Nonprofit Accounting Basics

Nonprofits Are Embracing Enterprise Risk Management

An increasing number of nonprofits have embraced enterprise risk management (ERM), which is a structured and continuous process designed to provide an organization’s board and senior leaders a strategic perspective of risks so that they can be managed proactively.

When it comes to risk management, some may think of areas like IT, investment risk management, or risk events that can be covered by insurance, but these are just silos, or pockets, of risk. Strategy is the driving force of decision-making, budgeting, and the determination of critical mission goals. ERM's main purpose, therefore, is to bring the focus back to the organization's most critical strategic risks so that top leadership is proactively informed.



In ERM, nonprofits conduct a risk-rating analysis, where they identify and evaluate all risks to achieving the organization’s strategic objectives. This builds a “risk universe.” To facilitate the risk evaluation process, nonprofits can use risk surveys, risk workshops, interviews, past risk events, and industry risk events.

To implement ERM, nonprofits should begin by securing buy-in and approval from the board and then designating a champion or committee dedicated to and responsible for risk mitigation. Logically, a growing number of chief financial officers are leading ERM initiatives for their nonprofits since most have already been designated to oversee financial, IT, and HR risks. Many organizations are also instituting internal risk councils consisting of executive management and “risk owners,” such as representatives from HR, IT, marketing, and so forth.

There is no right or wrong way to formalize ERM. Nonprofits should educate the board, management, and staff on ERM goals and objectives and begin with what makes the most sense within their organization. You can start simply with an assessment of risks and progress to more sophisticated models of risk management as your organization evolves.

The best ERM programs keep risk management simple by focusing on the following:

  • Understanding the organization’s context (industry, strategy, culture, structure, processes, system, and people).
  • Identifying the organization’s risk universe through surveys, workshops, industry trends, and so forth.
  • Using a logical method to rank risk (likelihood and impact scales).
  • Deciding who is responsible for actions, whether a risk council, ERM champion, or risk owners.
  • Monitoring and learning, including board reporting and developing a risk-aware culture.


Example Annual ERM Cycle



With ERM, the risks with the top rank are the ones the board should be monitoring. This helps the organization focus on the risks that truly affect it, rather than on a single stakeholder's view of priorities (that is, the loudest person in the room).
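The ranking step described in the list above ("a logical method to rank risk" using likelihood and impact scales) and the board-monitoring point just made can be shown concretely. The following is an added example, not code from the article or from any particular nonprofit: it builds a small risk register on assumed 1–5 likelihood and impact scales, ranks it, produces the top-N watchlist for the board, and groups risks by their risk owner. The register entries, scale choices, owner titles, and field names are all constructed assumptions.

```python
"""Rank a nonprofit's risk universe by likelihood and impact and select
the top-ranked risks for board monitoring.

Added example with constructed sample data; the 1-5 scales, the
multiplicative score, and the field names are assumptions, not a standard.
"""

from dataclasses import dataclass

# Assumed 1-5 scales (5 = most likely / most severe), matching the
# "likelihood and impact scales" the article refers to.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class Risk:
    name: str
    owner: str               # the "risk owner", e.g. a department head
    likelihood: int          # 1-5
    impact: int              # 1-5
    strategic_objective: str  # the objective this risk threatens

    def __post_init__(self):
        # Reject ratings outside the agreed scale so the ranking stays comparable.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{label} for {self.name!r} must be {SCALE_MIN}-{SCALE_MAX}, got {value}"
                )

    @property
    def score(self) -> int:
        # Simple likelihood x impact rating; the rank order matters, not the raw number.
        return self.likelihood * self.impact


def rank_risks(register):
    """Return risks sorted highest score first.

    Ties are broken by impact (higher first) and then by name, so the
    ordering in a board report is deterministic.
    """
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.name))


def board_watchlist(register, top_n=5):
    """The top-N ranked risks, i.e. the ones the board should be monitoring."""
    return rank_risks(register)[:top_n]


def by_owner(register):
    """Group risks by risk owner, each group ranked, so owners see their own list."""
    grouped = {}
    for risk in register:
        grouped.setdefault(risk.owner, []).append(risk)
    return {owner: rank_risks(risks) for owner, risks in grouped.items()}


# Constructed sample risk universe (illustrative only, not real data).
SAMPLE_REGISTER = [
    Risk("Loss of largest grant funder", "CFO", 3, 5, "Financial sustainability"),
    Risk("Donor database breach", "IT Director", 2, 5, "Donor trust"),
    Risk("Key program staff turnover", "HR Director", 4, 3, "Program delivery"),
    Risk("Website outage during fundraising drive", "IT Director", 3, 2, "Fundraising"),
    Risk("Regulatory reporting deadline missed", "CFO", 2, 3, "Compliance"),
    Risk("Volunteer shortage", "Program Manager", 4, 2, "Program delivery"),
]

if __name__ == "__main__":
    print("Board watchlist (top 3):")
    for risk in board_watchlist(SAMPLE_REGISTER, top_n=3):
        print(f"  {risk.score:2d}  {risk.name}  (owner: {risk.owner})")
    print("\nBy owner:")
    for owner, risks in by_owner(SAMPLE_REGISTER).items():
        print(f"  {owner}: " + ", ".join(r.name for r in risks))
```

With the sample register, the three risks the board would monitor are the grant-funder loss (score 15), staff turnover (12), and the donor database breach (10). The breach ranks below turnover on this simple score despite its higher impact; if an organization wants severe-impact risks to surface regardless of likelihood, the scoring rule, not the scales, is the place to adjust, and that choice should be agreed by the risk council rather than by whichever owner argues loudest.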

For more information about Enterprise Risk Management, visit our website at