Sarah Belliveau, CPA

Enterprise Risk Management for Not-for-Profits: How to Eat an Elephant
Enterprise Risk Management—ERM. You’ve heard about it. You may have implemented the fundamentals in a few areas. Or a board member has brought up the topic. Now is the time to explore ERM more deeply.

An increasing number of granting agencies and funding sources are requiring not-for-profit organizations to have an ERM plan in place. It’s not generally mandated, but it would be wise for all organizations to start thinking about risk management. Whether required or not, ERM plans help organizations think prudently about protecting their assets, people, and ability to fulfill their missions.

What is ERM?

Enterprise Risk Management provides stakeholders with an understanding of where your organization stands, and puts actions in place to: 

  • Identify risks
  • Measure their likelihood of occurrence
  • Manage their cumulative impact
  • Integrate plans to manage individual risks

Sounds reasonable, right? Then why haven’t more organizations implemented ERM? It is a huge undertaking when starting from scratch. The good news is that you can do it piece by piece. It’s like the old joke: “How do you eat an elephant? One bite at a time.”

How to eat the elephant

The scope of ERM is broad, beyond financial controls and systems security measures. It brings together risks from across the enterprise (e.g., human capital, operations, legal/compliance). This is the elephant part: You’re looking at a beast of a project. ERM goes beyond the spreadsheet. You need to digest (read: thoughtfully consider) all the risk areas of your not-for-profit.

An ERM approach asks your board and stakeholders to fundamentally shift their thinking about risk. For example, boards accustomed to treating risk as an emergency situation may have trouble allocating resources to risks that don’t feel urgent. With ERM, you prioritize risk on an ongoing rather than an as-needed basis. You establish priorities by focusing on your long- and short-term strategic goals and then identifying what will help you—or hinder you—in carrying out your mission.

Begin at the top

One of your ERM goals is to clarify the roles and responsibilities for risk management throughout your organization. While the Executive Director or CEO of your organization has overall responsibility for risk, the board is responsible for risk oversight. The board sets the tone, determines the organization’s appetite for risk (i.e., its risk tolerance), and oversees management’s development of the processes needed to maintain the agreed-upon level of acceptable risk.

The board should articulate how it wants to address its role of oversight. Whether the board drives the process or whether it provides a general framework for others to carry out will depend on the nature of your organization. Often the board’s audit (or finance) and governance committees are most closely involved with the ERM plan.

Start small and focus

Trying to implement an entire ERM at once is overwhelming. Start small. Prioritize the most significant risks enterprise-wide and identify areas of weakness in the existing controls or policies associated with those risks. For example, an independent school may have strong procedures for student and employee safety, but may have done little risk evaluation of the IT vulnerabilities that could wreak havoc with its operations. Charge a small number of people with a balanced perspective across the organization to identify the risks.

Some possible risk areas include: 

  • Technological (data privacy and security, IT infrastructure)
  • Human capital (turnover, insufficient policies, skill alignment)
  • Financial (reporting, donor management, protection of assets)
  • Operational (reliance on outside providers, barriers to accuracy or timeliness)
  • Legal (regulations, accreditation)
  • Strategic (ability to execute key strategy components)
  • Reputational (damage based on a change in the organization’s reputation or public perception)

Next task: Be the turtle, not the hare

Once you have identified your risks, begin planning how to manage them. Determine the possible effects on your mission and prioritize resources to mitigate or accept the risk. The guiding principle for any organization is to preserve the organization’s ability to meet strategic goals.
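The steps above (identify risks, measure likelihood, weigh cumulative impact, then decide whether to mitigate or accept each one) can be kept in a simple risk register. The following is an added example, not code from the article or its authors. It assumes a 1–5 ordinal scale for likelihood and impact, a score of likelihood times impact, and a board-set tolerance threshold above which a risk is flagged for mitigation; none of those scales or the sample entries come from the article, and the categories are the article's own risk areas.

```python
"""Minimal ERM risk register: rank risks and show where impact concentrates.

Added example, not from the article. Assumed conventions:
  - likelihood and impact are scored 1 (lowest) to 5 (highest)
  - score = likelihood * impact (inherent risk before any treatment)
  - a risk at or above the board's tolerance threshold is "mitigate",
    anything below it is "accept" (and monitored)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    category: str    # one of the article's risk areas, e.g. "Technological"
    likelihood: int  # 1 = rare .. 5 = almost certain (assumed scale)
    impact: int      # 1 = negligible .. 5 = threatens the mission (assumed scale)

    def __post_init__(self) -> None:
        # Reject scores outside the agreed scale so a typo cannot silently
        # push a risk to the top or bottom of the register.
        for field_name in ("likelihood", "impact"):
            value = getattr(self, field_name)
            if not 1 <= value <= 5:
                raise ValueError(f"{field_name} for {self.name!r} must be 1-5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def prioritize(register: list[Risk], tolerance: int) -> list[tuple[Risk, str]]:
    """Return (risk, decision) pairs, highest score first.

    Ties on score are broken by impact (mission effect matters more than
    frequency), then by name so the ordering is stable and reviewable.
    """
    ranked = sorted(register, key=lambda r: (-r.score, -r.impact, r.name))
    return [(r, "mitigate" if r.score >= tolerance else "accept") for r in ranked]


def cumulative_impact(register: list[Risk]) -> dict[str, int]:
    """Sum scores per category to show which risk area dominates enterprise-wide."""
    totals: dict[str, int] = {}
    for r in register:
        totals[r.category] = totals.get(r.category, 0) + r.score
    return dict(sorted(totals.items(), key=lambda kv: (-kv[1], kv[0])))


# Constructed sample register for an independent school (illustrative only).
SAMPLE_REGISTER = [
    Risk("Unpatched student information system", "Technological", 4, 5),
    Risk("Donor database exposure", "Technological", 3, 5),
    Risk("Loss of sole bookkeeper", "Human capital", 3, 4),
    Risk("Single payroll vendor outage", "Operational", 2, 3),
    Risk("Accreditation reporting lapse", "Legal", 2, 4),
    Risk("Negative press from a safety incident", "Reputational", 1, 5),
]

BOARD_TOLERANCE = 10  # assumed threshold set by the board


if __name__ == "__main__":
    print("Prioritized register:")
    for risk, decision in prioritize(SAMPLE_REGISTER, BOARD_TOLERANCE):
        print(f"  {risk.score:>2}  {decision:<8}  {risk.category:<14} {risk.name}")
    print("Cumulative score by risk area:")
    for category, total in cumulative_impact(SAMPLE_REGISTER).items():
        print(f"  {total:>2}  {category}")
```

Run as a script it prints the ranked register and the per-category totals. With the constructed entries, the two technological risks and the bookkeeper risk land above the assumed tolerance of 10 and are flagged for mitigation, and the technological category carries far more cumulative score than any other, which is the kind of concentration the article's school example describes.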

ERM goes beyond just protecting key assets or remaining in compliance with legal and fiduciary requirements. An ERM process encourages you to identify, measure, and manage the potential risks to operations. By doing this planning step by step you lay the groundwork for applying your resources more effectively enterprise-wide. To quote another saying, “Slow and steady wins the race.”

Get help

If you have questions about ERM planning, contact Sarah Belliveau or Tammy Michaud. They offer presentations, education, and advisory services on this and many other topics designed to help your board and organization be more effective.