
Risk Management Considerations for Nonprofits: Getting Started

Aug 04, 2023 · 5 min read

Not-for-profits (NFPs) face a range of risks, from compliance and operational concerns to uncertainties related to hybrid work. Effective nonprofit risk management is essential for navigating these diverse risks and for ensuring that organizations can fulfill their missions. A robust enterprise risk management (ERM) framework enables NFPs to identify, assess, prioritize, and manage potential risks. Embarking on the ERM journey can seem overwhelming, but by following these foundational steps, NFPs can develop a comprehensive and adaptable ERM process.

Enterprise risk management (ERM) is, like cybersecurity, an all-encompassing term. ERM is a process to identify the risks that could impact your organization and to decide how each will be managed, based on the organization's defined risk tolerance. A comprehensive compliance and risk management program entails evaluating a myriad of factors, from laws and regulations to operational policies and ethical behavior. Perhaps the biggest risk of all is what you don't know. NFPs are expected to operate in accordance with numerous federal, state, and local laws and regulations, including those pertaining to labor and employment, federal grants, contracts and awards, charitable contribution solicitation, licenses, privacy, document retention, and more. Beyond compliance with laws and regulations, NFPs face financial, strategic, operational, and reputational risks. Formalizing an enterprise risk management plan can help an NFP meet these challenges by informing strategic direction, improving decision-making and resource allocation, and promoting a view of risk as an opportunity as well as a threat.

Add a hybrid workforce, which introduces risk in many different areas, and nonprofit organizations often become overwhelmed and do not know where to begin. This resource covers risk management basics to get you started, with the intention that the organization keeps building out its risk management plan over time. While this resource focuses on the role of management, it does not diminish the role of the board of directors in overseeing risk and using the plan for decision-making.

Before the organization embarks on putting together a risk management plan, there are three actions it should take to set itself up for success.

1. Ensure the proper mindset

A risk management plan is not intended to eliminate all risk, nor should it be considered something to just be checked off a list. The plan needs to be dynamic and part of decision-making for the organization. Starting with someone else’s risk management plan as a template will not allow for the required discussions to identify all of the risks for the organization. Accept that this process will take resources, mostly staff time, to invest in doing it well and going through a defined set of steps. This process will also, more than likely, require an outside facilitator unless that expertise exists within your organization.

2. Identify a project sponsor and manager

Identify a project sponsor who is a leadership team member (or similar) to oversee the project, to ensure adequate resources are allocated, and to provide executive support and influence.

Identify the project manager to ensure the project has an owner who is accountable for the plan’s creation. This does not mean others will not be responsible for pieces of the plan or steps in the risk management plan process; it means there is one person who will coordinate, monitor, and communicate the progress. This may require the day-to-day responsibilities of the project owner be shared among other staff or temporary staff to ensure focus on the plan.

3. Learning

In order to expand your risk management skill set, research what a risk management plan is, what are the benefits of a plan, what to include, and how to be most successful. Collaborate with similar organizations through research calls to learn about their process, what worked well, and what they wish they had known before they started. While there is no one-size-fits-all solution, it can be beneficial to peruse the table of contents or section headers of a selection of risk management plans for inspiration.

Enterprise risk management plan

Now that the organization has done the pre-work, it is time to put together the enterprise risk management plan in a systematic way using the following common five-step process. Keep in mind, some of these steps can be combined or broken down further.

  1. Get organized — This is where you identify the staff and volunteers that will be involved in the project, create a realistic timeline (six to twelve months is typical), and define the risk terminology that will be used in your organization's process. A good place to start is the Nonprofit Risk Management Center's "Glossary of Risk Management and Insurance Terms."

  2. Establish a framework — Explore COSO's Enterprise Risk Management — Integrating with Strategy and Performance, one of the most widely recognized and applied risk management frameworks.

  3. Create risk awareness — Create awareness about risk by conducting risk assessment workshops to educate staff and volunteers from across the organization about risk. In addition to general risk trends (for example, strategic, compliance, financial, operational, technology, governance, human resources, reputation), ensure the organization is current on the risks that impact your industry and the types of services provided. With awareness raised, identify your organization’s risks.

  4. Create a roadmap — Once all the risks have been identified, the team needs to assess, evaluate, and prioritize the risks. The result of this roadmap is often reflected in a matrix or heat map for a visual representation. This helps focus the organization on which risks to address first.

  5. Develop a mitigation plan — Using the probability and impact assigned to each risk in the roadmap, decide how to address each one. A risk can be addressed in one of four ways:

  • Avoid: remove the cause of the risk or operate differently

  • Transfer: find another party who is willing to take on the liability and responsibility

  • Mitigate: reduce the probability and/or impact of the risk to an acceptable level

  • Accept: when not possible or practical to respond to the risk by one of the other strategies, or a response is not warranted by the importance of the risk

Remember, the goal is not to avoid all risk but to understand and be intentional about the risks that your organization takes. Avoiding risk can mean missing opportunities with a positive upside, not just avoiding negative consequences. Defining your risk tolerance before choosing responses is a key step in your risk mitigation plan, because it is the threshold that separates a risk you can accept from one that needs action. A communication plan is critical to ensure that the board of directors, appropriate committees, and management are kept up to date.
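As an added example (not code from the original article or from COSO), the following Python shows how the roadmap and mitigation steps above can be carried out mechanically once a register of identified risks exists: each risk is scored as probability times impact, placed on a 5x5 heat map, ranked, and checked against a stated risk tolerance, so that every risk above tolerance must carry one of the four response decisions and a proposed mitigation is rejected if its residual score is still above tolerance. The five-point rating words, the colour thresholds, the tolerance of 8, and the sample register are all assumptions made for the illustration; substitute the terminology and thresholds your organization defined in the "get organized" step.

```python
from dataclasses import dataclass, replace

# Five-point qualitative scales. The words and the 5x5 layout are assumptions for
# this example; the "get organized" step is where an NFP fixes its own terminology.
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RESPONSES = {"avoid", "transfer", "mitigate", "accept"}   # the four ways to address a risk


@dataclass(frozen=True)
class Risk:
    name: str
    category: str
    probability: str    # key of PROBABILITY
    impact: str         # key of IMPACT
    response: str = ""  # one of RESPONSES once decided, empty until then

    def __post_init__(self):
        if self.probability not in PROBABILITY or self.impact not in IMPACT:
            raise ValueError(f"unknown rating on {self.name!r}")
        if self.response and self.response not in RESPONSES:
            raise ValueError(f"response must be one of {sorted(RESPONSES)}, got {self.response!r}")


def score(risk: Risk) -> int:
    """Probability x impact, 1..25."""
    return PROBABILITY[risk.probability] * IMPACT[risk.impact]


def tier(risk: Risk) -> str:
    """Heat-map colour; the thresholds are an assumption, align them with your tolerance."""
    s = score(risk)
    return "red" if s >= 15 else "amber" if s >= 8 else "green"


def prioritize(risks):
    """Highest score first; ties broken by name so the order is stable and reviewable."""
    return sorted(risks, key=lambda r: (-score(r), r.name))


def above_tolerance(risks, tolerance: int):
    """Names of risks that exceed tolerance and still lack a response decision, in priority order."""
    return [r.name for r in prioritize(risks) if score(r) > tolerance and not r.response]


def mitigate(risk: Risk, probability: str, impact: str, tolerance: int) -> Risk:
    """Record a mitigation, refusing one whose residual score is still above tolerance."""
    residual = replace(risk, probability=probability, impact=impact, response="mitigate")
    if score(residual) > tolerance:
        raise ValueError(f"residual score {score(residual)} for {risk.name!r} exceeds tolerance {tolerance}")
    return residual


def heat_map(risks):
    """Map each (probability, impact) cell to the names of the risks sitting in it."""
    cells = {}
    for r in risks:
        cells.setdefault((PROBABILITY[r.probability], IMPACT[r.impact]), []).append(r.name)
    return cells


def render_heat_map(risks) -> str:
    """Text 5x5 grid: impact down the side (severe at top), probability across, counts in cells."""
    cells = heat_map(risks)
    lines = ["impact\\prob " + " ".join(f"{p:>2}" for p in range(1, 6))]
    for i in range(5, 0, -1):
        row = " ".join(f"{len(cells.get((p, i), [])):>2}" for p in range(1, 6))
        lines.append(f"{i:>11} {row}")
    return "\n".join(lines)


# Constructed sample register for the illustration (not real data).
SAMPLE_REGISTER = [
    Risk("Grant reporting deadline missed", "compliance", "possible", "major"),
    Risk("Donor data exposed on personal device", "technology", "likely", "severe"),
    Risk("Key staff departure", "human resources", "likely", "moderate"),
    Risk("Office lease renewal", "operational", "unlikely", "minor", "accept"),
    Risk("Volunteer injury at event", "operational", "possible", "moderate", "transfer"),
]
TOLERANCE = 8  # assumption: any score above 8 needs a documented response

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{score(r):>2} {tier(r):<5} {r.category:<15} {r.name} [{r.response or 'undecided'}]")
    print("needs a decision:", above_tolerance(SAMPLE_REGISTER, TOLERANCE))
    print(render_heat_map(SAMPLE_REGISTER))
```

The point of `above_tolerance` and the residual check in `mitigate` is that the register itself enforces the discipline the text asks for: a risk above tolerance cannot sit undecided, and "mitigate" is only accepted when the reduced probability and impact actually bring the risk within the tolerance the organization set.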

Create a framework that works for your NFP

It is important to note there is no one right way to implement an enterprise risk management plan. The key is to create a framework that works best for your NFP, review and update the plan at least every three years, and integrate risk management into operational decision-making.

Once the NFP’s risk management plan is in place, explore technology to support it. There are numerous risk management software programs available that focus on legal, operational, and reputational risks. These are typically best suited for larger organizations and can meet specific functionality, user volume, and deployment needs.

The risk management plan can seem overwhelming, so it is important to break it down into manageable pieces with a realistic timeline. Remember, “what gets measured, gets done,” so incorporate this project in organizational and individual goals. Create a communication cadence to staff, management, and the board to allow progress to be monitored. Accept that all risks cannot be eliminated and not all are predictable (for example, a worldwide pandemic) – in fact, taking on some intentional risk can be a good thing.
