How should charities manage risk?
Michala Liavaag and Sabrina Segal talk about risk management in the not-for-profit sector: how it intersects with cybersecurity; cultural elements to risk; doing objective centred risk management; risk as opportunity; and more.
Sabrina is currently the Global Head of Integrity, Risk, and Compliance Support Services at JA Worldwide, a nonprofit focused on supporting entrepreneurship, financial literacy, and work skills readiness to young people around the globe.
Sabrina is a licensed attorney, Certified Fraud Examiner, and has more than 15 years of experience in the nonprofit sector in various leadership roles across support services and program design and delivery.
Sabrina's LinkedIn: https://www.linkedin.com/in/smsegal/
👉 Cited in this episode:
Tim Leech LinkedIn: https://www.linkedin.com/in/tim-leech-01950013/
Warren Black LinkedIn: https://www.linkedin.com/in/warren-black-62546415/
Elliot S. Schreiber LinkedIn: https://www.linkedin.com/in/elliot-s-schreiber-ph-d-17858510/
⭐Found this useful? Please rate and review, as it helps reaching more people
👍You can also subscribe and share on social media
💬 Contribute to future episodes with your cyber security concerns and questions
🤝Connect with Michala and Cybility Savvy:
✍🏾Written and produced by Michala Liavaag
🎦Co-produced and edited by Ana Garner video
🎵Music by CFO Garner
(automatic transcription )
00:00:00:11 - 00:00:27:21
Cybility Savvy the quickest way to go from cyber confused to cyber savvy
hello and welcome to Cybility savvy the show that demystifies cyber security for not-for-profit boards and leaders I’m your host Michala Liavaag our guest today is Sabrina Segal who is the global head of integrity risk and compliance support services at JA worldwide a not-for-profit organisation
00:00:28:14 - 00:00:31:01
Hi Sabrina. Thank you so much for joining us today.
00:00:31:16 - 00:00:34:08
hi Michala thank you so much for having me today
00:00:34:20 - 00:01:00:22
JA worldwide is a non-profit focused on supporting entrepreneurship financial literacy and work skills readiness to young people around the globe Sabrina is a licensed attorney certified fraud examiner and has more than 15 years of experience in the non-profit sector in various leadership roles across support services and program design and delivery so for those in our audience that don't know you would like to tell us a bit about yourself?
00:01:01:11 - 00:01:32:19
as you mentioned I’m a licensed attorney by training but please don't hold that against me I know a lot of people who look at risk in a slightly different way feel that this profession is overwhelmed with auditors accountants professional services you know consultants and lawyers but what I have learned is that being able to fall back on my legal background particularly reading writing thinking kind of challenging positions a little bit in a more tactful way have really helped me um in risk
00:01:32:20 - 00:02:02:07
so I worked as a traditional lawyer for several years before I left and moved into the non-profit area which is where I’ve spent the rest of my career and it's been fantastic I’ve been a legal advisor on rule of law programs I have been a country director focusing on capacity strengthening for small NGOs and now I’m working with a fantastic non-profit where we're helping young people um chase down their dreams of entrepreneurship all over the world but risk and compliance and integrity has been a common theme throughout all of the work I’ve done and it's something that I really really enjoy doing and particularly bringing the voice of the third sector now non-profits to the risk conversation is something I feel is really important and we need to do a lot more
00:02:19:22 - 00:02:27:23
thank you I completely agree with you have integrity in your job title and I don't tend to see that around much do you want to talk to us a little bit about that
00:02:27:24 - 00:02:51:03
when JA reached out to me the position that was originally offered was you know chief risk officer and I said I want to change the title in my opinion if your title is chief risk officer or you know head of risk or whatever you know the organisation will look at you and say oh well you are the risk person so I don't have to do anything right so Sabrina is here no one else has to worry about risk and I specifically requested my title be the global head of integrity risk and compliance in that order because that's the order that I personally believe is the most important and then I specifically asked for support services at the end to communicate to the organisation that I am here to support you I’m a facilitator I am here to help you improve your skills in these three areas I’m here to hold your hand as we go through these challenges but you all are the ones that need to actually do it junior achievement has over you know 300 I think almost 350 locations across 117 countries we reach a hundred million young people every year it's a massive organisation and there's no way one of me could do all of that so integrity um is where it all starts and that's why it's the first thing in the title
00:03:43:14 - 00:04:03:23
yeah that's brilliant thank you for that and I also think it's also I suppose in a way very timely as well because the not-for-profit sector has taken a little bit of a battering over the past few years from that integrity point of view you just mentioned that you know you transitioned into the not-for-profit sector and what was it that sort of drove you to do that?
