Most Nonprofits Manage Risk Completely Backwards

Arturo Rodriguez, PhD

Here’s what I discovered when I built my first Enterprise Risk Management program at a major university. Risk plans were treated like insurance policies. Filed away in drawers, forgotten until disaster struck. Sound familiar? You’re not alone. Most organizations experience multiple critical risk events yearly, yet their risk management provides minimal competitive advantage. But here’s the thing: the problem runs much deeper than poor filing systems.

Fear Creates Terrible Risk Assessment

When I started mapping the university’s actual risk landscape, everyone rated their risks as “high likelihood, high impact.” Everything felt catastrophic. A finance team member panicked about weak controls for consultant payments. They worried someone could easily pay a “dummy” consulting firm $50,000 without oversight. The reality? While $50,000 isn’t trivial, it wouldn’t destroy the institution. The likelihood was low since it had never happened. Insurance would cover the loss (there was an appropriate policy in place), and legal would get involved since payments would be traceable. Fear was masquerading as risk analysis.

The Tabletop Solution That Changed Everything

I borrowed a technique from my public health training: tabletop exercises. These “what if” scenarios bring all stakeholders to the table. I introduce a crisis situation, then ask everyone: “What now?” The magic happens when people start talking through their actual processes. Suddenly, the COO discovers what the CFO actually does. The CEO learns how departments really communicate. Everyone realizes they have way more safety nets than they thought. These sessions become accidental cross-training that reveals hidden organizational resilience.

The CEO Dependency Problem

I structure tabletop exercises strategically, starting with lower-level employees and building up to the C-suite. Sometimes I tell the CEO to just watch and let other officials work it out. The results are eye-opening. Teams either step up intelligently or freeze when they can’t default to “ask the CEO.” Organizations discover whether they’re dangerously dependent on one person’s decision-making. Many CEOs learn their organizations are severely siloed with poor information flow between departments.

How AI Changes the Game

Traditional tabletop exercises only reveal known scenarios. I’ve started using AI to uncover hidden risks by analyzing in-depth interviews about past crisis management. AI searches for patterns across similar organizations that faced comparable challenges. This creates comprehensive risk profiles identifying threats no one in the organization has considered. The insight is powerful: these aren’t risks that might happen. They’re risks that are coming. Other similar organizations have already faced them. It’s not a matter of if, but when.

Making Risk Management Strategic (Not Just Reactive)

The 2017 COSO framework repositioned enterprise risk management from compliance exercise to strategic function. For nonprofits, this transformation is critical. With 80% of nonprofits having no cybersecurity plans and nonprofit data breaches increasing 103% in two years, reactive risk management threatens mission fulfillment. Strategic risk management connects directly to organizational resilience and mission impact. When nonprofits understand their real risk landscape through systematic assessment rather than fear-based guessing, they make better decisions about resource allocation and strategic priorities. The goal isn’t eliminating risk. It’s transforming risk management from a compliance burden into a competitive advantage that strengthens mission delivery.

Want to try this approach?

Start with one tabletop exercise. Pick a scenario that keeps your leadership team awake at night. You might discover you’re more resilient than you think.
