Nonprofit Board Two-Page Risk Management Overview

David Tate, Esq. (San Francisco)

Risk management is an extremely broad subject-matter area. While there are several available risk management models, there is no agreed-upon definition or process. However, it is, or is becoming, an accepted practice that risk oversight is a board function. Further, by statute or rule (and/or accepted prudence or industry standard) many organizations are now legally or quasi-legally required to exercise formal risk management, with board oversight. It is also not uncommon for the board to delegate risk oversight to a board committee; however, at least for legal, business judgment and reputational reasons, the board should remain engaged in risk management oversight even if significant responsibility is delegated to a board committee.

What is risk management and what does it include? There is no standard answer, and I am not going to propose one in this paper as that is not the objective. The objective here is for the organization to consider and improve upon its risk management. Risk management is a process—or, more correctly stated, a set of processes—designed and implemented to help the organization achieve its mission, objectives and strategies—to get to where it wants to go. Risk management is current-day and forward-looking. Every organization has risk. Risk is a part of operations and business. Although there can be a tendency to view risk management from a negative or liability-avoidance perspective, risk management is considerably broader in scope and should be viewed both positively and negatively, as both positive and negative unexpected or unplanned events occur. Consider, for example, (positive) designing and implementing processes for identifying, developing and securing new and increased funding resources, as compared to (negative) “in this down economy we are at risk of losing the XYZ contract or source.” Also keep in mind that even with the “best” of risk management processes unexpectancies will occur—the occurrence of an unexpectancy, even a negative unexpectancy, does not mean that someone is at fault or acted improperly.

Enough of the overall background discussion—start by listing the organization’s mission, objectives, strategies, and projects—then identify and prepare a list of the risk factors that impact or could impact the organization in relation to achieving its mission, objectives, strategies and projects. While the list might seem endless, consider that an event or unexpectancy with a high likelihood of occurrence, even within the immediate future, but with little likely impact, probably is not as important to address right away as an event that has much less likelihood of occurrence but that carries the potential for high impact. This gets into the areas of risk assessment, appetite and tolerance. Simplistically, management, with the board’s oversight, evaluates not only the risks, but also the organization’s level of appetite for the risk, and whether there is a further level of tolerance for allowing the risk if the risk begins to exceed the appetite.

Some risks and risk management processes are generally shared or are similar across organizations and industries; whereas, of course, between organizations and industries other risks and risk management processes will vary. So, first concentrate on what I would consider the most significant risk factors based on the overall likelihood of occurrence (viewing current conditions, not just based on the historical likelihood of occurrence), the likelihood of occurrence within a particular time frame (e.g., today, next week, next month, etc.), and the potential for impact upon occurrence. Impact can be quantitative or qualitative, or both (e.g., money, reputation, or some other criteria). Risks also can change at the clock speed of business—that is, at any time. Thus, in some reasonable manner risk management processes are or should be continuous.

The following is one recent example. By historical standards the likelihood of a gulf oil spill might be slight, but the likely impact could be catastrophic. Of course, historical standards of likelihood could be an erroneous criterion, as based on then-existing current conditions (i.e., the then-existing conditions of the equipment being used, training, and safety procedures—possible leading indicators of the risk event), the likelihood of occurrence might have been higher. There would be little or no appetite or tolerance for the occurrence of a significant spill—presumably processes for addressing and preventing the risk of possible spill occurrence, and processes for emergency containment and remedial actions in the event of such a spill, would be given the highest priorities.

We don’t want to get bogged down in a technical discussion about risk management as the objective here is to encourage the organization to consider and improve upon its risk management processes. For the purpose of an exercise, let’s take the example of a hypothetical nonprofit that provides assistance to people in need who are of low or no income. In part, the nonprofit runs a care clinic. The clinic is staffed with volunteers and with licensed care professionals who provide their time and services at a reduced rate. The nonprofit primarily receives revenue/receipts from donations, from a government contract with the city which pays for care provided to qualifying patients who access the clinic on a per-patient basis (the city contract covers a little over half of the costs of operating the clinic), and from insurance and public benefit reimbursements. The nonprofit’s mission is also in part religious.

Some of the nonprofit’s objectives and risks that quickly come to mind are: securing a timely stream of revenues/receipts/donations from the various available sources; identifying the care that will be provided and maintaining the quality and timeliness of diagnosis and care; proper discharge and/or referral of patients; satisfying the specific requirements of the contract with the city; medical record security and privacy; satisfying HR requirements; satisfying legal requirements and adopting compliance programs and processes; maintaining the religious aspect of the organization’s mission; obtaining appropriate liability and risk insurance coverage; and proper and timely transaction recording, accounting records, internal controls and financial reports and statements.

The following chart outlines one possible process for identifying, evaluating, handling, and monitoring objectives and risk.

Project / Objective

Strategic Initiative / Revised Strategic Initiative

Potential Risk to Strategy

Likelihood of Risk Occurring / Period of Time

Potential Impact if Risk Occurs

Appetite for the Risk

Tolerance for the Risk

Key Leading Risk Indicators

Strategic Response to Risks

People and Processes for Monitoring / Trigger Points

Revised Strategic Response



