Organizations face myriad risks, from hazards including property damage, occupational injuries and auto accidents to operational exposures such as data breaches, abuse and molestation incidents and employment practices offenses. While most hazard and occupational risks are insurable, some have no obvious coverage.
Financial risks, such as investment and credit risk and macroeconomic shifts tied to geopolitical conditions, and strategic exposures, including succession planning, reputational damage or tax-exempt status revocation, can be devastating to a nonprofit but can’t be covered by traditional policies. Adopting an enterprise risk management (ERM) strategy can help nonprofits evaluate their organization’s risk landscape from end to end, identify and triage key threats by probability and magnitude and develop practical remedial strategies to eliminate or reduce these exposures.
4 tips for nonprofits pondering ERM
A successful ERM initiative requires buy-in from nonprofit boards and leadership teams, as well as the cooperation of constituents representing an organization’s key business functions. Consider these four tips before diving into ERM:
- Consensus is crucial. Finance, IT, human resources, programs, operations, development and others must work together to reach a cross-disciplinary consensus on an organization’s key risks before prioritizing them through an ERM initiative. Involving a wide group of individuals with different functional areas of expertise can also help identify risks that may have been overlooked.
- Don’t overcomplicate. Many ERM novices fall into the trap of developing exhaustive risk registers that catalog innumerable threats, only to find themselves paralyzed by the daunting prospect of quantifying and remediating each risk. While there’s no harm in brainstorming the various contingencies that could affect the enterprise, focus on the top five or six greatest threats — the ones that could spell the death knell for the organization because of their likelihood or severity. An ERM team should invest its energy in developing avoidance and reduction strategies for these key exposures.
- Consider external guidance. Outside experts can help facilitate team discussions and probe issues within an organization that may not have been previously considered. Choose an external ERM consultant with broad operational experience and a pragmatic approach to problem-solving that’s tailored to the organization’s specific needs. Consider whether the organization really needs exhaustive analytics, modeling and heat mapping — all of which come at a cost — or whether the nonprofit can achieve the same impact through a leaner analysis that drives it more quickly toward the finish line.
- ERM needs regular reviews. Risk is as dynamic as an organization and its operating environment — ERM is never a one-and-done proposition. An organization’s ERM profile and strategies must be periodically reviewed and adjusted for current and future circumstances. The more often a nonprofit’s ERM framework is revisited and refreshed, the easier it becomes — and the greater the likelihood that ERM will become part of the fabric of the organization’s culture.
Contact HUB International’s nonprofit experts to learn more about how to navigate the enterprise risk management process.
