Three Key Steps for Nonprofit Risk Assessment and Management

November 29, 2023 By: Jon Osterburg

The best nonprofit risk management plans are proactive rather than reactive. Discover three key steps for risk assessment and mitigation at your organization.

In the context of operating a nonprofit or association, “risk” is something of a loaded word. Taking some risks can be beneficial and even necessary when you’re launching a new initiative or planning for growth. However, the term is more often used to describe situations that you hope to avoid because they could cause harm to your organization. Even the risks you choose to take can have damaging consequences if left unchecked.

To take all of this into consideration, your organization should first figure out how much risk you’re able and willing to take on. Then, you can develop strategies to manage any risks that are beyond your organization’s tolerance level.

As you begin the process of risk assessment and management for your association, make sure to follow these three steps:

  1. Identify and evaluate your risks.
  2. Develop risk-mitigation strategies.
  3. Monitor and revise your risk management plan.

Keep in mind that the best risk management plans are proactive rather than reactive. When creating yours, use foresight to determine not only the best procedure for mitigating risks when they arise but also ways to prevent those risks from causing problems in the first place. Let’s dive into each of the steps.

Identify and Evaluate Your Organization’s Risks

Before you can begin managing your risks, you first need to assess them. You can either conduct your own risk assessment using one of the many checklists available online or ask a third-party specialist to provide an external perspective.

Jitasa’s nonprofit risk management guide explains that during your risk assessment, you should look for the following types of risks:

  • Cybersecurity violations. If your data isn’t secure, it can lead to data breaches that expose sensitive information about your organization and its supporters.
  • Fraud. This risk typically takes the form of either financial fraud (whether intentional or unintentional) or fraud by impersonation, in which a scammer uses your organization’s employer information and branding to collect “donations” while pocketing the money.
  • Theft. When internal systems are faulty or untrained individuals are given access to resources they shouldn’t, it can lead to situations where someone close to your organization steals money or technology.
  • Compliance. Because of their tax-exempt status, nonprofits are subject to several rules and regulations that for-profit organizations aren’t. Failure to comply can incur fines or even put that status at risk.

Once you’ve identified what risks may be present at your nonprofit or association, determine how likely each risk is to occur and what the possible consequences could be for your organization. In addition to concrete impacts like financial losses and legal issues, remember that being involved in risky situations could damage your organization’s reputation in the community. Then, create a master list of all your risks with the most probable and impactful risks at the top.

Develop Risk-Mitigation Strategies

After your risk assessment is complete, start at the top of your list of risks and brainstorm ways to handle each one. Some popular ways to mitigate nonprofit risks include:

  • Adding new policies to your financial management handbook, such as enhanced reporting guidelines or procedures for disclosing conflicts of interest.
  • Tightening your internal controls—for instance, many organizations require two signatures on checks to reduce the risk of accidental financial fraud.
  • Implementing data security measures, such as database encryption and two-factor authentication.

Remember to document all of your organization’s risk mitigation guidelines for future reference, ensuring you can quickly take action if risky situations come up. Also, hold risk-management training sessions for staff and board members to ensure they understand the new system and can effectively apply these preventative measures to their work.

Monitor and Revise Your Risk-Management Plan

Due to the ever-changing nature of nonprofit work, risk management is an ongoing process. At least once a year, meet with your leadership team and board to reassess your priorities, your continued ability to prevent risky situations, and whether your mitigation strategies are still effective.

Additionally, consider conducting regular audits, even if your nonprofit isn’t required to do so. An independent audit can help provide external insights on what risks are likely to affect your organization and how prepared you are to handle them.

Although taking some risks is necessary for your association to expand and evolve, having a plan in place to manage the risks that are more harmful than helpful is essential for it to thrive. With a proactive approach to risk management, your organization can not only avoid financial and legal difficulties but also protect its reputation in the community.

Jon Osterburg

Jon Osterburg is chief operating officer at Jitasa, an accounting firm that offers bookkeeping and accounting services to nonprofits.