 So welcome everybody to our TechSoup event. We are excited to have Omar here with us today and I believe we're talking about risk management today. I'm a little bit about TechSoup before we get started and then I'll hand it over to Omar to introduce himself. TechSoup, I'm your TechSoup host for Ontario Meetups. I got involved with TechSoup just before the pandemic hit. I was hoping to do in-person events but it's ended up being online but I got involved with TechSoup as I also run a nonprofit and I was looking for resources for our nonprofit. And because of my love for technology and helping others I ended up becoming an event host here so I'm excited to get connected with lots of interesting people and help bring some great tech resources your way. We are a global network so there's a whole bunch of chapters across the world and because of the great technology we have you can actually go and attend sessions like this for other chapters in provinces and countries. A little bit about me, if you haven't met me yet my name is Sandra Amar and I'm a digital workplace expert. I do work full-time in IT as a project manager, product manager, but I also run all about systems where I help smaller businesses and nonprofits use technology more efficiently to help build more efficient digital workplaces. I do a lot of work with Google Workspace which is I do a lot for more, so for the nonprofit side since the Google workspace for nonprofits is free for nonprofits. I do a whole bunch of other things as well but we're not here to talk about me, we're here to talk about what OMR has to share so I'm gonna keep going. These are our community values and I'll quickly go through them. We welcome everybody. Obviously we put our community first and we're all here to support each other so if you have something to share either reach out to me, put it in the chat. We want to build stronger nonprofits and tech is why we're here and one of the tools that we use to help you build nonprofits. The way I look at it is if I can help bring tech to you then you can help do good in the world and hopefully by a little bit of six degrees of separation I'm also helping the world in that way. We would love your participation. We all have something to learn and contribute from each other. If you have ideas for other sessions or if you have something you wanna present some ideas even if you are a nonprofit and you've done something really well or maybe you've implemented a new tool that you think other nonprofits would really love to hear about I'd be happy to set up an event like this where we can each share our stories. That would be a great way to learn and share from each other as well. And it goes without saying but sometimes it needs to be said we treat each other with kindness and respect. I already mentioned we are a nonprofit so we run with volunteers. I volunteer my time to help put these events together. If you have any suggestions or you want to plan an event obviously we would love to hear from you. And hopefully at some point we can get back to in-person events and actually take advantage of that whole welcoming crew for in-person events. But for now we're here and TechSoup is as some of you may already know helps connect you with donated and discount technology products everything from software to hardware in between and some of the projects that they offer or that you can get through TechSoup. These are some examples. And again, the Google workspace for nonprofit program is access through TechSoup by validating your nonprofit status through TechSoup. That's how you can get that. So a little bit of a comparison as to how much you can actually save through TechSoup depending on kind of what products and tools you need to run your nonprofit. There can be a significant savings by being part of the TechSoup program. We also have forums that you can access to ask questions and get answers. And you can visit that at this website address here. And finally, this is the event page for our events which is you would likely already know this because this is where you would have found out about this event most likely or at least had to register for it. All right, so I'm done talking a mile a minute and I will pass this along to Omer to take over and to share a lot of great information with us. Thank you very much Sandra and hello everyone. So my name is Omer. I'm the founder of Vectors Institute and Vectors Group but I'm also a passionate follower of nonprofit sector. So everything I do is to add value to the nonprofit sector. So a couple of years ago just before the pandemic we published a book on risk management for nonprofit organizations with a professor from Dalhousie University. It was a nice coincidence from this aspect because it provides the powerful tool to deal with the challenges and the opportunities of the COVID. And today I'm going to introduce this framework and in the meantime we had a chance to work with several nonprofit organizations and it's a framework but we also had a chance to practice it and see some significant results. I'm going to start with my presentation but if you have any questions or comments please feel free to jump in and don't wait until the end of the presentation. Unless you want to, I will answer the questions at the end of the presentation as well. So Rick Mason, this is the other guy I was talking about. He's like Einstein. He had been working with financial institutions for on