November 2016, Joan M. Renner, CPA, CGMA, Director, 501(c)(fit!)®

Risk Assessment is Part of Board Governance

Nonprofits make a difference every day thanks to the nonprofit leaders who govern, oversee, manage and carry out their organization’s work to serve its mission. Nonprofit leaders all want to support their organization’s capability to serve, and protect the organization from harm. Board Members want to know what threats might be out there. Management generally has a good idea of what threats are out there—and inside. In fact, they’re sometimes up at night worrying about what might happen if…

  • we lose our major supporter,
  • our major grant is not renewed, or
  • several of our key managers retire.

No nonprofit leader should have to carry these worries on their shoulders. The way for all the organization’s leaders to share the concern is through an organized risk assessment process to identify, evaluate and address the big risks so that the organization and its leaders are prepared to handle them. In a risk assessment, leaders address risk through a process to “see it”, “size it up”, and “avoid it, tame it or at least watch out for it”.

Planning Your Process—starting on the same page

Where do you start?

First you need a team to go through the process with you. Your team, or task force, should include individuals with top responsibility for each major area of your organization including operations, finance, grants, fundraising and regulatory compliance.

Your task force will explore and agree on the criteria you will use to evaluate the severity of your risks based on likelihood and potential impact. This will get your leaders on the same page with a shared understanding of what a severe risk looks like in your organization.

Once you have defined your criteria for evaluating risks, your task force will be ready to move forward and “see it”, “size it up” and “avoid it, tame it or at least watch out for it”.

Drivers and Dangers—what factors are key to your survival?

Where do you look for risks in your organization? Start by identifying what drives your organization: your major sources of resources and capability.

What could happen to these drivers? There are some basic categories of risk to consider: risks from failures related to your people, processes or systems, risks to your finances, risks from your environment and risks related to your reputation. With an understanding of your organization’s drivers and the basic types of risks that are out there, your task force will have the building blocks needed to identify potential risk events.

What If…Possible Risk Events—where risks and drivers collide

What would happen if one of your major resources became impaired or went away entirely as a result of a failure on your part or some outside event? Brainstorm what could happen to your drivers: the factors that drive your resources and capability. These possible risk events usually begin with the words “what if”. For example, what if your major annual fundraiser is a washout due to bad weather? Develop a list of potential risk events and flesh them out, to prepare you to assess their potential impact and likelihood.

How Bad Could It Be?—evaluating potential impact and likelihood

Review your potential risk events and evaluate the severity of each one based on your assessment of its potential impact and likelihood. The impact of a potential risk event refers to how bad it could be. The likelihood of a potential risk event refers to how frequently it might occur, if ever. Severe events will be those with high potential impact and high likelihood.

After this evaluation, select the most severe risk events to move forward to the mitigation phase of your risk assessment process.

Mitigating Your Risk—avoiding, taming or at least keeping watch

What can your organization do to mitigate its identified risks? Try to develop three lines of defense for each severe risk: one to “avoid it”, one to “tame it” and one to “watch out for it”. For example, to address the risk of an employment-related lawsuit, you might decide to “avoid it” through appropriate HR policies. Then you might also “tame it” with employment practices insurance. Finally, you will also “watch out for it” with a reporting system to collect and address complaints through further training and other action.

Developing Your Action Plan—who, what and when

What will you do with all this information? At the end of your risk assessment project, you will need to translate your proposed risk mitigations into new or revised policies and procedures for your organization. Set up ways to address risk assessment when evaluating new initiatives and revisit your risk assessment process every few years. Decide who will take care of each task and which items will require Board approval. Don’t kill yourself at this stage. You didn’t build up these risks overnight so establish a realistic timeline for sharing your findings with your fellow leaders, developing, discussing and approving mitigating policies and procedures and monitoring follow-up.


Conducting a risk assessment process is a lot of work, but it is worth it. Your task force will complete the risk assessment process with a greater understanding of your organization, its challenges and how to meet them through thoughtful proactive governance. Your organization will be better prepared to serve its mission now and in the future, for the benefit of those who depend on you. You may even find that all of your organization’s leaders sleep better at night.