Defending Risks Everywhere Is Not a Strategic Plan

You must discuss the risk elephant in the boardroom.


by Dan Busby and John Pearson


He who defends everywhere, defends nowhere.[1]

Sun Tzu


Every organization has and takes risks—and churches are no exception. Neil Simon once said, “If no one ever took risks, Michelangelo would have painted the Sistine floor.”[2]

But ask church board members to name the top three risks facing the church they serve, and their responses will be varied. While many risks will be projected, few board members are prepared to crisply identify the highest risks.

We know a church board that doesn’t have term limits for board members. If you were once elected to the board, you are a lifer. So after several years of committee meetings discussing the adoption of term limits, the topic finally makes it to the board agenda. It is a contentious issue because several individuals have been board members for decades and they do not want to give up their positions.

The debate ebbs aimlessly. Then, at a tension-filled moment in the discussion, Ray says he believes the discussion on term limits should be tabled. He contends the church has a significant risk because the church’s physical security policies are out-of-date and the board should focus on security risks.

Jordan is the board chair, and this isn’t his first rodeo. He graciously thanks Ray for his comment on security but suggests that the comment does not really relate to the topic of the hour. The board continues to discuss term limits. While Ray accepts Jordan’s response, he observes that there never seems to be a right time to discuss security risks.

The board adopts the term limit proposal after 90 minutes of discussion, and miraculously the vote is unanimous. Jordan pauses the board agenda to offer a prayer of thanksgiving for the board’s unity.

After he says “Amen,” Ray again brings up his concerns about the risk of inadequate security procedures. He is upset that security policies never make it to the board agenda. And, if the policies are a board-level and not a staff-level issue, Ray has a good point.

Why is it so difficult for boards to discuss and identify significant risks? There are several reasons:

  • Failure to put risks on the agenda. Most boards do not regularly focus on risks because the topic is generally not on the board’s agenda. This leaves the door open to the ad hoc management of risks. The risk topic should be on the board’s agenda at least annually.
  • Assuming we have no major risks. Some boards falsely assume that the church does not have any major risks. There are almost always major risks at a church. Boards often identify some possible problems and totally miss the risk elephant in the room.

Peter Drucker said, “Fortunately or unfortunately, the one predictable thing in any [church] is the crisis. That always comes.”[3]

  • Treating all risks equally. Heed the Russian proverb: “If you chase two rabbits, you will not catch either one.”[4] If all risks are considered to be equal, then all risks will get the same attention—the major risks and the minor risks. The major risks receive too little attention and the minor risks get too much attention. Few churches have the resources to fully address every risk.
  • Not adequately considering input from staff. Boards tend to focus on their own assessment of risks and input from consultants, forgetting that the staff may have keen insights on potential risks. Staff work with church systems and volunteers every day. And staff are probably in the best position to assess church risks and recommend solutions.

Boards that do not take a proactive approach to risk management are destined to pay a high price when risks make a surprise visit. It is not a matter of whether a church has risks; rather, it is a matter of how many risks exist and which ones are significant.


Categories of Risk

Consider these areas when prioritizing possible risks at your church. Note: This list is not exhaustive but can be a spring­board for your discussions. Be sure to get feedback from staff and volunteers on possible risks that the board may not be aware of and prioritize accordingly.


Category of Risk



  Data breaches
  Malware, spyware


  Trip and fall
  Loss through fire, theft, or natural disaster

  Human Resources

  Regulatory noncompliance
  Hiring competencies
  Succession planning




  Economy/Lack of reserves
  Budget deficit/Use of cash from operations


  Changing giver base
  Changing giving methods
  Dependence on limited number of givers


  Safety and security
  Youth safety (travel, activities)


  Sexual misconduct
  Appearance of impropriety


  Active shooter
  Medical emergencies



Boards are well served to take a holistic approach to risk management,
moving from a fragmented view of risks
to an integrated and broadly focused view.
This approach includes not only risks associated with unintended losses
but also financial, strategic, operational, and other risks.

  Board Action Steps:

  1. Review: Regularly include risks on the board’s agenda.

  2. Prioritize: Identify the most important risks and continue to rank your highest priority risks to ensure they are on the board’s radar at every meeting.

  3. Budget: Allocate appropriate budgetary funds to address the largest risks.



Lord, give our board the discernment,
to identify our most significant risks,
and then help us to address them. Amen.



[1] Adapted from Sun Tzu, The Art of War (Value Classic Reprints, 2016), 17. This quote is based on the more literal translation of Sun Tzu’s caution: “If he sends reinforcements everywhere, he will everywhere be weak.”

[2] Rosemarie Jarski, Words from the Wise: Over 1,000 of the Smartest Things Ever Said (New York: Skyhorse, 2007), 430.

[3] John Pearson, Mastering the Management Buckets: 20 Critical Competencies for Leading Your Business or Nonprofit (Ventura, CA: Regal, 2008), 182 (quoting Peter Drucker).

[4] Gary Keller with Jay Papasan, The ONE Thing: The Surprisingly Simple Truth Behind Extraordinary Results (Austin, TX: Bard, 2012), 1–3.


From Lessons From the Church Boardroom: 40 Insights for Exceptional Governance, ECFAPress, 2018, www.ECFA.Church/KnowledgeCenter.

This text is provided with the understanding that ECFA is not rendering legal, accounting, or other professional advice or service. Professional advice on specific issues should be sought from an accountant, lawyer, or other professional.