What could go wrong? A lot, in fact. Learn to manage your risks.

posted on May 15, 2019

by Maria Lahiffe

“Not-for-profit organizations face unique risk management challenges. They are often held to the same standards as for-profit organizations but do not have the same resources and knowledge to understand their risks and how to mitigate them.” [1, p. 191]

What is Risk Management?

Risk management is “the process of identifying your legal, financial, and reputational risks and taking steps to avoid exposure to them.” [1, p. 191] Risk management does not have to be complicated; it can be as simple as answering three questions: [2]

  1. What could go wrong?
  2. What will we do –
    1. To prevent the harm?
    2. In response to the harm?
  3. If something happens, how will we pay for it?

Why manage risk?

Risk management has numerous benefits for an organization. Having an up-to-date risk management plan will save resources by reducing the time and money required to solve problems and settle claims. Risk management protects your organizational reputation, protects people from harm, and stabilizes your operations.

Why not just buy insurance?

Risk management is not the same as insurance. Proper insurance covers your legal fees and settlement costs in the event that your organization is sued; it helps AFTER a problem has occurred. Risk management helps to prevent problems from occurring in the first place.

A good risk management plan will probably help you reduce your insurance premiums. In addition, no amount of insurance can compensate for reputational damage which comes along with harm to people or property associated with your organization.

Risk Management Planning

Risk management should not be an afterthought. It takes time and dedication to develop a risk management policy. In addition, risks should be reviewed annually, to make sure that new risks are accounted for and that mitigation strategies are still valid.

1. Identify Risks

Some risks are present in any organization, such as the possibility of a visitor slipping on a wet floor or of an employee or volunteer embezzling funds. Others will be unique to your operations. If it could happen within your organization, then you should list it at this point.

List your organization’s operational objectives, activities, assets, and key stakeholders. For each, identify the associated risks. Other sources of information to help you identify risks include: [2]

  • Past experience, both yours and of organizations doing similar work, in any sector (not-for-profit, public, or private sector)
  • Past losses or insurance claims. Your insurance broker could help you with this information.
  • Past accidents or incidents
  • Industry associations
  • Customer/client feedback

2. Assess the effect of each risk

Evaluate each risk based on its potential severity and its potential likelihood. You can use this to create a risk map, which will help you prioritize your efforts. This downloadable form can help you.


Risks in the upper right portion of your risk map are the ones which need the greatest amount of attention and resources. Your plan for low risks can be simply to monitor them, or possibly even to ignore some of them.

3. Offer ways to prevent each risk from occurring

Your risk prevention plan should address each risk separately, offering strategies to reduce or eliminate the risk, through some combination of reducing its likelihood and/or its impact to your organization.

Speaking theoretically, there are five major risk management techniques: avoidance, prevention, mitigation, acceptance, and transference. These are explained in more detail in this blog post. More specifically, some mitigation strategies could include: [1]

  • Insurance coverage
  • Volunteer screening
  • Well-defined policies and procedures
  • Volunteer and employee training and orientation programs
  • Financial procedures and reporting
  • Reputation management planning
  • Workplace health and safety standards
  • Technology failure and cyber risk protection

4. Outline risk response strategies in the event of an unpreventable crisis

No matter how well you plan, some undesirable things will happen from time to time. You need to have a plan in place to respond. You should outline a response strategy for each risk you have analyzed in step 3, above.

Common risk response information includes: [1]

  • A list of emergency contacts
  • A process for notifying and updating key personnel through a crisis
  • Crisis communication strategy
  • Operational contingency plan
  • Copies of all business and financial paperwork stored in a remote location

Risk management is an essential part of running an organization which serves a social good. To learn more, come to our upcoming course.

Click here to register Thursday, June 13, 2019. 9:00 a.m. to 11:30 a.m.


[1] M. Mancuso, "Nonprofit Risk Management," The Philanthropist, vol. 24, no. 3, pp. 191-197, 2012.

[2] Insurance Bureau of Canada, "Getting Started Managing your Risk," July 2014. [Online]. Available: http://assets.ibc.ca/Documents/Brochures/Risk-Management-Getting-started-Process.pdf. [Accessed 29 March 2019].