Enterprise Risk Management Built for Nonprofits

Nonprofit leaders might assume that enterprise risk management (ERM) is something only large, complex organizations need (or can afford). But the truth is, organizations of all sizes can benefit from an ERM framework — and it doesn't have to be complicated or resource-intensive. Whether your organization has a handful of staff or multiple departments, ERM can help you focus your limited time and resources on what matters most.

What ERM Really Is

At its core, ERM is simply a structured way to better understand and mitigate whichever risks pose the greatest threat to your mission. ERM isn't about eliminating all risk. When serving communities, launching programs and pursuing growth, some risk is unavoidable. Instead, an ERM program provides a portfolio view of risk, helping leadership compare risks across the organization and decide which ones deserve the most attention.

For example, your organization may be willing to accept some programmatic or reputational risk to advance its mission, but far less willing to tolerate financial, compliance or governance risk. ERM helps make those preferences explicit, so decisions are consistent and intentional.

ERM is also scalable. A small nonprofit doesn't need sophisticated software or a dedicated risk department. What it needs is a shared understanding of risks and a repeatable process for addressing them.

The Basic Components

Experienced financial advisors and risk-management consultants can help you set up an ERM program. Generally, you'll want to start by establishing a risk management governance structure with assigned roles and responsibilities. Your nonprofit's executives and board should define your organization's risk tolerance and make clear its commitment to the program.

Next, your organization should assemble a cross-departmental committee to develop the program. If you don't have distinct departments, ensure that a diverse range of work experience and responsibilities is represented in the committee you form. Once assembled, your committee should take four basic steps to build your ERM framework:

1. Identify risks. Risk identification works best when it's collaborative. Conduct surveys and interviews with board members, leadership, staff and even clients to gather broad input and surface risks that might otherwise go overlooked.

Start by asking a simple question: What could prevent us from achieving our mission? Be as comprehensive as possible and consider risks from every angle, including financial management, regulatory requirements, leadership transitions, data security, program outcomes, stakeholder trust, public reputation and beyond.

2. Categorize risks. Group all the risks you've identified into categories. This helps create organization-wide clarity and avoids treating every issue as a standalone problem. Categorization also helps leadership see patterns. For example, it can show whether multiple risks stem from the same root cause, such as limited staffing or outdated systems.

3. Prioritize risks. Not all risks deserve equal attention. Prioritization is where ERM delivers the most value for smaller organizations with limited capacity. Each risk should be evaluated based on both likelihood (how probable it is) and impact (how damaging it would be if it occurred). The goal is to focus on the risks most likely to disrupt your mission, financial stability or public trust.

4. Mitigate risks. Identifying, categorizing and prioritizing risks will be of little benefit if you don't devise a plan to mitigate them appropriately. For each key risk, leadership should determine whether to:

Mitigation doesn't have to incorporate complex controls. In many nonprofits, effective mitigation can be as simple as having clearer roles and responsibilities, stronger oversight, better documentation or improved communication.

An Ongoing Process

Developing an ERM framework isn't a one-time exercise. As your nonprofit evolves, so do its risks. Continually monitoring key risks, evaluating performance indicators and making appropriate adjustments helps ensure your organization's risk tolerance remains aligned with its goals and objectives. With a practical framework and shared commitment, even small organizations can design, implement and monitor an effective ERM program. Contact us for help tailoring an ERM approach that fits your organization's size and complexity.
