Episode #6: Risk Management in the Third Sector
In this episode I have the pleasure to be speaking to Sabrina Segal. We discuss risk assessments and Sabrina shares an alternative approach to the risk register. Sabrina is a licensed US attorney, certified fraud examiner and government specialist with almost 20 years of experience working in the risk, ethics and integrity field. Her focus is on the third sector and she has worked at every level from direct implementation of humanitarian activities in the field to the development of organizational risk and compliance environments. And she's also the host of the Tolerable Risk Podcast, which focuses on threats and opportunities in the third sector.
Information about this episode and other industry news and insight can be found here on our blog, the Trubshaw Tribune.
Audio Transcription
[00:00:43] Sean: Hi Sabrina. Thanks for joining us. How are you doing?
[00:00:46] Sabrina: I'm all right. Thank you so much for having me today. I'm excited to be here.
[00:00:49] Sean: Wonderful. So, Sabrina, today we are chatting about risk assessments in the third sector, and that love it or hate it tool, the risk register. What are your thoughts about it and where do you stand on the topic?
[00:01:01] Sabrina: Well, for anybody who's read what I've been posting on LinkedIn, they probably already know but I'm happy to share it now on the podcast. So, you know, I've been in the third sector and the third sector for people who aren't familiar with it represents charities, non-profits, NGOs. It's a term that evolved because you have the private sector, you have the public sector, which are typically governments and government organizations and then you have the third sector. The third sector is usually behind in the development of any emerging management approach, technology, whatever it is, simply because of the fact that they are low or no resourced. So, in the area of risk management, third sector organizations are really reading and absorbing what has already been developed for the private sector mostly and a lot of risk tools and approaches are developed for highly regulated organizations. So, if you think about banks, if you think about insurance companies, if you think about pharmaceutical, manufacturing, aeronautical, chemical. Those are pretty highly regulated and so the risk tools and approaches that have been developed for those sectors and industries are usually built upon the need for strong compliance and regulation awareness. Also, these organizations tend to have access to more robust data, historical data, clean and vetted data, and they tend to use a lot more quantitative tools than qualitative tools. Although there is a big comeback now around qualitative tools in some of these segments.
So, the third sector then trying to absorb and trying to consume some of these approaches that have been developed for the private sector, are finding that it's not really a good fit. It's not a good fit because when it comes to regulation, there's not a lot in this area. When it comes to compliance there is but it's a very specific type of compliance. It's typically funder and donor compliance. So, your large private sector or even government donors, while usually have quite a long list of compliance elements, whether it has to do with how you procure something, whether it has to do with the type of due diligence that you do. And what third sector organizations find is that they end up really just doing a tick box exercise against their donor's compliance requirements and then they call it a risk management program or something like that. Some third sector organizations are starting to use sort of the heat map, risk matrix approach, red, yellow, green boxes. That approach, in my opinion, doesn't work for so many reasons, but the key reasons why I don't think that works is because risk is dynamic, and those tools are static. Using a risk matrix for a proposal submission might be okay because you are demonstrating to the funder that you are aware of the risks at the snapshot in time that your proposal was submitted. But moving forward and going into implementation of a humanitarian or a development program using a risk matrix approach is going to be really, really, not providing a lot of value to what you're trying to do. Ideally, risk management is going to inform decision making and risk matrices, risk registers, risk appetite statements do none of the sort. None of those are dynamic enough to be able to influence decision making. So, there's an approach that, that I developed, we'll, I'm sure we'll talk about it in a second. That I think works a lot better for NGOs. It is more integrated into their ways of working. It is more dynamic; it is more efficient. 
It really helps to drive risk into decision making and it doesn't rely on static and backward-looking tools like these risk matrices, risk registers, heat maps and all of that, tend to do, right now.
[00:04:55] Sean: I couldn't agree more with what you're saying. Going through the risk assessment process, it's time consuming, it's resource consuming. It is important so that someone's actually had a look at what is happening around them and they're not just blithely going into things but, as you say, it's static and people tend to just do it and then put it in a box and then crack on with however they do things normally. So, I mean, clearly, you've given this a lot of thought and you've been practicing a methodology. What's the alternative? What's the solution?
