Worrying about problems that haven't happened yet or ones that might never happen to your organization may seem like a waste of time and resources – especially if you have more pressing concerns like determining how you're going to meet your fundraising goals so that your mission can survive another year.
Failing to consider potential risks that could affect your organization, however, can result in greater damage and a more severe emergency if an unforeseen risk does occur.
Of course, you'll never be able to imagine or prepare for every possible bad thing that could affect your nonprofit. However, preparing the best you can for as many scenarios as you can imagine makes it more likely that you will avoid risks, minimize risk-related damages, and survive the challenges that come your way.
What Is Organizational Risk Assessment/Nonprofit Risk Management?
Organizational risk assessment is the process of identifying, assessing, and prioritizing the management of risks that could affect a nonprofit. The assessment should be followed up by an actionable plan designed to mitigate risks to the nonprofit organization.
A nonprofit's risk management plan should cover both inherent and residual risks. "Inherent" risks are those the organization faces before performing organizational risk management; "residual" risks are those that remain after the organization has performed risk management.
Why Risk Assessment and Management Are Important for Nonprofit Organizations
The primary reason why risk assessment and risk management are important is that they are vital to the future health of a nonprofit organization and its ability to continue carrying out its mission. Performing risk assessment and risk management can support the nonprofit's health in the following ways:
- Recognizing potential risks is essential to thorough strategic planning.
- Identifying risks and ranking them helps the board identify and rank the organization's priorities.
- A practice of thorough risk assessment and management demonstrates good stewardship of financial resources to your donors.
- Risk assessment helps the board identify manageable risks so that you can protect your organization from harm and keep it sustainable to continue providing services in the future.
Who Is Responsible for Nonprofit Risk Management?
Risk assessment is primarily the responsibility of a nonprofit's board of directors, working in tandem with the executive director to actively manage risks within the organization.
Best Practices for Conducting Nonprofit Risk Assessments and Organizational Risk Management
Identify and Assess Potential Risks
The first step in nonprofit risk assessment is to identify the risks your organization faces. As mentioned above, the risks that nonprofits face are countless and many of them might not currently be identifiable. However, this step is primarily about assessing the risks that can be identified.
Some of the risks nonprofit organizations commonly face include challenges such as:
- Cybersecurity and Data Breaches - sensitive information leaks that could leave your organization liable and cause major reputational damage
- Fundraising Fraud - nefarious individuals "fundraising" while pretending to be affiliated with your organization
- External Theft or Internal Fraud - anyone stealing from the organization
- Regulatory Compliance - fines, penalties, fees, or other losses incurred as a result of noncompliance with local and federal laws
- Natural Disasters - weather-related events that damage your physical office or hinder your ability to operate
Score and Prioritize Risks
After identifying and assessing potential risks, the nonprofit board should create a risk register. This is a document that ranks the risks according to their degree of severity and the likelihood that they will occur. As a result, the organization's risks can be prioritized and the board can determine which risks need to be managed first.
Determine How to Handle Risks
When it comes to managing organizational risk, there are three basic strategies:
- Avoid - Some risks can be avoided with new strategies or processes that circumvent the original, more risky process.
- Retain - An organization might decide to retain a minimal risk by not addressing it.
- Share or Transfer - Risk can be shared or transferred to another party through outsourcing and insurance.
Outline an Action Plan
Once all risks have been identified, assessed, and prioritized, and a strategy for managing each risk has been identified, the board should then outline an action plan. This plan should identify the resources (such as insurance, outsourcing, infrastructure, IT consulting, etc.) that are necessary for managing risk. Additionally, the action plan should include a strategy for funding and acquiring these resources.
All in all, the action plan should aim to strengthen the organization and its ability to carry out its mission through risk management.
Revisit Your Risk Management Plan
No risk management plan is perfect the first time around, and no risk management plan remains perfect or complete throughout an organization's lifetime. As a result, it's necessary to revisit your risk management plan at least annually to reassess, identify new and emerging risks, and continuously improve the organization's risk management strategy.
Gain Objective Insights
If your nonprofit organization can afford to do so, it can be highly beneficial to hire a third-party risk management consultant. A professional working outside of your organization can offer objective, bird's-eye-view insights that help you more thoroughly identify and manage potential risks.
Even hiring a consultant just once to help your board of directors get started will create a strong foundation for future risk management. A professional consultant can help your leaders thoroughly identify and rank risks while creating a sound risk management process to build on in the future.
How Your Back Office Can Help You Mitigate Risk
Having a sound and secure back office is a powerful strategy that nonprofit organizations can implement to help mitigate a variety of different risk types. From establishing internal controls to safeguard the nonprofit from internal fraud to ensuring your organization's personal information and data are secured against external cybersecurity threats, a robust back office can help to keep your nonprofit safe by minimizing the risk of potential monetary losses and reputational damage.