risk management. He's a global guru in risk management and with all of his previous research was on risk management for private sector. So he agreed to do something for the nonprofit organizations and this is the cover of our page. You can find it on Amazon or easily. It's published in the United States. So the book starts with a simple question actually. What is risk and what is risk management and why does it matter? So do we really need risk management? For many nonprofit organizations risk management doesn't seem like a necessary activity. I know some of them have risk plans but they are not active and risk management is not only about managing negative risk. So managing positive risk in other words, managing opportunities can also be very critical, very strategic for the nonprofit organizations. So the definition of risk is an uncertain event or condition that if it occurs it has a positive or negative effect. So this is really important to understand the positive effect. This is what we are looking. So the COVID was terrible and it brought lots of negative things to our societies but also it brought some opportunities for growing nonprofit organizations and for new ideas for innovative projects. So we hopefully we pass the most challenging part. Now it's time to focus on the opportunities and by opportunities, ways of helping more people, ways of improving our impact and ways of growing so we can help more people. Risk management is to support the objective. So it shouldn't be a burden on your already overwhelmed workloads. It has to have a strategic input to your objective. It has to be a practical tool that makes a difference for your organization. If this is the case, you don't need a strategic plan. Risk management is like funding or visibility, social media marketing. Risk management is also something that can really benefit your organization. So risk is always there. We either manage it or not. So let me give you an example. So I have two sons and one of them recently he got his G2 driver license. And when he drives the car, he pays attention to traffic signs. He's a good driver, he's a careful driver, but he doesn't have a long-term objective. He just enjoys traveling randomly in the city. So I call this operation. So he's really good at operations, but in the long-term, he doesn't have any long-term objectives. But when my wife drives the car, we have a clear objective. We also pay attention to the operations, but we also have a strategic goal. And assume that there are two friends that they would travel from Toronto to Ottawa. Okay, so one of them is careless and she doesn't pay attention to any traffic signs and the other drivers. And the second person, she is very careful. She put her safety belt and she follows the traffic signs. And after five hours, they both safely arrived to Ottawa. So one of them literally managed the risk and the other one ignored the risk. And the outcomes were exactly the same. So we need risk management on this until we don't need risk management until there was an extraordinary incident either positive or negative. So that was a good scenario, but imagine that there were accidents. Both of them had accidents. The one who used risk management properly could be in good condition, whereas the other one might have some consequences. So it's same for the non-profit organizations. Your organization can survive without risk management, but it means that you are open to incidents, negative incidents, and you cannot benefit from the positive opportunities. So lots of things are happening. Many non-profit organizations grow much faster than before by becoming digital and by leveraging the advantages of this era where many other non-profit organizations, they have no clue how to adapt to the new world. And the reason for this misalignment is the lack of proper risk management tools. So positive risk management can introduce opportunities and there are tons of opportunities. Okay, so we are surrounded with opportunities, but if we don't have the right filter, we cannot see them. And the right filter is having positive risk management approach. Risks that can be anticipated or risks that emerge during the course. So we basically face two types of risk. And the anticipated risk, we know it's gonna snow tomorrow morning, so we can be prepared for this. We know that the government is going to release some funds in April, so we must be prepared for this. If they are looking for collaborations, we need to develop some ideas, build some relationships and be ready for this upcoming positive risk. But there are also some risks that emerge during the course. So we cannot predict them, but we can be prepared for them. What we need to have a risk plan, just in case if something happens, we should know how to react at all levels. Anticipated risk can arise from two principle sources. The first one, risk related to management and it is you, the nonprofit leaders. Risk residing in the wider external environment. And this is the environment and our funders, our stakeholders, the society, the COVID, everything around us that we cannot control with that kind of effects on performance. So the risk related to the management, this is the simplest one to solve if you have the intention. So insufficient or non-existing planning. So if you don't have a risk plan, we cannot complain about the negative impacts of risks. First, we need to have a proper plan. Inappropriate stakeholder