How to Forge a Great Risk Management Partnership with Your Board

“The board is getting involved in decisions our staff should make…again.” “Board members worry about the strangest things! We’re working to keep the lights on and they’re asking questions about risks that seem so unlikely.” 

Do these statements sound familiar? The NRMC team often hears comments like these from nonprofit leaders we work with. Sometimes, frustration between nonprofit executives and their boards stems from differing ideas, perspectives and priorities in the risk realm.  

Healthy dialogue about the top risks among boards and staff can strengthen both halves of the equation and fortify trust and respect. Differences of opinion on risk tolerance should be expected and can help nonprofit teams use a risk lens when considering new opportunities and developments in dynamic and stressful environments. But if they aren’t addressed with care and skill, those disagreements or disconnects can snowball. In this article, we’ll share strategies for how to distribute risk responsibilities among staff and the board and foster discussion that brings you into closer alignment, not further apart. 

Understanding a Board’s Risk Role 

To craft a vision for a shared understanding of risk, it helps to revisit board roles and responsibilities and understand how they differ from those of staff. 

Nonprofit staff teams have primary responsibility for risk identification, action planning, and keeping the board apprised of the team’s approach and progress addressing top risks. 

The board’s ideal role in risk management is to ensure the organization has enough resources to manage risk well; consider whether the organization is taking enough risk to achieve its mission; and bring board members’ diverse perspectives to the discussion about concerning developments and risks (possibilities) on the horizon. 

Defining Roles and Responsibilities 

So how do you ensure both staff and the board know their lane and stay in it? 

Board and committee charters can be very helpful in spelling out the responsibilities of those groups. Many boards vest risk management responsibility in a board audit committee. The audit committee is sometimes seen as ideal for risk governance because it often has a lighter work load than other board committees. In our experience audit committee members are often grateful when their role is expanded to include risk governance (oversight), giving them a window into issues beyond financial health and fiscal policy. NRMC recommends keeping audit committees separate from finance committees when possible. A finance committee works closely with the nonprofit’s CFO or Director of Finance, reviews periodic financial statements, and reviews the draft budget before it is presented to and approved by the full board, while an audit committee leads the process to select an independent audit firm and reviews audit reports before they are shared with the full board.  

Some larger nonprofits form a risk committee separate from a finance or audit committee to focus solely on risk management issues. Whether this is a fit for your organization depends on your board composition and risk profile. If your board has several members with risk management interest and relevant expertise, or risk, compliance and ethics issues are especially complex in your nonprofit, a board risk committee could be a wise move. 

It can also be helpful to spell out the risk responsibilities of staff. We have seen dozens of staff risk management configurations, many of which might work for your nonprofit. All staff do some level of risk management every day, and we encourage you to recognize that. Often, a point person (who may or may not have a designated risk title) will handle risk questions that arise—such as, “Would one of the policies in our current portfolio of insurance coverages potentially respond to claims arising from this new program?” And a leadership team might quarterly determine a handful of priority risks to focus on and guide the formation of action plans, in partnership with the risk point person. 

A staff risk committee can also help ensure an organization’s risk management work includes perspectives from all levels and departments. You can reach out to people across your organization you think would be a great fit, but in our experience, asking for volunteers to round out the committee is a good practice. We recommend a staff risk committee include at least one member of leadership, so the people identifying the risks have a connection to the decision-makers who can approve needed expenditures and actions. 

But what do you do when those responsibilities get confused or a board member strays into the management domain? 

At NRMC, we believe one of the best ways to keep boards focused on the areas where they can add the most value—and out of day-to-day operations—is to provide strategic issues for the board to ponder and involve them in decisions related to the organization’s direction, top priorities, and values.  

Help Your Board Stay Involved and On Point 

Resolve to provide a clear purpose and focus for your board. Most people long for a job to do and a reason to do it. That includes board members. If their purpose and value isn’t clear, some trustees will forage for something to focus on. And because humans are used to managing things, from family schedules to grocery lists, they will likely find an activity that looks and sounds like a management task. NRMC has reviewed board committee charters with excessive detail about how often the committee meets, quorum requirements, membership criteria and other minutiae, and too little information on roles and responsibilities. The lack of a clearly stated purpose increases the risk that the committee will stray outside its lane.   

A board’s risk responsibilities ideally include considering the nonprofit’s risk appetite. Risk appetite describes the amount and type of risk an organization considers appropriate and necessary to deliver its mission and execute its strategic priorities. Defining risk appetite provides helpful guardrails and clarity for key decisions.  

If your board hasn’t already discussed risk appetite, doing so will help board members build their risk muscles and practice staying in their lane. A risk appetite exercise gives board members the opportunity to focus on high-level strategic issues while giving the staff the guardrails needed to do the day-to-day management where they excel. 

