
Nonprofit Risk Assessment: A 5-Step Guide for Small Nonprofits (2026)

June 16, 2026
TL;DR — The Short Answer

Verdict: A nonprofit risk assessment doesn't have to be an enterprise project. For most small orgs, it's a 2-hour board exercise that surfaces the three to five risks that could actually shut you down, scores each one, and assigns an owner and a deadline per row.

What works: The 5-step scoring process (identify, score likelihood, score impact, calculate, document) fits in one board meeting and produces a usable one-page register.

What doesn't: Buying GRC software before you've outgrown a spreadsheet. Waiting for a "real" risk committee to form. Acting on all 20 risks at once instead of the top tier.

Best for: Small and all-volunteer nonprofits running their first formal risk review, or any org that has never put an owner and a deadline next to a named risk.

Worth considering if: Your treasurer is a volunteer, your donor data lives in scattered spreadsheets, or you have an in-person event coming up with no insurance in place yet.

If your treasurer is a volunteer with a full-time job, your first risk assessment should fit on one page and take one board meeting. For most small nonprofits, "risk assessment" isn't an enterprise project. It's the 2-hour exercise where your board and ED name the three to five risks that could actually shut you down, score each one, and assign one owner and one deadline per row.

This guide walks through what a risk assessment is, why it matters, who runs it, the five steps to do it, and how to build your own scoring matrix in a free spreadsheet. It's written for the org where the same person opens the mail, runs the fundraiser, and emails the board agenda.

What is a nonprofit risk assessment?

A nonprofit risk assessment is the process of identifying, evaluating, and prioritizing the risks that could harm your organization, before you decide what to do about them. It's the diagnostic step. Risk management is the ongoing treatment that follows.

Put simply: a risk assessment helps you identify, assess, and control risks to protect your organization and guard its mission. The output of an assessment is a short list of named risks, each scored on how likely it is to happen and how badly it would hurt, with one person and one deadline against each row.

That distinction matters. A lot of small orgs say "we do risk management" when what they mean is "we bought general liability insurance once." Risk management is the year-round work. Risk assessment is the moment, ideally annual, where you stop and ask which risks are actually on the table this year.

For a small nonprofit: the assessment is the artifact that justifies every other governance task on your list. Without it, you're guessing which risks to spend volunteer time on.

Why every nonprofit needs a risk assessment

A short, honest risk assessment does four things for a small org:

  • Helps protect your tax-exempt status. A documented review of compliance, financial controls, and governance gaps is part of what the IRS and state regulators expect of a board doing its job. It does not guarantee status retention, but it makes the conversation with an auditor or attorney much shorter. (See the IRS guidance for charities and nonprofits for compliance baselines.)
  • Builds donor trust. Donors increasingly ask how their data is handled and how funds are controlled. A risk assessment gives you real answers instead of vibes.
  • Prevents mission disruption. Most small orgs that pause programming do so because of a known, ignored risk: an uncovered event, a treasurer who stopped reviewing books, a single grant ending. Naming the risk early is the cheapest way to keep the lights on.
  • Supports board fiduciary oversight. Risk review is one of the clearest ways a volunteer board demonstrates duty of care. The National Council of Nonprofits treats periodic risk review as basic governance hygiene.

For a small nonprofit: the value isn't a polished document. It's the 2-hour conversation that surfaces what nobody has been paying attention to.

Who should be involved

For a small or all-volunteer org, the answer is short: your board and your ED or founder run the assessment. That's it. You do not need a committee, a risk officer, or outside counsel to start.

Add specialists only if you already have them:

  • If you have a treasurer, they own the financial-risk inputs (revenue concentration, cash on hand, who reviews the books).
  • If you have program leads, each one owns the risks tied to their program (volunteer safety, participant data, vendor reliability).
  • If you have an attorney or CPA on call, share the draft with them after the meeting, not during.

The common failure mode in a volunteer-led org isn't bad people. It's that no one is paid to look. Months go by, nobody pulls a financial report, nobody checks who still has access to the donor list, and a small issue compounds. The risk assessment is the forcing function that puts someone's name next to "look at this by [date]."

One specific area to walk through together: who has access to your donor data, and how do you remove access when a volunteer rolls off? On a five- or six-person team, login privileges sprawl fast, and most small orgs have no audit trail of who can see what. If donor data lives in one place with real access controls, that question takes a minute. If it lives in three spreadsheets on three personal phones, it takes a weekend. Zeffy's built-in donor management is one way small orgs replace the spreadsheet sprawl with a single system.

For a small nonprofit: if you're waiting until you have a "real" risk committee to start, you'll never start. Your board plus your ED, around a table for two hours, is the assessment team.

5 steps to conduct a nonprofit risk assessment

This is the core of the work. The whole process is designed to fit in one board meeting.

Step 1: Identify the risks

Walk through your operations and list every risk you can think of. Don't filter yet. Cover finances, programs, fundraising, technology, people, compliance, and reputation. Ask each board member to bring three risks they worry about. Look at what's gone wrong before, and what almost did.

For a small org, the boring-but-fatal risks tend to come up first:

  • No general liability insurance in place before your first in-person event.
  • One donor or one grant funds more than a third of your budget.
  • Your treasurer has not reviewed bank statements in three months.
  • Your donor list lives in a personal Gmail or a phone contacts app.
  • You aren't sure whether your raffle is legal in your state.

One quick note on infrastructure: using a PCI-compliant payment processor (Zeffy's free payment processing is one example) means your nonprofit never stores card data itself, which removes one infrastructure-risk category from the list before you start scoring. Plain guidance, not a fix-all.

Step 2: Score the likelihood

For each risk, ask: how likely is this to happen in the next 12 months? Score it 1 to 5.

  • 1 = rare
  • 2 = unlikely
  • 3 = possible
  • 4 = likely
  • 5 = almost certain

Use the room. If three board members say "this happens to small orgs like us all the time," that's a 4 or 5. Don't overthink it.

Step 3: Score the impact

For each risk, ask: how much harm would this cause if it happened? Score it 1 to 5.

  • 1 = minor inconvenience
  • 2 = recoverable in a week
  • 3 = a hard quarter
  • 4 = a hard year, programs paused
  • 5 = the org might not survive it

Two simple questions help you prioritize: how likely is the risk to happen, and how much harm could it cause? Steps 2 and 3 are just those two questions, written down.

Step 4: Calculate the risk score and prioritize

Multiply likelihood by impact. That's your risk score, from 1 to 25.

  • 15 to 25: act now. These are the risks that could end the org.
  • 8 to 14: plan this quarter. Real risks, manageable with attention.
  • 1 to 7: monitor. Note them, revisit next year.

You'll almost always find three to five risks in the top tier. That's your list. Resist the urge to act on everything. A small org can credibly work on the top tier this year, not all 25 things.

Step 5: Document findings and assign owners

For every risk in the top two tiers, write down four things in one row:

  1. The risk, in one sentence.
  2. One owner. A real person, not "the board."
  3. One deadline. A real date.
  4. One next action. The smallest thing that moves the risk down.

Example: "We have no general liability insurance before our June gala. Owner: Maria. Deadline: April 1. Next action: get two quotes from nonprofit-friendly brokers." That's a complete row.

Put the document in a shared folder the whole board can see. Revisit it at every board meeting for five minutes. That's the difference between a risk assessment that works and one that lives in a drawer.

For a small nonprofit: if you finish the five steps with a one-page list, three to five top-tier rows, and an owner and date on each, you've done a real risk assessment. That's the bar.

How to build your own risk assessment matrix

You can build the matrix in any free spreadsheet (Google Sheets, Excel Online, Numbers). Here is the structure.

Set up the grid. Use a 5x5 grid. Likelihood runs across the top (1 to 5). Impact runs down the side (1 to 5). Each cell holds the score, which is likelihood times impact. Color the top-right corner red (scores 15 to 25), the middle yellow (8 to 14), and the bottom-left green (1 to 7).

The grid looks like this:

Impact \ Likelihood  | 1 (Rare) | 2 (Unlikely) | 3 (Possible) | 4 (Likely) | 5 (Almost certain)
5 (Org-ending)       |    5     |     10       |     15       |     20     |        25
4 (Hard year)        |    4     |      8       |     12       |     16     |        20
3 (Hard quarter)     |    3     |      6       |      9       |     12     |        15
2 (Recoverable week) |    2     |      4       |      6       |      8     |        10
1 (Minor)            |    1     |      2       |      3       |      4     |         5

Build the risk register. On a second tab, make one row per risk with these columns: Risk, Category, Likelihood (1-5), Impact (1-5), Score (formula: =likelihood*impact), Owner, Deadline, Next action, Notes.

Pre-populate it with the boring-but-fatal risks small orgs flag. Use these as your starter rows; cut what doesn't apply.

Risk                                                        | Category   | Likelihood | Impact | Score
No general liability insurance before first event           | Insurance  |     3      |   5    |  15
One donor or grant funds more than 33% of budget            | Financial  |     4      |   4    |  16
Treasurer has not reviewed books in 90+ days                | Oversight  |     4      |   4    |  16
Donor data lives on personal phones / shared spreadsheets   | Data       |     5      |   3    |  15
Online raffle status under state law is unclear             | Compliance |     3      |   4    |  12

Worked example. Take the first row, "No general liability insurance before first event." Likelihood: 3 (you have an event coming and no broker contacted, so it's possible nothing is in place by the date). Impact: 5 (one injury at an uninsured event can end a small org). Score: 15. That puts it in the top tier. Owner: board chair. Deadline: 30 days before the event. Next action: get two broker quotes. Done.

That's the whole tool. A grid, a register, and discipline about owners and dates.
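As an added example, not the guide's own spreadsheet, here is the same grid, tier thresholds and register in Python, so the Step 5 check (named owner, real deadline, next action on every top-two-tier row) can be run over a register exported from the sheet. The starter rows are the five from the guide; the owners and dates on them are constructed sample values.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Tier thresholds from the guide: 15-25 act now, 8-14 plan this quarter, 1-7 monitor.
def tier(score: int) -> str:
    if not 1 <= score <= 25:
        raise ValueError(f"score {score} is outside 1-25")
    if score >= 15:
        return "act now"
    if score >= 8:
        return "plan this quarter"
    return "monitor"

@dataclass
class Risk:
    risk: str
    category: str
    likelihood: int                  # 1 (rare) .. 5 (almost certain)
    impact: int                      # 1 (minor) .. 5 (org-ending)
    owner: Optional[str] = None      # a named person, not "the board"
    deadline: Optional[date] = None
    next_action: Optional[str] = None

    def __post_init__(self) -> None:
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1-5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def tier(self) -> str:
        return tier(self.score)

def matrix() -> List[List[int]]:
    """5x5 grid as in the guide: rows are impact 5..1 top to bottom, columns likelihood 1..5."""
    return [[lik * imp for lik in range(1, 6)] for imp in range(5, 0, -1)]

def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest score first; on ties, the higher-impact row first, then by name for stability."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.risk))

def audit(register: List[Risk], today: Optional[date] = None) -> List[str]:
    """Step 5 check: every row outside the 'monitor' tier needs an owner, deadline and next action."""
    placeholders = {"the board", "board", "tbd", ""}
    issues: List[str] = []
    for r in register:
        if r.tier == "monitor":
            continue
        if r.owner is None or r.owner.strip().lower() in placeholders:
            issues.append(f"{r.risk!r}: needs a named owner, not {r.owner!r}")
        if r.deadline is None:
            issues.append(f"{r.risk!r}: needs a deadline")
        elif today is not None and r.deadline < today:
            issues.append(f"{r.risk!r}: deadline {r.deadline} has passed")
        if not r.next_action:
            issues.append(f"{r.risk!r}: needs a next action")
    return issues

# Constructed starter register: the five rows from the guide, with sample owners/dates.
STARTER: List[Risk] = [
    Risk("No general liability insurance before first event", "Insurance", 3, 5,
         owner="Maria", deadline=date(2026, 4, 1), next_action="get two broker quotes"),
    Risk("One donor or grant funds more than 33% of budget", "Financial", 4, 4),
    Risk("Treasurer has not reviewed books in 90+ days", "Oversight", 4, 4, owner="the board"),
    Risk("Donor data lives on personal phones / shared spreadsheets", "Data", 5, 3),
    Risk("Online raffle status under state law is unclear", "Compliance", 3, 4),
]
```

Running `audit(STARTER, today=date.today())` lists every row that is still missing a real person, a date or a next action, which is the list to clear before the assessment counts as done.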

7 types of risks every nonprofit should assess

1. Data breaches and cybersecurity

Small nonprofits hold donor names, emails, giving history, and sometimes payment info. That data is valuable to attackers and easy to leak when it lives across personal phones, shared Google Drives, and an old spreadsheet a volunteer downloaded once.

What to look for: donor data on personal devices, shared logins, no record of who has access to what.

Warning signs: nobody can name everyone with access to your donor list. A volunteer left and you don't know what they still have.

Ask: if our most active volunteer's laptop were stolen tonight, what donor data would be exposed? Replacing scattered spreadsheets with a single donor system that has real access controls is one of the highest-leverage moves a small org can make.

2. Financial instability and revenue concentration

If one donor, one grant, or one event funds most of your budget, you have concentration risk, full stop. Diversifying revenue is the long-term fix.

What to look for: any single source above 33% of revenue. Fewer than three months of cash reserve.

Ask: which one donor or grant ending tomorrow would force us to cut programs? Diversifying your revenue streams across donations, recurring giving, events, and memberships shrinks this risk over time.

3. Legal and compliance risks

State and federal filings, charitable-solicitation registrations, employment classification, and gaming law are all live wires for a small org.

What to look for: a missed 990, an expired state charitable-solicitation registration, raffle activity in a state where you haven't checked the rules.

Ask: which compliance filings do we owe in the next 90 days, and who is doing them? See our nonprofit compliance overview for the common items to track, and check with your state attorney general or charity regulator on anything specific.

4. Insurance and liability gaps

General liability coverage is table stakes for any in-person event. Directors and officers (D&O) coverage protects your board members personally and is increasingly required by funders and venues. Treat liability insurance as a pre-first-event line item, not a someday line item. Many venues require proof of coverage before they'll let you load in.

Ask: do we have proof of general liability we can hand a venue tomorrow? Do our board members have D&O? Frame this as general practice; specific requirements vary by state, funder, and venue.

5. Human resource and volunteer risks

Burnout, key-person dependency (the one volunteer who knows the donor database), and turnover are real and quiet risks.

Ask: if our most loaded volunteer left this month, what would break? Write it down. That's your succession plan.

6. Reputational risk

Donor trust is the asset. A botched receipt season, a tone-deaf social post, or unclear messaging on fees can dent it.

Ask: what would a current donor see if they searched our name today? Do our receipts go out automatically and accurately?

7. Strategic and technology risk

Buying tools you can't staff, or staying on tools nobody trained on, both create real cost. Map your tools, name an owner per tool, and don't add a tool without a plan to use it.

Ask: are we paying for software nobody opens? Is there a tool a volunteer set up that only that volunteer knows how to use?

Financial risk assessment for nonprofits

Financial risk deserves its own pass. For a small org, the categories that matter are concrete:

  • Revenue concentration. Track the percentage of total revenue from your largest donor, your largest grant, and your top three sources combined. If any single source is above 33%, that's an evergreen concentration risk worth a row on your matrix, regardless of who the funder is.
  • Cash flow and reserves. Track months of operating reserve (cash on hand divided by average monthly expenses). Three months is a common floor; six is more comfortable.
  • Grant compliance. For each active grant, name the reporting dates and the person responsible. Missed reports cost future funding.
  • Treasury risk-aversion. Parking every dollar in a plain checking account because anything else seems complicated is its own risk. A money-market or short-term treasury account at the same bank usually takes an afternoon to set up.
  • Payment fraud and chargebacks. Online giving brings card-not-present fraud risk. A reputable payment processor handles the heavy lifting on dispute response, but somebody at your org still needs to read the alerts.
  • Segregation of duties. The person who deposits money should not be the only person who reconciles the bank statement. If you're a three-person team, get a second board member to spot-check monthly.

For a small nonprofit: if you track concentration percentage, months of reserve, and the next three grant report dates, you've covered 80% of the financial risk a small org actually faces.

Risk assessment tools for nonprofits

Most small nonprofits should start with a spreadsheet. The 5x5 matrix and the risk register above fit in any free spreadsheet, cost nothing, and require no training. If a tool isn't getting opened, it isn't reducing risk.

For orgs that have outgrown a spreadsheet, dedicated governance, risk, and compliance (GRC) platforms exist. They're built for organizations with paid compliance staff, multiple programs across regulated areas, or complex vendor risk. Names you'll see in this category include RiskWatch, LogicManager, Ostendio, ZenGRC, Resolver, and Riskonnect. Pricing is enterprise and most small nonprofits will not need them.

Two free authority resources are worth a bookmark either way:

A note on adjacent infrastructure: the fundraising platform a small org already uses can quietly remove a few risk-register rows. Automated donation receipts, for instance, take a chunk of compliance and recordkeeping admin off the treasurer's plate. That's not GRC software. It's just one less thing to forget. Zeffy is used by 100,000+ nonprofits and has processed $2B+ raised, all free for the organization.

For a small nonprofit: a free spreadsheet, the NRMC framework as a reference, and disciplined board follow-through beats any tool you can't staff. Buy GRC only when you've outgrown the spreadsheet, not before.

How often should we conduct a risk assessment?

Annually at minimum is the common recommendation from sector authorities like the Nonprofit Risk Management Center and the National Council of Nonprofits. A small org can usually run a meaningful refresh in one 2-hour board meeting. Revisit your top-tier rows at every board meeting for five minutes; do the full refresh once a year.

What's the difference between risk assessment and risk management?

Risk assessment is the diagnostic step: identifying, scoring, and prioritizing the risks you face. Risk management is the ongoing treatment: the policies, controls, insurance, training, and review that you put in place because of what the assessment surfaced. You can't do good risk management without a current assessment.

How do we prioritize risks with limited resources?

Score every risk on likelihood (1-5) and impact (1-5), multiply for a 1-25 score, and act on the top three to five rows this year. A small org cannot credibly work on 20 risks at once, and pretending you can is its own risk. The top tier is the list.

Do we need liability insurance before our first event?

In general practice, yes. General liability coverage is widely treated as table stakes for any in-person nonprofit event, and many venues and funders require proof of coverage before they will work with you. Directors and officers (D&O) coverage protects board members personally and is increasingly expected by funders. Specifics vary by state, venue, and funder. Get two quotes from a nonprofit-friendly broker well before your event date.

Can we run an online raffle without risking our 501(c)(3) status?

Charitable-gaming and raffle law is state-specific. Licensing rules, prize limits, and whether online raffles are legal at all vary widely from state to state, and there is no single national rule we can point you to. Before you sell a ticket, check with your state's charity-gaming regulator or attorney general's office, and consider asking a local attorney with nonprofit experience. The cost of a quick check is much smaller than the cost of guessing wrong.

Who should run the risk assessment in a small nonprofit?

Your board and your ED or founder. That's it. If you have a treasurer, they own financial inputs; if you have program leads, each owns risks tied to their program. You do not need a risk officer, a committee structure, or outside counsel to do a credible first assessment.

Written by
Camille Duboz