Assessing Risk for NFPs

Understanding risk is a key element in the decision-making process of not-for-profit organizations

To obtain an understanding of the current state of enterprise risk oversight among entities of all types and sizes, The Enterprise Risk Management Initiative in the Poole College of Management at North Carolina State University has partnered with the AICPA’s Management Accounting – Business, Industry, and Government Team to survey business leaders regarding a number of characteristics related to their current enterprise-wide risk management efforts.

According to the ERM Initiative’s Spring 2019 survey on the State of Risk Oversight, 64% of not-for-profit (NFP) organizations surveyed responded that the volume and complexity of risks has been increasing “mostly” or “extensively” in the past five years. Additionally, 70% of NFP organizations responded that they had experienced an operational surprise “somewhat,” “mostly,” or “extensively” in the past five years.

Identifying Risks

When we think about risks, we can start to identify some broad categories of risk. Such categories include strategic, operational, financial, and reputational risk. Some often-mentioned risks affecting NFP organizations include:

  1. Data breach and cybersecurity – whether it be client, employee, or donor information
  2. Donor retention – how does the NFP continue to engage donors amid growing interest in crowdfunding and donor-advised funds?
  3. Compliance – what changes to laws or new laws and regulation does the NFP face?
  4. Funding sources – are there existing funding sources that are at risk of drying up? What are the opportunities for new funding sources? How might funding sources change into the future?
  5. Staffing and succession planning – with the unemployment rate at a historic low, how is the NFP responding to staffing and succession challenges?
  6. Sustainability – is the operation of the NFP sustainable at its current level? What threats or opportunities impact the future of the NFP?
  7. Technology changes – are there technological risks, not just IT, but in science or health areas that may affect the NFP’s mission?

It’s important to identify these risks to determine which of them hinder the accomplishment of your objectives. Some methods for identifying strategic, operational, financial and reputational risks include:

  1. Interviews of staff and board to get a perspective of all involved
  2. SWOT Analysis
  3. Brainstorming
  4. Questionnaires & Surveys

Understanding, Evaluating & Prioritizing Risks

Risk is typically thought of negatively as something to avoid or minimize. However, risk can also have tremendous payoffs by taking advantage of strategic opportunities.

Once you’ve identified your risks, it’s important to assign each one Probability and Impact (P&I) scores such as high probability, low probability, high impact and low impact. You can then use these scores to determine which risks to focus on; you should focus first on those risks with high probability and high impact.
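To make the P&I scoring concrete, here is a small risk-register example added for this article (it is not the article's or Sikich's own code). The risk names echo the article's list, but the probability and impact ratings are constructed sample values; the three-level scale and the multiplicative score are assumptions, since the article only names high and low ratings.

```python
"""Prioritise a not-for-profit risk register by Probability and Impact (P&I).

Added illustration, not code from the article. The three-level scale
(low/medium/high) and the probability x impact score are assumptions.
"""
from dataclasses import dataclass

# Assumed ordinal scale; the article itself only speaks of "high" and "low".
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    category: str      # strategic, operational, financial or reputational
    probability: str   # one of LEVELS
    impact: str        # one of LEVELS

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot silently drop a risk
        if self.probability not in LEVELS or self.impact not in LEVELS:
            raise ValueError(f"invalid P&I rating for {self.name!r}")

    def score(self) -> int:
        """Simple P x I score from 1 (low/low) to 9 (high/high)."""
        return LEVELS[self.probability] * LEVELS[self.impact]


def prioritize(register):
    """Highest score first; ties broken by impact, then name, for stable output."""
    return sorted(register, key=lambda r: (-r.score(), -LEVELS[r.impact], r.name))


def focus_first(register):
    """The risks the article says to address first: high probability AND high impact."""
    return [r for r in register if r.probability == "high" and r.impact == "high"]


def heat_map(register):
    """Group risk names into a 3x3 grid keyed by (probability, impact)."""
    grid = {(p, i): [] for p in LEVELS for i in LEVELS}
    for r in register:
        grid[(r.probability, r.impact)].append(r.name)
    return grid


# Constructed sample register; the ratings are illustrative, not survey data.
SAMPLE_REGISTER = [
    Risk("Data breach of donor records", "operational", "medium", "high"),
    Risk("Key grant not renewed", "financial", "high", "high"),
    Risk("Executive director departs without successor", "operational", "high", "medium"),
    Risk("New state fundraising regulation", "strategic", "low", "medium"),
    Risk("Negative press from a program incident", "reputational", "low", "high"),
]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.score():>2}  {r.probability:<6} {r.impact:<6} {r.name}")
    print("Focus first:", [r.name for r in focus_first(SAMPLE_REGISTER)])
```

Running the script lists the register from highest to lowest score, with the single high/high item ("Key grant not renewed" in the sample) flagged for attention first; the heat-map helper returns the same register arranged as the 3x3 grid boards often use when discussing risk.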

Monitor, Mitigate, and Control Risks in an NFP

What risks an NFP chooses to take can have far-reaching effects on the organization’s ability to deliver on its mission.

Risk mitigation strategies are designed to eliminate, reduce or control the impact of known risks inherent in a given undertaking, before any harm occurs. Four types of mitigation strategies include:

  1. Risk Acceptance: This strategy is a common option when the cost of other risk management options such as avoidance or limitation may outweigh the cost of the risk itself.
  2. Risk Avoidance: It is the action that avoids any exposure to the risk whatsoever. It’s important to note that risk avoidance is usually the most expensive of all risk mitigation options.
  3. Risk Limitation: This strategy limits an organization’s exposure by taking some action. It combines a degree of risk acceptance with a degree of risk avoidance, or a blend of the two.
  4. Risk Transference: This strategy hands the risk off to a willing third party.

Enterprise Risk Assessment is a process to manage the impact of these risks in the context of strategic planning and operational performance. It involves assessing the full range of possible obstacles to achieving the NFP’s mission.

Organizations that have a strong Enterprise Risk Assessment process in place are in a better position to protect against identified threats and capitalize on opportunities that support their mission, vision and core values. NFPs that successfully manage risk may benefit from more thoughtful and strategic decision-making, increased compliance and accountability, enhanced donor satisfaction, and greater sustainability.

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.