Most non-profit boards rightly focus their risk governance on identifying and assessing risks before developing a set of escalating controls to prevent an adverse event. They then consider how their organisation should respond should the hazardous event actually occur, and how those measures can best mitigate the damage that arises.
Some also consider their incident response methodology, recognising that this is their opportunity to add value as directors by improving future risk management plans. Maintaining an incident register is merely a bureaucratic exercise in record keeping unless your risk committee reflects on the pattern of incidents, and digs deeper into the causes and contributing factors which allowed adverse events to occur.
The effort required to do incident analysis can be considerable, and allocation of the necessary time and other resources to do this formally may only be required by your board in ‘severe’ cases, involving critical or catastrophic outcomes. Informal review processes may be used for less severe ‘incidents’, so that these too are remedied. Some organisations use a critical incident report template to capture relevant data, and to record the analysis of the root cause and contributing factors.
Most adverse events demonstrate an array of coinciding factors that allowed things to ‘go wrong’. Understanding the root cause is essential to preventing recurrence, but identifying other contributing factors can also be very helpful in refining prevention and mitigation measures.
The definitions offered above may assist your interpretation of the Risk Event Analysis chart which appears in the header image. This is a simplified outline of the steps used in determining causes and contributing factors as part of your adverse event ‘post mortem‘.
Incident Analysis Process
A more detailed procedure is outlined in the larger chart below, and this emphasises the importance of moving beyond simply confirming what happened and why. Identifying what can be done to prevent a similar event occurring in future, and to respond more effectively should it recur despite those enhanced preventive measures, are essential to the ‘value adding’ process.
The factor analysis step (Step 7) suggests that it will be beneficial to classify contributing factors according to type. The chart below suggests seven categories, and depending on which of these were involved, different responses would be required to enhance risk management of processes, people, and systems/technology.
If your non-profit risk committee has not yet considered its approach to incident analysis, they may find some of the ideas covered in this post of interest.