[00:05:22] Sabrina: So, there is a methodology that I have developed, well, I've developed based on some of the work by a guy called Tim Leech. You can find him on LinkedIn. He’s TIM LEECH. But he's developed an approach called Objective Centered Risk and Certainty Management. And I've basically taken a lot of the work that he's done and simplified it and, really made it a tool that non-profits, low resource, no resource organizations can use. And I've just called it Objective Centered Risk Management. And what this approach does is instead of creating a long list of horrible things that might happen to your organization, everything from the building burns down to there's violence in the areas where we're working. It really puts objectives at the centre of the analysis, and then it moves outward from there. So, what you want to do is, if you're a non-profit organization, typically we develop our program design, or we do our strategies on tools called logical frameworks or theories of change. I'm most familiar using logical framework. So, if you look at your logical framework for your program design and you look at the outcome or the output level, that's usually about the right area where you'll find your objectives. So, you put your objective at the centre and then you use what I have sort of developed like a modified mind map tool. You put your objective at the centre and then from your objective you say, what are all of the things that might happen that will prevent us from achieving this objective? And if you have the right group of people around the table who are your project managers, your subject matter experts, the folks who have worked in the field who have implemented these before, they can come up with a pretty good list of the risks that are going to prevent that activity or that program from achieving its objective. From there, then once you have the risks, you then say what causes those risks? 
And you draw some little lines and bubbles out from each risk, and you say, these are the causes of these risks. Now, some of the causes may be in your control and some of them may be out of your control and that's okay.
The ones that are in your control, then sort of think about it as concentric rings. You have, your objective in the middle, your risks around that, your causes around that. And then the last ring around the outside are your preventative actions. And so, you basically take each cause, and you say, well, what are some of the preparations that we can do to be aware of this cause? So, either actively monitor it, or mitigate it if it's something that's in our control, so that we can prevent the risk from happening so we can achieve our objective. It all comes back to managing the objectives, not just managing the risks. So, you want to list out then your active monitoring elements, so you know if it's something that's outside of your control. For example, if you need to get government approval to do an activity in a particular region of a country, and you know that there is high turnover within that government office. Being able to monitor that and know if there's a new person sitting in that seat behind that window, you might need to have more time to get that approval than if it's somebody that you've already worked with in the past.
It's not something you could do anything about, but it's something that your field team can flag and raise up to your project manager, and then your project manager can best decide how to manage that risk. Or for example, it might be, let's use the same scenario where you have to get pre-approval. It might be that your team is not submitting the paperwork on time, and that's something that you absolutely have within your ability to control.
So, your project manager may need to have a closer eye on that particular team. Asking the team leads if they've submitted the approval paperwork in time to ensure that you get the approvals you need so that you can run that activity. So active monitoring and mitigation are the two main elements that I usually advise non-profits on that they can do something about when it comes to managing the causes to prevent the risks so they can achieve their objectives.
[00:09:29] Sean: That's really interesting. I'm just trying to put it alongside how something may have been assessed using a risk register. So, if I think about, let's say an NGO operating a water NGO or WASH NGO operating say in South Sudan. Prior to the project, they may be asked to do a risk assessment and they might realize that road banditry is a huge threat in their area. Traditionally going from a risk register, they would decide road banditry as the risk. They might, say, try to determine the likelihood of it occurring and then the impact and then put in control measures of say, do journey management or only drive in convoys. But that might be in January 2021 and it's now January 2023. Whereas what you're saying, which is quite cool, is okay, so we want to do a project in South Sudan, what are the things that are going to prevent us from being successful? Well, it might be road banditry on the way to the water project. Okay, so, what are the things that we need in place? Well, in addition to journey management, we also need to be able to monitor the situation, and so, the day-to-day act of maybe, doing a journey application where you can see, okay, well what is the threat assessment today before I do this journey? And put control measures in place for that specific journey. That's a part of the ongoing dynamic risk assessment as opposed to a static risk register at the beginning of the project. Sorry, that's just me trying to kind of put it into a security context where it would normally be put into a risk register.
The other thing I just wanted to kind of point out to that springs to mind, which I think is great when you use a risk register as opposed to Objective Centered Risk Assessment. Is it takes me back to I don’t know if you've ever read Good Strategy Bad Strategy by Richard Rumelt, which if anyone's interested, they should really, it's probably the best strategy book hands down you'd ever, ever read, but in the book, he says, good strategy is not about a set of goals that you want to achieve. You need to look at what you want to achieve, how are you going to do it, but then also what are the obstacles that are going to prevent you from achieving that? And then focus on that prevention and find a way to overcome those preventions and all of a sudden you have a strategy. Which talks a lot about what you're saying with Objective Centered Risk Assessment. Objective - What are the risks to achieving that? What are the causes of that risk? And then what do we need to overcome those causes?
[00:11:56] Sabrina: I think your security example is actually a really good one because people tend to think about it as black and white, right? I mean, is it your security manager doing perimeter checks? Do your guest houses have life support boxes? Are there fire extinguishers in your offices? I mean, has everybody received HEAT training? You know, do you have somebody who is CPR and First Aid certified? A lot of times people think of security as really tick box, but you know, and I know, we've both worked in some pretty interesting locations around the world. It's super dynamic. It's super dynamic. You may have a red zone but really there's only a very small quadrant of that red zone where hot stuff is happening, and you really need to take it in a nuanced approach. And so, you know, making sure that those support functions. You know, security is a support function. HR is a support function. Finance is a support function. Procurement is a support function. Making sure that the support functions are part of the conversation, not only when it comes to program and project design, but also program and project management. Making sure those support functions are constantly in the conversation is going to help you manage risk because you don't want to shut down an activity just because a county or a section of a country is considered in a red zone if in reality it's in a very remote part of that area and there's really no threat to your activities.
