Many for-profit companies consider a comprehensive risk assessment to be a critical part of their overall risk management process. Regrettably, some not-for-profit organizations do not take the time to perform a risk assessment for a variety of reasons: some do not understand or appreciate the benefits of such an exercise; some believe they adequately understand their risk profile; or some may feel they lack the resources to adequately perform the job.
This article provides a framework that all not-for-profit organizations can use as a starting point to implement a periodic risk assessment.[i] It describes the goals of a risk assessment, identifies the nature of the broad risks facing many organizations, suggests a proposed approach, and offers suggested steps to mitigate and control the risks. While the mechanics of a risk assessment may be undertaken by staff or consultants, the role of the board in understanding, evaluating, and assessing risk cannot be understated. It is executive leadership and the board that must set the appropriate tone, understand the dynamics of risk for any given organization, and articulate a clear philosophy on an organization’s approach to risk.
Goals of Risk Assessment
Nonprofit organizations face different types of risks than for-profit companies, but the goals of a risk assessment should be similar:
- To identify, analyze and prioritize legal/ethical misconduct and compliance risks specific to the operations and culture of the organization;
- To provide a basis for possible compliance, training and ethics programs;
- To refine or develop risk mitigation and monitoring strategies;
- To identify areas where deeper internal reviews would be warranted; and
- To develop a benchmark for ongoing risk assessment and measurement of the effectiveness of mitigation steps that may be taken.
Who Should Undertake Risk Assessment
A comprehensive risk assessment can be done by staff if competent to do so or by outside consultants, such as a law or accounting firm. Even if staff is capable of performing the risk assessment, there is value to having outsiders perform this task occasionally. This assures a fresh perspective is brought to risk evaluation and allows all parts of the organization to be evaluated without any potential for the self-interest of staff to color the assessment. These benefits must be weighed against the additional costs of an outside review. A useful compromise is to have an outside reviewer evaluate the work of staff at the end of the process, or to consult with staff during the process. Some outside firms will undertake a risk assessment pro bono, while others may discount fees.
One Methodology for In-House Risk Assessment
A risk assessment should identify a broad parameter of risks within specific categories, analyzing the probability of occurrence and the severity of impact. It should also identify mitigating factors to various risks and suggest a process for tracking or monitoring risk. All of these steps require the exercise of judgment based on knowledge of the organization. In general, this process is as much art as science.
1. Identify Risks
Step one is to carefully consider the types of risks faced by the organization. Think broadly and do not constrain yourself to solely legal risks. Risks can be broadly conceptualized into two categories: risks an organization should usually seek to avoid (what I will refer to as “threat risks”), and the risk of failure, which an organization may choose to embrace. Threat risks can result in fines, penalties, liabilities or even loss of tax exemption and can be operational, legal, financial, or related to the investments of the organization.
Risks of failure include the risk that an underlying program objective or strategy may not succeed or that the investment or financial performance necessary to sustain the organization cannot be achieved. For many nonprofit organizations, particularly foundations, failing to embrace risk in their programs or grants may result in a cautious, unimaginative organization. Foundations, in particular, have the freedom to take risks that other types of organizations or government may be unable or unwilling to take. An organization may wish to adopt a risk philosophy that articulates how it views the risks it will embrace and how it approaches threat risks.
This article focuses primarily on threat risks. It is important, however, for an organization conducting a risk assessment to recognize the different types of risks and their attendant consequences. Ultimately, in assessing any action or inaction that carries risk, an organization must balance the benefits to be achieved against the downside. An organization may also consider adopting a risk management philosophy that would entail, among other things, defining the risk appetite of the organization, determining how to implement a comprehensive risk management process, and building the process into the many facets of the organization.
Incorporating an agreed upon framework regarding risk management into the DNA of an organization helps align the balance between risk and reward, reduces the potential for unwelcome surprises, permits better planning and response time, enhances the ability to take advantage of opportunities, and more effectively allows the organization to make decisions as to how and where to use scarce resources.
Most nonprofit organizations will share the same type of broad risks that can be generally described as follows:
- Internal or external fraud
- Misuse of assets
- Inadequate monitoring or understanding of investments
- Incomplete, unreliable or improperly reported information
- Damage to reputation caused by a variety of potential factors
- Violation of legal requirements
- Government investigations or audits
Within these broad categories there are a host of specific risks that should be considered and analyzed. A listing of many of these risks can be found here. Of course, not all of these risks will apply to every organization.
2. Talk to Other Staff
A useful risk assessment will include discussions with staff at varying levels of and in different areas of the organization. Staff members interviewed should be asked to identify what they see as the principal areas of risk within their areas, how the risk is currently addressed or mitigated, and ideas for more effectively addressing or mitigating the risks.
Particular care and attention should be paid to those risks that have a higher likelihood of occurrence and a more significant impact. Those that are less likely to occur but still would have significant impact should also be carefully reviewed.
3. Rate the Risk to Assess Likelihood and Severity of Impact
In assessing the likelihood of a particular risk occurring, the following factors might be considered:
- Your organization’s culture and ethics;
- Ongoing compliance;
- Internal controls;
- Workforce awareness and knowledge;
- History; and
- Employee intent.
There are different methodologies and charts that can be used to present the risk assessment and which one you choose is dependent on your organization’s needs, culture, and sophistication. Here is an example of one such chart.
|Almost Certain||Highly likely, this event is expected to occur.|
|Likely||Strong possibility that an event will occur and there is sufficient historical incidence to support it.|
|Possible||Event may occur at some point – typically, there is history to support it.|
|Unlikely||Not expected but there is a slight possibility it may occur.|
|Rare||Highly unlikely, but it may occur in unique circumstances.|