The Garden of Risk Oversight: Positioning the Board to Cultivate Strategic Risk-Taking

By Melanie Lockwood Herman

When considering the myriad risks facing a nonprofit organization, one could identify many risks that should be safeguarded against, mitigated, or prevented if possible. Strategic risks are another animal altogether, or more appropriately, a garden of risks that—if properly tended to—will grow to fruition and advance the nonprofit’s mission and vision. Strategic risks are risks worth taking because they have the potential to offer a nonprofit team a significant return.

Who better to scope out and sketch strategy than a nonprofit’s board of directors—the mission stewards who possess a broad and top-down perspective of the organization? Board members shouldn’t be planting seeds and pulling weeds in the mission garden; they should be anticipating garden predators, changing weather conditions, and market conditions that affect demand for the programs and impact sown by your mission. To nurture desired outcomes of strategy, boards must tend to risk oversight; if this key duty is discharged, boards have the power to cultivate informed strategic risk-taking that will help a nonprofit’s mission flourish.

 Nonprofit boards are increasingly keen to talk about the possibility of risk threatening—or bolstering—a charitable mission. At NRMC we are witnessing the evolution of board interest in the world of risk in breadth and depth. With respect to the breadth of risks a nonprofit faces, boards are stepping up to ask questions about strategic and enterprise-level risks—topics that extend far beyond the familiar garden walls of operational or preventable risks. On the subject of depth, a growing number of boards are requesting—if not insisting—that management teams engage with the board to understand their organization’s risk landscape and also provide periodic assurance that risks in the purview of staff have been assessed and addressed.

Garden variety risks facing nonprofits include accidents involving agency vehicles and drivers, injuries suffered by participants and volunteers, and employee theft. But truly forward-focused boards now understand that strategic risks pose the greatest threats and opportunities to their missions they support. Boardroom conversations about risks are less about the costs of safety measures, and more about the costs and rewards of making—or not making—bold moves.

What is Risk Oversight?

Risk oversight refers to the responsibility for overseeing an organization’s approach to identifying and responding to critical risks, against a backdrop of ever-present uncertainty. While ‘management’ refers to the process of controlling things, processes or people, ‘oversight’ is a better fit for an evolved, governing board committed to keeping its ‘nose in’ and ‘fingers out.’

Risk oversight activities by the board may include:

  • Considering the organization’s appetite for risk taking in various areas, from expanding the geographic reach of the nonprofit’s services, to reducing reliance on a single funding stream
  • Reflecting on the assumptions that inspire the key objectives of the nonprofit
  • Contributing to a shared understanding of the nonprofit’s risk landscape—aspects of the external environment that could cause a key strategy to fail or exceed expectations
  • Anticipating, vetting, and leveraging opportunities—or turning strategic challenges and even strategic blunders into opportunities

Boards are mission custodians who must be outwardly—as well as inwardly—focused. As an outwardly focused stakeholder group, a nonprofit board is in an ideal position to see and report back on a changing risk landscape that may be obscured to internally focused staff. As an inwardly facing stakeholder group, Boards bring a deep connection to the mission of a nonprofit and a sense of responsibility for its success. This connection extends the problem-identification and problem-solving capabilities of the staff team in various ways. For example, diverse boards can offer rich strategic discourse that integrates lessons learned across many industries, which staff members may not be privy to during their day-to-day work.

The board’s participation in the discussion of strategic risks is especially important given the tendency of managers to hesitate before poking holes in the strategies for which they are responsible. In their thoughtful article, “Managing Risks: A New Framework” featured in the Harvard Business Review, Robert Kaplan and Anette Mikes explain that “Managers may find it antithetical to their culture to champion processes that identify the risks to the strategies they helped to formulate.”

Boards that embrace their risk oversight responsibilities demonstrate the courage to reveal and discuss difficult challenges, and the resolve to consider multiple strategies—and even poke holes in existing strategies—in order to address issues that potentially threaten or bolster the nonprofit’s mission.

