Defending Risks Everywhere Is Not a Strategic Plan

You must discuss the risk elephant in the boardroom.


by Dan Busby and John Pearson


He who defends everywhere, defends nowhere.[1]

Sun Tzu


Every organization has and takes risks—and ministries are no exception. Neil Simon once said, “If no one ever took risks, Michelangelo would have painted the Sistine floor.”[2]

But ask ministry board members to name the top three risks facing the ministry they serve, and their responses will be varied. While many risks will be projected, few board members are prepared to crisply identify the highest risks.

Interestingly, when an ECFA research project compared boards that described themselves as effective to those that are ineffective, 84 percent of effective boards agreed that “Our board devotes creative energy and board meeting time to assess risks and opportunities—and thus is well-informed about the outside forces impacting the organization.” Sadly, only 39 percent of ineffective boards agreed.[3]

We know a ministry board that doesn’t have term limits for board members. If you were once elected to the board, you are a lifer. So after several years of committee meetings discussing the adoption of term limits, the topic finally makes it to the board agenda. It is a contentious issue because several individuals have been board members for decades and they do not want to give up their positions.

The debate ebbs aimlessly. Then, at a tension-filled moment in the discussion, Ray says he believes the discussion on term limits should be tabled. He contends the ministry has a significant risk because the ministry’s physical security policies are out-of-date and the board should focus on security risks.

Jordan is the board chair, and this isn’t his first rodeo. He graciously thanks Ray for his comment on security but suggests that the comment does not really relate to the topic of the hour. The board continues to discuss term limits.

The board adopts the term limit proposal after 90 minutes of discussion, and miraculously the vote is unanimous. Jordan pauses to offer a prayer of thanksgiving for the board’s unity.

After he says “Amen,” Ray again brings up his concerns about the risk of inadequate security procedures. He is upset that security policies never make it to the board agenda. And, if the policies are a board-level and not a staff-level issue, Ray has a good point.

Why is it so difficult for boards to discuss and identify significant risks? There are several reasons:

  • Failure to put risks on the agenda. Most boards do not regularly focus on risks because the topic is generally not on the board’s agenda. This leaves the door open to the ad hoc management of risks. The risk management topic should be on the board’s agenda at least annually.
  • Assuming we have no major risks. Some boards falsely assume that the ministry does not have any major risks. There are almost always major risks. Boards often identify some routine problems and totally miss the risk elephant in the room.
    Peter Drucker said, “Fortunately or unfortunately, the one predictable thing in any organization is the crisis. That always comes.”[4]
  • Treating all risks equally. Heed the Russian proverb: “If you chase two rabbits, you will not catch either one.”[5] If all risks are considered to be equal, then all risks will get the same attention—the major risks and the minor risks. The major risks receive too little attention and the minor risks get too much attention. Few ministries have the resources to fully address every risk.
  • Not adequately considering input from staff. Boards tend to focus on their own assessment of risks and input from consultants, forgetting that the staff may have keen insights on potential risks. Staff work with organizational systems and volunteers every day. And staff are probably in the best position to assess risks and recommend solutions.

Boards that do not take a proactive approach to risk management are destined to pay a high price when risks make a surprise visit. It is not a matter of whether a ministry has risks; rather, it is a matter of how many risks exist and which ones are significant.

Categories of Risk

Consider these areas when prioritizing possible risks in your ministry. Note: This list is not exhaustive but can be a springboard for your discussions.
Be sure to get feedback from staff and volunteers on possible risks that the board may not be aware of and prioritize accordingly.


Category of Risk



Data breaches
Malware, spyware


Trip and fall
Loss through fire, theft, or natural disaster

Human Resources

Regulatory noncompliance
Hiring competencies
Succession planning




Economy/Lack of reserves
Budget deficit/borrowing from restricted funds


Changing giver base
Changing giving methods
Dependence on limited number of givers


Safety and security
Youth safety (travel, activities)


Sexual misconduct
Appearance of impropriety


Active shooter
Medical emergencies



Boards are well served to take a holistic approach to risk management,
moving from a fragmented view of risks to an integrated and broadly focused view.
This approach includes not only risks associated with unintended losses
but also financial, strategic, operational, and other risks.

  Board Action Steps:

  1. Review: Regularly include risk assessment on the board’s agenda.

  2. Prioritize: Identify the most important risks and subsequently review the risks to be sure they remain the top risks.

  3. Budget: Allocate appropriate budgetary funds to address the largest risks.



Lord, give our board the discernment to identify our most significant risks,
and then help us to address them. Amen.




[1] Adapted from Sun Tzu, The Art of War (Value Classic Reprints, 2016), 17. This quote is based on the more literal translation of Sun Tzu’s caution: “If he sends reinforcements everywhere, he will everywhere be weak.”

[2] Rosemarie Jarski, Words from the Wise: Over 1,000 of the Smartest Things Ever Said (New York: Skyhorse, 2007), 430.

[3] Warren Bird, Unleashing Your Board’s Potential: Comprehensive Report from ECFA’s Nonprofit Governance Survey (Winchester, VA: ECFAPress, 2019), 21.

[4] John Pearson, Mastering the Management Buckets (Ventura, CA: Regal, 2008), 182.

[5] Gary Keller with Jay Papasan, The ONE Thing: The Surprisingly Simple Truth Behind Extraordinary Results (Austin, TX: Bard, 2012), 1–3.


From More Lessons From the Nonprofit Boardroom: Effectiveness, Excellence, Elephants!, 2019,

This text is provided with the understanding that ECFA is not rendering legal, accounting, or other professional advice or service. Professional advice on specific issues should be sought from an accountant, lawyer, or other professional.