Risk Management

Risk comes in many forms — and its effects can be potentially devastating to an organization. However, risk can also create unanticipated opportunities.

Viewing, analyzing, and managing risk from all angles places the nonprofit in a strategic position. It allows the organization to quickly cope with a crisis or to seize an unforeseen potential while continuing to safely fulfill its mission without interruption.

Getting Started with Risk Management

Managing risk begins with determining who will coordinate the effort. The board and chief executive are often the instigators. Both must be sensitive to the existence of risk, set the tone for dealing with it, and ensure that proper processes and tools are in place to keep the organization safe and ready to act when a situation demands it. A risk management task force may include board members, staff, outside experts, legal counsel — anyone who is able to help design, implement, and monitor the process.

Protecting Your Organization

The essence of risk management is to protect the organization — keep it safe and efficiently operating while guarding its reputation. The Nonprofit Risk Management Center uses three basic questions to help with this task:

  • What can go wrong?
  • What will we do to prevent the harm from occurring and what will we do in the aftermath of an occurrence?
  • If something happens, how will we pay for it?

Seizing Opportunities

Protection is only one part of strategic risk management. It is reactive in nature. In fact, an organization can actually benefit from considering the full potential of risk. The organization can propel itself forward while taking a risk, allowing it to take advantage of seemingly precarious or uncertain situations. Planning ahead — being ready to act under different circumstances — develops a proactive framework. It protects the organization from losses due to pressured business decisions and positions it to grasp opportunities.

Risk Management Process

Risk management is a structured process. The following steps keep the organization focused and determined to choose the best options at each phase.

  1. Acknowledge and identify risk.

Analyze and thoroughly audit all of your activities. Examine prior claims to map out potential weak spots in the organization. Consider unexpected events that would require a quick response.

  1. Evaluate and prioritize risk.

Create criteria to help determine which risks your organization should address. One method is to prioritize risks by determining their likelihood, frequency, financial impact, and the public’s expected reaction.

  1. Select and implement the appropriate risk management techniques.

Once risks have been identified and prioritized, decide the best approach to deal with them. Here are common approaches and examples.

    • Avoid the source of risk replacing a damaged hand railing or refusing a questionable real estate gift.
    • Modify a risk to lessen its impact or to make it acceptable installing a high-tech security system in a food bank or carefully checking the background of staff and volunteers, as appropriate.
    • Retain risk as is and accept the consequences — keeping the pony rides at the annual festival or choosing a high deductible for auto insurance.
    • Share or transfer risk to another party to assume part or all of the risk — purchasing general property insurance to cover on-site accidents or forming a supporting organization to house liability-sensitive activities.
    • Plan — prepares and guides the board and managers to make smart, less risky decisions.
    • Scenario planning — outlines multiple options when a decision needs to be made on a short notice.

Monitor and update your risk management strategy as needed.

Keep abreast of any organizational or external environment changes that may affect or require updates to the risk management approach. The risk management consideration should be aligned with the organization’s strategic plan. Continuous monitoring assesses the relevance and timeliness of all the details included in risk management: contracts, insurance policies, renewal dates, and claims-reporting procedures. It ensures that selected strategies stay valid and that the individuals responsible for carrying out the details remain accountable.

Your strategy should also allow your organizations to take advantage of opportunities. Risks must be weighed but they don’t all need to be avoided.

Many organizations create a crisis management and communication plan, including a policy on who speaks for the organization, to complement their risk management.


201 Resource | Last updated: February 13, 2024

Resource: Financial Responsibilities of Nonprofit Boards; The Garden of Risk Oversight: Positioning the Board to Cultivate Strategic Risk-Taking; Nonprofit Risk Management Center  The Future is Now: Preparing for the Unknown Crisis

Disclaimer: Information on this website is provided for educational and informational purposes only and is neither intended to be nor should be construed as legal, accounting, tax, investment, or financial advice. Please consult a professional (attorney, accountant, tax advisor) for the latest and most accurate information. BoardSource makes no representations or warranties as to the accuracy or timeliness of the information contained herein.