What Is a Risk Management Plan?

During the past two years the Nonprofit Risk Management Center has been engaged in a process of defining what it means to create a risk management plan. While that exercise could have been both interesting and insightful for its own sake, our motivation was the need to create a software tool that helps nonprofit leaders create a plan (see box).

NEW! My Risk Management Plan 2.0

Check out a brand-new online program developed by the Nonprofit Risk Management Center. My Risk Management Plan Version 2.0 consolidates many of the screens in the original release. Version 2.0 has updated content and is easy to use. My Risk Management Plan walks you through the process of creating a custom risk management plan for your nonprofit. The $139 cost provides unlimited access to the software and your results. Return whenever you wish to edit entries, fill in new modules or create your own module. Call (703) 777-3504 if you have questions about the program.

The inspiration for the project began a while back when we began receiving calls and e-mails from nonprofits of various sizes and purposes, asking: “Can you tell me how to prepare a risk management plan?” Many said, “We are required to have a plan, but the national office is unable to provide guidance.”

The answer to “what is a risk management plan” depends on who you ask and even when you ask. A professional risk manager might explain that a risk management plan is a compilation of the organization’s key risk management policies and procedures plus details on the organization’s risk financing and insurance program. A board member might reply that a risk management plan is a definitive analysis of critical risks facing an agency. A harried executive director might describe the plan as something that meets the requirements imposed by a parent organization, funding source or insurer.


My Risk Management Plan is a Web-based software program that helps nonprofit leaders develop customized risk management plans for their organizations. Generous funding to support the development of this program was provided by the Public Entity Risk Institute and the St. Paul Companies, Inc. Foundation. The program was developed by the Nonprofit Risk Management Center (https://nonprofitrisk.org/).

How Does it Work?

The program walks the user through a suggested Table of Contents for a Risk Management Plan. Each section of the plan is presented as a program module. The current modules are:

  • Introduction
  • Risk Management Program
  • Governance
  • Human Resources
  • Programs and Services
  • Client Safety
  • Financial Management
  • Fundraising and Public Relations
  • Facility/Site Safety and Security
  • Technology and Information Management
  • Transportation
  • Crisis Management
  • Volunteer Management
  • Insurance Program
  • Your Custom Module

Once you select a module, you will review introductory material followed by a list of submodules. The program then asks about the existence of current policies covering the topic area. For example, under “Risk Management Program,” you will be asked whether your nonprofit has established specific risk management goals. If you answer “yes” you will have the opportunity to incorporate this existing material into your Risk Management Plan. If you answer “no” you will be able to view sample policy statements. Each section of the program affords the user an opportunity to select from sample language, draft original language or paste in existing policies or procedures.

Any time after you have completed at least one module, you can generate a draft Risk Management Plan. The program provides simple instructions for saving the draft plan on your computer hard drive or network.

Flexible. Affordable. Accessible.

My Risk Management Plan offers tremendous flexibility. You can add a custom module covering special areas of interest in your nonprofit and draft original statements of policy as you progress through the program. With a one-time cost of $139, the program is an affordable, time-saving tool for busy leaders who have struggled to organize existing risk management policies into a document that can be presented to the board of directors, funders, accrediting agencies, or national groups that are increasingly demanding the development of a plan. The software is accessible and easy to use. If you can access the Internet, you can access My Risk Management Plan and begin honing your risk management program without delay.

For information about developing a special edition of My Risk Management Plan for your national association or umbrella group, contact Melanie Herman at (777) 777-3504 or via e-mail.

What we have concluded, after two years of research and design, is that there is no single approach to creating a risk management plan for your nonprofit. Instead, an effective plan is one that expresses an organization’s commitment to managing myriad risks, and communicates the strategies in place and the agency’s plans for the future. Perhaps the best way to describe an effective plan is that it acts as both a travel diary and a roadmap — one diagraming your agency’s risk management journey and the other your plans for the future. There is no “right” or “wrong” way to approach the development of a plan.

In our journey we have learned that there are some principles that apply to the most useful, most effective plans. While not a template per se, they are universal.

Best Practices — Your Risk Management Plan

An effective risk management plan:

  • reflects a wide range of views and perspectives in an organization;
  • expresses the nonprofit’s belief in and support of risk management;
  • states that personnel at all levels of the organization play a vital role in protecting the nonprofit’s mission, reputation and assets;
  • incorporates the existing risk management policies of the organization;
  • reflects the nonprofit’s goals and aspirations for its risk management efforts;
  • focuses on priority risks and considers secondary risks.

How to Get Started

Every nonprofit has some risk management policies/procedures in place, yet leaders find it difficult to make time to organize these materials into a broad plan. There are two ways to begin using My Risk Management Plan:

  1. Gather your existing risk management policies and procedures. If you know what you have and know where each file (electronic or paper) is stored, working with the software will move along more quickly than if you have to hunt for paper or electronic information and consult other staff as you go.
  2. Or dive right into the software’s modules, beginning with the Introduction, and consult with colleagues or locate appropriate policies as needed to insert policies into a module.

Neither way is the “right” way; it is a matter of working style. Either approach will get you to the end result.