Nonprofits Need Lean Risk Management

Nonprofits work in highly risky contexts, but are expected to be risk-averse. They are told to adopt risk management, but not told when or how. They see other sectors (for-profits, government) adopting risk management principles, but find little guidance about how to adapt similar principles to their sector.

We want to change that. We’re going to walk you through a series of posts about how nonprofit organizations can begin using risk management to improve their performance.

Here’s our tentative plan of publication. We say “tentative” because these posts are real “essays” — attempts or tries. These posts will not be the last word in nonprofit risk management. On some topics, they might be the first. As we receive feedback and watch the sector over time, we may dive deeper into some topics or change the structure to accommodate current events.

Who Should Read This Series

These posts are written principally for nonprofit staffs and boards of directors. You are being held to increasingly rigorous and unpredictable standards of care, and you need to understand how to use risk management principles to protect and advance your operations and meet your mission.

The essays are also written for funders. When funders place their resources in the hands of a nonprofit, they need to be confident that the investment is sound. A nonprofit without effective risk management is flying blind. Funders have no reasonable expectation that nonprofits without risk management understand their true priorities or will perform effectively with donated resources.

Finally, this series is written for nonprofit advisers. Attorneys, accountants, and bankers need to be aware of whether their clients are protecting themselves from emerging threats and preparing themselves to seize on emerging opportunities. Consultants providing organizational development, leadership training, strategic planning services, or other advice need to consider how those efforts interact with the risk management function. Advisers and consultants can achieve substantial synergies by becoming more aware of what risk management is, why it is important, how it improves operations, and how it is implemented effectively.

Why Nonprofits Need Risk Management

We will begin by setting out the case why nonprofit risk management is essential. After all, if this topic is not important, why pay attention?


We will next provide basic definitions, describing risk management and contrasting it with other activities. Because these posts will advocate a new form of risk management that we call Lean Risk Management™, we will also introduce the concept of “lean.”


We will then address the question of when in its life-cycle a nonprofit should adopt a risk management program. While almost any nonprofit may benefit from efforts to become more agile in the face of uncertainty, a start-up nonprofit has more important concerns than developing a formal risk process. We will provide guidance for when investment in nonprofit risk management should become a priority.

The Risk Cycle – Identify, Prioritize, Respond, Assess and Improve

Once a nonprofit decides that it is time to begin implementing a risk management strategy, it must decide how. These posts will provide a step-by-step path for piloting a Lean Risk Management™ program, including the risk inventory, the risk register, and the risk cycle.

Risk Inventory

We will initially provide detailed guidance on how to perform a risk inventory within an organization. We will describe the risk inventory process — who should be involved, its timing, and what to expect during the process.

Risk Prioritization, the Risk Register, and Risk Responses

We will next describe how to prioritize risks. We will describe different ways of comparing risks against each other so that the organization can determine what threats and opportunities should receive top focus.

The key tool introduced in this part of these posts is the risk register. This is a simple spreadsheet providing a prioritized punch list of risks, who is responsible for each risk, what the next step is with respect to that risk, and when the team should check back on that risk. As part of this discussion, we will also describe six basic responses to risks.

Risk Cycle

What should an organization do after identifying, prioritizing, and responding to risks? A successful nonprofit cannot live without risk – in fact, it doesn’t want to. Nonprofits must accept some risk in order to function within the sector. Thus, one aspect of risk management is accepting residual risk.

But acceptance is not a passive process. To the contrary, an organization must periodically assess how its responses to identified risks are working out. It can strive to improve its processes to be more efficient and effective over time.

And finally, an organization can turn the risk management process into a risk cycle. Thus, we will describe how a nonprofit can raise risk management issues during everyday operations. We will also detail how a nonprofit can supplement its risk identification process by building in feedback loops for employees, end-users of services, and other stakeholders.

The ultimate goal is to bake risk assessment, awareness, and agility into every aspect of the nonprofit. Throughout this part of the series, we will explain how lean management insights, which emphasize continuous process improvement, can bolster the effectiveness of risk management efforts.

Broader Issues

After providing the basic structure of Lean Risk Management, we will delve into some of the broader issues, like the following: 

Board’s role in Lean Risk Management™. Nonprofit board members have a limited but critical role in risk management. We will describe the board’s role and provide tools that can be used to raise board awareness of risk management and energize the board to accomplish its tasks effectively.

Timeline. We will provide a suggested timeline for implementation of Lean Risk Management™. We will explain how you can go from no risk management to effective Lean Risk Management™ in a period of months.

Overcoming Objections. We will also discuss standard objections to adopting a risk management program. These include cost, competing priorities, employee resistance, “cultural” factors within the organization, fear of what might be uncovered, and worries about the burden that might be imposed by creating a risk management overlay on operations. We hope to show why those objections are readily overcome.

Inviting Your Questions

Again, these posts will be essays. We have thought a lot about the issues. We have trained hundreds of nonprofits, and have gathered a large amount of objective data about nonprofit risk management. But we welcome questions, comments, and critiques. If you have particular issues you would like us to address, let us know. Please reach out at info@riskalts.com to interact with us along the way.

