What’s the Worst That Could Happen? Running a Risk Audit on Your Nonprofit

June 24, 2025

Nonprofits are used to operating under pressure. Limited budgets, lean staff, and constantly changing regulations are part of the job. But one question doesn't always get the attention it deserves: What could go wrong, and are we ready for it?

A risk audit isn't about fear. It's about being prepared. Like a fire drill or a safety check, it helps your organization stay ready, resilient, and focused on the mission, even when things don’t go according to plan.

What is a risk audit?

A risk audit is a structured review of your organization's operations, designed to identify potential problems before they become real ones. It helps you uncover threats, evaluate how likely they are, and assess whether your current safeguards are strong enough.

Think of it like a checkup. You're asking:

  • What could disrupt our ability to serve?
  • Where are we vulnerable?
  • Are we doing enough to reduce our risks?

Common risk areas in nonprofits

Risk can take many forms, and every organization is different. That said, these are some of the most common categories you should include in any risk review:

  1. Financial risks
    • Misuse of funds or fraud
    • Weak internal controls
    • Overdependence on a single funding source
  2. Operational risks
    • Data breaches or IT failures
    • Facility issues like fire hazards or maintenance problems
    • Program disruption due to staff shortages or turnover
  3. Compliance risks
    • Missed deadlines for reports or filings
    • Violations of IRS or state requirements
    • Incomplete documentation for restricted funds
  4. HR-related risks
    • Outdated policies or handbooks
    • Workplace safety violations
    • Inconsistent hiring or training practices
  5. Reputational risks
    • Poor handling of public complaints
    • Inactive or unmanaged social media
    • Negative press about leadership or services
  6. Client and participant safety risks
    • Lack of background checks
    • Inadequate staff supervision
    • Improper response to incidents or complaints

How to run a basic risk audit

You don’t need a consultant to get started. A simple internal audit can be effective if it’s thoughtful and consistent. Here’s a step-by-step approach:

  1. Create a small team. Include leadership, HR, finance, and program staff.
  2. List risk categories. Use the ones above or customize based on your operations.
  3. Identify specific threats. Be honest and detailed.
  4. Rate each risk. Assess both likelihood and impact.
  5. Prioritize action. Focus on the highest risk areas first.
  6. Assign responsibilities. Designate staff to manage action items.
  7. Review regularly. Set a schedule to revisit your audit annually.

Why this matters

A risk audit helps you avoid scrambling during a crisis. It also builds trust—with funders, your board, and your staff. When people know that you’ve thought about the worst-case scenarios and have a plan, it strengthens confidence across the board.

Other benefits include:

  • Better funding opportunities. Many grantmakers and insurers ask about risk planning.
  • Fewer surprises. You’ll be more prepared when something unexpected happens.
  • Stronger operations. A risk audit often uncovers small issues before they become big problems.

How CNIS can help

CalNonprofits Insurance Services works with nonprofits of every size to identify potential risks and provide the right coverage. Whether you’re reviewing your property insurance, looking at liability exposures, or wondering what you're missing, we can help.

Visit our Property & Casualty services page at https://www.calnonprofitsinsurance.org/property-casualty or Request a Quote at https://www.calnonprofitsinsurance.org/request-a-quote to talk with a nonprofit-focused advisor.

Key takeaways

  • Risk audits are not about fear. They are about smart planning and good stewardship.
  • Every nonprofit has risk. The question is whether those risks are known, monitored, and managed.
  • You can start small, but the process should be structured and repeatable.
  • An annual risk review is one of the simplest ways to protect your mission and people.