The role of the board in risk management

The board is ultimately responsible for the organisation's risk management strategy. While some of the work can be delegated, the buck stops with the board.

The board (or committee of management, or council - they're all basically the same thing) of a not-for-profit organisation is responsible for the organisation's risk management strategy.

Indeed, this is among the board's most important responsibilities.

This doesn't mean that it's the board's job to go round and nail down the loose steps itself. But if loose steps are the hazard, the board would need to be satisfied that there was a safety policy, a procedure for identifying and reporting the problem, responsible staff who were conscious of the need to fix it (and within a certain timeframe), and that there were resources available for maintenance.

The risk management strategy

It's the board's role to ensure there is a current risk management strategy that includes a written version of:

  • The procedures the organisation has gone through to review its risk profile;
  • The policies it has put in place to avert the risks that have been identified; and
  • The measures it has taken to cope with the consequences if the projected disasters come to pass.

If these things haven't yet been formalised, then the board will need to proceed at once to do so. The board can either ask the staff (if the organisation has any) to prepare a draft or assign a small number of its own members to work on the matter. This process needs to be inclusive but should be led by a committed board.

The development of a risk management strategy involves the exercise of good judgement and reasonable foresight to identify those risks that are both serious and likely, and to develop strategies to deal with them.

When the responsible party (staff or delegated board member/s) has pulled together a risk management document that they think is feasible and achievable, then they must take it back to the board.

The board will need to be satisfied that:

  • The procedure for identifying risks is adequate;
  • The policies are a reasonable balance between cost and risk; and
  • The organisation will be adequately protected if the worst happens.

The board is not a rubber stamp, and may certainly make changes and reject suggestions, but neither is it the part of the organisation that is going to have to carry the final policy into operation, and it should be cautious about overriding the strongly expressed views of the staff concerned.

If there are important elements where agreement cannot be reached then this may raise questions about whether there is a need to consider more basic changes to the organisation's staffing or structure.

In any case, if the board wishes to have meaningful input into the detail of the policy it may be advisable to set up an ad hoc sub-committee to review the policies and the procedures with the aid of staff.

Implementing the strategy

The next stage of the board's responsibility is to ensure that these good policies and procedures are in fact carried out. This is essentially part of the general responsibility of the board to monitor the organisation's management.

The board needs to be satisfied that:

  • the strategy clearly identifies who is responsible for the implementation of each element of the plan;
  • there is a clear timetable for the achievement of each such element of the plan; and
  • the resources necessary for implementation of the plan have been itemised and authorised.

As with all of the organisation's policies, the board will also need to be satisfied that the operations of the risk management policy are being monitored and modified as required.

The board (or the CEO, if risk management has been delegated) may consider appointing a "risk manager" to liaise with the board. This may be done directly or through a sub-committee or nominated board member.

Some organisations have assigned the role of risk manager directly to one of the members of the board, but this runs a severe risk of confusing governance with management and is generally not advisable (although in smaller organisations it may not be avoidable).

Reviewing the strategy

In order to ensure that nothing is missed, that changing circumstances are being taken into account, and that people know that the organisation is committed to risk reduction, it's advisable to review the risk management plan regularly - every year or even every six months.

If the situation is volatile then the board will need to revisit the area even more frequently, and the reporting will need to be considerably more regular and more detailed, covering a description of any new risks, an account of the effectiveness of the existing risk management strategy, and the prevalence of incidents (thefts, accidents, complaints, etc.) during the reporting period.

Vigilance is necessary in between reviews, as well. Staff and volunteers should be continually identifying, reporting and addressing risks on an ongoing basis.

Whenever it appears that the organisation's situation has changed significantly it will be necessary to rewrite the policy, and when this is done the new policy will once again need the approval of the board.

Liability of the board

If the organisation is incorporated, the board will generally be protected against any attempt to fix personal liability upon its members, provided the board has taken all necessary steps to ensure that the organisation can meet its responsibilities to the public.

If, however, the board has clearly neglected its duty to oversee the operations of the organisation - if, for example, it has taken no action whatever about an important issue - then the members of the board may be taken to have failed in their duty, and they become potentially liable.

You can, that is, become liable not for what you did but for what you didn't do but should have done. There were questions to be asked, and you should have asked them. There were policies that should have been on the files, and you should have asked to see them. There were people at risk, and you should have protected them.

Who/what must be protected?

The primary responsibility of a not-for-profit board is to guide the organisation in accomplishing its mission. In fulfilling this obligation, the board has a legal duty to use the organisation's assets prudently. The assets of a not-for-profit vary, but generally fall within one of the following categories:

  • People (board members, volunteers, employees, clients, donors, and the public);
  • Property (buildings, facilities, equipment, materials, copyrights, and trademarks);
  • Income (sales, grants, and contributions); and
  • Goodwill (reputation, stature in the community, and the ability to raise funds and appeal to prospective volunteers).

These are all things that the board must take into account when considering the organisation's risk management strategy.

Good practice

The board can contribute significantly to managing risk by paying close attention to hot spots - the areas most likely to result in claims. By adopting practices that minimise the likelihood of such claims, the board places an organisation on the right footing.

Some suggested good practices are outlined below.

Carefully select the Chief Executive Officer (CEO)

The board should make the delegation of responsibility for day-to-day management with care. This begins with the thoughtful selection of a CEO or executive director.

The board's ability to fulfil its legal duties and risk management responsibilities will largely depend upon the competence, skills, and cooperation of the CEO.

Oversee employment practices

While the board's responsibility for hiring generally ends with the selection of the CEO, its overall responsibility for the employment practices of the organisation extends a great deal further.

Employment-related actions are the largest source of claims filed against boards of directors under Directors and Officers' insurance policies.

The board's role is not to micro-manage every action taken by the CEO. Instead, the board is acting appropriately and responsibly when it questions whether the organisation applies its employment practices consistently, uniformly and in accordance with the law.

The board should also determine if the organisation is following the board-established employment policies. In addition, members of the board should ask what steps the staff are taking to prevent unlawful discrimination or other actions that could result in liability.

When the board deems it necessary, it should direct the senior staff to strengthen or revisit such practices.

Oversee financial management and fundraising policies

Few not-for-profit board members are experts in not-for-profit finance, nor must the organisation require financial management skills of prospective board members.

However, in order to discharge their fiduciary duties and the duty of care, board members must be committed and diligent in reviewing information related to the organisation's financial position.

Along with establishing goals and objectives and approving the strategic plan, the board must approve an annual budget.

The board must also review financial statements regularly and question whether expenditures are consistent with the program priorities and operating policies established by the board.

Is the organisation on a sound financial footing? Are the staff's revenue projections realistic? Do the financial statements present a clear picture of the financial condition of the agency?

Fundraising is another area in which not-for-profit boards must take an active interest. The board's role in managing fundraising risks includes developing a fundraising policy.

Review insurance coverage

Insurance policies have evolved considerably over time to meet the needs of not-for-profit organisations. While some organisations continue to purchase traditional corporate policies, most now select policies that respond to the unique exposures facing not-for-profit groups.

Board members should be knowledgeable about the coverage taken out by their organisation, and request information that will enable them to evaluate whether the coverage purchased by the organisation is appropriate and responsive to the organisation's exposures.

Adopt and follow good policies and procedures

"Good policies and procedures, always followed" should be the risk management mantra for any not-for-profit organisation.

Indeed, good policies and procedures are invaluable to a board as it strives to fulfil its legal duties and risk management responsibilities.

This also extends to the use of position descriptions for board and staff members and an annual evaluation process.