Many non-profit leaders assume that enterprise risk management (ERM) is only for large organizations, on the theory that larger organizations need it more and can better afford it. However, ERM doesn’t have to be complicated or resource intensive, and organizations of all sizes can benefit from it. ERM helps your organization focus its limited time and resources on what matters most, whether you have a handful of staff or multiple departments.
What ERM Really Is (& Isn’t)
At its core, ERM is simply a structured way to better understand and mitigate whichever risks pose the greatest threat to your mission. ERM isn’t about eliminating all risk. When serving communities, launching programs, and pursuing growth, some risk is unavoidable. Instead, an ERM program provides a portfolio view of risk, helping leadership compare risks across the organization and decide which ones deserve the most attention.
For example, your organization may be willing to accept some programmatic or reputational risk to advance its mission, but far less willing to tolerate financial, compliance, or governance risk. ERM helps make those preferences explicit, so decisions are consistent and intentional.
ERM is also scalable. A small non-profit doesn’t need sophisticated software or a dedicated risk department. What it needs is a shared understanding of risks and a repeatable process for addressing them.
The Basic Components
Experienced financial advisors and risk-management consultants can help you set up an ERM program. Generally, you’ll want to start by establishing a risk management governance structure with assigned roles and responsibilities. Your non-profit’s executives and board should define your organization’s risk tolerance and make clear its commitment to the program.
Next, your organization should assemble a cross-departmental committee to develop the program. If you don’t have distinct departments, make sure that a diverse range of work experience and responsibilities is represented in the committee you form. Once assembled, your committee should take four basic steps to build your ERM framework:
1. Identify risks. Risk identification works best when it’s collaborative. Conduct surveys and interviews with board members, leadership, staff, and even clients to gather broad input and surface risks that might otherwise go overlooked.
Start by asking a simple question: What could prevent us from achieving our mission? Be as comprehensive as possible and consider risks from every angle, including financial management, regulatory requirements, leadership transitions, data security, program outcomes, stakeholder trust, public reputation, and beyond.
2. Categorize risks. Group all the risks you’ve identified into categories. This helps create organization-wide clarity and avoids treating every issue as a standalone problem. Categorization also helps leadership see patterns. For example, it can show whether multiple risks stem from the same root cause, such as limited staffing or outdated systems.
3. Prioritize risks. Not all risks deserve equal attention. Prioritization is where ERM delivers the most value for smaller organizations with limited capacity. Each risk should be evaluated based on both likelihood (how probable it is) and impact (how damaging it would be if it occurred). The goal is to focus on the risks most likely to disrupt your mission, financial stability, or public trust.
4. Mitigate risks. Identifying, categorizing, and prioritizing risks will be of little benefit if you don’t devise a plan to mitigate them appropriately. For each key risk, leadership should determine whether to:
- Accept it (because the cost of action outweighs the benefit),
- Reduce it (by strengthening controls, policies, or processes), or
- Avoid it (by changing or discontinuing certain activities).
Mitigation doesn’t have to incorporate complex controls. In many non-profits, effective mitigation can be as simple as having clearer roles and responsibilities, stronger oversight, better documentation, or improved communication.
An Ongoing Process
Developing an ERM framework isn’t a one-time exercise. As your non-profit evolves, so do its risks. Continually monitoring key risks, evaluating performance indicators, and making appropriate adjustments helps ensure your organization’s risk tolerance remains aligned with its goals and objectives. With a practical framework and shared commitment, even small organizations can design, implement, and monitor an effective ERM program. Contact us for help tailoring an ERM approach that fits your organization’s size and complexity.
