January 20, 2022
Assessing Nonprofit Governance Risk
By Robin L. Cabral

All nonprofit organizations face a variety of risks and, regardless of their size or focus, their directors should regularly conduct a formal risk assessment and develop or adjust governance practices as appropriate.

First things first. Risk, as defined by, is “A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.”

Risk management is the process of identifying legal, financial, and reputational risks and taking steps to avoid exposure to them. A well-developed risk management policy helps you respond to an emergency quickly and minimizes the effect on your operations.

Organizations without the processes and people in place to manage risk exposure are vulnerable to devastating losses if a crisis situation occurs. Addressing risk management before a problem arises decreases your nonprofit’s risk exposure and the potential for damages or liability.

A good place to start is by asking questions:
  • Financial risks: Do you know who is responsible for verifying and auditing your organization’s finances? Are your financial records up to date? Do you have the checks and balances in place to prevent fraud? Are you compliant with tax regulations? Managing your nonprofit’s financial risks involves knowing the status of your financial situation and taking steps to protect it.

  • Property risks: Do you have any physical security measures in place to protect your physical property? Video monitoring, alarm systems, safety and security processes, and security personnel can protect your organization from property risks such as theft or vandalism. Fire suppression systems, including smoke detectors, sprinklers and fire extinguishers, can prevent or limit fire damage.

  • Personal safety risks: Are your employees and volunteers safe while working for your organization? Have they been adequately trained for the jobs they are performing? Are there processes in place to deal with health and safety accidents? Is your organization liable for any accidents or injuries that occur on your property or at your events?

  • Reputational risks: Who manages your organization’s brand and reputation? Who is responsible for reviewing content and messaging before it is presented to the public? How do you ensure that the information your organization creates or promotes, the events it sponsors and the people it associates with match your corporate goals, mission, and values? Who responds to media inquiries and publicity requests?

  • Liability risks: Your organization may be held responsible for the actions of your partners, contractors, employees, and volunteers even if they have signed contracts releasing you from liability and responsibility. Do you have the proper legal contracts in place with landlords, contractors, service providers, and event sponsors detailing the legal responsibilities of each party? Do you have adequate liability insurance to protect your organization? Are all employees and volunteers properly screened, hired, trained, and supervised when providing services to the public?
It behooves organizations to conduct risk assessments as part of their stewardship to their constituents and their donors. The board of directors is responsible for the oversight of the organization's operations. It should:
  1. Develop a risk management policy. This policy would identify the risk the nonprofit faces by conducting an inventory, assessing the effect experiencing each risk would have on your organization, offering ways to prevent such risks from occurring, and outlining risk response strategies in the event of an unpreventable crisis.

  2. Set risk management goals, review compliance with the plan and with mandates from state and accrediting organizations, establish policies and standards to reduce risk, and review the risk management policy annually.

  3. Ensure that the organization periodically identifies, analyzes, and prioritizes legal/ethical misconduct and compliance risks specific to the operations and culture of the organization.

  4. Begin to have “risk assessment and management” conversations. These are the kinds of conversations that should be part of the board's governance function. Governance is about assessing future threats and risks. If this topic is not part of your board meeting agendas, then make it one.

  5. Identify the types of risk the organization faces and analyze the likelihood of each occurring. What would the impact be on the organization if the risk occurred? Determine the organization's willingness to take the risk, reduce and control the risk if needed, and then monitor it.
It behooves organizations to conduct thorough risk assessments, develop risk management policies, and include risk management discussions at the governance level; doing so allows them to proactively plan for possible changes that could have a disastrous impact on their bottom line.

While nonprofits can't predict the future, they can and should have a system in place as part of their core governance function that focuses on risk assessment and management.

Robin Cabral, principal of Development Consulting Solutions, is a certified fundraising executive who works with mid-sized nonprofits to build capacity and improve fundraising results. Email her at or call 508-685-8899.
March 2020