Risk Management is the Umbrella You Didn’t Think You Needed

Non-profits are complicated organizations. Strategic plans are directly tied to the wants and needs of clients, members, and stakeholders, which creates a big responsibility to protect those needs from something damaging or undesirable. Most non-profits are usually funded through grants, donations, fees, or fundraising. Funders can change their programs with very short notice and donors can decide to support a different group, all putting the sustainability of the organization at risk. Risk is a big part of a non-profit’s everyday operations.  

The new year is a great time for a non-profit to conduct a risk assessment.

The new year is a great time for a non-profit to conduct a risk assessment. Non-profits will already be handling risk management through the use of policies, procedures, and monitoring. An annual risk assessment is a sort of check-in to identify if something is missing. The assessment can be completed quickly and include input from as many or as few people as desired.

Start with 5 core categories that align with the structure of the organization and add more as needed. Here is a sample list to get started.

1. Governance/Strategic – Anything related to governing the non-profit or the strategic goals.
2. Operations/Programs and Services – Anything related to the day-to-day operations and programs being offered.
3. Financial – Anything related to revenues and expenses, including how they come in, go out, and are tracked.
4. People – All people connected to the non-profit, such as board members, staff team, volunteers, members, and clients.
5. Legislation – The laws that regulate how the non-profit can function.

If one person is conducting the risk assessment on their own, write each of the 5 categories on a piece of paper. If a large group is conducting the risk assessment together, write each of the 5 categories on flipchart pages.

Brainstorm possible risks.

For each category, brainstorm possible risks that might impact the organization. The list can include past, current, and future risks. If its hard to come up with ideas to add to the list, simply ask board members or the staff team for ideas.

Assess each risk using a 0/low to 10/high ranking system.

Once there is a list of brainstormed ideas under each category, assess each risk using a 0/low to 10/high ranking system for each of these 3 questions.

1. How likely is this risk to happen?
2. What is the impact if this risk were to happen?
3. What would be the severity if this risk were to happen?

The next step is to go through each risk and corresponding rankings, to evaluate what needs to be done to lessen the risk.

Example #1

A lack of board members might come up as a potential risk. On a scale of 0 to 10 the likelihood of a lack of board members happening, might be given a ranking of 5, since lack of board members has always been a worry, but volunteers have always been found. On a scale of 0 to 10 the impact of having a lack of board members might rank at an 8, since the organization might not have enough board members to meet bylaw requirements – that’s serious. On a scale 0 to 10 the severity of having a lack of board members might rank at a 10, since funding would be frozen if the organization didn't have a minimum number of board members.

For an example like this, the likelihood the risk will happen is low, but the impact and severity are high, so further action is needed. One of the mitigation strategies might be to monitor board succession at every board meeting or set a threshold number of board members where, if numbers would fall below, board succession would become the top priority for the board until numbers increased.

Example #2

Employee retirement might come up as a possible risk. On a scale of 0 to 10 the likelihood of employee retirement might be a 10, since many employees have indicated they will be leaving the organization in the next few years. On a scale of 0 to 10 the impact of employees retiring might be a 2 since the organization has a strong recruitment process and regularly gets lots of applications for job openings. On a scale of 0 to 10 the severity of employees retiring might be a 1 since it would be only a minor inconvenience to the operations of the organization to hire and train a new employee.

For an example like this, there appears to be very little to worry about. While the risk is high, the impact and severity are so low that no further action is required.

Decide what/if needs to be done.

Assigning a ranking to each potential risk, using each of the three questions, will help to determine if something needs to be done to address the risk.

Don't wait for the emergency.

When an emergency happens, it is already too late to create a new policy or monitoring tool. Those pieces need to be in place, ready and waiting. They are the spare tire or the umbrella you weren’t sure you might need until you needed it.

It isn’t possible to prevent all risk but future you will be so grateful that past you took the time to complete a risk assessment, handle the tasks, and create the needed policies.

The rewards of risk management will pay off in big ways in later days. Policies may help to identify and stop unwanted activity before it gets out of hand. Monitoring may help to identify red flags far earlier. Plans created and stored can be pulled out with very short notice.

Imagine a report to the board, that explains a major negative event that could have severely impacted the organization. Imagine the report going on to explain that a plan was already in place for this situation, the plan was implemented, and the risk was defused.

Conducting a risk assessment can be, in all honestly, a little boring. If conducting the assessment alone, the easiest way to get started is to pair each of the 5 risk categories with an event that will more easily bring to mind brainstorming ideas. For example, the brainstorming for risk assessment for operations, might happen after a staff meeting, when operations are top of mind. Or the brainstorming for risk assessment for financial, might happen after completing a monthly bank reconciliation, when financial matters are top of mind.

Risk assessment isn’t perfect, but it is one heck of a great start to put the plans in place to prevent and manage emergencies. Get the brainstorming added to the schedule for THIS month.

Thanks for taking the time to read my ideas. What questions do you have? Please use the form on the right side of the page to let me know.

-Christie

…

Hi, I'm Christie Saas, former board member, current Executive Director, and non-profit volunteer. I remember well, those early years when I lacked the training, the confidence, and the work-life balance to focus on becoming the best non-profit leader I could be.

Fast-forward past many bumps in the road, lessons learned, and you’ll find me still in the trenches, but a little wiser, a little calmer, and a whole lot happier. I love my work and I want to help you love yours too.

I created ChristieSaas.com so non-profit leaders never need to feel alone. I’m here to help. If you’re a brand-new non-profit leader, or a little more seasoned, someone who’s looking to make a meaningful contribution and still have time for a full life away from the job, you’re in the right place.

© Christie Saas 2023 All Rights Reserved

…

Want to learn more?
Start with one of my free resources.

FREE Guides