In an article published by the American Institute for Certified Public Accountants, Dr. Mark Beasley noted, “some may naively conclude that more effective risk oversight is a corporate issue that isn’t relevant to not-for-profits. That perspective is dangerously wrong.” Why, then, do so many board members routinely commit their time and reputations to nonprofits without asking about risk management? It often comes down to seven factors:
- Board members lack awareness of risk management.
Although most large for-profit organizations have risk management programs, many smaller organizations use ad hoc risk management efforts—or none at all. As a result, some board members lack familiarity with contemporary risk management. Many do not know what it does, why it is necessary, or how to begin. In other words, they don’t know what they don’t know. As fiduciaries of their nonprofits, however, the board has a responsibility to become aware of the threats and opportunities facing their organization, and to learn about how the organization addresses these risks.
- Board members believe insurance is enough.
Some know enough about risk to ask whether the nonprofit has directors’ and officers’ liability insurance. If it does, they believe they and the organization are protected. But insurance is not a substitute for risk management. A D&O policy may protect a director from personal liability, but it does little to directly protect the nonprofit. Furthermore, even if the organization has other policies for errors or accidents, insurance rarely compensates for an entire loss and cannot compensate for the reputational harm that can flow from missteps. Nor does insurance increase a board’s awareness of the threats and opportunities facing the nonprofit. Insurance merely shifts certain identified risks from one person to another.
- Board members are not sufficiently engaged in oversight.
Some board members do not know enough about the nonprofit’s operations to ask informed questions about the threats and opportunities it faces. They may also feel inhibited by this lack of awareness and remain silent rather than confess ignorance. Nevertheless, board members are obligated to know enough about an organization to fulfill their basic duties of care.
- They believe cost considerations prevent the adoption of risk management initiatives.
Understanding that their nonprofit is strapped for resources and always seeking new funds, board members may believe there is no room in the budget for another program, especially one focused
on infrastructure rather than end-user services. But risk management does not have to cost very much. In fact, a risk management program can be started with very little expenditure of time or money.
- They believe programming or fundraising come first.
Boards often believe that programming activities or fundraising must always take priority over efforts that may not immediately bolster the organization’s resources. It is not an “either/or” proposition, however. Risk management enhances programs and fundraising and, through the assessment of threats and opportunities across various functional areas, may identify even more important organizational priorities.
- Board members believe risk management is only for for-profit companies.
This assumption recalls the “dangerously wrong” perspective Beasley described. Risk management is actually even more important for nonprofits than profit-seeking enterprises. For-profit businesses seek to make money for their owners or shareholders. By contrast, a nonprofit must take account of numerous stakeholders, including current clients, future clients, donors, board members, the community, employees and government regulators. It must balance these interests and achieve these objectives in the face of near continuous resource constraints. Risk management is therefore mission-critical for nonprofits.
- Board members believe they lack options.
Even if boards are aware of risk management and its potential value, they may not know how to start. A variety of resources are available, both online and in print, to provide guidance. Consultants can also help organizations build a program. At the very least, a board member should ask the nonprofit to explore what options are available, and at what cost.
Having dispelled these misconceptions, it is clear board members must ask questions about risk management at a nonprofit. Asking the following can uncover some useful information:
1. What risk management do we have now?
The nonprofit is almost certainly engaged in some form of risk management currently. What are those efforts, and how are they coordinated?
2. How does the nonprofit engage the board in risk management?
The organization should be keeping its board apprised of major threats and opportunities and what is being done about them. This needs to be updated regularly. The nonprofit should also be asking the board how much risk the organization wants to accept in order to achieve its objectives, so that the staff knows how aggressive to be in pursuing its various functions.
3. How often does the organization review its risk management program for improvement?
Risk management is not static; it is a dynamic process that should aim for continuous improvement over time.
4. When was the last time a risk inventory was performed?
A risk inventory is an exercise in which the organization surveys its threats and opportunities. This process engages team members from the bottom up in order to increase everyone’s awareness of risks and encourage them to be more risk-aware in their jobs.
5. Who keeps the organization’s risk register, and how often does the board receive and review it?
A risk register is a document that lists threats and opportunities faced by the organization, prioritizes those risks, assigns them to specific individuals for follow-up, and tracks progress over time. A board should periodically see at least the top few items on the risk register, since those items are—from staff’s perspective—the most important threats and opportunities currently facing the nonprofit.
6. If risk management programs take time to grow, why can’t we start small now?
If staff responds that they do not have time or energy to adopt risk management now, the solution should be to start small with a pilot program. Once that is in place, it can be reviewed to gauge its impact on the organization.
Nonprofit boards must abandon the dangerously wrong perception that nonprofits do not need or cannot afford risk management programs. Effective board governance requires that members ask these questions and demand thorough answers.