Growing Up Fast: Risk Program Maturity

By Melanie Lockwood Herman

Melanie's daughter (2 yrs) dressed up for Halloween

Every year on my daughter’s birthday, I am reminded of how quickly time passes. So many milestones in her life seem like they happened moments ago: her first Halloween-themed birthday party, the first day of kindergarten, her first dance recital, and so on. During a recent birthday chat, I refrained from the sappy reminiscence that is often met with eye-rolls and exasperation. Instead, I spoke to my daughter about my optimism for what’s next as she grows in her relationship and as a professional team member.

During the 2021 Virtual Risk Summit, it was my honor to present a session on risk management development titled “Growing Up Fast: ERM Maturity Milestones.” Strengthening or evolving risk practice in a nonprofit is a common ‘wish’ or goal expressed by our consulting clients and Affiliate Members. Few risk champions are content managing a static program that isn’t changing to keep up with the times or reflect an organization’s dynamic risk landscape.

Frequently expressed worries regarding risk program maturity include:

  • “We’re doing risk management, but not in an integrated or holistic fashion.”
  • “We talk about risk, but I’m not confident we’re talking about the right risks with the right people at the table.”
  • “Our risk program consists of dated tools (think risk registers and heat maps!) which contrast with our modern, tech-inspired approach to service delivery.”
  • “I’m not sure we’re learning and growing our risk management capabilities and know-how.”

When are the Seeds for a Growth Spurt Planted?

In our team’s experience, maturity happens in various ways throughout an organization’s life cycle. Do any of these growth-spurt moments sound familiar?

  • Soon after the arrival of a new leader (think CEO, CFO, General Counsel, Board Chair, Audit Chair) who has an affinity for risk management or prior experience realizing the mission-advancing benefits of a risk program
  • In the wake of an event or disruption (think data privacy breach, the abrupt departure of an executive, contract dispute with a vendor, global pandemic) that caught the organization off-guard and unprepared
  • During conversations with a key funder who asks about the organization’s risk capabilities, readiness, or resilience or requests that the risk management program be described in a funding application
  • Following a conversation with a broker who explains that the organization’s premium will be increasing due to market conditions and the lack of controls deemed necessary by an underwriter
  • Days after a senior leader attended a risk-themed conference or webinar (maybe one of ours!) and found themselves inspired to seize the day and reinvent risk management
  • During a presentation by an external auditor recommending that the organization undertake an ‘independent risk assessment’

Tips and Insights

During my “Growing Up Fast” workshop at the Risk Summit, I shared a handful of tips and insights from our work as risk advisors:

  • As you work to elevate risk management or evolve from a traditional approach (avoiding losses) to Enterprise Risk Management (leveraging opportunities and adding value), focus on how the function can guide and support leaders who must make decisions in an environment of uncertainty
  • Don’t feel confined to existing (or conventional) tools—especially risk registers and heat maps—just because they have been around forever, especially if they have questionable utility
  • Take time to learn from unexpected risk events: do an After-Action Review, or use our “Learning from Success, Failure and Near Misses” worksheet
  • Stay humble and in learning mode: no risk program offers a prescient forecast of future events. The best you can hope for is to build resilience and readiness to manage through (and possibly learn to relish and welcome) surprises
  • Promote risk optimism by asking:
    • What’s the best that could happen?
    • What are the potential upsides of this risk event, action, or decision?
    • What could we do to become more comfortable TAKING this risk?
  • Encourage others to share their risk worries and concerns by sharing yours

Variety is the Spice in Life (and Risk Management!)

The NRMC team has offered a supportive hand, functioned as a coach and sometimes a sounding board, and has served as the architect of modest (and grand!) plans to evolve risk practice in nonprofits with myriad missions. Some of the varieties of improvements we’ve helped build or witnessed include:

  • An expansion of the risk team in a nonprofit to include professionals from multiple functions
  • The drafting of clear statements describing the risk function’s goals, purpose, and areas of focus over one, two, or three years
  • The hiring of a full-time risk professional to assume the role of internal risk champion and subject matter expert (increasingly, we’re being asked to support or lead searches for full-time risk leaders)
  • The broadening of scope for an existing board committee (e.g., from Audit Committee to Audit and Risk Oversight Committee)
  • The adoption of a written Risk Management Plan describing the function’s purpose, scope, components, and intended outcomes
  • The completion (finally!) of a practical Business Continuity Plan that will be a roadmap for managing through future disruptions to normal operations
  • A decision to convene annual risk workshops to revisit and poke at lists of top risks and prior assessments of strategies and actions in the face of risk

Whatever steps you’re prepared to take to improve the risk function in your agency, I hope you’re feeling optimistic and supported. Your agency won’t be the first—or the last—to ponder practical steps to modernize your approach and strive for ‘better’ practices all around. If you’re a current or former consulting client of NRMC or a current Affiliate Member of NRMC, please know that there is no cost to speak with us about your vision and plans! We welcome the opportunity to ruminate with you about the goals you have for evolving risk management. The NRMC team enjoys sharing tips and insights from our 33+ years as a nonprofit risk leadership team dedicated to helping other nonprofits. And there’s a good chance we know another nonprofit leader who is at or has recently been in a similar spot and would love to meet you. We’ll help you find the answers!

Melanie Herman is Executive Director of the Nonprofit Risk Management Center. She welcomes your questions about evolving your nonprofit’s risk management program and your stories about planting strategic seeds of maturity and growth at 703.777.3504 or