Create A Risk Management Function That’s Built To Last

By Melanie Lockwood Herman and Eric Henkel

Many nonprofit organizations have made it a priority to integrate risk-aware thinking and decision-making into day-to-day operations and strategic planning. Plenty of organizations demonstrate expertise in managing risks related to programs, facilities, and clientele. But nonprofits’ ever-changing risk landscape invites a broader and deeper approach to risk management.

How is the risk landscape changing? A State of Risk Oversight report from the Enterprise Risk Management Initiative at NC State found that nearly 60% of respondents said the “volume and complexity of risks have increased ‘mostly’ or ‘extensively’ in the last five years.” This increase helps drive leadership teams to strengthen or formalize risk practice. It’s easy to want to evolve risk management, harder to do it. Many leaders ask NRMC team members what they “should” do to strengthen risk management. We often turn the question back to them: What might make sense for your nonprofit, at this point in its history?

Many clients share a desire to evolve risk management to make the discipline “baked-in,” rather than “bolted-on.” Few leaders of ambitious nonprofit organizations have extra dollars or people to support and fully staff a new risk management function.

So how does an organization develop or evolve its risk management capabilities? Unfortunately, no simple step-by-step linear process fits every organization. It may be useful to think of structure design like juggling many objects of different sizes, types and weights. We offer guiding questions and principles to consider in creating a ‘one-size-fits-one’ risk management function and corresponding capabilities for your nonprofit.

Function with a Purpose

Before getting carried away with drafting new risk policies, canceling too-risky activities, or adding risk responsibilities to existing job descriptions, ponder the purpose of your more intentional focus on risk management.

  • Consider the Catalyst – Are there external or internal catalysts for the effort? Common external catalysts include costly claims and lawsuits, fear of a breach of privacy event, changing requirements of accrediting agencies, or regulatory changes. Familiar internal catalysts include a board member’s experience with risk management in another organization, recognition that the nonprofit lacks the nimbleness necessary to seize opportunities, or recognition of ineffective safety protocols after an accident, incident or near-miss. Fully assessing the catalyst(s) will position you to develop risk management capabilities that achieve your desired outcomes.
  • Evaluate the Skills Gap – What new skills or capabilities will you need to anticipate risk events, develop contingency plans, and encourage risk-aware thinking across the organization? In which areas does your nonprofit deserve high marks—risk assessment, accident investigation, or inclusive problem-solving? How will new skills be shared and leveraged across the organization—perhaps in improved teamwork, transparent information sharing, and more efficient decision-making? Is your organization capable and confident or ill-prepared to handle unexpected outcomes and events? Some leadership teams resolve to strengthen risk management capabilities to better anticipate events and actions that could take the organization off course. Others strive to build resilience across the organization, helping fortify programs, staffing, fundraising, operations and even strategy setting against the inevitable bumps in the road and surprises.
  • Connect Risk to Mission – Understanding the catalysts for improved risk management and the strengths and skill deficits are key to framing your efforts with a purpose. But whatever you discover in those areas, don’t forget to connect what you’re trying to do in risk management to the mission of your nonprofit. For example, “By reducing the number of accidents our volunteers suffer, we can increase the breadth and volume of support we provide to our clients,” versus “We need to reduce accidents to keep our insurers happy.”

Measure by Measure

Although you mustn’t lose sight of your purpose as you build your risk management capabilities, you also need to conceptualize an end point and interim milestones. Ask: how will we know we have made progress, or achieved goals for the function? What does success look like?

Another important consideration is scope. In some cases, formalized risk management means addressing a wider, more comprehensive range of operational risks. In other cases, evolving risk management might focus on improving the analysis of incidents, accidents and near-misses through disciplines such as root cause analysis.

Yet another important aspect of scope is timing. Is your goal to start slowly and ramp up? Kick off the project with a big bang? Experiment with ways to source risk information, or conduct a comprehensive survey seeking input from many stakeholders?

When considering these elements of your evolving risk function, anticipate the varied reactions internal stakeholders might have to the proposed scope, timing and milestones. For a risk function to remain effective and sustainable, those directly involved must buy into it and carry it forward, and those indirectly involved or outside the risk function must respect it. Always design a risk function with the needs and desires of your team members in mind; ask your board, staff and volunteers questions to ensure you understand the scope and timeframe they are comfortable with.

Small Team or Cast of Thousands?

When pondering who should be involved in risk management in a nonprofit, the obvious, but not pragmatic, answer to this question is ‘everyone.’ Analyzing the changing risk landscape and developing seamless contingency plans may be easier with a core group, versus a cast of dozens, hundreds or thousands. But ultimately, the commitment to safety and risk-aware decision making requires the participation of staff at all levels of the organization. Staff who feel they don’t have to notice, report or act on hazards are a costly claim or lawsuit in the making.

Consider the possible participation and vital roles of the following groups as you ponder how to strengthen risk management:

