Is Your Nonprofit Ready for What’s Coming? A Guide to Managing Risk Before It Manages You
The world is becoming more unpredictable. Geopolitical shifts, cybersecurity threats, pandemics, demographic changes, and rapid technological disruption are just a few of the forces reshaping the landscape for nonprofit organizations. In this environment, having a clear, organization-wide approach to identifying and managing risk is no longer optional. It is critical to long-term survival and mission fulfillment.
Why Nonprofits Need a Better Approach to Risk
One of the most striking observations in risk management research is how different leaders within the same organization perceive risk. According to research from NC State’s Enterprise Risk Management Initiative, when asked about significant risks facing their organization, board members, CEOs, CFOs, and technology leaders gave wildly different answers. This disconnect is dangerous. If an organization’s leadership cannot agree on what its biggest threats are, it has little chance of effectively addressing them.
Many organizations still manage risk in silos, meaning each department tracks its own concerns independently, without any shared picture of how risks across the organization connect or compound one another. A more integrated approach, called Enterprise Risk Management (ERM), encourages organizations to look at risk from the top down, connecting it directly to the organization’s strategy and long-term goals. The goal is not just to avoid bad outcomes, but to make smarter decisions in the face of uncertainty.
How to Identify and Prioritize Risks
There are several practical techniques for identifying risks. These include reviewing past events, analyzing internal processes, considering current events in the broader world, conducting staff surveys, and facilitating structured conversations with leadership. The output of this work is a risk inventory, essentially a master list of the threats and uncertainties your organization faces.
Once risks are identified, the next step is to evaluate them based on two factors: how likely they are to occur, and how significant the impact would be if they did. A simple matrix can help visualize this. A risk that is both highly likely and highly impactful demands immediate attention, while one that is unlikely and minor can be monitored with less urgency.
It is also worth noting that organizations tend to focus on risks they already know about. But some of the most consequential threats are ones that are knowable with a little effort, and others are genuinely unknowable in advance. Building resilience means preparing for uncertainty in general, not just the specific risks on your current list.
Once risks are understood, organizations need to decide how to respond. Options include reducing or mitigating the risk, avoiding it entirely, transferring it through insurance or outsourcing, simply accepting it, or in some cases, capitalizing on it as an opportunity.
Keeping Score and Staying Alert
Good risk management does not end with a one-time assessment. Organizations need ongoing monitoring. Two useful tools are Key Performance Indicators, which measure how well things are going based on past results, and Key Risk Indicators, which serve as early warning signals for problems that may be developing. Think of the former as a report card and the latter as a weather forecast.
Another important concept is risk appetite, which refers to how much uncertainty your organization is willing to accept in pursuit of its goals. Some organizations are naturally cautious and will only take action when potential downsides can be minimized. Others are more open and willing to accept uncertainty in exchange for opportunity. Knowing where your organization falls on this spectrum helps leaders make consistent, principled decisions.
Connecting Risk to Financial Reserves
Perhaps the most actionable area of risk management for nonprofits is the connection between risk oversight and financial reserves. Many nonprofits set reserve targets somewhat arbitrarily, perhaps based on a rule of thumb like “three months of expenses.” A more intentional approach ties the size of your reserves directly to the risks and opportunities your organization has identified.
The process works like this. Starting with your strategic plan, you identify the mission-critical risks and opportunities facing your organization. Your operational and financial plans then translate those into resource requirements. Your reserve policy should reflect the financial cushion needed to absorb the most significant risks or fund the most promising opportunities. Your investment policy determines how those reserves are managed over time.
In the current operating environment, nonprofits face a large number of unpredictable risks including political uncertainty, potential loss of grant funding, membership declines, cybersecurity threats, and volatile financial markets. These challenges can compound one another in ways that are hard to predict, sometimes referred to as the “contagion factor.” Having adequate reserves is not just good financial practice, it is what enables an organization to continue serving its community and members when the unexpected happens.
Taking the Next Step
Nonprofits should establish a risk management committee that reviews the organization’s risk landscape regularly throughout the year. They should align their reserve levels with the risks and opportunities they have identified. And they should begin building a culture where risk awareness is part of every major decision, not an afterthought.
Managing risk well is not about predicting the future. It is about making sure your organization is resilient enough to weather whatever the future may hold.