[00:13:19] Sabrina: You know, again, taking it back to your objectives and then saying what are the risks? What are the causes, and what's your preparation elements is going to help you remain dynamic. So, yeah, I really love your security example. It's a perfect one. It's spot on.
The other thing I did want to raise when it came to sort of how to respond to risks has to do with engaging with funders and donors. A lot of times non-profits are super scared and nervous to raise serious concerns with their funders and donors for fear of the funders and donors just saying, well, okay, fine we're going to pull all our money, right? And so, implementing partners tend to really want to make their funders and donors happy. And so, they may be hesitant to raise concerns about risk, but with this approach, with an Objective Centered approach, you are much more likely to have the data necessary to have an intelligent conversation with your funders and donors about why you may not be able to achieve this objective because of X, Y, Z reason. And, making sure that third sector organizations feel empowered to have these conversations is another thing I like to talk about. As long as you're going back to your funder and you're saying, look, when our proposal was submitted a year and a half ago, because we all know how long it takes to get these things through, we did a risk matrix, and this was our point of view on the operating environment. Well, it has changed. And so now we've done this objective centered risk assessment. We've taken all of our preparation elements. We've priced them, which I like to say. If you go through this tool, this mind map, and you take all of your preparation elements, put them in a spreadsheet, price them, whether it's staff time, whether it's security, technology that you need, whether it's a new software platform, whatever it is, price out everything that you put in the preparation steps that then actually becomes your risk appetite statement. That becomes your go, no-go to management, because if management is not willing to put the resource against what is needed to mitigate and manage risk, then it should be a no-go, right? It doesn't have anything to do with abstract words and an appetite statement. 
It has everything to do with the resources that are available.
[00:15:29] Sean: That's probably the most intelligent description of how to address risk appetite in the third sector that I've actually heard. Absolutely. You know, these are risk, this is what we need to do to be able to mitigate these risks, and this is what it's going to cost. And, if you're not willing to fund that, then well, that's beyond our risk tolerance and it's beyond your risk tolerance. So that's, that's a wonderful way of describing it.
[00:15:53] Sabrina: Exactly, and so, then an NGO is armed with the data that they need to go back to the funder and say, this is the reality of the operating environment. Now the funder can then do, three things, but it's usually like one of two things, right? One, they can say, well shut down shop. We're done working with you, you know, halas, leave. Okay, fine. Usually what happens is they go, thank you for this information. We're not going to give you any more money. We want you to continue implementing. And so, if they do that, then you can say, okay, thank you very much. You have a documented then conversation where you told them you weren't going to be able to achieve objectives. And if you get to the end of the program and you haven't achieved the objectives, you at least have this data where you showed them when you knew that you were aware of this and why it wasn't going to happen. But you know, best case scenario is the funder comes back to you and says, wow, thanks for doing this very dynamic review. It looks like, yeah, we're not going to achieve the objectives, so how can we reprogram these resources to achieve similar objectives? And that is the best possible outcome. And I believe that if non-profits and charities and NGOs can become better at identifying, being risk aware and articulating their risk awareness they're going to have a more mature conversation with their funders and donors. So even though I say when we do this mind mapping exercise that it is active monitoring and mitigation that are on the table. You can always, always, always go back and say, we need to change these objectives because here's why it's not going to work. But you have to go through that exercise. You have to have the data to have a really good conversation about it. And I really want non-profits and third sector entities to feel more empowered to have those conversations because I think they're important.
[00:17:36] Sean: I think an alternative phenomenon that I've seen is something I've just labelled the risk trap. Where NGOs will not have that conversation, can't articulate it, and then effectively become risk seeking and they take on more risk than they should take on and the people who speak up about it and aren't willing to take on that risk they're then jettisoned from the organization and the people who remain have a high tolerance of risk. And they recruit people in their like who also have high tolerance of risks. And then all of a sudden, very quickly you've got an organization that is just not really taking things in a safe manner and putting not only their objectives at risk, but their funders' objectives and reputation at risk. It's so important that we empower small organizations and NGOs, as you're saying, to be able to talk on a level platform to their clients, their funders about this, and it needs to be okay. And I think, yeah, what you're talking about is a wonderful tool to be able to do that.