Risk Oversight in Action

Once the board accepts and embraces its responsibility for risk oversight, how do you turn the commitment into action? What information is needed? What steps must be taken to help board members perform their duties and perform risk oversight responsibilities with skill and confidence? What support will guide the board into the less familiar territory of strategic risks?

Some nonprofit boards naively believe that receipt of an annual report or brief presentation describing the status of various insurance coverages is risk oversight. Although a component of oversight is receipt and review of information attesting that certain processes are in place, developing effective risk oversight capabilities at a nonprofit requires far more. At NRMC, we believe that boards effectively meet their responsibility for risk oversight by ruminating about a range of issues related to risk-taking and risk management in the organization.

Cultivate risk oversight at your nonprofit by identifying where the board should focus its risk attention span. Some of our favorite themes and questions for the board include 1. risk-taking, 2. risk culture and responsibilities, 3. risk breadth and depth, and 4. risk landscape.

  1. Risk-Taking
  • What is our risk appetite? Do recent decisions suggest that we are honoring that risk appetite? In what ways have we dishonored our risk appetite by being too tentative, or by acting without first completing the due diligence warranted by the potential consequences of the decision?
  • Are we taking enough risk, and in the right areas to advance the mission and achieve the core objectives of the organization?
  • Do recent decisions reflect the commitment to balance short-term performance with long-term sustainability? Have we taken any risks recently that sacrifice one for the other?
  • In what areas will bold risks be necessary in the next 1-5 years? 5-10 years?
  • During the past 5 years, what bold risks has the board inspired? To what result?
  • Historically, what opportunities and risks—those that we took and those that we didn’t take—got us to where we are now as an organization? How can those lessons help inform our decisions about the uncertain future?
  1. Risk Culture and Responsibilities
  • Do we have a culture that acknowledges mistakes and missteps and supports time to reflect, learn and grow?
  • Are all teams willing to take ownership of risks and risk management or risk oversight initiatives? After organizational failures, do we promote thoughtful and honest reflection or do we have a culture of blame, retaliation, or concealment?
  • Do we openly and candidly discuss upside and downside risks when considering important board decisions related to organizational structure and future direction?
  • Is the board-staff relationship one of respectful interdependence, or do we sometimes engage in unproductive power struggles?
  • Is there clarity about where responsibility for risk monitoring and action lies, based on the type, complexity or source of risks? For example, the board may be responsible for managing risks related to the governance function, while staff teams bear responsibility for risk management around operational risks.
  1. Risk Breadth and Depth
  • Do discussions about risk at the board level focus on strategic risks—threats and opportunities related to our direction and key objectives?
  • What are the key assumptions in each major strategy, and what if they are wrong?
  • What are the potential risks arising from or impact by the core strategies of the organization? What factors could cause each core strategy to fail? (e.g., people, process, systems, external events)
  • What could cause major disruptions or discontinuities to how our organization exists today, such as changes in technology, business models and demographics?
  1. Risk Landscape
  • Is there a process by which the board supports risk management by sharing its unique perspectives on the changing risk landscape?
  • Does the diversity of the board ensure that we’re seeing the world around us from multiple vantage points?
  • What perspective(s) is/are missing when we discuss the impact of the world around us on the key objectives and strategies of the organization?
  • In what ways are we effective or ineffective at sensing weak signals, trends, or indicators in our landscape?
  • What significant changes in the world have caught us off guard during the past 5 years?

Finally, do we spend time thinking about the unthinkable and preparing our organization to adapt to unimaginable surprises? Take a moment to reflect on the great questions your board asks about strategic risk—and the questions your board has never asked but should.

