
Managing Risk in the Nonprofit World

November 20, 2015 by Dr. Jon Warner in Risk Management

Most for-profit companies consider a comprehensive risk assessment or survey process to be a critical part of their overall risk management process. However, many not-for-profit organizations do not understand or appreciate the benefits of such an approach, and this can expose the organization to future problems that could have been avoided.

Whether you are for-profit or not-for-profit, the goals of a sound risk assessment process are as follows:

  • To identify, analyze and prioritize legal/ethical misconduct and compliance risks;
  • To provide a basis for possible compliance, training and ethics programs;
  • To develop risk mitigation approaches;
  • To identify areas where deeper analysis and/or measurement of risk may be required;
  • To measure the effectiveness of any risk mitigation controls or steps that may have been instituted. 

A Simple Risk Assessment Approach

A good risk assessment should discuss and review the probability of occurrence of each risk assessed, and then the impact or severity of the risk should it occur. It should then look at possible mitigating factors for the various risks and suggest a process for monitoring and controlling risk. At a more detailed level, the process works in the following way:

1. Identify All Major Risks

Here we start by listing all types of risks faced by the organization. Many risks are “threat risks”, which can result in fines, penalties, liabilities or even loss of tax exemption, and which can be operational, legal, financial, or related to the investments of the organization. Other risks relate to possible failure (such as the chance that a strategy or program will fail). For many nonprofit organizations, failing to embrace risk in their programs or grants may result in a cautious, unimaginative organization. An organization may therefore wish to adopt a risk “appetite” that defines how it generally views the risks it will embrace. Most nonprofit organizations face similar risks, which can be generally described as follows:

  • Internal or external fraud
  • Misuse of assets
  • Inadequate monitoring or understanding of investments
  • Incomplete, unreliable or improperly reported information
  • Damage to reputation caused by a variety of potential factors
  • Violations of legal rules, regulations and laws
  • Government investigations or audits 

2. Talk to “Front-line” Employees

Once possible risks have been identified, employee input needs to be sought to validate which risks look most pressing and, in some cases, to understand the detail. A risk assessment will include discussions with staff at varying levels and in different areas of the organization, but the closer they are to the process and how it works in practice, the better. Particular care and attention should be paid to those risks that have a higher likelihood of occurrence and a more significant impact or severity.

3. Rate the Risk to Assess Likelihood and Severity of Impact

In assessing the likelihood of a particular risk occurring, the following factors might be considered:

  1. Your organization’s risk appetite in general;
  2. The organization’s culture;
  3. The legal or compliance regime which broadly applies;
  4. Specific policies;
  5. Existing internal controls;
  6. Workforce awareness and knowledge;
  7. Past history; and
  8. Employee intent and motivation.

When assessing likelihood, the following scale may be useful in categorizing the probability of a risk’s occurrence:

Likelihood            Explanation
Almost Certain        Highly likely; this event is expected to occur.
Likely                Strong possibility that the event will occur, and there is sufficient historical incidence to support it.
Possible              The event may occur at some point; typically, there is history to support it.
Very Rare/Unlikely    Highly unlikely, but it may occur in unique circumstances.

Similarly, the impact or severity of a risk can be assessed using the following example scale:

Impact or Severity    Explanation
Minor                 Low severity or little impact on people, quality or costs.
Moderate              Moderate severity or some measurable impact on people, quality or costs.
Severe                High severity or significant impact on people, quality or costs. In human terms this would include possible long-term injury or even death.

4. Addressing or Mitigating Risk

There are several steps that any organization, regardless of its size or type, can take to address or mitigate risks. These steps are outlined below.

  • Set the right tone at the top: Risk control is extremely difficult unless the leaders of the non-profit—senior staff and the board—take risk determination seriously and act as good role models. In other words, compliance and risk management starts at the top, with the executive and the board. The board of the nonprofit must therefore maintain vigilant oversight of the organization directly or through committees with very specific roles and responsibilities to assess risk and then act to mitigate it.
  • Segregate duties: It is critical that staff duties regarding oversight of assets, reporting, and payments be segregated so that there are sufficient checks and balances to protect against possible fraud or asset misuse.
  • Set payment controls: The greatest fraud often arises from a lack of adequate payment controls, where one party or department has the ability to shield payments from other departments or parties. For example, payment controls can include requiring two signatures on checks together with an appropriate reconciliation process. Accountants and attorneys can be helpful in suggesting the appropriate controls for the nature of the specific organization.
  • Conduct “due diligence” exercises: Any nonprofit should conduct adequate due diligence and ensure that there has been legal review of contracts or other agreements. Due diligence checklists for investments, grants and vendors are available from a variety of sources.
  • Conduct audits (external and internal): Even the best set of controls or processes should be subject to periodic review and audit. The use of an independent outside firm to perform periodic audits on specific processes or controls is ideal, but even an internal review is better than doing nothing.
  • Implement and follow strong internal policies: A well-governed nonprofit should have a range of key internal policies in place which everyone has read and understands. These should cover conflicts of interest, whistle-blowing, payment controls, a code of ethics, and dealing with sexual and other harassment and bullying.

Performing a thorough and comprehensive risk assessment may seem both time-consuming and burdensome to many organizations. However, it should be seen as a key part of the responsibility of the managers or stewards of any non-profit entity. Hopefully, this article offers guidance to allow any organization to initiate, continue, or improve its own risk assessment process.

About Dr. Jon Warner

Dr. Jon Warner is a prolific author, management consultant and executive coach with over 25 years of experience. He has an MBA and a PhD in Organizational Psychology. Jon can be reached at
