One of the biggest challenges facing nonprofit organizations is managing risk. In uncertain times, it becomes clear that advance planning is crucial for handling potential disruptions. While no one can foresee everything, planning for known and unknown risks is a vital exercise.
Nonprofit organizations have many tools to assist with annual or multi-year planning. Financial statements may show financial results, and a budget shows the organization’s intent to spend. A risk assessment can be another document used in the planning process. This document addresses the “what ifs” facing the organization. A risk assessment should not be a static document; but rather a discussion tool to facilitate a process, perhaps conducted by the Board of Directors and organizational management on an annual basis.
Here is a simple, three-step plan to help create a risk assessment for your nonprofit organization:
1. Brainstorm
First, brainstorm a list of risk areas that your nonprofit faces. Solicit feedback from different team members, including those directly involved in program administration, volunteer management, and other areas. By casting a wide net, you will obtain valuable insight from many different perspectives. This list of risk areas should be specific enough to aid in forming an action plan, but not so granular that impedes the process. Some examples of risk areas include loss of a major funding source; internal or external fraud; or events that might force the organization to leave a location where their programs are administered.
2. Evaluate
After you have a list of potential risk areas, evaluate the likelihood of that risk. A matrix approach is often helpful. To apply the matrix approach, first, assign a value (perhaps on a scale of 1-5) to rank the probability that the event will happen. Then, apply a score (perhaps on a scale of 1-10) to evaluate how much negative impact the event would have on your organization. By multiplying those two scores together, you can assign each risk area with a “weight.” This will help you rank these risk factors so you can focus your attention on the most important areas.
3. Plan
Finally, formulate a plan to address each risk area and mitigate the potential impact of an event. These actions may include purchasing insurance, clarifying organizational policies, or developing a procedure manual. They may also include implementing specific tools designed to reduce risk, such as bill payment systems with built-in approval processes. It may be helpful for your organization to describe the specific internal control measures that should be applied to each risk area. Make sure that responsibilities are split up among multiple team members – if it seems a though one individual is responsible for every aspect of the risk assessment, that may prove a risk in and of itself.
Once your risk assessment is created, don’t just file it away to collect dust. This document should be reviewed annually and adjusted to reflect new or altered risk areas. By looking ahead, your organization will be better prepared to roll with the punches and keep going during uncertain times.