Enterprise Risk Management for Nonprofits: An Introduction

Enterprise risk management (ERM) is a strategic approach to managing risk holistically across the organization and its ecosystem. Under ERM, risks are not merely identified and addressed on a program or business segment level, they are surfaced so they can be assessed, analyzed, and managed with consideration of the entire organization, including its mission, its values, its intended beneficiaries, and its interested communities and environment.

Many risks have myriad implications across an organization. Similarly, many strategies to mitigate and manage risks have varying impacts. Strategies that help in one segment may create harm in others. So, it makes sense that many risks should be considered and managed in a top-down enterprise approach.

ERM, if executed well, may also promote more communication and coordination within a nonprofit and uncover opportunities. Managing a risk is not only a strategy to prevent harm; it can be a way to find alternative, more beneficially impactful ways of advancing the nonprofit’s purpose.

Despite the benefits of ERM, there are costs and risks involved in its implementation. Adopting an ERM framework requires an investment in change – money and time. And even with sufficient investment, there may be a failure of understanding or buy-in by key leaders; the danger of failing to address specific, local risks in a timely way; and the harm of overwhelming management with complexities that they lack the resources to adequately address. Moreover, the nonprofit should have a process for assessing results and continually adapting the approach.

Nevertheless, ERM is more than a trend. Here are some specific benefits that may accrue to a nonprofit that adopts and effectively implements ERM (which could take a few years):

  • Identify previously unknown or underappreciated risks
  • Manage risks with greater understanding of implications on entire organization and ecosystem
  • Better safeguard interests of the nonprofit’s intended beneficiaries and other interested parties
  • Align risk mitigation strategies with overall organizational strategies and values
  • Promote legal compliance and accountability throughout the organization

Take, for example, the risk of a continuing drop in the total number of a nonprofit’s donors. If the strategies to address this risk were developed and implemented solely by the development department, that might result in a greater focus on wealthier donors. However, under an ERM approach, the programmatic departments might weigh in, identifying the accompanying risk of alienating more diverse communities, which might be inconsistent with the organization’s values of racial equity and inclusion. The board might add that recruitment of board members might also suffer if the profile of donors were to become increasingly nondiverse. Lawyers and accountants might weigh in on the danger of failing the public support test and tipping into private foundation status. With greater identification of applicable risks and alternatives, the nonprofit may orient itself to a different solution that would be more likely to strengthen the organization and better serve its intended beneficiaries.

Admittedly, ERM may be more applicable as a concerted process for organizations large enough to have different programs, departments, or segments. For very small organizations, ERM may be thought of more as an orientation for persons involved in the governance and operations of the nonprofit.

The holistic approach of ERM syncs nicely with purpose-driven board leadership (PDBL), which emphasizes the nonprofit board’s duty to consider mission, values, and vision (collectively, the nonprofit’s purpose) in making its decisions and setting the organization’s direction. PDBL is an ecosystem-centric approach that prioritizes purpose over organization. See our posts on PDBL here and here. Also see Anne Wallestad’s article, The Four Principles of Purpose-Driven Board Leadership (Stanford Social Innovation Review).

Enterprise Risk Management: The Final Frontier (Nonprofit Risk Management Center)

Getting Started with Enterprise Risk Management: A Guide for Nonprofits (NCSU)