Tips for Risk Management in Nonprofits

By Rebecca Cross

The Enterprise Risk Management (ERM) Initiative, housed in the Poole College of Management, hosted the inaugural ERM in Non-Profit Organizations Workshop this fall. Poole College of Management faculty and ERM leaders in nonprofit organizations joined to teach interactive sessions and guide conversations about managing risks nonprofits face. 

Mark Beasley, Ph.D., director of the ERM Initiative, said much of the current ERM training in the marketplace is geared toward large, public companies, and nonprofits are eager to find training tailored to their organizations.

“In our workshop, we speak the nonprofit lingo,” Beasley said. “Participants learn from peer organizations that share tactical ways they have implemented ERM in their entities. We foster conversations among the nonprofit participants about their challenges and approaches to those challenges.”

Beasley engaged in a Q&A about risk management in nonprofits:

This is the first annual Non-profit Organization Workshop. What prompted the organization of this event?

Every entity faces risk, and there has been a growing interest in how entities manage risk. So much of that effort has been in the corporate sector, so I think a lot of nonprofits are asking themselves, “Should I be following what corporates are doing or is there something unique to the nonprofit setting?” We are also hearing growing expectations for nonprofit organizations to manage risks more robustly. So, we [ERM Initiative] realized there was a need to really pull nonprofit leaders together and talk through some of the challenges of how they manage their risks.

What types of unique risks do nonprofits face?

In a lot of ways, the risks that a nonprofit faces are not that different from those of a for-profit. Nonprofits have people risk, technology risk, and competitor risk – they’re just competing for donor dollars or grant funding instead of competing to sell a product.

What makes nonprofits unique is that their business model differs from that of for-profit organizations. They’re dependent on grants, giving, and donations, so they often don’t have the funding to build the infrastructures that a big public company can. For almost every nonprofit, the risk they face is funding, and lack of funding means they can’t invest in those infrastructures. They can’t always be as innovative as a big public company.

What are some consequences of unaddressed risks for nonprofits?

The biggest consequence, I would say, is that if they don’t manage a given risk, it may have such a reputational damage effect that it has a massive impact on the donor base and grant funding. Say a nonprofit has a major ethical issue in leadership; donors and grant agencies will pull back their funding due to lack of trust in the nonprofit’s leadership. So, I think that by not managing risks, whatever those risks may be, nonprofits are more worried about the reputational harm. A reputation hit can be catastrophic.

That’s a catastrophic risk, but there are also day-to-day risks. For any entity, if they don’t manage their risks, they spend all their time trying to put out a fire instead of using that energy to think about achieving organizational goals. You’re being reactive instead of looking to the future when you don’t manage day-to-day risks.

As you mentioned, sometimes nonprofits have limited resources. What are some characteristics of effective nonprofits that have used the resources they do have to manage risk well?

For one, they are explicitly talking about risk on a regular basis. A lot of the way entities manage risk is what I call gut-level risk management. They say, “We talk about risk all the time,” but that often means they talk about topics and occasionally a risk conversation emerges associated with those topics. A really good nonprofit is explicitly taking management through a risk identification and prioritization process. For example, asking management, “What are our risks over the next three years?” Get them naming any and all risks and then ask, “Okay, now that those risks are identified, what are we going to do about them?” That risk identification and prioritization conversation is not happening in a lot of places. It tends to be more of a one-off kind of conversation.

The second piece, I think, is that entities that manage risk well are doing everything through a strategic lens. They begin their risk conversations by understanding why they exist and what their mission is. Then, they ask themselves, “What are the risks to fulfilling those strategic points?” These entities have connected risk to strategy.

You see, many entities manage risk in a very siloed way. The risks that are out there don’t really care about my organizational chart. So, when a risk emerges, it’s not going to neatly fall into the legal department or the IT department or the treasurer’s office. People who are good at managing risks are talking about risks explicitly and tying them to their overall strategy.

It sounds like sometimes people just aren’t talking about risk. Why do you think people are resistant to talking about risk?

There are a lot of reasons that a management team might not be talking about risks. For one, we, particularly in the Western world, tend to have an optimism bias. We get lured by the opportunity for return. We also don’t like a naysayer or a contrarian, and our culture doesn’t really reward that. If you’re always the one bringing up the contrarian voice, people get tired of talking to you, and they just sort of don’t include you, so you quit sharing. We tend to like optimism, and it’s more fun to think about the future possibilities.

Another reason people aren’t talking about risk is that they assume everyone is on the same page about what the entity’s risks are. But they’ve never really asked the question, “What are our big risks?” That comes back to my earlier point – we don’t realize what our big risks are because we don’t explicitly talk about risk. We talk about it, but not in a focused way.

So, it’s a little bit of this optimism bias, the resistance to being the naysayer, and the fact that we don’t really foster a transparent conversation about risk.

How is managing risk in today’s world particularly challenging?

It’s not getting simpler. The world is getting faster. When you think about it, societal changes are happening at a faster and faster pace. That speed means there’s more and more uncertainty about what’s going to be the reality in five years. Well, uncertainty causes risk.

Society is getting more complicated and connected from a technology and an innovation perspective. For example, more and more entities are outsourcing services to vendors. When entities do that, they may start thinking, “Well, not only am I worried about my data and technology systems being exposed, but now I’m wondering, if my vendor’s technology is breached, how might mine get breached, too?” It can get exponentially more and more risky because we’re so connected.