[00:18:38] Sabrina: Well, I think Sean, particularly from your point of view in the security sector but then I would also expand it more to also the safeguarding area, right? And, and particularly safeguarding of humanitarian staff, right? I mean, we've seen a lot in the past, 6, 7, 8, 9 years, a focus on organizations' duty of care to their staff. You know, you can no longer send a 26-year-old out to Yemen with a security briefing that consists of your security manager grunting at them. You know what I mean? Like that is not something that's going to fly anymore. And, and also, unfortunately, we have seen a lot of people get injured, and we've seen people die because organizations have not taken their duty of care seriously. And so, what you're talking about as people who are jettisoned because they're raising questions. If we're just talking about duty of care here, because other folks have a higher risk tolerance. Look, if you're running an organization, you can have whatever risk tolerance you want, but you need to be aware of the repercussions of that, right? And we have seen some smaller organizations completely fizzle out and go away because of things like this. And we've seen larger organizations really face funding and fundraising challenges because their duty of care is being questioned. And whether again, it comes down to physical safety in a crisis area or whether it comes down to sexual harassment and bullying in the workplace, both of these things are risks that can really damage an organization. And the other thing I like to say about third sector is, you know, third sector organizations face the three major risks that everyone faces, right? We've got legal, financial, and reputational. But more than anything, third sector organizations focus on reputational because if that reputation is gone, they're done. They can't raise more money. They can't access underserved and vulnerable communities. 
They lose trust in those communities that they're trying to serve. And, and they might as well go away. And I'm okay with that, right? Like, organizations that aren't managing this well, that are not taking their duty of care seriously, that are not taking care of their staff and their participants and beneficiaries shouldn't be around, frankly. And so, what, you know, what I try and do, and I think you know, what you're trying to do too, is try and help these organizations raise their capacity and raise their risk awareness so that everything they do is risk aware and they're really delivering the best, most impactful activities and programs that they can for their participants and beneficiaries.
[00:21:20] Sean: So, Sabrina, what advice would you give to NGOs wanting to start implementing this? And maybe it's not an NGO, maybe it's just a, a person in the NGO that thinks actually there's a better way to go about this. What advice would you give them?
[00:21:33] Sabrina: Well, the first thing is you have to make sure your organization is genuinely ready for this. I have found recently that a lot of organizations are thinking more, sort of programmatically and structurally about integrating risk and compliance and integrity and ethics into their sort of organizational structure. Whether it's hiring an individual, whether it is establishing a committee, label the risk committee or whatever it is, they are thinking in a more tangible way, which I think is great, but you have to be sure your organization is ready for this. A lot of times organizations say yes. We're ready. We're going to implement risk management. We're happy to do more compliance work, and they are ready in theory, and they are ready in words but when it comes down to it and the rubber meets the road, they're really not ready. Staff aren't really prepared for what this means. People can get very defensive about the work that they do, and it can really crumble quickly. So, the first thing that you have to do is make sure your organizational culture is genuinely ready to have a real conversation. Again, non-threatening, non-accusatory, but a real conversation about what is risk? Where is risk in everything we do? How can we manage it? Because it's just going to make everything better. It's going to make everything better within the organization. It's going to make your programs better. Once you are confirmed that your organization really genuinely is ready to do this heavy lifting and this hard work. Then what I would recommend is exploring something like Objective Centered Risk Management.
I've done a lot of writing. You can find a lot of writing that I've done about this approach on my LinkedIn page. I'm always happy to talk. I'm not selling anything. This is all just my kind of knowledge share. Always happy to talk to people about how they can apply it. I've talked to large INGOs, I've talked to very small community-based organizations, and everyone's really interested in it because it's a slightly different way of managing risk and they find that it's very practical.
[00:23:35] Sabrina: So, Objective Centered Risk Management. You can find my writing about it. I also have a podcast myself. It's called Tolerable Risk, and it's specifically about managing opportunities and threats in the third sector. We talk a lot about objective centered risk management. We also talk about different risks that third sector organizations may apply as well.
So, you can do some reading about it. I'm happy to share my tools and materials with anybody who's interested and yeah, and really just make sure your organization is genuinely ready for it, because if you try and do this, it's like any other type of change management and people aren't ready then it's going to fall flat. So, make sure you're ready. And then, yeah, it's not really hard to implement from there.
[00:24:15] Sean: Wonderful. Sabrina, thank you so much for that. I've really enjoyed that conversation and all of what you're saying just makes sense. So, if anyone is interested in that, I would really encourage you to connect with Sabrina, listen to her podcast, and see if this is a fit for your organization, because the advantages are just self-evident.
Thank you very much Sabrina. I really appreciate it.
[00:24:35] Sabrina: Thank you so much, Sean. It was great chatting with you. I hope we can do it again.
[00:24:39] Sean: Hope so too. Fantastic.