
Enterprise Risk Management for Nonprofits

Written by Admin | February 13, 2026

Running a nonprofit is a balancing act. You are constantly weighing the needs of your community against your available resources, striving to do the most good with what you have. In the midst of this, the concept of Enterprise Risk Management (ERM) often feels like a luxury reserved for massive global corporations with endless budgets and dedicated compliance departments.

But here is the truth: ERM isn’t about big budgets or complex software. It is about protecting your mission. Whether you have a staff of five or fifty, a structured approach to risk can help you focus your limited time on what matters most—ensuring your organization survives and thrives.

What ERM really means for you

Let’s strip away the jargon. At its core, ERM is simply a structured way to understand what might threaten your ability to achieve your goals. It is not about eliminating all risk. After all, to serve a community or launch a bold new program, you have to take chances.

Instead, ERM gives you a "portfolio view" of risk. It allows leadership to compare different types of exposure across the organization. For example, you might be willing to accept some reputational risk to advocate for a controversial but necessary cause. However, you likely have zero tolerance for financial mismanagement. ERM helps make those preferences explicit, ensuring that your decisions are intentional rather than reactive.

You don’t need a risk department

One of the biggest misconceptions we see is that small nonprofits can't do ERM. That couldn't be further from the truth. ERM is completely scalable. You don't need expensive proprietary software or a dedicated Chief Risk Officer.

What you need is a shared understanding of your risks and a repeatable process for addressing them. It starts with your board and executives defining your risk tolerance and committing to a governance structure. Once you have that buy-in, you can build a framework that fits your specific size and complexity.

4 steps to building your framework

To get started, we recommend assembling a cross-departmental committee. If your team is small, just ensure you have a diverse range of perspectives in the room—from finance to programs to frontline staff. Once assembled, follow these four steps:

1. Identify the risks

This works best when it is collaborative. Don't just sit in a boardroom and guess; conduct surveys or interviews with staff, volunteers, and even clients. Ask a simple question: What could prevent us from achieving our mission?

Look at this from every angle. Consider financial stability, regulatory changes, leadership succession, data security (the donor, client and payroll records you hold, where they live, and who can reach them), and public trust. The more comprehensive you are now, the fewer surprises you will face later.

2. Categorize your findings

Once you have a list, group them. This prevents you from treating every issue as a standalone fire to put out. Categorization helps you see patterns. You might realize that five different risks all stem from the same root cause, such as outdated IT systems or understaffing in a specific department.

3. Prioritize based on impact

This is where ERM delivers real value for lean organizations. You cannot fix everything at once. You must evaluate each risk based on likelihood (how probable is it?) and impact (how damaging would it be?). A simple 1-to-5 scale for each, multiplied into a single score, is enough for most small organizations; the goal is a consistent ranking, not precise numbers. Any risk your board has declared zero tolerance for goes to the top of the list regardless of its score.

Your goal is to focus your energy on the risks that are most likely to disrupt your mission or financial stability. Everything else can wait.

4. Create a mitigation plan

Identifying a risk doesn't help if you don't have a plan to handle it. For your high-priority items, decide whether to:

  • Accept it: Sometimes the cost of fixing a risk outweighs the benefit. Record the decision, who owns it, and when it will be reviewed, so that acceptance is a deliberate choice rather than neglect.
  • Reduce it: Strengthen your internal controls, policies, or training (for example, requiring two approvals on payments, or multi-factor authentication on the accounts that hold donor data).
  • Avoid it: Stop the activity that is causing the risk.

Mitigation doesn't have to be complicated. Often, it is as simple as clarifying job roles, improving documentation, or setting up stronger oversight for a specific process.

Risk management is a journey

Developing an ERM framework isn’t a one-time checklist. As your nonprofit grows and the world changes, your risks will evolve. Continually monitoring the indicators you chose for each high-priority risk, and revisiting the full register on a fixed schedule, ensures that your risk tolerance stays aligned with your mission.

At SD Mayer & Associates, we believe that understanding your risks empowers you to make better decisions. If you need help tailoring an approach that fits your organization’s size, we are here to partner with you.