JANUARY 2025
I am often asked what a non-profit Board’s role is in the area of risk management, which can be a scary swampland that many want to ignore. Risk management can be so overwhelming that it is sometimes difficult to find a starting point.
Enterprise Risk Management (ERM) includes the methods and processes used by organizations to assess, prioritize and manage risks and to seize opportunities. This framework is becoming more and more popular within the non-profit sector.
I had the pleasure of sitting down with Lori Prospero, CAE, CEO of RisingOaks Early Learning Ontario, hot off her ERM presentation at last fall’s CSAE Annual Conference in Ottawa.
In this month's article, Lori breaks down Enterprise Risk Management from a board’s perspective and provides advice on how to get started.
----------------
Heather: Many boards struggle with understanding what role they play in risk management for their non-profit. It can be overwhelming. What first few steps would you recommend they take if they are starting from scratch?
Lori: Enterprise Risk Management (ERM) is a well-defined and cyclical process, but it can definitely feel overwhelming at the start. Here are three actions to help non-profits get started:
1. Secure leadership buy-in and set a vision - this commitment will ensure that ERM becomes an integral part of the organization’s overall strategy, versus managing risk in silos. Discuss roles and responsibilities, risk appetite and begin shaping your ERM policy.
2. Identify potential risks - within cross-functional teams and the board, brainstorm potential risks related to governance, operations, finance, legal or other defined categories. Consider using the bow-tie method to better understand these risks.
3. Finalize your ERM policy, including your risk matrix (i.e., how you will measure likelihood and severity).
Once you’ve taken these 3 actions, you will be ready to create your risk register and move on to risk assessment.
Heather: There appears to be a big gap in risk management programs or frameworks that are available - they range from short checklists to very expensive and detailed ones that can drain staff and volunteer time. What framework would you suggest that balances cost and effort without overkilling the whole process?
Lori: In the early days of our ERM journey, we looked to many sources and frameworks to figure out what would best meet our needs. We were drawn to the enterprise risk management integrated framework from COSO and adapted that thinking to our needs.
We also leaned on certified risk management professionals and on our governance committee to guide us and the board. This was instrumental in managing us through the process and keeping our costs low.
Heather: Some organizations use their Finance & Audit Committee to oversee their ERM programs. Why did your organization engage your Governance Committee instead?
Lori: Many organizations have robust financial risk mitigation strategies but don’t take it one step further into an ERM framework. As such, they often miss key risks for the organization. We view ERM as a key governance responsibility. The governance committee liaises with other committees to collaborate and ensures all risks are identified and assessed.
Heather: Many ERM initiatives created by non-profit boards fizzle out over time for many reasons. What advice would you give a non-profit board to keep their risk management program alive? What mechanisms can be put in place, so they keep making improvements to their risk management policies and processes?
Lori: There are two key drivers to make sure your ERM program is ongoing with a focus on continuous improvement: an ERM policy and supporting framework, and an annual ERM report to the Board. Our annual ERM report not only requires the governance committee (in collaboration with the CEO, committees and overall leadership) to report on the status of risks and control measures, but also to regularly evaluate and report back to the board on the overall ERM framework and tools. We try to set informed and realistic actions for each year.
Heather: What final piece of advice can you share regarding non-profit boards and risk management?
Lori: In the end, the goal is progress, not perfection. Start somewhere, anywhere really, and keep going. It’s about risk culture, not a to-do list. Building ERM into existing processes increases awareness and sensitivity to risk and helps create a culture where risk is proactively assessed and managed at every level.
------------------------------------------------------------
Lori Prospero, CAE is the CEO of RisingOaks Early Learning Ontario. Lori has dedicated her career to the association sector with a focus on governance excellence. She is a subject-matter expert for the CAE program on governance and risk management and served on the board of directors for three terms, including two years as board chair. Lori was awarded the CSAE Pinnacle Award in 2022. As the CEO for RisingOaks, Lori is a member of the exchange leadership initiative and is a fierce advocate and champion for children.
Connect with Lori Prospero, CAE on LinkedIn here -
https://www.linkedin.com/in/lori-prospero-cae-14479131/?originalSubdomain=ca
-------------------------------------------------------------
As always, if you need help with any governance projects, don't hesitate to reach out!
Yours in Good Governance,
Heather Terrence, CAE, CMC
Pinpoint Governance Group
647.984.9857