00:04:04:01 - 00:04:29:16
I started out of law school working as a civil servant in the U.S government so I worked at the U.S department of state I worked at USAID I worked at a few other agencies in oversight and legal roles um so you know I never was really you know in the private sector so to speak I had one role where I was working in a private sector consultancy focusing on international development but you know other than that I’ve been in the public sector or the third sector for me it was sort of what I always wanted to do I never went to law school because I wanted to go be a partner at a big law firm I was always much more interested in public service I was able to get a fellowship into the us government which was really exciting for me and then um while particularly I was with the department of state and USAID I just got so much more exposure to implementing partners and while I was there I was able to travel a little bit I was able to travel out to different missions and offices and see how the programs were being implemented but there was always that part of me that said I really want to go out and implement these programs and so I was able to transition really out of the government and into the third sector I guess would be the transition when I left Washington dc and I moved to Rome and that was my first overseas role and haven't been back to the us since
00:05:17:22 - 00:05:27:21
wow excellent just thinking the fact that you have worked these different geographies do you see much difference in the approach to risk across them you know?
00:05:27:21 - 00:05:59:10
it's an interesting question you can break risk down a lot of different ways you can slice and dice it I mean there's cultural elements there are core objective elements depending on the organisation that you're working for and there's also kind of maturity and sophistication elements too where you know certainly industries like banking medical sector major manufacturing are much more sophisticated and mature in the area of risk than you would have in in a non-profit an NGO one of the things I like to say though is there is not one charity on the face of the earth that decided to become a charity because they wanted to meet the donors compliance requirements right like no one is ever going to do that um you know charities and non-profits and NGOs become what they are because they see a need in their community and they see a way to serve the people in their community and that's their focus and it should be one of the things that I have seen that's been really challenging in the different environments I’ve worked in is the level of sophistication of the entity of the non-profit entity is where you end up with challenges with risk um you know you have large international NGOs and they have more resources they have the ability to throw more resources at the risk issue and then you have small ones who are extremely valuable when it comes to program impact because they have access to underserved communities but you know a procurement policy is the last thing that they ever thought that they would need to write what I think we need to do in the non-profit sector particularly around risk is you know help the smaller organisations raise their capacity strengthen their capacity because we know that strong risk management produces more better quality outcomes so we want to help them raise their ability to do objective-centred risk management which is what I like to practice but so many times donors and large organisations confuse that with compliance and a large organisation will say well we're raising the capacity of this small you know community-based organisation because we've taught them how to do our tick tock exercise on procurement or our tick box exercise on financial management and in reality all you're teaching them how to do is fill out your own forms you're not really getting them to understand the concepts behind what you're asking them to do so it's a long way of answering you know in the different places I’ve been it all depends
00:07:59:20 - 00:08:22:14
it's really interesting you raise the point about the compliance focus um because certainly I see that a lot from a cyber security point of view that people are kind of like what's something the moment I need to do to be compliant with xyz rather than thinking about the actual risks to the organisation in terms of achieving what they're there to deliver and you mentioned a moment there about objective-centred risk management for those who aren't familiar with this concept would you like to just tell us a little bit about it?