To calibrate risk appetite, choose a few hypothetical scenarios (possibilities) that would present a big risk to your nonprofit. Draft several hypothetical courses of action for each scenario. Make sure the possible paths differ from each other and reflect very different levels of risk. Then, hold a board discussion where board members vote on which course of action they would take. How different were the scores from each other? If board members have different risk tolerances, that’s great! A variety of perspectives will help ensure your nonprofit considers the nuanced upsides and potential downsides associated with key moves and decisions. But it’s important to understand where those differences of opinion exist and how you can learn from varying perspectives to support wise, risk-aware decision making for your nonprofit.  

Some of our favorite risk-inspired tasks that keep the board on track include:  

• Reflecting on and discussing whether the organization is taking enough risk to advance its mission.  

• Contributing unique perspectives and lenses to a discussion of the nonprofit’s dynamic risk landscape: what risks does each board member see and experience from their perch in the world?  

• Discussing whether staff reports inspire a sense that management has taken a thoughtful, risk-aware approach to building resilience for what’s next. 

Crafting Great Board Risk Briefings 

To keep the lines of communication open, we encourage staff to brief the board or board committee that handles risk regularly. The frequency of briefings is up to you, but we find that two briefings per year can keep risk top of mind without overtaxing the board or staff.  

It’s natural to be a little nervous when briefing your board or a board committee about risk. But an open dialogue about risk can build trust, shape strategy, and help your nonprofit better deliver its mission. Here are some steps to help you have a great discussion about risk with your board. 

Know what they want to know. Before the meeting, ask the board what they most want to learn about your nonprofit’s risk management efforts. There might be a lot of variety in the answers! Tailor your presentation to focus on the major areas where the board seeks information. 

Keep it high-level. Your presentation should highlight major risks your nonprofit faces with an overview of how you are building resilience. Don’t spend valuable presentation time on operational details. 

Get to the good stuff first. Slot your risk discussion early in the meeting agenda when brainpower runs highest. 

Don’t talk at board members; talk with them. You might want to create a huge slide deck, rush through it in the hopes that your board will say, “Nothing to see here,” and move on. But dialogue helps staff and board members better understand the organization’s challenges and opportunities. Consider adding questions you want board input on to the agenda. 

Help them visualize it. Augment your presentation with graphics that illustrate key metrics. Don’t overcrowd your presentation. A visual risk dashboard should contain no more than three key pieces of information, with the most important metric or data displayed in the top left corner. (For inspiration, see our article about risk dashboards in this issue.) 

Don’t blue-sky it. Of course you want the board to think you have everything under control. But life, and advancing a nonprofit mission, always includes plenty of things you don’t control. Be honest about how you’ve worked to build resilience, what you still don’t know, and how you are working to learn more. 

Go boldly. Share your perspective on the consequences of risk aversion and invite discussion about how and why your nonprofit should act boldly to make a difference in the lives of peoples and communities you serve.    

Consider a deep dive on one risk topic per board meeting. A deep dive serves two purposes. First, it shines a light on the care and attention you are giving to a critical risk without putting too many operational details in front of the board. Second, it builds confidence by satisfying the natural curiosity of the board to understand the “how” behind your approach to managing critical risks. 

Identify a point person. Let board members know which staff person or people coordinate risk assessment and risk management at your nonprofit. While nonprofit CEOs have ultimate responsibility for operations, by noting who constitutes the staff risk team, you will reduce the board’s worry that the CEO has too much on their plate. 

Find out what you don’t know. Include time in risk discussions for staff and board members to talk about the emerging risks you have just begun to consider. Ask leaders to share what they are seeing or hearing in their industries on those risk topics.  

Identify next steps. Summarize the board’s requests for additional data points or angles on risk management at your next briefing. For example: “We heard today that you’d like the risk dashboard to include three risks instead of five, and that you’d like the next deep dive to cover workplace violence prevention.”  

Build a Dynamic Board-Staff Relationship 

If everyone involved understands their role and how they can help and support each other, risk discussions between a nonprofit board and the staff can be fruitful, illuminating, and enjoyable. Even in a carefully thought-out partnership, disagreements can arise and things can go sideways—but with thoughtful conversation and a refocus on the roles, you should be able to find equilibrium again.  

Your board-staff dynamic may need to evolve as the organization and the environment around you change. That’s OK, too. The biggest mistake you can make in board-staff risk dynamics is not talking about them. Once the lines of conversation open, you might be surprised how many avenues to move forward appear. 

Rachel Sams is Lead Consultant and Editor at the Nonprofit Risk Management Center. She has served on nonprofit boards and presented to NRMC’s board and finds unique perspectives on both sides of the equation. Reach her with thoughts or questions about this article at rachel@nonprofitrisk.org or (505) 456-4045.