Risk Management: Five Step Plan

Boards can help ensure that their organization can work towards its mission and vision in a safe environment.

Risk management involves recognizing and controlling risks so you can protect and conserve your organization’s resources. Risk management strategies vary, but most follow these five steps:

  1. Understand Risk Management
  2. Identify Risks
  3. Analyze Risks
  4. Plan Risk Responses
  5. Monitor and Control Risks 

Effective risk management — like other aspects of governance — begins at the top. It calls for a board of directors with the knowledge and ability to approve risk policies and to oversee their implementation. The capacity of staff to manage risk will be an important consideration in how the board organizes itself to oversee risk issues.

The first step is for board members and staff to gain an understanding of the risk management process before proceeding through the other four steps. This includes the shared understanding of terms and definitions, awareness of different types of risk, the development and monitoring of policies and procedures, and the development of a risk management plan. 

It is common to begin the process with an overview of risk management including key terms and common areas of risk, which include: fraud/misuse of funds, tax liabilities, potential loss of nonprofit or charitable status, investments, fundraising, program safety and loss of physical assets. An external firm, such as Henderson Insurance, can provide a good Risk Management overview for board and staff. 

Once the board has a good understanding of the various areas of risk, it can work with staff to develop a risk management plan that will guide its work over the year. The board will want to ensure the risk management plan creates value, is part of the organizational process, has structure, is transparent, is responsive to change, is open to continual improvement and enhancement, and is at least periodically evaluated. Where the board elects to delegate specific risk-related responsibilities to board committees or staff, it is important to ensure this designated group reports its activities to the full board at least annually.

Whether they delegate or assess on their own, boards should also develop a good understanding of their risk tolerance. Some organizations have an appetite for risk; others are more risk averse. Most successful organizations find a balance. The board can provide direction to staff and committees by setting policies and approving risk tolerance levels that balance risk and opportunity.

When starting to identify risks, a key question might be “What might affect us in achieving our mission?” Board and staff are encouraged to brainstorm potential risks together. Approaches may include internal processes and self-assessment; SWOT analysis (Strengths, Weaknesses, Opportunities, Threats); external sources; tools, diagnostics and processes; and audits. Remember that not all risks are negative. Some risks are opportunities for the organization.

Be aware of the types of risk:

There are a variety of different names for categories of risk. Many can be summarized into the following:

  1. Compliance Risk - The risk of fines and other regulatory penalties for such offences as failure to remit payroll deductions, etc.
  2. Strategic or External Risk - The risk of becoming irrelevant, losing the support of the public and funding sources and failing to respond to economic, demographic and other trends. The risk of inappropriate or unrealistic programs and initiatives, and failure to keep the organization strong and relevant.
  3. Financial Risk - The risk of fraud, financial failure and decisions based on inadequate or inaccurate information.
  4. Governance Risk - The risk of ineffective oversight and poor decision-making.
  5. Information technology or Cyber Risk - The risk that the information technologies used in the organization may not provide dependable service and accurate, secure information that is available when needed.
  6. Reputation Risk - The risk of losing goodwill, status in the community and the ability to raise funds and appeal to prospective volunteers. The risk of poor or inaccurate communication that casts the organization in a negative light.
  7. Operational Risk - The risk of poor service delivery, day-to-day crises, and misuse or neglect of human capital and other resources. This type of risk includes:
     • Programs
     • Human Resources
     • Environmental, Health and Safety

The identification of risks is the first step in creating a risk register, which lists all the different types of risks associated with your work. Sample headings in the register include the risk, type, priority, and response. Once risks have been identified and logged, you are ready to move on to analysis.

The goal of the analysis step is to prioritize the potential risks. Once each risk has been identified, it is important to assess the “likelihood” or “probability” of the risk happening, as well as the “impact” of the risk on the organization if it does happen.

There are different ways to assess Probability and Impact. Common methods are for staff and board to rank according to numerical scales. For example, QualityGurus.com provides these two scales:

*Assessment criteria for demonstration only; adjust as needed.

An IMPACT score would be an average of the assessments for the impact areas. Board and staff should calculate the Probability and Impact of each risk they identified. In the end, each risk should have a numerical Risk Score.

Plot each of the Risk Scores in the Probability/Impact Matrix. Those risks that fall in the RED zone (High Impact/High Probability) are your major risk areas.

The next step is to decrease the negative impact or enhance the positive opportunities of each risk. For each risk, the board must decide what its response will be. Management is responsible for the appropriate response strategies.

For negative risks, if avoidance is not an option, then the board needs to ensure that training, policies, procedures and/or insurance are in place to reduce the likelihood and potential harm. In areas of high risk, a crisis management plan or disaster recovery plan is needed, which outlines responses that will help the organization handle the risk and stabilize outcomes. In some cases, the risk may be so low that it can be handled through contingency plans, e.g., a delayed bank deposit.

For positive risks, the focus is on being ready to move forward and take opportunities that will help support your organization into the future. Boards can be proactive and ready, or they can simply handle opportunities as they come.

Include a risk response for each risk identified in the risk register. There are many resources available to support risk response and prevention.

It is important for the board to determine how it will monitor and review the risks and responses identified in the risk register, taking changing circumstances into account. Both staff and board should review the organization’s risk register at least once a year and whenever there are incidents that suggest existing responses are not working.

An annual risk review is recommended as part of an annual board review process. As part of its due diligence, the board will want to ensure that the review of the risk management plan is documented in its minutes.

The Chartered Professional Accountants - Canada recommends the following questions to ask when reviewing the risk management register and processes:

  • Are we achieving the results we planned?
  • Are there any formal or potential complaints against the organization, new or potential crisis, breaches of conduct, litigation, etc.?
  • Are we monitoring and learning from risk response breakdowns, losses, or near misses?
  • What are we doing about the major risks we have identified?
  • Do we have the necessary guidelines or policies and procedures in place? Do they work?
  • Are there any new risks or opportunities and how are they being managed?

Measuring the success of performance against plans is a useful way to detect problems and manage risks. If outcomes identified in strategic or operational planning are not met, the board should review the explanation and ensure that the reason for the shortfall does not itself pose a risk to the organization.

In addition, when the board is called upon to approve a new proposal or action, it should require a report from staff outlining a balanced picture, including: potential risks and how they will be managed; alternatives; worst-case scenarios; staff concerns; and optimistic expectations.

Managing risk is integral to good governance. With some pre-planning and a risk management plan, boards can help ensure that their organization can work towards its mission and vision in a safe environment.