Getting Started with Risk Management for Small Nonprofits
Graham Seel
Bringing all I've learned in a career focused on banking and technology into the non-profit world, hoping by God's grace to see growth in justice, equity, love and peace throughout the world.
Are you on the board or leadership of a small (<$1 million) nonprofit? Then this article is for you.
When did you, both individually and as a board and staff, last review your organization's Risk Management Plan? Do you have one? How are you making decisions about appropriate controls and insurance coverage? How do you assess new programs from a risk perspective?
For board members especially, you are legally and ethically responsible for managing the risks attached to your people, assets, and activities. Without a Risk Management plan, you can't fulfill this responsibility.
The reality for most small nonprofits is that they (we) don't have the staff time, money, or knowledge necessary to do formal risk management. How can we prioritize it when we barely have enough time and money to carry out our mission through programs; market our brand (another area in which we tend to be weak); raise funds from foundations, government agencies, and individuals; and manage the basic administration of the organization?
I recommend starting with a great Stanford Social Innovation Review (SSIR) article: "Call for Nonprofit Risk Management." I would suggest that your ED and Board President get together over a coffee to discuss this and decide whether risk management is a priority for your organization (it is!)
Next, the board and senior staff would likely benefit from a primer on risk management for nonprofits. It should cover a definition of risk, areas of a nonprofit that carry risk, and options for dealing with risk (avoidance, mitigation, remediation, transfer (insurance), or acceptance). It should also introduce the creation and maintenance of a risk management program. A simple example that covers most of this is "A Primer on Risk Management" from the NC Center for Nonprofits.
Now, identify a staff member and a board member as the lead partnership for creating a risk management plan. If they have risk management, finance, or insurance experience, it would help. But anyone can learn this. After all, we manage risk all the time, albeit somewhat haphazardly. For more general guidance, they can join and use the resources of the Nonprofit Risk Management Center.
Here are some basic steps for getting started with more formalized risk management:
1.?????? Risk Inventory. Begin with current strategic and operational plans and mission and value statements. From these materials, assess where the organization currently stands. Identify and document potential threats and opportunities across all programs and operations.
2.?????? Risk Register. Working with appropriate staff and board members, rank identified risks and gather them in a "risk register." This document should detail who is responsible for managing each risk, the actions taken, and when the organization should review these risks. Make the risk register a standard item on meeting agendas to maintain focus on high-priority issues.
领英推荐
3.?????? Risk Management Cycle. After identifying and prioritizing risks, proactively respond to them – just knowing about a risk is not the same as managing it.
a.?????? Decide what approach to take: if you're not comfortable simply accepting the risk, can you take action to eliminate or reduce the likelihood of occurrence or the impact if it does happen? Can you take out insurance?
b.?????? Assign a risk owner: this could be a staff member, board member, or committee.
c.?????? Track progress on the risk register: record owner, planned actions, due dates, and outcomes. At least the higher priority risks should be reported and, if necessary, discussed at full board meetings.
d.?????? Create policies and procedures: implement the proposed actions and formalize them in your daily operations.
4.?????? Funder Support. Encourage funders to support the nonprofit's capacity for risk management through access to professional development, technical assistance, and coaching. Many funders recognize the importance of risk management in ensuring nonprofit sustainability and are increasingly supportive of efforts in this area.
5.?????? Increase Sophistication Incrementally. Once basic risk management tools are in place, consider ways to enhance their effectiveness. This might include developing staff positions dedicated to risk management, improving data-gathering processes, and refining risk assessment methods to better predict different scenarios' financial impacts.
At its most sophisticated, risk management requires professional expertise, dedicated staff resources, and substantial staff and board time. But you can start (relatively) small and then grow over time. If you have access to (and budget for) nonprofit consultants, ensure they have deep experience implementing risk management programs at small and medium nonprofits. They should have a good balance of rigor and pragmatism, be able to train staff and board members, and be able quickly to propose a framework for your nonprofit quickly.
It's time for all nonprofit organizations to address the high risks inherent in not managing risk effectively. Good luck … oh, ok, let's trust less to luck and more to planning!
Chief Executive Officer at GERAR INITIATIVE. M.Sc (Mketing), B.Sc(Bus Adm),Dip (Ins),MCIB, HCIB CEMF,CMIEC,CIPM,FCILR,
7 个月This is highly educative. The challenge most times I think is that the bigger picture of their measuring performance against st goal is not a hard core unlike profit oriented organization. If performance measurement is critically done then the importance and need to have a robust risk management model and practice from the top management to the lowest cadre of staff will be given the priority it deserves.Having an appropriate risk management model and policy in any organization is the determinant of its success or failure comparing with its goal. Ultimately this determines the survival of the organization. This article is so enriching.