Does your not-for-profit organization perform a risk assessment? Does your nonprofit board even know what a risk assessment is?
This article provides guidance that all not-for-profit organizations can use as a starting point to implement a risk assessment process. It describes the purpose of a risk assessment, identifies the risks facing many organizations, suggests a basic approach, and outlines steps to mitigate and control the risks that your organization faces.
What is a Risk Assessment?
“Risk assessment is the process of examining the exposures an organization faces in order to identify recommended steps for strengthening the organization’s future loss control and risk management strategies and activities.”
While it is not possible for boards to eliminate every potential risk, it is strongly recommended that nonprofit boards to conduct a thorough risk assessment at least annually to mitigate risks for the protection of the organization and its donors.
Why Perform Risk Assessment
Nonprofit organizations are, by definition, on a mission. In pursuit of their missions, they may engage in risk-reward scenarios. Risk assessment is essential because it helps nonprofits to understand the threats and opportunities that they are facing and then prioritize those issues. It is also helpful for seeing where your organization is at in terms of your performance and sustainability for the future.
Public trust is foundational to nonprofit organizations’ sustainability. Left unmanaged, risks can result in all sorts of losses: donors, employees, members, patrons and grants.
Who Should Undertake Risk Assessment
A comprehensive risk assessment can be done by staff or outside consultants. Even if staff typically perform the risk assessment, there may be value to having outsiders perform this task occasionally. An example of an independent consultant is the Nonprofit Risk Management Center.
While the mechanics of a risk assessment may be undertaken by staff or consultants, the role of the board in understanding, evaluating, and assessing risk cannot be understated. It is executive leadership and the board that must set the appropriate tone, understand the dynamics of risk for any given organization, and articulate a clear philosophy on an organization’s approach to risk.
In-House Risk Assessment Approach
A risk assessment should identify a broad parameter of risks within specific categories, analyzing the probability of occurrence and the severity of impact. It should also identify mitigating factors to various risks and suggest a process for tracking or monitoring risk. All of these steps require the exercise of judgment based on knowledge of the organization. In general, this process is as much art as science.
1. Identify Risks
Step one is to carefully consider the types of risks faced by the organization. Think broadly and do not constrain yourself to solely legal risks.
Most nonprofit organizations will share the same type of broad risks that can be generally described as follows:
- Internal or external fraud
- Misuse of cash and other assets
- Revenue concentration leading to loss of funding
- Incomplete, unreliable or improperly reported information
- Damage to reputation caused by a variety of potential factors including cyberattack.
- Violation of legal requirements
- Unplanned executive retirements creating challenges.
2. Talk to Other Staff
A useful risk assessment will include discussions with staff at varying levels of and in different areas of the organization. Staff members interviewed should be asked to identify what they see as the principal areas of risk within their areas, how the risk is currently addressed or mitigated, and ideas for more effectively addressing or mitigating the risks.
3. Rate the Risk to Assess Likelihood and Severity of Impact
In assessing the likelihood of a particular risk occurring, the following factors might be considered:
- Your organization’s culture and ethics
- Ongoing compliance
- Internal controls
- Workforce awareness and knowledge
- Employee intent
There are different methodologies and charts that can be used to present the risk assessment and which one you choose is dependent on your organization’s needs, culture, and sophistication. Here is an example of one such chart from Nonprofit Quarterly.
4. Take Steps to Address or Mitigate Risk
There are steps any organization, regardless of its size or sophistication, can take to address or mitigate risks. These steps are outlined below.
- Segregate duties
- Set payment controls
- Conduct due diligence and legal review
- Conduct audits (external and internal)
- Implement and follow strong internal policies
- Set the right tone at the top
- Avoid complacency
A nonprofit that manages risk openly brings people together to solve problems and improve impact. You will know the culture is working well when all involved in the organization bring risks and challenges forward eagerly, appreciate efforts to monitor their work, and seek help in making improvements.
The creation of a culture of risk assessment and management takes a lot of work and needs to be continually revisited — but it is well worth it.