management. I know you know this very well, but yes, it is part of risk management too. So getting your stakeholders on the board and getting their support to mitigate risk or increase your chances and opportunities. This functional communication for selection of team members, those are just examples of management related risks and that they can easily be controlled. Those risks are also called internal risks. Anything related to the organization because they are caused by the organization itself. So we create our own risks, but there is a positive side in that one too. So we can also solve them easily because it's internal. Risks residing in the wider external project environment, this is some kind of challenging. And real approach organizations can find ways to benefit from those risks as well. They need to monitor the environment and make the right decisions when needed. They are only controllable by distance stakeholders, let's say politicians, researchers, or global companies that affect the overall society or other decision makers and they are partially predictable, okay? Not fully predictable, but partially predictable. Emergent risks that we don't forecast, we cannot predict. In addition, emergent risks stem from sources that are by nature unpredictable, which is the COVID outbreak of pandemics, natural disasters or political revolutions. We don't experience severe political changes in Canada, but again, even the minor tiny changes in the political road maps can influence the non-profit organizations significantly. So what do we need to do? First step is to acknowledge the existence of risk, okay? So we cannot ignore. If there is a risk, we have to do something about it and knowing about potential differences in attitude towards risk. So we know that if you ignore the risk, the consequences may be severe and you may miss the opportunities. And those two items is a good foundation for properly managing risk. It is basically the first step. Now, Vista risk management framework that we developed for non-profit organizations. So Vista stands for vision, strategies, and actions. So we basically suggest an alignment between vision, strategies, and activities. And it's rule of thought, but in practice, when you look at the lots of unrelated activities and strategies, which causes to raise the limited resources of non-profit organizations. So this is the overall framework and I'm going to introduce briefly what they mean. We have five layers and on the top, we have some subcategories. The top starts with the Vista circle. As I explained, Vista stands for vision, strategies, and actions. So this is the first rule for successful risk management. There has to be an alignment with your vision, strategies, and actions. So when I ask you, if I ask you, do you think Royal Canadian Navy shall buy a farm in Nova Scotia? Probably all of you will say no because it has nothing to do with the strategies of Royal Canadian Navy. But on the other hand, when you look at the practices of non-profit organizations, you can do this test in your organization as well. Check all of your grants, check all of your activities, and do some matching with your vision. Are they correlated? Do they support each other? Or are there actions that support all of your strategies? Or are there some strategies that are not touched? They are in strategy plans, but nothing has been done about it. So Vista, this is the Vista circle. In the second phase, you see this triangle in the outer side of the Vista circle. And we call it risk management triangle. And we basically focus on three parameters. What is the probability of the risk? What is the impact of the risk? Sorry, Omar, we don't see, I think I'm not sure if there was a change in slides or not. So we still see just the first part of the first sentence, acknowledging the existence of risks. Is there another diagram on that side? Oh, I moved a lot actually once again. I don't know why you can't see it. Can you see it now? Yes, now I see it. Okay, I just go out and stop sharing and then reshape it and it seems okay. Okay, so this is the framework. This is really what I want you to see. This is the framework. And the first one is this Vista circle, vision, strategies, and actions. And then the next one is the control, impact, and probability. You can see it, right? Sandra? Sorry, I was trying to find my mute button. Yes, we can see it now. Okay, perfect. So the second level is risk management triangle. And we measure this, control, probability, and impact. And I'm going to show you how we measure. And you may be used to this impact and probability from the other risk management tools. But in our model, we add another parameter, the level of control. Can we control it or not? So this is an important parameter in risk management. And the third level is the stakeholder trio. So whatever you do in risk management, you have to coordinate it with your beneficiaries, with your sponsors and regulators, and with the service providers. Your staff, your partners, and your volunteer. And finally, we have these five stages. We start with the risk identification, risk analysis, risk treatment, risk mapping, and risk governance. So far, it looks like a conceptual framework, but it is not. It's a quantitative numerical model. And it's simplified on purpose because we want nonprofit organizations to be able to use it without expert assistance. And those are easy steps. You identify the