Nonprofit risk management requires being honest about what is going on, then taking the next reasonable step in response to that reality. In a prior post, we explained how to perform a risk inventory. Now we turn to taking the next reasonable step, which is a matter of prioritization.

[This post is the fifth in our Lean Risk Management series. To find the others, start here for why nonprofits need risk management.]

A solid risk inventory exercise will ordinarily identify somewhere between 50 and 100 threats and opportunities across all nonprofit functions. This post will explain how to move forward with that list. In particular, it will explain who should be involved in prioritizing risks, how to prioritize, and what to do with the results.

Whose Priorities Are They? The Dialectic Among Board Members, Executive Director, and Staff


In a sole proprietorship or closely-held corporation, the question of who determines priorities is relatively simple. The organization exists to make money for its owners, and its owners determine the organization’s priorities. In most small businesses, the owners are closely associated with day-to-day decisions. The owners may delegate prioritization to one of their members. They may hire someone (a manager or CEO) to make such decisions. Whatever the precise details, however, operational and strategic priorities are determined by and on behalf of the owners.

In a nonprofit organization, however, the question is more complex. Technically, as a matter of nonprofit law, “the organization” decides who weighs in and who makes the ultimate decisions about what is important. “The organization” speaks ultimately through its Board of Directors, which then delegates execution of the organization’s tasks to a CEO or Executive Director. Thus, in some ways, setting priorities is a matter for Boards of Directors.

Yet, when considering nonprofit realities, having the Board be initially and principally responsible for prioritization is unrealistic. Members of nonprofit boards are volunteers: they are unpaid, and they generally do not put much time into their director activities. The Executive Director knows dramatically more about the nonprofit than any single board member, and probably knows more about the organization and its activities than all of the board members together. The Executive Director and his or her staff are dramatically more engaged than the Board in everyday operations. Staff will ordinarily be more aware of the social, community, political, and economic environment relevant to the nonprofit. Thus, in a very real sense, the staff is much more competent than the Board when determining priorities.

When beginning nonprofit risk management, therefore, we advise the following process for prioritizing issues.

  • Staff Involvement First. Initially, prioritization is a staff function. Staff knows operations, and the staff is aware of the environment in which the nonprofit acts. If “the staff” decides initial priorities, however, what does that mean? Ultimately, the Executive Director executes organizational objectives. She ultimately decides. But no Executive Director has visibility into all the issues within her organization. Furthermore, in some cases the Executive Director may be one of the “issues” facing the organization. (For instance, succession planning implicates the Executive Director, and personnel issues often implicate the Executive Director.) Thus, having the Executive Director determine priorities on her own is dangerous. As a result, when the organization completes its first risk inventory, the same team of staff members who took the inventory should participate in the prioritization exercise described below.
  • Executive Director Evaluation and Ranking. After the staff and Executive Director perform the initial exercise described below, we advise the Executive Director to make an independent review of the results to reorder the results as they see fit. After all, the Executive Director is responsible for results, so s/he should provide an extra layer of evaluation.
  • Share with Board through Executive Director. After the initial risk inventory results in a set of priority risks, the results should be shared with the Board. At that point, the Board should exercise its reasonable, informed business judgment to determine whether those priorities are appropriate. In doing so, the Board should probe the Executive Director about the factual basis for the prioritization. At the same time, the Board should recognize that this inquiry is not an invitation to micromanage. The organization hired the Executive Director to execute on organizational priorities. Execution is not a board activity. Indeed, Frederick Funston and Stephen Wagner capture the Board/Executive Director dialectic perfectly when they advise, “Nose in, hands off.” The Board should be inquisitive, even skeptical, but it should leave the operational details and execution to the Executive Director and his or her staff.
  • Develop Dialectic, Mediated by Executive Director. Over time, of course, priorities may change. As the organization begins to work on various threats and opportunities, some will decrease in priority, while new issues arise. Staff, through the Executive Director, will keep the Board informed of such changes, and the Board should weigh in periodically about whether the priorities match the overall direction of the organization. Furthermore, the Board may engage in a strategic planning process that modifies operational priorities. You want a healthy push and pull over risk prioritization.

A Simple Method for Prioritization


There are many ways to prioritize among competing issues. We prefer simplicity. As a result, we recommend the following process. After meeting to discuss the results of the risk inventory, each staff participant should take the following steps.

  • Each staff member who participated in the risk inventory exercise receives a copy of the results of the exercise — that is, a list of the 100 or so items the team listed as potential risks, threats, or opportunities.
  • Each participant is allocated 50 points.
  • Each participant allocates those 50 points however she wants. She can allocate 50 points to one risk, one point each to 50 items, or any division in between.
  • Each participant performs this activity on her own. This is important. We want independent risk assessments.
  • After each participant allocates her points, the results are tallied in a master document.

When deciding how to allocate points among various risks, each participant should consider three factors: Likelihood, magnitude, and speed of onset. In other words:

  • How likely is this risk to manifest?
  • If this risk occurs, how large of an impact would it have on the organization?
  • If this risk manifests, how much time would the organization have between first noticing the manifestation and bearing the full impact of the risk? In other words, what is the risk’s lead time?

Plainly, the risk process just described is subjective. Large organizations can spend millions of dollars answering such questions. Almost no successful nonprofit (except higher end educational and medical institutions) has the resources to answer any of the questions of likelihood, magnitude, and speed of onset with accuracy and precision. Yet this methodology allows a team to provide substantial insight into the felt needs of the organization.

What Next – Toward the Risk Register

After the team participants perform their prioritizations, the Executive Director should review the results. She may want to go back and inquire from certain participants why they identified certain risks and why they voted their points as they did. She will undoubtedly know many of the risks, but she will have some surprises, as well.

At that point, the Executive Director should assign priorities based on her informed judgment. In our next post, we will provide a rubric that can be used to make a more reflective, responsive evaluation. She should rank some items 1, others 2, and so forth, using a 5-point scale. The most important items — say, the first 25 or so — are placed in a risk register (described in another upcoming post). That document will guide operational and strategic decisions for the organization. She will share portions of the risk register with the Board, as noted above.

Risk Alternatives Can Help With Prioritization

As with your initial risk inventory, Risk Alternatives can help your nonprofit prioritize its risks. That’s a standard part of our Risk Identification and Prioritization Engagement. To learn more, click here or reach out to us here.


Nonprofits Build Strength Together (BeST)

Risk Alternatives sponsors and curates an online group for nonprofit leaders who want to build resilient organizations.

To stay informed about this group, called Nonprofits Build Strength Together (BeST), click the button below.