Enterprise Risk Management for Nonprofits: A Practical Approach

Nonprofit leaders sometimes assume that enterprise risk management (ERM) is only relevant for large organizations with extensive resources. In reality, nonprofits of all sizes can benefit from a thoughtful approach to managing risk. A well-structured ERM framework does not need to be complex or expensive. Even organizations with small teams can use ERM to direct their attention and resources toward the issues that matter most.

Understanding the Purpose of ERM

Enterprise risk management is essentially a structured process for identifying and addressing the risks that could threaten your organization’s mission. The goal is not to eliminate every risk. Nonprofits regularly take calculated risks when launching programs, expanding services, or pursuing new opportunities to support their communities.

Instead, ERM helps leadership evaluate risk across the entire organization. By taking this broader perspective, leaders can determine which risks require the most attention and which are acceptable in pursuit of their mission.

For example, a nonprofit may be comfortable accepting some reputational or programmatic risk when developing new initiatives. However, the same organization may be far less willing to tolerate risks related to financial stability, regulatory compliance, or governance. An ERM framework clarifies these priorities so decisions are consistent and aligned with organizational goals.

Importantly, ERM can scale to fit your organization’s size. Smaller nonprofits do not need advanced technology platforms or dedicated risk departments. What they do need is a shared understanding of risk and a simple process for identifying and addressing it.

Core Steps in Building an ERM Framework

Financial advisors or risk consultants can help guide nonprofits through the ERM process. However, many organizations can begin building their framework internally. The first step is establishing a governance structure that defines responsibilities for managing risk. Leadership and board members should also determine the organization’s overall tolerance for risk and demonstrate support for the process.

From there, nonprofits should assemble a team that represents multiple perspectives across the organization. Even if your nonprofit has a small staff, the goal is to ensure a variety of roles and experiences are represented.

Once a team is formed, four key steps help establish a functional ERM framework.

1. Identify Potential Risks

Risk identification works best when it involves multiple viewpoints. Conduct interviews, surveys, or discussions with staff, leadership, board members, and even clients to uncover risks that might otherwise go unnoticed.

A helpful starting question is simple: What events or challenges could prevent us from fulfilling our mission?

Risks may arise from many areas, including financial oversight, regulatory compliance, leadership transitions, cybersecurity threats, program outcomes, public perception, or stakeholder trust.

2. Organize Risks into Categories

After identifying potential risks, grouping them into categories can improve clarity and efficiency. Categorization helps leadership avoid treating each issue in isolation.

It can also reveal patterns. For instance, several risks might stem from a common root cause, such as outdated technology systems or insufficient staffing levels.

3. Prioritize the Most Significant Risks

Prioritization is especially important for smaller nonprofits that operate with limited resources. Each risk should be evaluated based on two primary factors: the likelihood that it will occur and the potential impact if it does.

This process helps leadership focus on risks that could significantly disrupt the organization’s mission, financial health, or public credibility.

4. Develop Mitigation Strategies

Once key risks are identified and prioritized, the next step is determining how to respond to them. Leadership typically has three main options:

• Accept the risk if the cost of mitigation exceeds the potential benefit
• Reduce the risk through improved controls, policies, or oversight
• Avoid the risk by modifying or discontinuing certain activities

In many cases, effective mitigation does not require complicated systems. Simple improvements such as clearer responsibilities, stronger documentation, improved communication, or additional oversight can significantly reduce risk.

ERM Is an Ongoing Process

Enterprise risk management should not be treated as a one-time project. As nonprofits grow and evolve, new risks emerge while existing ones change.

Regularly reviewing key risks, monitoring relevant indicators, and adjusting strategies helps ensure the organization’s risk tolerance remains aligned with its goals. With a practical structure and leadership commitment, even smaller nonprofits can build and sustain an effective ERM program.