risk, you consult with your team and say, what are the risks? And then you prioritize, you analyze them, and the outcome of the analysis is the short list of risks. And then you treat them, how you determine how we're going to treat them. You map it, and I will show you, you put all risk components on a single chart, and that's really important for decision makers to see everything on one slide. And then risk governance, which basically highlights the importance of including your board in risk management. So how can we successfully implement risk management? That was the framework, and now I'm going to show you some practical steps of how to implement it. So this is the risk map that we use. And as you see, we have those three parameters, the probability of risk, the impact of risk, and the level of control. So the level of control is the size of the circle. It's indicated with the size of the circle. And as you can see in this example, we have two risks. One of them is on the positive side. So it may have a positive impact or a negative impact. So B is on the positive side, so it's an opportunity. It's a small circle, which means we have limited control over it. And if you look at the probability, it's around 50%. And when you look at the other risk, it's on a negative side, the probability is very high. The potential impact is very high. And the size of the circle is big, which means, yes, I'm going to provide you a template that you can use. And I will show you a real-life example that we developed for a nonprofit organization. So if you have those two rescued and assume that there were more circles on this chart, you can easily prioritize which one is more important. So in this particular case, risk A is the one that we need to focus because this is something we can control. And then you can use color coding after plotting all of your risks on this chart. So red means be careful, prioritize the risks in that area. And green areas try to push all of the risks to those green areas if you can control them. And you can also repeat this measurements every year or in six month periods and see the progress. What was our risk six months ago? Now, what is our risk? Because I know you experienced this continuously. Everything changes almost in a monthly basis, right? So V phase, a totally different world than January. And then you can group them and say, so those are human resources management related risks. So if you are from a big nonprofit organization where you have an HR department, you can give those risks to the HR department. And those are financial risk components. You can task them to someone else. Now, this is a real example. We have done with a couple of organizations. So we started with the risk identification. We identified six categories. So they are applicable for most of the nonprofit organizations, but you can have your own categories too. The beauty of the model is it's flexible. So you can use the template and you can make some modifications if you need. So we identified the six main categories, operational, human resources, legal, financial, strategic and infrastructure and equipment. And then we consulted with the board members and the staff members. They identified a list of 700 risk items. Okay, it was a big organization. They had 300 employees and we asked everyone to share their opinion. And then we filtered this because there were some overlaps and we came up with this short list, okay? So operational, we had seven for human resources. We have six and probably most of them are applicable for your organization as well. And then we have, we plotted them and for every single prioritized risk, we developed a plan. So for this one, for example, the probability is high. The impact is very high. How can we move it to the lower right corner? So we talked with the team and we developed a strategy. And same for the positive risk, how can we increase the positive impact risk? How can we leverage the opportunities? Another tool that we use was, you don't have to use that one, but it's a good classification tool for the risk management. We have two categories here. Human-related risk and other risks and on the horizontal axis, we have the internal risks and external risks. Most of the risks are human-related. Most of the occurring risks, let's say. So we had four categories and then we tried to put all every single risk component in one of those boxes. But some of the risks items didn't belong to us. So they had some internal components, some external components, some human factors and some other factors. So you don't need to limit yourself with the boundaries. You can put them anywhere you want. So what we have done, once we identified the list of risks, we asked decision makers and the people who are familiar with the organization to mark them, to create them between zero and 10. Now look at the first one. So security, safety and health risks. So we asked the direct question and we said, what is the probability of the risks you foresee? We don't need the details yet. We don't need to clarify what it means for now. We just asked everyone to identify the probability they have in their mind, the impact, the control and we give them a chance to share their comments, what they see as security, safety and health risks. And if there is too much misalignment then we organize meetings with team members and agreed on the definitions of those risks. So this was the survey we used and