Risk Management

Risk comes in many forms — from a slippery sidewalk to a lack of internal controls — and its effects can be potentially devastating to an organization. However, risk can also create unanticipated opportunities.

Viewing, analyzing, and managing risk from all angles places the nonprofit in a strategic position. It allows the organization to quickly cope with a crisis or to seize an unforeseen potential while continuing to safely fulfill its mission without interruption.

Getting started

Managing risk begins with determining who will coordinate the effort. Naturally, the board has to be the instigator. The board must be sensitive to the existence of risk, set the tone for dealing with it, and demand that proper processes and tools are in place to keep the organization safe and ready to act when a situation demands it. A risk management task force may include board members, staff, outside experts, legal counsel — anyone who is able to help design, implement, and monitor the process.

Protecting your organization

The essence of risk management is to protect the organization — keep it safe and efficiently operating while guarding its reputation. The Nonprofit Risk Management Center uses three basic questions to help with this task:

  • What can go wrong?
  • What will we do to prevent the harm from occurring and what will we do in the aftermath of an occurrence?
  • If something happens, how will we pay for it?

Seizing opportunities

Protection is only one part of strategic risk management. It is reactive in nature. In fact, an organization can actually benefit from accepting the full potential of risk. The organization can propel itself forward while taking a risk, allowing it to take advantage of seemingly precarious or uncertain situations. Planning ahead — being ready to act under different circumstances — develops a proactive framework. It protects the organization from losses due to pressured business decisions and positions it to grasp opportunities when they knock on the door.

Risk management process

Managing risk is a structured process. The following steps keep the organization focused and determined to choose the best options at each phase.

  1. Acknowledge and identify risk.

Analyze and thoroughly audit all of your activities. Examine prior claims to map out potential weak spots in the organization. Consider unexpected events that would require a quick response.

  1. Evaluate and prioritize risk.

Create criteria to help determine which risks your organization should address. One method is to prioritize risks by determining their likelihood, their frequency, their financial impact, and, in some cases, the public’s reaction to adverse effects.

  1. Select and implement the appropriate risk management techniques.

Once risks have been identified and prioritized, decide the best approach to deal with them. Here are common approaches and examples.

    • Avoidance eliminates the source of risk — replacing a damaged hand railing or refusing a questionable real estate gift.
    • Modification adjusts a risk to lessen its impact or to make it acceptable — installing a high-tech security system in a food bank or carefully checking the background of volunteers.
    • Retention leaves a risk as is and accepts the consequences — keeping the pony rides at the annual festival or choosing a high deductible for auto insurance.
    • Sharing or transferring finds another party to assume part or all of the risk — purchasing general property insurance to cover on-site accidents or forming a supporting organization to house liability-sensitive activities.
    • Planning prepares and guides the board and managers to make smart, less risky decisions.
    • Scenario planning outlines multiple options when a decision needs to be made on a short notice.

Monitor and update your strategy as needed.

Keep abreast of any changes in the organization or external environment that may affect or require updates to the risk management approach. Your strategic plan is the overall guide here. Continuous monitoring assesses the relevance and timeliness of all the details included in a solid risk management plan: contracts, insurance policies, renewal dates, and claims-reporting procedures. It ensures that chosen strategies stay valid and that the individuals responsible for carrying out the details remain accountable.


201 Resource | Last updated: June 8, 2016

Resource: Financial Responsibilities of Nonprofit Boards