Enterprise risk management helps nonprofits contain threats

Like their for-profit counterparts, nonprofits face an ever-expanding range of risks. The numerous, sometimes overlapping, types of risk demand a holistic approach. Enter enterprise risk management (ERM). Even organizations with limited resources can — and should — use an ERM process to combat the risks that come with operating in the 21st century.

What is ERM exactly?

ERM is a comprehensive approach to risk that considers the organization’s entire portfolio of risks. Rather than attacking every risk equally, ERM compares risks and strategically deploys resources against them. It considers both the organization’s strategic objectives and its “risk tolerance” or willingness to accept uncertain outcomes.

Risks, after all, have different types of potential impact — and you might have different tolerances for different kinds of threats. For example, you might be mildly cautious about reputational risks and very averse to financial risks, as they might affect services and the achievement of your mission and goals. With ERM, you can contain those risks with the greatest potential impact and respond nimbly to others.

How can you use it effectively?

Launching an ERM strategy can seem quite daunting, but breaking it down into a four-step process can help:

  1. Establish a risk management governance structure. A formal ERM program requires a formal structure, with assigned roles and responsibilities. While ERM encompasses the entire organization, it should start at the top. Leadership should define your organization’s risk tolerance and make clear its commitment to the program.

    Designating a cross-departmental committee responsible for developing the program is critical. Different departments may have different perspectives on the importance of certain risks. For instance, someone from Finance might think inaccurate reporting of program information is inconsequential because it’s unlikely to affect revenues or expenses. Your communications or public relations department could have a different perspective.

  2. Conduct a risk assessment. The committee’s first task is to identify all of your organization’s risks. It shouldn’t rely on its own knowledge, though — interviews of management and surveys of lower-level staff can prove invaluable. You also might solicit input from the population you serve.

    One of the most crucial aspects of ERM is then ranking risks based on your organization’s risk tolerance and the potential impact of each risk. Which are most likely to occur and which will cause the most harm? For a nonprofit, this usually comes down to the question, “Which risks are most likely to affect our ability to accomplish our mission?”

  3. Create and implement a risk management plan. Once risks are identified and prioritized, the committee should devise a plan to mitigate them appropriately. For each risk, it must determine whether to accept, reduce or avoid it. And it should implement controls, processes and procedures accordingly.

    The committee is then charged with rolling out the plan. This should include communicating it throughout the organization.

  4. Review and revise. ERM is an ongoing process, with continual monitoring of key risks and key performance indicators to ensure appropriate adjustments. Updating your initial risk assessment to reflect organizational changes (for example, new staff or services), as well as changes in the legal and regulatory environment, is critical.

You can’t afford not to

The risk universe facing nonprofits calls for you to proactively manage threats to your organization and apply resources wisely. ERM provides the tools to do just that.