Knowledge and Insights

How Nonprofits Should Manage Risk

Piggy Bank with Solar Panel

Given today’s fast-paced environment and the significant social, technological and regulatory changes that have occurred over the past few years, nonprofit organizations are subject to a myriad of risks. As a result, it’s more important than ever to identify your organization’s risks and develop a risk assessment work plan to address and mitigate them.

Risk, defined as the possibility that events will occur and adversely affect the achievement of objectives, falls into nine major categories:

  1. Strategic – succession planning, expansion beyond expertise, reliance on single funding source;
  2. Operational – client service deficiency, insurance coverage adequacy, disaster recover/business continuity;
  3. Finance – debt covenant compliance, fraud (financial misstatement, asset misappropriations, fictitious vendors, etc.);
  4. Human Capital – key employee flight, inadequate training, employee access and rights;
  5. Social Media;
  6. Information Technology – smart phone security, network vulnerability;
  7. Legal and Compliance – HIPPA, Affordable Care Act;
  8. External – economy; and
  9. Reputational – all of the above. Should any one of the above occur, there is the risk that it will negatively impact the organization’s reputation.

Having an appropriate response plan in place is critical to combating risk. Do you recall the Tylenol crisis in 1982? Tylenol pills were tainted and responsible for deaths in and around Chicago. Johnson & Johnson (J&J) recalled all Tylenol, not just those in the affected area. In addition, J&J decided not to return Tylenol to the shelves until better protection was developed to ensure the product was tamper-proof. This, obviously, was a positive response to the crisis. Fast forward to today and the General Motors (GM) ignition switch debacle, which followed the negative publicity of its bankruptcy filing and government bailout in 2009 – 2010. GM appears to have delayed for more than decade a recall of vehicles with faulty ignition switches, resulting in six fatalities as well as an expanded vehicle safety recall.

Risks and their potential impact on an organization are serious, so let’s talk about how to address them by performing a risk assessment. A risk assessment is defined as the determination of quantitative and qualitative value of risk related to a concrete situation and a recognized threat, also called hazard. A risk assessment can shield an organization from negative consequences of unexpected events. The goals of a risk assessment are to identify, analyze and prioritize risks specific to your operation and culture. A risk assessment provides a basis for possible compliance training and ethics programs. It also helps to refine or develop risk mitigation and monitoring strategies. A risk assessment helps develop a benchmark for ongoing assessment and measure effectiveness.

Harold challenged us to apply these characteristics to the nonprofit sector.

The first step of the risk assessment process is to establish a risk committee and determine the appropriate risk governance. You will need to determine who will lead the charge and how the information will be reported throughout the organization, up to the board. Typically, organizations assign someone the responsibility of being the risk officer. This officer reports to the audit committee, which, in turn, reports to the board.

The second step is to identify your organization’s risks and risk profile. The risk profile describes the consequences of risk occurrences, as well as triggers. Then the risks need to be evaluated to determine the likelihood of occurrence and the impact intensity, in terms of both financial and reputational impact. Next, the organization needs to understand its existing mitigation controls as well as other mitigation strategies that could be implemented. The organization also will need to determine its contingency plan should the risk occur and how it will respond to the occurrence.

The final step is to monitor and report. This process is critical as regular, periodic updates help maintain an acceptable level of risk and identify any risk creep. Heat maps are a quick and effective tool to use for reporting at a high level and prioritizing and implementing risk mitigation strategies.

Obtain valuable assistance with your organization’s risk assessment and mitigation process by contacting the professionals in Mercadien’s Nonprofit Services Group at (609) 689-9700 or