
Rethinking risk: It’s not just about what could go wrong
Risk management might not sound like the most thrilling topic for voluntary boards, but in truth, it’s one of the most important conversations we should be having. And, done right, it can be surprisingly powerful.
Here’s my take – grounded in my years working with boards, both corporate and charitable – on what risk management really means for nonprofits, along with the advice I regularly offer to the leaders steering them to better risk management and oversight.
In my experience, when people hear “risk”, they often think of disaster planning or worst-case scenarios. But to my mind that’s only half the picture. Good risk management is about asking, “What are we trying to do?” and then being honest about what could get in the way – or what might happen if we don’t act.
For volunteer boards, many of whom are juggling roles, responsibilities and real-world constraints, it’s easy to treat risk as something that sits in the finance or audit file or with the audit and risk committee. But actually, I think that risk should be part of everyday conversations – not a tick-box exercise once or twice a year.
5 things board leaders and trustees should do when it comes to risk
1. Don’t fear the word “risk” – embrace it!
Risk is not the enemy. It’s part of every organization’s journey. It is, to a degree, part of the “Compliance Camino”. The key is not to eliminate risk – that’s impossible – but to understand it, plan for it, and learn how to live with it wisely.
For nonprofits especially, taking the right kind of risk is often what enables innovation, new partnerships or a better way of delivering impact. As the old saying goes, “Ships were not built to stay in port”, and all organizations need to understand their risk appetite.
2. Talk about it – properly
A risk register is fine, but it’s no use if it’s just buried in a shared drive or rolled out once or twice a year for an audit. What matters is creating a space where people feel comfortable discussing what’s really keeping them awake at night. That could be funding, safeguarding, succession planning – or yes, even an unexpected crisis.
Trustees should be encouraged to bring their full selves to these conversations, including any gut instincts or questions. I would emphasize that’s not ‘being negative’ – it’s being responsible.
3. Watch out for the ‘quiet’ risks
In nonprofits, some of the most significant risks aren’t flashy or dramatic – they’re slow burners. Things like relying too heavily on one or two key people, or not having a clear succession plan for your board. Or overlooking digital security because it “hasn’t been a problem yet”. These are the ones that can quietly unravel the great work you’re doing if they go unchecked.
4. Make it everyone’s business
Risk isn’t something that just sits with the chair, the treasurer, or a sub-committee. It’s part of every decision. The more you can weave it into your everyday thinking – whether you’re discussing a new program, hiring a staff member or launching a campaign – the stronger your organization will be. You’re not trying to stop things going wrong; you’re trying to make better decisions as a team.
5. Don’t be afraid to ask for help
Not every board will have a qualified risk or governance expert around the table – and that’s absolutely fine. What matters is being willing to ask questions, admit what you don’t know and seek the right support when needed. You don’t have to be a risk professional to care about stewardship.
Final thoughts
My sense of it for volunteer boards is that risk management is ultimately about looking after what you’ve built – your people, your reputation, your mission – and making sure it’s still standing, still relevant and still trusted tomorrow. It’s not about being risk-averse. It’s about being risk-aware.
If we do all that, we’re not just managing risk. We’re hopefully building resilience.