00:08:30:14 - 00:09:12:03
so objective-centred risk management it's an approach that I’ve developed based on some of Tim Leech's writing if you if you're on LinkedIn definitely check out Tim Leech he has been focusing for many many many decades on how to move people away from that tick exercises and you know red yellow and green boxes heat maps all of that junk into more actionable and applicable really useful risk management and so what I’ve developed over my time working in the NGO world is a process that is integrated into project management so my PMs love this approach it's not a bolt-on it's a built-in is what I like to say and basically when you do your analysis throw away your risk matrices throw away your risk appetite statements throw away your risk registers they're useless you start with your objectives so if you're an NGO you're designing a program and you've got your logical framework your log frame you're going to go to your outcome or your output level because that's about approximately where you're going to find your objectives you're going to pull out what the objectives are of your program now support services can do the same thing but you'll do it slightly differently but from a program point of view you're going to pull out those objectives and you're going to put them right in the middle of a modified mind map around your objective then you're going to identify the risks you're going to ask yourself what are the risks that will prevent me from achieving this objective from your risks then you will have little dots that will be your causes what are the things that cause these risks that will prevent me from achieving my objectives and then from those little dots out there you'll have dots on the outside and you then have little lines that's connect your preparation steps to your causes to your risks to your objective the key here then is because you're starting with your objective you're not starting with a long list of all the horrible things that might happen on a heat map or a risk register you're starting with your objective when you end up managing all of this at the other end you're managing the objective you're not just managing a long list of risks the other thing about this approach too is that the preparation steps that you have around the outside of your mind map what you're going to do is take each one of those put them into a spreadsheet and price them and you're going to say this is how much each preparation step will cost us whether it's staff time whether it's new software hardware whatever it is this is what each one's going to cost us that then actually becomes your risk appetite statement you are going to take that price list give it to your management and say if you want us to achieve this objective we need to be sure we have these resources are you a go or a no-go it operationalizes risk it really ties it very very closely it ties it directly into decision making and it makes it much more useful for NGOs don't run a Monte Carlo simulation don't bother with heat maps if you follow through on this mind map when it comes to objective-centred risk management you know half of the work is done for you
00:11:42:21 - 00:11:51:00
it's a really interesting approach that I think can work really well especially for the smaller organisations who don't have the resources
00:11:51:00 - 00:12:13:20
so you know when you were mentioning how cyber has become just such a tick box exercise you know the first thing that came to mind was GDPR people get so scared and get so kind of you know oh it's digital it's electronic it's cyber I don't understand it and what I try and do when I’m in in a risk role or in a country direct role or anything like that would say how does it practically apply again to our programming take it back to our programming take it back to our objectives and one of the things that I always make sure I do particularly on activity risk assessments is you know we ask about number one are we taking pictures of people how do we protect people's privacy protect their identity right it's for me it's more about that because you're dealing with vulnerable populations children vulnerable adults we need to be good stewards of that sensitive information so how do we do it you know how are we getting permissions do people understand the permissions when they give us permissions to take their pictures use a quote use a recording whatever it is if they change their mind later have we if we made it easy for them to get back in touch with us so we can pull these things down because they've changed their mind but the number one question that I always ask my program team is can somebody continue to participate in this activity if they say no because the scary thing right put yourself in the position of a refugee who wants to engage in you know a livelihoods program and get a micro grant in order to start a business you are at the bottom of that power structure and you're given this permission slip in your mind you're saying well I have to agree to this or I can't participate in all of my risk assessments and with my PMs I was always very clear I said number one do we have a way for these people to participate in these activities if they say no and the answer for that should always be yes and they need to know that they can say no and still participate it empowers them it levels the power dynamic playing field it also makes sure that we understand what their wishes are and we're honouring them and so for me particularly when it came to privacy and images quotes and recordings I had to really get my PMs and my field teams to think about it level when it comes to power dynamics and not necessarily just GDPR compliance
00:14:02:09 - 00:14:29:16
you know thank you for that um it's really interesting the point that you raise around again it's that thinking it's the changing the way of thinking about something um that I think is so crucial not just in the sort of data protection and privacy space but also from a cyber security perspective when would you say was your kind of aha moment about the importance of cyber security and including that as a risk for an organisation?
00:14:29:16 - 00:14:56:24
when I was working in the us government I was supporting um cyber security audits so I really understood it from that end but I think the most aha moment I had was I was working with an organisation I won't mention which one to protect their privacy there's working with an organisation that was a victim of a ransomware attack luckily because I was sort of away from the HQ we were running kind of a separate almost a separate network and we had I had put in place on our network a particular kind of security and we weren't really affected but a lot of other offices and headquarters were and they couldn't get to their files they couldn't do their work I knew always knew that that could happen but it was just a really heart-breaking wake-up call and also to me saying you know look these guys that are out there they're just doing this for money they don't care if they're going after charities they don't care if what your organisation does is to help people right they don't care and that was a wake-up call for me which made me realize that non-profits and NGOs and charities are really low-hanging fruit and this is an area that we have got to get our arms around and I also then at that point embraced the phrase do what you do best and outsource the rest and the good news is that there are a lot of organisations out there that that help non-profits improve on just the basics right making sure they've got firewalls making sure they're changing their passwords every 90 days making sure that they're patched right I mean all the basic stuff but again I challenge you to find a charity that established themselves because they wanted to do cyber security all day you know I mean again this is not why a charity you know invents itself but it's an important thing now and especially because so much is moving to digital for me that was sort of my wake-up call was when it came so close to my office but then seeing just the suffering that was going through and the organisations really trying to figure out how do they move forward and continue their work do they pay the ransom do we have insurance I mean what does that mean and it was just it was heart-breaking more than anything else because it's not like we were a bang we barely had any money but it really froze our operations and it was tough
00:16:41:16 - 00:17:13:11
one of the things I hear quite a bit is you know that why would anybody hack us or target us the reality of the situation is quite often they're just collateral damage it's just so easy for the criminals to throw stuff out there and see who bites sort of easy money maker for them and I agree with you it's absolutely heart-breaking which is one of the reasons that we're stability really keen on you know helping people sort of up you know their sort of cyber security risk protections and awareness about you know what they can do to help themselves so no it's a difficult one for the sector it really is think back to your first role when you took the lead for risk management what sort of challenges did you have to overcome in that or was the organisation already fully bought into it?
