How to Conduct a Risk Assessment for Your Nonprofit

When circumstances are favorable for your nonprofit, risk management may seem unnecessary. However, becoming comfortable with day-to-day practices can cause some organizations to overlook inherent risks associated with their operations. That is why it’s essential to develop a strategy for managing risks, as it can be your nonprofit’s saving grace in all types of challenging situations, from economic turbulence to natural disasters to unintentional mistakes.

Only 28% of nonprofits have a “complete” or organization-wide risk management process in place, according to a 2022 report from the Enterprise Risk Management Initiative at NC State University (opens as pdf), despite increased pressure from stakeholders and boards to focus on mitigating risks. A key part of developing a complete plan is a strategy for assessing what risks could potentially occur and how they would impact your organization.

To help you get started, here are three basic steps you can take to conduct a risk assessment for your organization.

1. Identify Potential Risks

Generally speaking, a risk is the probability that a future event will negatively impact a nonprofit like yours. Some of the most common types of nonprofit risk fall into four categories.

Cybersecurity violations. As online networks’ role in nonprofit operations has grown, so has the risk of data breaches and ransomware attacks. While more than 70% of nonprofits use some form of wireless technology, only about 55% have some type of policy in place to handle cybersecurity risks, NTEN reported (opens as pdf).

Fundraising fraud. Because most nonprofits’ employee identification numbers (EIN) are publicly available, scammers can obtain that number and falsely use an organization’s name and logo. Then, they collect donations under the guise of charity while pocketing the money for themselves.

Theft. If a nonprofit’s internal systems are faulty or individuals who haven’t been vetted gain access to resources they shouldn’t, someone close to the organization may steal its money or equipment.

Compliance. Nonprofits are subject to specific rules and regulations that for-profit organizations aren’t, and not complying with those regulations risks an organization’s tax-exempt status.

As you consider which of these risks might affect your organization, keep in mind that there are times when you may need to take on some risks so your nonprofit can grow. However, these four types of risks tend to be harmful rather than helpful and therefore need to be mitigated. Even the risks you take for growth purposes should be carefully monitored to ensure they remain within your organization’s control and don’t lead to one of these negative situations.

2. Determine the Impacts of Each Risk

Once you know what types of risks are possible, you’ll need to consider how they would impact your organization if they were to occur. These impacts often fall into one of these categories:

• Financial loss related to donations, grant funding or earned income, such as membership dues.
• Legal consequences, including lawsuits, fines and other penalties.
• Operational disruption leading to reduced service delivery capabilities.
• Reputation damage that breaks down stakeholders’ trust in your nonprofit.

Some risks may have more than one impact. For instance, a data breach could result in various financial losses, legal investigations, diminished donor confidence — or all three. Make sure to consider all of the possible consequences of each risk as you conduct your assessment.

3. Prioritize Risks to Inform Your Mitigation Plan

Determining the possible impacts of each risk your nonprofit might face is one key factor in prioritizing your list of risks. Consider both the amount and severity of each risk’s potential consequences when deciding which ones should be addressed first.

The other major factor in prioritization is the likelihood that each risk might occur. You can determine this by doing some research into data and trends in nonprofit risk, as well as by analyzing past incidents at your nonprofit and other similar organizations.

Figuring out which risks are most likely to occur and which ones would be most detrimental allows you to put more of your time and resources into discovering and addressing the greatest potential threats to your nonprofit.

Once your nonprofit has conducted a risk assessment, you can refer back to it as you put preventative measures in place and develop contingency plans outlining your responses to risky situations. Keep in mind that your organization’s situation will likely change over time, so it’s important to reevaluate your list of risks periodically to ensure you’ve considered all potential outcomes and can prevent or mitigate as many threats as possible.

The preceding blog was provided by an individual unaffiliated with NonProfit PRO. The views expressed within do not directly reflect the thoughts or opinions of NonProfit PRO.