Risk Management for Not for Profit Organizations: Practical Guide for Managers and Directors


The author and Abrimo Global Consulting Ltd shall not be liable for any loss or damage arising out of or in connection with the use of this publication. This is a comprehensive limitation of liability that applies to all damages of any kind, including (without limitation) compensatory, direct, indirect or consequential damages, loss of data, income or profit, loss of or damage to property and claims of third parties.


Risk means different things to different people. The Business Dictionary defines risk as the probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.

It is common to think of risk as what might go wrong in an organization. But a more precise definition is the effect of uncertainties surrounding opportunities and threats in an organization that have the potential to enhance or hinder the organization in achieving its objectives. Therefore, risk includes both (a) potential threats to achieving the organization’s objectives (negative risk), and (b) potential opportunities for achieving those objectives (positive risk).

As an organization’s internal dynamics change or evolve, so do its threats and opportunities; keeping abreast of the risks that may affect an organization must therefore be an ongoing activity.


Risk management is the set of coordinated activities undertaken by an organization to identify, assess, evaluate, analyze and mitigate (control or reduce) risk.

Enterprise Risk Management (ERM) can therefore be summarized as the process effected by an organization’s Board of Directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and to manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Establishing the context: Organizational objectives are influenced by internal and external factors which create uncertainty in achieving those objectives. The effect of this uncertainty is “risk” to the organization’s objectives.

Any risk policy or statement about risk is meaningless unless there is a clear understanding of the context. Therefore, it is paramount for the management to critically consider and screen the following internal and external factors.

Internal context

  • Organizational objectives
  • Project, process, or activity objectives
  • Policy, standards, guidelines and models adopted by the organization
  • Contractual relationships

External context

  • Legal, regulatory, financial
  • International, national, regional or local
  • Relationships with, perceptions and values of external stakeholders

The risk management process context should therefore clearly set out the objectives, scope, responsibilities, and methods of risk identification and mitigation. It should also define the risk criteria – measures, tolerance levels, and the risk appetite of the organization.

Risk identification: This forms part of the overall process of risk identification, risk analysis and risk evaluation. It involves finding, recognizing and describing risks, and yields a comprehensive list of risks based on the events that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives.

Identification should include risks whether or not their source is under the control of the organization.

Risk assessment: The process of comprehending the nature of risk and determining the level of risk. It comprises three steps:

Risk analysis: Risk analysis involves consideration of the causes and sources of risk, their positive and negative consequences, and the likelihood that those consequences can occur. It provides the basis for risk evaluation and decisions about risk treatment.

Risk evaluation: The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis, about which risks need treatment and the priority for treatment implementation.

Decisions should take account of the wider context of the risk and include consideration of the tolerance of the risks borne by parties other than the organization that benefits from the risk.

Decisions should be made in accordance with legal, regulatory and other requirements.

In some circumstances, the risk evaluation can lead to a decision to undertake further analysis. The risk evaluation can also lead to a decision not to treat the risk in any way other than maintaining existing controls.

Risk treatment: The process of selecting measures or ‘treatment options’ to modify risks or their potential consequences, and implementing those options.

Risk treatment options are not necessarily mutually exclusive. The options can include the following:

Transfer: Transfer of risk is achieved by sharing the risk with another party or parties (including contracts and risk financing).

An organization can transfer risk by taking out insurance cover, effectively transferring the risk to the insurance company in exchange for an insurance premium. Transfer may also be achieved in some cases through outsourcing, if the contract specifies the transfer of risk.

Avoid: Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk or removing the risk source.

Mitigate: Risk can be mitigated by changing the likelihood or changing the consequences (impact). The organization can develop a response plan to mitigate the effects of possible risks.

Risk mitigation is appropriate in situations where the organization has no control over the event but it can plan ahead to ensure that it can respond effectively.

Accept or retain: The organization can retain the risk by informed decision. Risk should be accepted or retained only after mitigation measures have been put in place to manage it, leaving a residual risk that is acceptable to the organization.

It is also important to note that an organization may take or increase the risk in order to pursue an opportunity.

Information & Communication

Information: Information is needed at all levels in organization to:

  • Identify risks
  • Assess risks
  • Respond to risks

The quality of information includes ascertaining whether:

  • Content is appropriate – is it at the right level of detail?
  • Information is timely – is it there when required?
  • Information is current – is it the latest available?
  • Information is accurate – is the data correct?
  • Information is accessible – is it easy to obtain by those who need it?

Communication: Internal – Effective communication flows down, across, and up the organization.

External – There is also effective communication with external parties such as customers, suppliers, regulators and shareholders. Management must be aware of the additional risk exposure the organization could face if sensitive and confidential information is released to third parties without authorization.

Internal communication should effectively communicate:

  • The importance and relevance of effective ERM.
  • The entity’s objectives.
  • The entity’s risk appetite and risk tolerance.
  • A common risk language.
  • The role and responsibilities of personnel in effecting and supporting the components of ERM.
  • Behavioral expectations and the responsibilities of personnel.

Monitoring & review: The monitoring and review process is an integral part of the risk management process, involving regular checking or surveillance. It ensures controls are effective and efficient and helps detect change in the external or internal context. It also supports analysis, lessons learned, continuous improvement and the identification of emerging risks.


A risk management system encompasses many elements: a risk management policy, a risk management framework, and various risk management tools and processes – all of which form the enterprise risk management framework.

Risk is present at all levels of the organization and can vary in nature. There are risks that may affect the organization as a whole and there are some risks that may affect only certain activities or services or projects.

Constructive use of risk management techniques can draw out the positive management responses available to an organization and develop the capacity of individuals to manage risks more effectively. However, organizational biases may also inhibit the ability to discuss risk and manage it appropriately.

Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social responsibility and the protection of the natural environment.

A number of treatment options can be considered and applied either individually or in combination. It is also important to note that risk treatment itself can introduce risks which may result from the failure or ineffectiveness of the risk treatment measures.

Monitoring needs to be an integral part of the risk treatment plan to give assurance that the measures remain effective.

Finally, management should ensure there is effective and coordinated communication and information sharing within the organization, as this will enhance risk identification, assessment and response at all times.