00:17:30:14 - 00:17:58:16
I don't think any organisation is fully bought into risk even the mature ones the number one challenge I think we have with risk and the landscape is shifting because I think when people started when sort of the CRO role and like you know risk as a thing kind of like appeared on the scene it was very siloed it was very you know well this is risk and we're going to do these Monte Carlo simulations and we're going to do these heat maps and here's your risk register and right and I think very quickly and I’m glad very quickly organisations realize that risk cannot be siloed it has to be cross-functional and so for me the biggest challenge is making sure that the organisation understands that you are not the risk person and particularly in the non-profit sector having somebody who's dedicated to risk is very unusual because we don't have the resources risk is usually thrown under finance the program design team is asked to fill in a risk checklist by the donor and so they just kind of do it based on what they know so lots of non-profits do not actually have risk roles and so I think one of the challenge if you know there's non-profits out there who are listening to this and saying we actually think we really do need a risk role is make sure that your organisation understands that when you establish this role this role is going to be cross-cutting not it's going to be horizontal not vertical you have to set the expectations within the organisation so that when that person sits in that seat whether they come from outside or they come from inside people understand that that role is going to be interacting and overlapping a big challenge that risk managers have there's a lot of turf wars and there's a lot of people within organisations who have set up kingdoms and they don't necessarily like it when you knock on their door or when things overlap but what people have to realize is that for risk to be done really well it has to overlap and the risk person is not there to take your work away from you the risk person is there to be an extension of your team and that's something that I say a lot and I say it over and over again and I get tired of hearing myself say it but I know I need to keep saying it whenever I talk to my regional offices my country offices whoever it is program information implementation team to say think of me as an extension of your team I am another set of hands I am not here to tell you what to do I mean I don't have a budget I don't have any authority I can't tell you what to do even if I wanted to but what I’m here to do is be a facilitator I’m here to support I’m here to provide tips and tools and tricks that are going to make your life easier but I myself I’m not going to be able to do risks it's you all that need to do risk when I was with save the children my former employer I and my team made up these stickers and we had this six different stickers and they said things like you know I’m a risk manager too you know got risk I’m here to help you know all these little things and it was in English and Arabic and it was great and we got people to stick it on their laptops to stick it on their shirt I mean whatever and everybody was a risk manager it wasn't just our team and so that that to me was probably the biggest challenge moving into risk was getting the organisation to understand that this is a cross-functional it is not a silo and leadership has to set that expectation with the existing units before you introduce risk or else you're going to be fighting those turf wars before you even get into your subject matter
00:21:05:15 - 00:21:29:13
yeah I’m just thinking back I’ve seen exactly what you've described quite a few times and again you know we suffer the same thing in cyber security you have some people's cyber security and they're like okay yeah that person is dealing with cyber security none of the rest of us need to worry about it now but fundamentally in cyber security certainly in the GRC space that I specialize in it is absolutely all about risk day in day out and you have to operationalize it which is exactly what you're saying as well about you getting it down to the people who do doing they're the ones who can identify the risks and think about what to do about them it's not all down to this particular individual
00:21:44:19 - 00:21:58:21
absolutely I mean if one of the if one of the people in the organisation finds a usb stick in the parking lot decides to plug it into the networked computer at work I mean you're done right you're done everybody is a cyber security expert right everybody is part of this as part of this team
00:21:58:23 - 00:22:23:13
yeah yeah one of the things I’d always say when we had that huge transition with Covid and people working from home was that you know you can't rely on the central security team anymore you all need to become your own security teams in the home one of the things about cyber security um is it's always changing day in day out there's new things coming along you know that we have to address and think about and I’m just doing how do you sort of stay up to date with risk what's the sort of pace of change like?