  • Executives – Many experienced risk professionals note that buy-in from the executive team is an important first step in fortifying risk management capabilities. Even if executives assure you they buy into the risk effort, staff members need to see this commitment through the actions and participation of the executive team—not simply through words, which can seem like empty support.
  • Front-line staff – An important consideration in sourcing risk information and implementing new risk strategies is engaging the perspective and support of front-line staff. The view of a risk landscape from the C-Suite is likely to differ from the view at your mission’s sea level. Front-line staff experience your clientele and programs in real-time, and they also feel the burden and weight of complex policies, including those that may conflict with their own or the nonprofit’s professed values. Similarly, front-line staff members witness the effects of organizational risks on the stakeholders you serve. Woods Bowman, professor emeritus of public service management at DePaul University in Chicago, Illinois, said that “…the risks of a nonprofit are borne by the people it serves (its clients), who have neither a voice in selecting the organization’s leadership nor ability to manage the risks” (Finance Fundamentals for Nonprofits: Building Capacity and Sustainability). Front-line staff are positioned to sense and understand the effects of risk on your stakeholders because they interact with those clients every day.
  • Middle managers – Remember the ‘middle’ part of your organizational chart when it comes to risk function design and risk strategy implementation. Supervisors of front-line staff will likely hear and see risk differently from others in the nonprofit. Staff in the middle of the organization can share and reinforce messages about the “why,” “how” and “what” of your risk management function. This group can help mediate or clarify interactions between front-line staff and executives whose perspectives might be so polar that risk communication is stifled or stagnant.
  • Governing teams – As described in the article “The Garden of Risk Oversight,” the board of a nonprofit has an important role to play in risk oversight. Parallel to its responsibility for fiscal oversight, risk oversight helps the board ensure it considers upside and downside risks in the board’s decisions about the nonprofit’s mission, future direction, structure, and key objectives.
  • External advisors – Many nonprofit missions benefit from independent advice provided by paid or pro bono advisors. These advisors, from insurance professionals to legal or finance/investment experts, often want to weigh in on the risks facing the nonprofit, and the effectiveness of existing risk management strategies.

(Note: NRMC’s web app, My Risk Assessment, makes it easy to source risk information from a large team of internal stakeholders.)

Clarify Roles

The willing participation of internal and external stakeholders is a ‘win’ for a team trying to fortify the risk management function in a nonprofit. Clarify roles and set expectations early on. For example, before soliciting input from an advisor or stakeholder group, consider how you will weigh that input in making decisions. Is the group providing input empowered to make changes and implement specific actions? Or is the group advisory, providing information and advice to someone else who will make decisions? Knowing the answers to these questions at the start will draw people in and reduce push-back and cynicism.

No matter who you involve in risk management at your organization, remember any individual can serve your mission as a Risk Champion—an individual who supports and progresses effective risk management practices to safeguard and advance your mission. Clients often ask the NRMC team if nonprofit organizations need a dedicated Risk Manager or Chief Risk Officer to wear the risk leadership hat. Though a dedicated, full-time risk professional is certainly an asset, that may be impractical and out of reach for some nonprofit teams. Still, Risk Champions can be empowered anywhere in your organization. Clarifying Risk Champion roles is critical for an effective risk function. Determine which risk leaders will oversee and make decisions about risk management initiatives, and which risk leaders will source and analyze information about risks that arise across the organization, or serve as liaisons to departments or peer groups that want risk education or risk management assistance.

No two risk functions look exactly the same. The NRMC team recently had the honor to work with nonprofit teams who developed the structures below to assign risk management accountability to various staff members throughout their organizations. Consider these distinct models and poll your team to learn what model could be suitable and sustainable at your organization.


Strengthening, expanding or formalizing risk management may seem like a daunting task. Nonprofits are structured in very different ways and provide many different types of services. Here is a suggested linear process to make design and implementation more manageable—this process can guide you to create a completely customized risk function.

  • Assess where your organization is now – When people think about expanding risk management to touch all functions and activities in an organization, they often believe the effort is starting from scratch. In reality, every nonprofit—from a start-up to a century-old agency—has risk management. Many examples of practical risk management are confined, however, to specific business units or silos. The risk of asking prohibited questions during the hiring process may be managed by using an interview script and training interviewers. The risk of financial fraud may be managed through a system of internal controls and segregating financial duties among multiple personnel. The risk of chaotic transitions may be managed through cross-training and the use of ‘desk manuals’ explaining key tasks. Acknowledging the existence of helpful and wise risk management strengths will help everyone see that your nonprofit is working to evolve risk management, rather than begin anew. Doing so can help boost morale and support for a process that often feels imposing and overwhelming at the start.
  • Expand your knowledge base – Take the opportunity to learn more about risk management and gauge the maturity of your efforts. Read past editions of Risk Management Essentials and the Risk eNews for inspiration on simple steps to take your risk management program from “here” to “there.” Resolve to customize what you discover to best suit your mission, culture and structure.
  • Look for opportunities to gain momentum quickly – Once you have identified and acknowledged existing efforts, connect those efforts across the organization. These connections will highlight that risk management is not just a series of individual efforts in operational silos, but a combined effort that encompasses the interactions of risks across the organization. This horizontal integration of risk management will need to be accompanied by vertical integration as well. Internal stakeholders need to see that their efforts at various levels of the organization are visible and recognized by individuals at other levels. However, this involvement at all levels needs to happen without over-involvement in any one level. It would be easy for the board to start focusing on operational-level efforts when the main priority for the board should be strategic-level concerns. Finding the appropriate level of engagement at each level early on will help maintain momentum as the integration of risk management efforts occurs.
  • Make the mission connection – Strive to align your risk management efforts with the values of the nonprofit to bring and keep people on board. When risk management’s tone is focused on compliance, penalties and punishment, few stakeholders will join the bandwagon to strengthen the function. When the function is viewed as key to mission success, team members will embrace the opportunity to contribute.

As the risk management function design process continues, revisit the issues of purpose and outcome to ensure progress is being made in the right direction at the appropriate pace.

What comes next?

Considering all these things at the outset of the risk management function design process will go a long way towards creating a sustainable effort to integrate risk management in your organization. Ultimately, designing and implementing your risk management function can’t happen in isolation. A connection to overall strategy, inclusion of and support from a wide variety of stakeholders, and integration into operational efforts will bring the greatest success and return on organizational investment.

Melanie Herman is Executive Director and Eric Henkel is a former Project Manager at the Nonprofit Risk Management Center. Melanie welcomes your questions about risk capabilities and risk function design at or 703.777.3504.