Risk Assessment: A Template for Nonprofit Boards
What is risk? According to the Business Dictionary, risk is defined as:
“A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.”
While it’s not possible for boards to eliminate every potential risk, it’s prudent for nonprofit boards to conduct a thorough risk assessment annually to mitigate risks for the protection of the organization and its donors.
All organizations face some degree of risk, which is usually necessary to realize growth. The degree of risk that organizations choose to accept is called the “risk appetite.” A risk assessment is a formal process for identifying, evaluating and controlling risks.
Risk Assessment Template
The following is a seven-step process for conducting a risk assessment:
Step #1: Identify the Risks
Risks exist in various areas of nonprofits’ operations. Reviewing your organization’s strategy and main objectives will start you off in the right direction toward identifying risks. Each organization has different objectives and different needs, and the types of risk will reflect them.
Start by listing categories that risk may fall into, such as the following:
Develop questions for each of these categories. For example, you may have questions under the financial category about whether the organization has enough financial reserves, or whether it can begin investing some of its funds. Under operational risks, you may want to know if there is enough staff to operate safely.
Step #2: Analyze the Risks
Two main questions lie at the base of analyzing risks:
- What is the likelihood that the risk will happen?
- What would the impact be on the organization if the risk occurred?
It takes a team that’s familiar with the workings of the organization to brainstorm about all of the possible implications of each risk. It’s important to take some time to complete this portion of the assessment and to think beyond the obvious impacts that risks can create.
Impact from risk may affect the organization or the people in it.
After analyzing the risks, score them first according to the likelihood of occurrence and then according to the degree of impact on the organization on a scale from 1 to 5, similar to the following:
Scores for Likelihood
Score 1 Rare—unlikely to happen, may happen only under special circumstances.
Score 2 Unlikely—don’t expect it will happen, but there is some possibility of it occurring.
Score 3 Possible—likely to occur some of the time, but not frequently.
Score 4 Likely—likely to occur, happens more often than not.
Score 5 Certain—occurs in the majority of cases.
Scores for Impact on the Organization
Score 1 Insignificant impact—little or no impact on the organization’s operations or reputation. Complaints are unlikely, and there is only a remote possibility of litigation.
Score 2 Minor impact—potential for slight impact on the organization’s operations or reputation. Complaints and litigation may be possible.
Score 3 Moderate impact—could lead to moderate disruption of operations or moderate negative publicity. Complaints and litigation are probable.
Score 4 Significant impact—operations would be disrupted, and adverse publicity would be certain. Formal complaints and litigation would be almost certain.
Score 5 Major impact—interrupts operations for a lengthy period and generates major negative publicity. Major litigation would be likely and senior management and/or resignations would be anticipated. This category may also reduce confidence in the organization’s beneficiaries.
Now you have the proper information to be able to calculate the initial risk score.
Multiply the likelihood score by the impact score.
For example, if you assigned a risk with a likelihood of 4 and an impact of 3, the initial risk score for that risk would be 12.
The next step is to assign an action level according to the following definitions:
Levels 1–8 Low risk. Accept the risk and manage it at this level.
Levels 9–16 Medium risk. Manage the risk with the goal of taking action to recategorize it to a low risk.
Levels 17–25 High risk. Alert the rest of the board to this risk and discuss options for mitigating it.
Step #3: Prioritize the Risks
Don’t expect to manage every risk. This step, prioritizing risks, will show you what to focus on most heavily and help you establish important priorities.
Board discussion on this step will focus on what steps the board is willing to take to mitigate a risk versus accepting the risk on its face.
Step #4: Determine the Appetite for Risk
It helps to take a hard look at the top-10 risks and determine the board’s appetite for assuming risks. The willingness to accept a risk may increase if the board can find a way to mitigate it; the risk that remains after mitigation is called “residual risk.”
Step #5: Reduce and Control the Risks
Make a final determination as to whether risks are acceptable, too high or too low. The board may decide not to take action on risks that fall in the acceptable level. Board directors should take a more in-depth look at risks that fall into the high-risk category and decide how to further reduce the risk or whether to stop the activities that lead to it.
Step #6: Give Assurance
Boards are responsible for oversight of the operations. This step requires board directors to ensure that the risk controls are performing as they expect them to. Board directors may ask internal or external auditors to provide assurance that internal controls are in place and working.
Step #7: Monitor and Review Risks
The risk assessment is a valuable tool. Boards need to be aware that circumstances around risk may change continually. Risks come and go. The impact of risks can change as other circumstances change. It’s best for boards to implement some plan for monitoring and reviewing risks on a regular basis.
Some boards find it helpful to select one risk to add to their agenda at each meeting. This provides time to discuss and review each risk on an ongoing basis. Boards should look for assurance that nothing has changed, and that the proper controls remain in place.