a non-profit risk management process manual

2019.07.22

Small non-profits require processes monitoring the enterprise for loss, including missed opportunity. I have written a manual that puts risk management in the hands of the committees that manage the organization's operations. The processes outlined in this document include:

• The creation of a register for the organization's objectives and a mapping of the organization's significant activities to those objectives. This is done to ensure that the entire enterprise is considered for the risks of potential loss and missed opportunity.
• The establishment of a risk culture, not through lectures and posters but: by adding the right questions to decision-making processes; adopting a code of conduct; and adopting a mentality of only ever learning a lesson once; and explicitly defining decision authority.
• The creation of an explicit risk appetite intended to make decisions on risk easier.

Weighing in at a total of seven pages, plus a two-page sample statement of risk appetite, this process covers a number of key processes from the King IV Report on Corporate Governance, a highly readable standard from South Africa. It includes:

• Escalation of potential areas of loss vertically and laterally within the organization for rapid response.
• Capturing changes to the organization's mission and activities, identifying emergent risk, and questioning decisions in light of the risk appetite statement.
• An annual review of risk management activities by the executive committee.
• Consideration of the organization's activities compared to its insurance cover.

Dispensing with abstractions such as risk registers and tedious stilted processes such as "risk management meetings", this is a manual designed for busy non-profits with limited budgets operating in uncertain times. Rather than task a "risk manager" with scolding the organization, it puts the risk management activities in the hands of the people who can do something about the potential issues identified.

About the author: I have written some sixty manuals of risk management policy and procedure for five organizations on two continents. I have negotiated working processes and policies with senior executives as well as external auditors. I have instituted risk control self-evaluation processes and obtained clean audits. I have worked with regulators and contributed to standards by which controls are evaluated. I wrote my masters dissertation on the effective use of risk control procedures. The process manual on this page represents a synthesis of work I've done spanning twenty years.

Please contact me at "michael@" this domain for a copy.