00:22:28:23 - 00:23:00:05
you know I think the pace of change in risk can be in in a matter of nanoseconds or it can be glacial depending on your approach there are definitely people in the risk profession who love you know their risk registers and you know you will pry them from their cold dead hands even though we know that the further away your tools get from your objectives and your decision making the worse your outcomes are people are still they just it's their security blanket they love them right now I do think that it is moving in the right direction I see a lot of people particularly on LinkedIn you know writing a lot of really interesting thoughts and theories and approaches there's more people doing you know for example academic research and writing in the area of risk that's not something that you've see even so I think five years ago it just wasn't a thing to do so it's great that we're getting so much more data but the risk practitioners have to be open to it you know like every other profession you know and skill set it has to change and it's and it's changing for the better you can't just take the same approach to risk across all sectors across all industries because it's contextual and it's different and so while a Monte Carlo stimulation might work really well in the aviation industry it's not going to work well in non-profits we're actually really lucky we have so many approaches and tools that we can use there's so much out there I mean I love reading on LinkedIn I love reading academic journals now um you know and even just reading the news and seeing things that are happening in in banks you know in NGOs fraud and corruption all that you see it's happening and then you see how people are responding to it
00:24:21:04 - 00:24:32:18
what traits do you think help a risk management professional and do you think that the professional industry bodies have a role to play here?
00:24:32:22 - 00:24:52:04
okay so the first question is what skill set do I think would be or flexibility and skill set so I mean yes to flexibility absolutely right I mean because one of the things that I always like to say is risk is dynamic risk is not static part of the reason why I really abhor these old approaches and tools is because they're static a heat map is only as good as the minute that you put it together the next minute it's out of date and imagine if you only pull that matrix down once a quarter and you update it for your project I mean what's the use why bother right so risk is dynamic and so flexibility is absolutely really important I like to talk a lot about being agile and I know Agile is a big thing in tech right but I’m not necessarily talking about agile in the project management sense but being able to pivot being able to adapt and being able to accelerate when you need to we are not going to be able to predict everything that's going to happen but if we have our three r's in place if we are able to recognize and kind of see what's going on in our landscape if we're able to have some responses ready to go we're not going to be able to develop responses for 100 of those situations but if we can develop responses even for 40 or 50 of those situations we're doing really well and then finally we need to build in that resilience and that's where that flexibility comes from and that's where that agility comes from and you know in a non-profit world I actually think we are at an advantage because we are so chronically underfunded understaffed and under-resourced that we have to be creative we have to be resilient we have to be agile every single day so we are actually in a really strong position when it comes to responding to risk because we have to do it not necessarily respond to risk but we have to be creative all the time where I do think we can improve in the non-profit sector is looking at it in a bit of a more formal way let's actually sit down and think about our approach to risk incorporating all of these other wonderful creative things that we have the ability to do but let's think about it in a little bit more of a structured way if we can bring more structure to the risk conversation we're going to be in a better place so skill sets any and all so I’m actually right now in the process of creating a community of practice at JA worldwide and I’m asking for representatives from all of our member offices and at first people were saying well you know I mean do you want our CFO do you want someone from our finance office and I had two criteria my first criteria was I want somebody who's passionate and interested in integrity risk and compliance I don't care where they come from but I want them to have an interest and a curiosity and number two I want them to be in a position where they can take what they're learning in the community of practice back to their organisation and start to implement it the more diverse the better it is but those are my two requirements so you know I think that everybody can be a risk manager everyone needs to be a risk manager and so I don't necessarily think that there has to be a particular skillset to get into risk now your third question was the regulatory body so I’ll get to that one too yeah absolutely I think that regulatory bodies but let me actually take this from less regulatory bodies and more donor sides right so it's relevant to non-profits what I would love donors to do is two things one genuinely take risk management seriously don't just add it don't to your you know say in your proposals add an appendix that tells gives us your risk assessment I mean that that's fine any organisation could do that but that doesn't really genuinely communicate that the donor kind of has their arms around what risk really is and fund it fund capacity strengthening not only for your prime and your implementing partners but for yourselves all of this talk about localization and engaging you know the local partners on the ground is all well and good but donors are not choosing to accept more risk they are continuing to do the risk transfer to the larger kind of middleman larger NGOs and saying we want you to work with more smaller partners but you still have to meet our compliance requirements and you can't have your cake and eat it too and so you know if donors are serious about localization and about getting smaller and more on the ground partners engaged donors will have to accept a higher risk because simply you know again no charity establishes itself because they say they want to meet the USAID or the diffid you know or whatever compliance requirements and they're ridiculous donors not so much regulatory bodies in the third sector space but donors need to genuinely have a real frank conversation among themselves about what it means to accept more risk if they want to have more localized and impactful programming so that's who I would talk to more than regulators
00:29:41:15 - 00:29:49:20
I’m just thinking is there any particular you know where would you go to reach that donor audience to get that message out to them?
