7 Steps to Nonprofit Risk Management
Nonprofits face risk on all sides. In a March 2016 report, Oliver Wyman and SeaChange Capital Partners list some of the difficult conditions under which nonprofits must operate. Among these are:
- Tackling society’s hardest problems
- Limited funding
- Increasing costs for services
- Recruiting and retention
- Ever-changing operating environment
These experts conclude, “It is no surprise that many nonprofits are always living close to the edge.”
Away from the edge: How to mitigate risk
Clearly, it’s impossible to avoid all risk. To do so would be to close your doors—which would leave the people or causes you serve more vulnerable than they already are. The best thing you can do is to manage the inevitable risk. KnowHowNonprofit.org, which provides community-made advice and support for nonprofit organizations, offers a seven-step risk management process.
1. Identify your risks. The British-based Charity Commission recommends that you review risks under the headings of governance, external, regulatory, financial, and operational. These classifications can serve as a framework as you think about the risks in relation to each of your strategic objectives.
2. Analyze the risks. This involves giving a score for the likelihood of occurrence and impact of each risk on your organization:
a. Likelihood is rated on a 1 (rare) to 5 (certain) scale.
b. Impact also uses a 1 to 5 scale, with 1 being insignificant and 5 being major. Measuring impact also considers the possible consequences if a risk occurs, such as the impact on service and reputation, possible complaints, and chances for litigation.
The initial risk score is calculated by multiplying the impact score by the likelihood score. This gives you a level of risk (low, medium, high) and the corresponding level within your organization that should take action (staff, management, or board).
3. Prioritize the risks. Use your risk rating score to identify which risks to address. A cutoff point can be helpful here—a level above which you’ll manage the risk and below which you won’t. You may decide, for example, to manage the top five risks or those that score six points or more.
4. Determine your risk appetite. How much risk are you willing to accept to pursue your objectives? This might change depending on the activity. In this step, consider the top 10 risks you’re managing. For each,
5. Reduce and control the risks. You want to bring each risk down to an acceptable level. Your board should work with the people who “own” the risk to consider all the controls that are in place to reduce its likelihood or impact. After listing these controls, you can re-score the likelihood and impact of that risk to determine a residual risk score.
6. Give assurance. Make sure these controls are performing as expected. You can ask the risk “owner” to periodically confirm that the controls are effective. Internal or external auditors can also provide this assurance.
7. Monitor and review risks. Risks are always evolving, so the way you manage them will also change. Thus, it’s good practice to tie the monitoring and review process to your strategic and operational planning. You may choose to do an in-depth review of a specific risk at each board meeting, which gives trustees a detailed understanding of your risks and controls—and helps assure them that risk is being effectively managed.
Mitigating risk with technology
Risk management, in large part, is about control. That’s where cloud fund accounting software such as Sage Intacct can help. It decentralizes the planning and control process, so you can achieve a granular level of accuracy. Setting budgets for each event, campaign, program, and funder—and then tracking the actuals—creates tighter controls and helps prevent unexpected outcomes.
Another excellent risk management strategy is relying on the nonprofit technology experts at JMT Consulting. We help deliver the financial, development, and productivity solutions that you need to manage risk and achieve mission success. Want to learn more? We’re only a phone call or email away.