February 3, 2025
Risks facing organizations are evolving at an unprecedented pace.
The Risk and Advisory Services team at GRF has analyzed the top risks predicted by political, economic, and business experts as well as insights from our 40+ years of experience serving nonprofits and associations. Our Top Risks Report explores the top risk themes of 2025 and the potential implications for nonprofits and associations. The report also includes recommended steps to mitigate these risks.
Legislation and Policy Change
As the new administration, House of Representatives, and Senate begin a new term, they will be considering many proposals for legislation and policies that could significantly impact tax-exempt organizations. It is too soon to gauge which changes will be enacted, but the need to prepare for potential outcomes will impose real costs associated with monitoring proposals, strengthening compliance efforts, and potentially reducing mission-related activities.
There are three areas of potentially significant impact:
- Funding
- Tax-Exempt Status
- Tax Liabilities
Cybersecurity
As organizations become more digitally connected and reliant on third-party technologies, external data sources, and outside service providers, they are more exposed to direct cyberattacks and more vulnerable to the financial, operational, and reputational consequences of an attack on a vendor or partner. At the same time, cybercriminals are becoming more sophisticated with the assistance of artificial intelligence, leading to more frequent attacks that are harder to prevent and counter.
State-sponsored and politically motivated cyberattacks are often orchestrated by organized crime groups rather than individual hackers. Ransomware-as-a-service enables these criminal entities to acquire credentials, custom-developed ransomware, and ransom payment processing services with minimal technical expertise. As a result, nonprofit organizations are increasingly vulnerable to sophisticated cyber threats stemming from geopolitical tensions.
Nonprofit organizations, which typically have lower budgets and fewer cybersecurity defenses, are particularly at risk. Smaller entities may be seen as prime targets due to their increased dependence on third-party service providers and remote or hybrid work environments. There is a misconception that moving to a software-as-a-service (SaaS) application moves the security burden entirely to the SaaS provider, but this is frequently not the case. A false sense of security can leave organizations vulnerable to cyberattacks. The financial and operational repercussions of cybersecurity incidents can be severe. Data breaches can lead to lasting reputational damage.
Organizations that are recipients or subrecipients of U.S. government funds are now subject to stricter cybersecurity guidelines recently released by the Office of Management and Budget (Section 200.303 of 2 CFR). The scope of required cybersecurity and information safeguarding controls has been expanded beyond just personally identifiable information to all other information the federal agency or entity designates as sensitive data. Failure to implement reasonable cybersecurity measures not only exposes organizations to increased cybersecurity risks, but also jeopardizes their eligibility for federal funding. Additionally, non-compliance may result in reputational damage, legal liabilities, and financial penalties.
Significant Operational Disruption
The increased frequency of low-probability, high-impact events has become a defining feature of the post-pandemic world. The suddenness and significant impact of events in 2024 – from flooding in western North Carolina and fires in Los Angeles, to exploding pagers in Lebanon and a terror attack in New Orleans, to the CrowdStrike outage – are signs of what to expect in the years ahead. Despite the increasingly regular occurrence of extreme events, many organizations remain inadequately prepared. The likelihood of being directly affected by such events is small in the short term, but increases significantly when indirect impacts such as disruption to activities or events are considered over a longer time horizon.
Three major areas pose significant risks:
- Climate Change
- Conflict and Civil Unrest
- Reliance on Critical Technologies
2025 Top Risks for Nonprofits and Associations provides GRF’s assessment of how these major themes are likely to impact nonprofits and associations, and how you can address these threats. The appendices include detailed summaries and links to the research reports referenced, including insights from the World Economic Forum, the Internal Audit Foundation, the Federation of European Risk Management Associations, the National Association of Corporate Directors, AuditBoard, AXA, Allianz, S&P Global Ratings, and the Eurasia Group.