00:29:51:06 - 00:30:10:17
it's a great question you know I mean when the grand bargain came down several years ago and localization was kind of part of that conversation during the grand bargain you know they were all sitting there around the table the Scandinavian countries are actually pretty good about kind of moving in the right direction but overall you know on the grand scheme of things they're kind of smaller donors I really think that you'd have to have the Americans the Aussies um the un for example I mean the UN compliance requirements are crazy you'd really have to have almost another summit on localization which you know we have a lot we have a lot of summits on localization in the humanitarian and the international development sphere but risk is not on the agenda and risk transfer isn't on the agenda and I’ll tell you why because donors I don't think want to be put on the spot and I get it um they're fighting their own battles with their own funders you know and it's really hard for them to go to these budget holders and say give us more money and we can't guarantee impact we can't guarantee output and oh yeah the risk might be higher so I get it but then at the same time if you're going to you know have these big statements about localization and how we want to engage the global south more how we want to decolonize aid I mean all of these really valuable conversations you have to have risk on that agenda too and I just haven't seen an honest conversation about putting risk on the agenda so that at least we're all on the same page the other thing too if you flip it on its head if donors aren't willing to accept more risk than donors should put more resourcing and funding into capacity strengthening right so if you don't want to accept more risk then go downstream and raise the capacity of the smaller organisations that you want to work with but don't just say we're not going to give you more money for that and you still have to meet all these compliance requirements and oh by the way we want you to work with this to your partners you know where would we go to talk to them I think some of these localization summits some of these global fundraising summits you could probably bring this topic up in any humanitarian or international conference why not why not at risk on the agenda?
00:31:57:17 - 00:32:14:12
and I suppose the answer to that might be people find it scary they don't like the potential negative outcomes that could arise um so they just like to sort of focus on the positives to get things through yeah that's difficult one that one isn't it really?
00:32:14:16 - 00:32:39:15
but that's a great point Michala that you just raised about how people think of risk as it's being very negative and challenging the international definition of risk is the effect of uncertainty on objectives it's six words right it doesn't say horrible things that could happen how your program's gonna crash and burn it's the effect of uncertainty on objectives so when we think about risk the scary risks are threats but risk can also be opportunity right risk can be positive you know corporations often say there's no reward without risk because risk is an opportunity we actually could look at this from a donor point of view and the donor could position themselves in a way that says we actually have an opportunity to strengthen these smaller organisations and make them more sustainable by helping them understand how to manage risk
so that could be an opportunity so we need to think of it in a positive way and not just a negative thought
00:33:09:15 - 00:33:57:01
yeah as human beings we are wired towards negative rather than positive aren't we so it is a difficult thing but obviously the professionals like yourselves who are able to help refrain and that's the thing isn't it you need people in the organisations who are able to actually help with the reframing I’d like to bring the conversation back specifically to trustees um because cybility savvy is for you know trustees and the leaders to you know get them thinking about their own organisation and so I’d be interested in knowing what your kind of thoughts are on where trustees should be in relation to risk and the specifically the sort of decision making how risk can help with that decision-making?