then we collected data from decision makers. We took the averages and once we have those three numbers, we were able to plot them on the charts that I showed you. So this one, so probability impact and the size of the circle indicates the level of control and we were able to plot all of the risks on one single chart. And this was a powerful communication tool because when we went to the decision makers and the board members, they could easily see where they need to focus because everything was on a single chart. But on the other hand, the staff, the executive director and the rest of the staff had the details, right? So they were ready to respond to any of those risks but this was for the risk identification. The missing components and which is quite new, none of the models you have seen so far have this. We have a plan, but what are we gonna do? So usually we have a risk plan and we just identified the risk, we identified the probability and the potential impact but we don't determine how to react to the risk. So that component was missing, also missing in the literature. So we developed a new methodology called active. It's the initials of six stages, as you can see. We start with the activation, we analyze the case, we form a team. Sometimes it can be the existing team. For example, if you have a fundraising team and if the risk is related to fundraising that team can take it. But in some scenarios, let's say there was a cybersecurity threat and you don't have an IT team. You need to form an adult team to respond to the risk. So T is the team formation. And during the case analysis, you also determine your plan. And at the fourth phase and implementation phase, you implement that plan. No plan is perfect, right? So we continuously need to revisit the plan and make sure that we are on the right track and everything works as planned. So we verify the plan. And if it is not working, we go back to the C stage, case analysis. And if necessary, we change the team and we start implementing the new plan. And finally, after everything is finished in a timeframe and we strongly suggest to have a timeframe, there is no endless risk management. You need to have a timeframe. And at the end of this timeframe when the risk procedure is finished, you have this ending phase. Ending phase is ending an evaluation phase, actually. You look at the past, you determine what worked well, what didn't work, what can be better in the future and how can you prevent negative risks or how can you benefit more from positive risks in the future? And you record it. So for the following, for the future, employees of the nonprofit organization, this will be a good guideline. And sometimes even for Europe because we can easily forget what we have done in the past, but we can always revisit those documents and get a clue how to react. So activation is the first step of the risk management process. So somebody has to announce it. Usually it's just the board or the executive director or a director who says, okay, there is a risk we have to do something about it. And this we call this as an activation stage. Why is it important? Like safety is a risk, right? And there is no timeframe. We say, okay, everybody has to pay attention to safety, but this is not the proper risk management. We need to activate the process and say, okay, from now on until the end of the year, safety is one of our primary risk factors. And then as suggested in the model, then we go to the next stage and we analyze the case analysis once the process is activated, the project manager or the risk case manager with the staff and the decision makers when needed and outline the scope of the risk management. How are we gonna response this? What resources do we need? How can we collaborate with other organizations? What are the outcomes that we expect? So it's literally preparing a micro plan for every single risk case. But this only happens after the activation, right? So if sometimes you foresee some risks but they never occur, then you don't go to the active phase. You use active model only when the risk, okay. And during the case analysis, you also identify necessary resources and the time plan and then you go to the team formation. Depending on the nature of the risk, you form the best team. So if you need someone with cybersecurity background, you add him to the team. If you need someone with communication skills to communicate with public, you add him in the team. You can also use the in existing team if it is perfectly aligned. And then at this stage, you also assign a team leader. So it can be the natural leader like the director of the program or the person with the highest hierarchical level can be the team leader or you can task someone to do it. Let's say if there's a risk about cybersecurity, executive director may not be the right person to deal with it. So you may have someone in your team who has more background or better knowledge on cybersecurity. And the next phase is implementation. You start implementing the plan in coordination with the rest of the staff. And verification, the next stage is verification. The project manager or the risk project manager and the team leader will check the progress and verify that the risk management plan is working. Okay, so it's important because if we notice something is not working, we don't need to wait until the end. The formal process has a backup plan, has a closed loop circle, has a control system