Tend the Garden of Risk Information with Care

More than ever before, board members desire information about risks facing the organization and staff’s risk management capabilities. For a board to answer the challenging risk oversight questions listed above, the appropriate risk information must flow openly between board and staff. In a recent Enterprise Risk Management engagement for an international nonprofit, our team asked individual board members, “what information would you want to see in a periodic board report on risk?” The answers we received were as varied as the professional backgrounds and lives of members of the board! The individual board members’ risk reporting ‘wants’ included:

  • The risks that the board should be most concerned about—those that could affect the survival of the organization
  • A prioritized list of our risks
  • An assessment of our financial viability, plus an assessment of staff satisfaction
  • A quarterly report showing priority risk areas, mitigation strategies, risk owners, plus a narrative describing emerging risks
  • A one-page visual showing gaps between exposures and capabilities.
  • Risk information in several formats: gaps, perceptions, top three risks, anecdotal commentary, and immediate vs. existential risks
  • Risk buckets: internal, external, donor-related
  • Risks highlighted with corresponding mitigation strategies
  • Information about risks in three key areas: financial, legal and people risk
  • Our risk landscape over time—a risk trajectory
  • Information that will help us focus on specific risk issues or themes at each board meeting.

Satisfying the individual risk information ‘wants’ of a diverse board is a daunting, if not impossible task. Some board members prefer a filtered, short list—the weeds emerging from or just below the rich soil—while others want to see risk in every layer of soil and every corner of the garden. Ultimately, a responsive board risk report offers insights on top-of-mind risk concerns, but also inspires confidence in the day-to-day risk management work being championed by the staff. The report invites questions focused on direction and strategy, without asking board members to wield a gardening tool or get their hands too dirty. Here are a few tips for creating a memorable, action-inspiring risk report that will enable your board to fulfill its risk oversight duty:

  • Ask, don’t assume, what the board wants to see and discuss when it comes to the risks facing your organization
  • Define what risk oversight means by including a reference in your position description for the board, or in the duties and responsibilities section of a board committee charter
  • Never present data on risks without corresponding questions for board discussion (for example, “do you agree with this assessment? If not, what issues or considerations are missing?”)
  • Resist the lure of oversimplification and vow to provide appropriately rich information to the board. A bountiful garden results from careful planting and tending, as well as hospitable soil; one element without the other invites a world of weeds.
  • Remind your board members that healthy dialogue around risks might become heated at times; provide training for your board members to engage in productive discourse around risks that might evoke strong emotions across the board.

Growing a Lush Garden of Risk Oversight

Practice the following tips to empower your board members to grow a lush garden of conversation and effective decisions around strategic risks.

  • Practice Topic (Crop) Rotation Just as crop rotation improves soil quality and yield by interrupting pest life cycles, guard against subject matter burn out by rotating the risk topics put before the board. Instead of shying away from risk—due to fear that the board may dip into operational territory—invite the board to consider and discuss strategic risks.
  • Allow Risk Topics to Germinate – Germination in the garden refers to the growth of a plant after a period of dormancy. Remember to give the board time to reflect on the risk topics scheduled for discussion, by including topics and provocative discussion questions in the materials sent out in advance of a board meeting.
  • Go Organic – The term organic refers to material ‘derived from living organisms.’ Gardening without chemical or synthetic fertilizers or pesticides is often referred to as ‘organic gardening.’ To keep the board on track with any discussion about risk, choose real instead of hypothetical scenarios. Reflect on what’s already happened as well as what could or might occur in the future.
  • Xeriscape, Don’t Complicate Risk Oversight – Xeriscaping refers to the practice of creating a low maintenance landscape through the cultivation of native plants and minimal use of turf grass. One of the primary benefits of xeriscaping is that it reduces the need for water. Risk oversight functions are best sustained when they complement the structure and governance processes of the board. For example, instead of establishing a new risk management committee, consider adding risk oversight leadership responsibility to an existing committee.
  • Reap What You Sow – If your board’s risk oversight capabilities and discussions around strategic risks are not as productive as you hope, sow new seeds to inspire the discussion you want to cultivate. Similarly, when the board makes effective or ineffective strategic decisions, be sure to celebrate or reflect on those milestones as a means for enhancing the board’s risk oversight capabilities over time.

Melanie Herman is Executive Director of the Nonprofit Risk Management Center. She welcomes your questions about boards and risk oversight at or 703.777.3504.