00:33:57:09 - 00:34:17:07
so this is a great question and obviously boards and trustees have um the a major role to play when it comes to risk you know they say tone at the top mood in the middle buzz at the bottom right well the tone at the top comes from the board I’ve been talking to Tim Leech and I mentioned him earlier but I talked to Tim Leech a lot about board engagement and one of the things he you know was saying to me and he was just like Sabrina it's so frustrating we you know boards are so much more focused on the oversight role the you know kind of again box tick are we doing our financial audit reporting to the charities commission in the UK if we need to do that much more compliance than it comes to risk and Tim has some really great thinking and writing that I have um I’ve also kind of really internalized and I think is super interesting to think about purposeful organisations and purposeful boards and boards helping organisations identify purpose and there was a great thing that I read the other day and it was it was saying an organisation's purpose should have nothing to do with their goals but everything to do with their values you know and again integrity values you know trickles down to risk trickles down to compliance if a board sees its role as opportunity identification and value protection tied in with the organisation's purpose they're going to be so much more valuable than if they are simply taking a box about the financial audit I also want trustees to feel empowered to ask for the right information an organisation is never really going to engage in dynamic risk management if the board is not asking for something if the board continues to ask for a risk register and continues to ask for a quarterly heat map nothing is going to change if I was a trustee I would be asking your organisation to demonstrate how their risk management program is dynamic and see what you get don't give them any hints just say I want you to explain to me how you know you ensure dynamic risk management see what they say the other question that boards can ask is how does your risk management program tie directly direct line to objectives and how does your risk management program tie directly to the decision making if you have to go through a few other areas it's not direct and it's not worth your time so boards need to be having regular conversations if you if the organisation has a risk role invite that risk roll to come and talk to them you know and invite that risk role if you simply ask those questions and all you're getting back is these standard documents then you know you have a problem but it's a great opportunity to open that dialogue and get them to think differently about things
00:36:52:05 - 00:37:21:21
yeah and I love that about if the board don't ask the organisation aren't going to make that change one of the things we do like to do here is think about any of those questions they should be challenging the executive with so thank you for giving them some really practical things that they can take away you talked about value protection is there anything so specific in the way that trustees can help do that?
00:37:22:04 - 00:37:55:08
you know of course there's all the traditional things that trustees can do you know trustees can be good advocates for their organisation you know engage in inappropriate appropriate advocacy obviously appropriate fundraising um you know I remember all trustees should also be donors using your position as a trustee to open doors for your organisation and identify value-creating opportunities right where are some synergies between your organisation and a sector that might not have thought about it before trustees can definitely you know using where they see them you know at their level and say are there some really creative ways that we can overlap with what our organisation does with a sector that maybe would be a non-traditional one but could create a lot of value depending on what comes out of that relationship
00:38:13:21 - 00:38:26:06
do you think there is a role for sort of mentorship between say large organisations small organisations risk buddies or something like that
00:38:26:14 - 00:38:54:09
risk buddies that's like a really interesting concept I had never thought about that before I’m a big believer in mentorship right regardless of whatever it is I mean I think mentorship and coaching and all that stuff is really important I mean to me it comes down to capacity strengthening whether it's individual capacity strengthening organisational capacity strengthening whatever it is the challenge would be pairing up the right individuals and organisations again because risk is really contextual and it's quite particular to the environment that you're working in I’m not sure actually the developments in risk in the non-profit sector are even mature enough to have a coaching I think we are all coaching each other and I think right now at this point there's still a lot of chaos in our universe so you know we're like right after the big bang things haven't settled down yet planets are smashing into each other we've got all sorts of things going on which is exciting um but I think you could probably learn from smaller organisations you know as much as you could learn from larger organisations because we're still figuring it out I think it's a great idea I’m just not sure if we're ready for that yet in a cyber sector absolutely I do think that you could benefit from larger more mature risk entities you know companies being able to mentor and support smaller NGOs because a ransomware attack is a ransomware attack is a ransomware attack whether or not you are a bank a chemical corporation or you are doing child and maternal health programming in upper Egypt so in that area where I think we have subject matter that is quite settled yes I absolutely do think that you could benefit from that
00:40:03:13 - 00:40:12:19
I normally ask people about sort of three things and I understand for you that rather than going for books you've opted for something different do tell
00:40:12:19 - 00:40:33:21
so I have three people that I would recommend people to follow on LinkedIn from a risk point of view because I think that they're doing some really interesting stuff so I’ve mentioned Tim Leech a lot but I will mention him again Tim Leech he is the guy that has really come up with the core um of objective-centred risk management as I’ve developed it he has a great and a lot of materials online about how organisations can switch to thinking more about putting your objectives at the centre of risk and then working around there the other person that I would say is a guy named Warren Black he writes a lot about complex wicked problems they are problems that are multifaceted and dynamic so once you find the problem it continues to change and the last guy that I would say um to follow is his name is um Elliot Schreiber s-c-h-r-e-i-b-e-r he wrote a book on reputational risk you've got three main risk categories right in general you've got financial risk legal risk and reputational risk for non-profits the number one risk that we have to be aware of at all times is reputational risk if we lose our reputation we're done our reputation not only helps us with funders but it's what gets us in the door with vulnerable populations it helps guests build trust with the beneficiaries that we're trying to reach the participants in our programs and as soon as you have an incident safeguarding incident child protection incident a data protection and privacy incident you know any of those things that happen you're done for and so I strongly suggest following Elliot he wrote a book about it but he's got really interesting thoughts
00:42:04:11 - 00:42:13:14
yeah no that's great thank you I’ll definitely be doing that what's one question that you wish I’d asked you that I haven't and if I had how would you have answered?
