider agencies, I pointed them to the American Society for Healthcare Risk Management, a personal membership group of the American Hospital Association. This association mapped out what the risk assessment process typically looks like and gave the main categories of risk typically found in the healthcare provider world. As you do your research, you will find that there are business risks that are common to all organizations, as well as those that only come into play should you have certain types of programs or transactions.
In a nutshell, the typical risk assessment process looks like this:
This is certainly an oversimplification of the process, but it does show the key elements.
Who should take on the charge of risk management in your organization? I suggest that responsibility lies with the board of trustees. At the end of the day, they are the fiduciaries who need to ensure that all major risks are identified, understood, prioritized and mitigated to the highest extent possible. Risk management should either reside in its own committee, or as part of the audit committee, finance committee, or executive committee of the board. Periodically and consistently, a risk assessment should be performed with the appropriate constituents present at the table who come together to discuss their views of the top risks in the organization. Together, the group will create your risk inventory and then the committee can rank the risks as low, medium and high, and bubble up to the top those high risks that require the most attention during the year. A risk mitigation plan is then developed, and periodic reporting by the risk committee to the board of trustees is done.
If you need assistance getting your risk assessment process in place, reach out to me and my colleagues at Mercadien. We welcome the opportunity to help you help your organization find solutions to mitigate risk. I can be reached at email@example.com or 609-689-2344.