What Is a Risk Management Plan?
During the past two years the Nonprofit Risk Management Center has been engaged in a process of defining what it means to create a risk management plan. While that exercise could have been both interesting and insightful for its own sake, our motivation was the need to create a software tool that helps nonprofit leaders create a plan (See box).
The inspiration for the project began a while back when we began receiving calls and e-mails from nonprofits of various sizes and purposes, asking: “Can you tell me how to prepare a risk management plan?” Many said, “We are required to have a plan, but the national office is unable to provide guidance.”
The answer to “what is a risk management plan” depends on who you ask and even when you ask. A professional risk manager might explain that a risk management plan is a compilation of the organization’s key risk management policies and procedures plus details on the organization’s risk financing and insurance program. A board member might reply that a risk management plan is a definitive analysis of critical risks facing an agency. A harried executive director might describe the plan as something that meets the requirements imposed by a parent organization, funding source or insurer.
What we have concluded, after two years of research and design, is that there is no single approach to creating a risk management plan for your nonprofit. Instead, an effective plan is one that expresses an organization’s commitment to managing myriad risks, and communicates the strategies in place and the agency’s plans for the future. Perhaps the best way to describe an effective plan is that it acts as both a travel diary and a roadmap — one diagraming your agency’s risk management journey and the other your plans for the future. There is no “right” or “wrong” way to approach the development of a plan.
In our journey we have learned that there are some principles that apply to the most useful, most effective plans. While not a template per se, they are universal.
Best Practices — Your Risk Management Plan
An effective risk management plan:
- reflects a wide range of views and perspectives in an organization;
- expresses the nonprofit’s belief in and support of risk management;
- states that personnel at all levels of the organization play a vital role in protecting the nonprofit’s mission, reputation and assets;
- incorporates the existing risk management policies of the organization;
- reflects the nonprofit’s goals and aspirations for its risk management efforts;
- focuses on priority risks and considers secondary risks.
How to Get Started
Every nonprofit has some risk management policies/procedures in place, yet leaders find it difficult to make time to organize these materials into a broad plan. There are two ways to begin using My Risk Management Plan:
- Gather your existing risk management policies and procedures. If you know what you have and know where each file (electronic or paper) is stored, working with the software will move along more quickly than if you have to hunt for paper or electronic information and consult other staff as you go.
- Or dive right into the software’s modules, beginning with the Introduction, and consult with colleagues or locate appropriate policies as needed to insert policies into a module. Neither way is the “right” way, it is a matter of working style. Either approach will get you to the end result.