00:42:13:20 - 00:42:33:17
I think maybe one question it's a hard question I’m kind of glad you didn't answer it but I’ll put it out there is you know how do you win over the blue birds right how do you win over the naysayers how do you win over the people that don't think risk needs to be there or the ones who are feel threatened by risks one of the things that I’ve learned is there is a benefit to being a compliance person too right but again compliance and I’ve got my little you know I’ve got my triangle right you've got integrity at the top of triangle risk is at the middle but compliance is the foundation and as much as people hate policies and procedures and bureaucracy and all that stuff and I hate it too you need to have that there in order to manage your risk to have integrity because it comes down to accountability and unless you don't if you don't have things written down then you're gonna have a really hard time with accountability one of the things I found is the people who are going to challenge you fall into one of two counts one they're challenging you because they don't like change they don't understand why you're there they don't understand the value of having a policy or a process around a certain thing you can win those people over it takes time you have to talk to them you have to explain how you're there actually to make their life easier let's work on this together I promise you won't be reinventing the wheel a thousand times once we get this down on paper the other camp are the ones that love having this chaos because they're able to get away with things that they otherwise would those are the ones that are the challenge depending on how sophisticated they are you may never win them over but what I have also found is the people that work around those people tend to appreciate having those processes and procedures in place because then it gives them something to sort of hide behind when they're trying to do the right thing so if you have an individual who is a bit manoeuvring and manipulative and likes to have this left and right but you have people around them that's driving them crazy or it's not going to help them at all do their jobs giving them a written process to point to right because then it's not them saying hey we can't do it this way then it's them to say this is the process this is where your policies your processes and procedures are important now you are going to have those people that are going to say I don't want a bureaucratic state I want to have you know it's going to stifle innovation we're not going to be able to be creative and I go please tell me how writing down your process for submitting your reimbursement receipts is going to stifle innovation I’ll wait the other thing too is I am a big advocate of a strong um and frequently used waiver process there is no way you can ever write policies and procedures and processes that are going to cover 100 of what you're doing every one of them should have a statement in there that says this can be waived by using the following process right have a process for your waivers make sure it's documented but allow for it right for god's sake don't stuck people with a process that doesn't work I mean for the situation have a waiver just document it that's all I ask right so we're not stifling creativity what we're doing is we're creating repeatable efficient effective processes for 80% of what we do and with waivers
00:45:32:04 - 00:45:44:19
You know that's great lots of the useful tips there just thinking then about again the trustees and what they can take away what would be your sort of one key message to them?
00:45:44:19 - 00:46:15:15
throw away your risk matrices the thing about risk matrices and risk appetite statements and risk registers is it is a false sense of security you may have those documents but those documents are not doing anything for you make sure that risk is integrated into your ways of working the other dangerous thing too and this is me with my lawyer have on is you know if you have your risk matrix and your risk register and your escapade statement and you know the proverbial poop hits the fan which you don't we know it's going to happen it's not a question of if it's a question of when you have all of these really shiny fancy documents but you're not actually doing anything with them it's going to be double the problem for you because not only now are you going to be dealing with whatever went wrong when the auditors the investigators come in they're going to be looking at all these fancy documents going but you had all of this here why didn't you follow it again trustees need to get reporting and we talked about this earlier trustees can ask dynamic questions to get dynamic answers don't just ask for the risk matrix to be updated every quarter it doesn't do anything ask your leadership team to explain to you what has changed in your landscape how have you changed how you're implementing your programs in response to what's going on in your operating or contextual operating environment ask them to describe to you what has changed in your operating environment
00:47:10:18 - 00:47:18:23
yeah say there's a trustee listening at right now that wants to get in contact with you to understand a little bit more what's the best way of doing that?
00:47:19:08 - 00:47:24:15
I’m on LinkedIn yeah I’d love to connect with people I’ve had so many amazing conversations with people
00:47:24:15 - 00:47:27:12
Well, thank you so much, Sabrina. It's been absolutely lovely to talk.
00:47:27:21 - 00:47:38:13
I hope so. Thank you so much for this. It's been so much fun.