What is a nonprofit board’s role in risk management? It turns out that, like staff’s role, the Board’s role is cyclical.

First, the Board must ensure that staff has a risk management process in place.

Second, the Board must make informed decisions about the most important risks facing the organization. That means looking at the organization’s top risks on its risk register. Note: this is not an invitation for the Board to micromanage how staff addresses risks. As elsewhere, the proper governance role for the Board is captured in the phrase “Nose in, hands off.” Be nosy. Ask questions. But except in circumstances in which a committee or task force of the Board itself is assigned a role in addressing a risk, leave execution to the executive director and staff.

Third, the Board should set the tone at the top, emphasizing the need for sound governance, compliance, and risk management.

Why is this a cycle? Because, as the graphic at the top shows, the process is a continuous one. Having fulfilled its obligations, the Board lets staff work on managing risks. The staff does this, and then reports up to the Board periodically. In other words, it performs, then informs. The Board then ensures that staff is performing risk management, weighs in on important threats and opportunities, and continues to set a tone of strong controls and values. Lather, rinse, and repeat.

How long does it take this cycle to repeat itself? It depends on many factors, but as a rule, I advise a nonprofit board to receive an update about risk management at least every six months.

So, if you are a member of a nonprofit board: Have you determined whether your nonprofit has a risk management process? Do you review and evaluate the organization’s most important threats and opportunities periodically? Do you expressly set and model a tone of compliance and stewardship for the organization? If you answer “no” to any of these questions, consider changing your ways.