to go back to the previous stages, to the case analysis stages, which was the second phase. And finally, the ending as I highlighted, it can be successful or unsuccessful. It doesn't matter what we can learn from our failures and we can learn from our successes and we should. So we at this phase, we close the case, we prepare an evaluation report with some suggestions for similar cases in the future. The project manager will submit the information to the decision makers and other stakeholders, right? So sometimes we may prefer to consult our risks with external stakeholders, sometimes not, right? Let's say, if you are a direct service provider and if you are experiencing financial risks, it is okay to go to the funders, right? Like you can go to city of Ottawa and say, this is a service we deliver on behalf of society and we need your support. And this is the evaluation report that we got so far and you can get their support, ask for their support. So I want to highlight this positive risk component little bit more, COVID was terrible and I'm really sorry for the people who suffered during this period. On the other hand, just like in any other crisis, any other global crisis, it also brought lots of opportunities for nonprofit organizations. So while dealing with negative risks, we shall not forget the positive risks and the opportunities. So some of the ideas that came to our minds, pandemic changed the world. Okay, so this is something we all know and now we have a totally new world which was already there even before the COVID, but now it's more promising to the nonprofit sector. So internet is a domain with lots of opportunities and I believe all of us agree on that. Well, how are we going to manage it? Where do we need to start? Where are the opportunities? Why can't we see it? Can we just learn from the experience of other people or can we just, can we be reactive and wait until something happens or can we be proactive and manage our own future? And the answer is yes, we should manage our own future and one of the trending topics in one of the popular projects is digital social enterprise, for example. Digital social enterprise can be a good positive opportunity for nonprofit organizations after the COVID. Okay, thank you very much for listening. I will be happy to answer your questions or if you have any comments, if you have any inputs, please feel free to share with me. Thank you, Omer. That was very impressive, very thorough. If you guys have any questions, feel free to either enter them in the chat or you can come off mute and ask them directly. Okay, we've got a question here. Could you go over the control part again? I wasn't sure how to map it in the graph. Thank you very much, Jean-Paul and Dana. So the question came to you, Sandra? It's in the chat here, Sarah. Okay, control part again. I wasn't sure how to map it on the graph. So we have the survey, okay? So we rely on the answers and observations and knowledge of the people, of the decision makers or knowledgeable stakeholders. So in your organization, you determine who those people are and then give the survey to them and ask them to populate those cells. And for each risk, you ask them to put a mark between zero and 10. Like for probability, what is the probability of experiencing a security safety or health risk? Nine, so it's very risky nowadays because of the COVID. Let's say the probability is nine, very high. What is the impact? Luckily, it is not as impactful as before. Let's say four. And the level of control, how much control do we have over COVID? Very low, almost zero. Let's say one, okay? Now we have those numbers. We go back to this chart. So the probability was 90%, so it's somewhere here. The impact was negative, but not minus 100. Let's say it is minus 30, minus 40. It's somewhere here. So we are at this point. And since we have very limited control, we just draw a very small circle here, each indicates that we have very limited control. Okay, so the size of the bubble, is that what you're talking about? Was it how you put it? Okay, got it. Sorry, I used a long way of explanation. That was good, I wasn't sure exactly how you got that piece of data onto the map. So that was helpful, thank you. Yes, and once you plot everything, you will have several bubbles. You cannot manage all of the bubbles at the same time. That's where the governance comes in. And they prioritize and they say, let's choose one, two, three and forget about the rest for now. Okay, thank you. That was great. It was a very helpful explanation, thank you. I don't see any other questions. Does anybody else have anything to share or add? All right, with that, I'm going to just share our next, whoops, not that screened, our next events, whoops. I don't have too many tabs though. These are our next events coming up. So if you're on the TechSoup event site, we have another event from Trella's coming up. And Omar, I believe these are two more sessions coming up from you later this year. Yes. And we'll be adding, I'll be adding a Canva, kind of many training sessions because that kind of came out in one of our previous ones. And I have a couple other in the works too. So keep an eye on our events. And if you guys have any questions or comments or feedback, please feel free to let me know. Excellent. My pleasure. Thank you. All right, thank you again, Omar. We'll see you in a couple of months, I think. Bye. Have a great day. Bye everyone.