September 1, 2021

Both the COVID-19 pandemic and the preceding Great Recession presented serious challenges for organizations eager to develop an annual budget and stick to it. In fact, many businesses and nonprofits alike found themselves with reduced revenue, additional expenses, and worse yet, no contingency plan. Without a crystal ball, the best any organization can do is plan for various scenarios after identifying and prioritizing potential risks to its roadmap. Enterprise risk management (ERM) is the framework used by organizations to safeguard their strategy by building in contingencies that help them develop and manage a more accurate budget.

The Reinforcing Nature of Strategy, Budgets, and Risk Management

Integrating ERM with strategic planning and budgeting processes improves an organization’s ability to respond to uncertainty and have the resources available to achieve its mission. An organization’s strategic plan provides a roadmap for achieving its objectives by translating its mission into programs and activities. Enterprise risk management adds a framework for structuring an organization’s approach to avoiding or minimizing potential roadblocks to meeting strategic objectives.


Budgets ensure that the organization’s strategic plans are feasible and that its resources are allocated to maximize the likelihood of achieving its strategic objectives. Explicitly aligning ERM and budgets to each other, as well as to the overall strategy, leads to more insightful results from the ERM process and more accurate budgets.

More Insightful Enterprise Risk Management

Using strategy as a starting point for ERM helps an organization identify its most important risks, which often cut across functional areas and therefore might be missed in a more traditional, department-oriented risk management approach. ERM establishes a process for prioritizing those risks that are most instrumental to an organization’s success and ensuring that these risks get the attention they require from the right people.

An organization’s budget process supports both risk identification and risk management. Its leaders may discover previously unconsidered risks by examining the largest expenditures and sources of revenue, and by asking what would happen if the assumptions underpinning them turned out to be incorrect. Reviewing large and mission-critical vendors can help determine where there may be vulnerabilities or dependencies, and help the organization plan its response in the event of a service disruption. Asking staff which aspects of the budget were most challenging to forecast may reveal uncertainties that need to be captured in risk registers and addressed in risk management plans (at the project level if not at the enterprise level). In supporting documentation, project managers can indicate the risks that may affect their ability to achieve their budget projections along with the steps they are taking to address these risks. Using the same terminology as the risk taxonomy can be particularly helpful for large organizations to identify common themes occurring across the organization.

Reviewing the budget can be a useful check on the practicality of risk management plans. Risk owners should have the budget information and authority they need to implement required activities, especially for risks that fall across or in between program areas. Viewing budgets and risk management plans together can help identify program and support functions that may be strained if risk events occur so that risk management plans can be appropriately modified. And improving communication between risk owners and budget managers can reveal areas where the organization has capacity to take on more risk than it previously realized.

Finally, budget tracking may be helpful for monitoring risks. Although variance analysis and ratios are backward-looking, tracking trends and rates of change can signal emerging risks. For example, an increase in certain costs may indicate shifts in operating environment conditions.

More Accurate Budgeting

Basing the budget on the organization’s strategy helps ensure strategic priorities are sufficiently funded. When a budget is rolled forward, it may not allocate resources to where they are most needed in the future. Using a zero-based budget, which starts each budget fresh and builds up revenue and costs from zero rather than incrementally changing the prior period’s budget, is generally more resource-intensive, but can be more effective at controlling costs and aligning budget priorities with strategic priorities. Regardless of whether a zero-based budget is used, a multi-year budget that matches the strategic plan’s timeframe can improve the efficiency of the budgeting process and better support strategic objectives.

When an organization’s risk management program also draws from its strategy, connecting ERM to the budgeting process ensures that the budget allocates sufficient resources to mitigation activities for the most critical risks. This is especially important for cross-cutting risks. Budget-ERM alignment can be formalized by including the relevant strategic objective and associated risk in budget documentation.

The ERM process can support financial scenario planning by identifying the key variables that are most likely to affect strategic objectives and quantifying their impact. This can inform reserve requirements and support negotiations with donors for contingency funds or force majeure clauses, which release contractual obligations when unforeseen risk events occur that make program completion temporarily or permanently unfeasible. These clauses allow the organization to allocate a pre-defined percentage of its budget to manage situations such as forced withdrawals and evacuations when extraordinary events occur, but generally require the recipient organization to have clear mitigation measures in place.

ERM focuses on uncertainty, which can have positive as well as negative consequences. Using the ERM process to inform the budget increases the likelihood that the organization will have identified plans and resources to act promptly to take advantage of potential opportunities as they arise.

Getting Started

It’s impossible to know when or where the next global or national crisis will strike, but it is within our control to anticipate potential risks and plan for them. Organizations can now use proven tools and methodologies to help their leaders not only identify possible risks, but also consider their impact as part of their strategic planning and budgeting exercises. For more information and resources on risk management, visit GRF’s ERM Resource Center.




Melissa Musser, CPA, CITP, CISA

Partner and Director, Risk & Advisory Services

GRF CPAs & Advisors



Amy Wares

Risk & Advisory Services

GRF CPAs & Advisors