Risk Management Maturity: Where Do You Stand?




Looking back on the NRMC team’s work throughout 2017, one of the hottest topics for our consulting clients and Affiliate Members was risk management maturity. Nonprofit leaders want to know:

  • Compared to other organizations, how advanced are our risk management capabilities?
  • Based on the gold standard for risk management performance in the nonprofit sector, how are we doing?
  • What can we do to progress from practicing risk management to Enterprise Risk Management (ERM)?

These tough-cookie questions have puzzled many a nonprofit leadership team, partly because there are no recognized, published, nonprofit-specific standards on risk management or ERM maturity. With our mission to cultivate risk management leaders and instill effective risk management practices across the sector, the NRMC team realized it was time to step in and address this need.

If you’ve asked yourself the questions above, then order our newest book, World-Class Risk Management for Nonprofits, in which we share NRMC’s new Risk Management Maturity Model.

Our four-phase model offers an expert benchmark of the effectiveness and sophistication of your risk management program. Risk management maturity advances from phase one to phase four:

  1. Emerging/Ad Hoc
  2. Established/Fundamental
  3. Advanced
  4. Strategic/Integrated

Take a peek below at some of the indicators of phase one, which signify that an organization has emerging or ad hoc risk management capabilities. If you can agree or respond “yes” to most of these indicators, then your nonprofit is probably in phase one now. Though phase one is just the beginning, we know that staff in every nonprofit engage in risk management in some fashion. Celebrate your wins and continue cultivating your world-class risk management program, one maturity phase at a time.

Indicators of Risk Management Maturity in Phase 1: Emerging/Ad Hoc Risk Management Capabilities

  • When we use the word risk, we are referring to the possibility of harm or loss.
  • Some team members in the organization intuitively identify and manage risks, but other team members are unfamiliar with the discipline of risk management.
  • If a risk management strategy/tactic is developed and implemented, it’s because a staff member or a team took the initiative to implement it.
  • Risk management practices are inconsistent throughout the organization (e.g., one manager might check references as part of the screening process for new hires, while another might skip that step; one manager might seek legal review of draft contracts, while another might proceed without legal review, etc.).
  • No one person or team is specifically designated as a risk management leader/team (e.g., a Risk Manager or other Risk Champion, a risk management committee or task force, etc.).
  • Our risk management efforts are usually reactive; they are often motivated by incidents or crisis events that have already occurred.
  • We do not deliberately consider or plan for risks during regular planning activities (e.g., budgeting, program development, fundraising activities, etc.).

To gauge your risk management capabilities against NRMC’s full Risk Management Maturity Model, order World-Class Risk Management for Nonprofits. World-Class is a perfect holiday gift for the Risk Champion in your life (especially if that’s you!).

Spending less this holiday season? Try our free Risk Benchmarking App to compare elements of your risk management program against those of your peers. Pick one of five benchmarking topics, and answer a couple of quick questions to anonymously share your nonprofit’s risk management maturity. Then enjoy instant results of all the benchmarking responses to date. You can view aggregate results, or view results from peer nonprofits based on their service type (sub-sector), operating revenue, or location of services.

Wishing you a merry and risk management-mature holiday season!

Contact the Nonprofit Risk Management Center team to learn about risk management maturity and our educational resources: 703.777.3504 or info@nonprofitrisk.org.