A Rubric for Ranking Risks

The prioritization of potential risks during nonprofit risk management is vital to the success of your risk process. A successful nonprofit organization cannot focus on every threat and opportunity: instead, it must focus on the few issues that must be addressed right now. When a nonprofit CEO or Executive Director receives the results of a team’s initial risk prioritization, s/he should take steps to ensure that the prioritization reflects the true understanding of the stakes.

[This post is the sixth in our Lean Risk Management series. To find the others, start with why nonprofits need risk management.]

The initial prioritization exercise we advocated in our prior post allows teams and board members to react emotionally to the nonprofit challenges and risks they face. That is important input, because emotions drive attention. But emotions do not tell the whole story. As a result, we suggest nonprofits use the following rubric as an additional screen to orient their focus toward the most important issues facing the organization.

Critical Issues

  • Legal liability
  • Health and safety of employees or customers/clients
  • Violation of our values or sound ethical practices

Address Promptly

  • Ambiguity about legal obligations, core values, or sound ethical practices
  • Evidence of unhealthy culture
  • Exposure to significant reputational harm
  • Exposure to significant (for us) financial loss
  • Areas of employee complaint or disgruntlement


  • Evidence of mission drift
  • Evidence of failure to meet plans
  • Ambiguity about plans to accomplish mission
  • Ambiguity about mission


  • Areas of potential mission expansion that may serve customer or organizational needs
  • Areas of potential new initiatives that fit existing mission
  • “Moon shots” that deserve discussion and consideration
  • Potential changes to processes that may materially improve performance
  • Lack of documented processes
  • Inefficient or ineffective processes
  • Evidence of lax procedures
  • Settled practice that’s not been reconsidered in light of potentially changed circumstances

As you can see, this rubric emphasizes that legal liability, health and safety violations, and unethical practices should take priority over other identified risks.

Risks that do not trigger liability of that sort, but raise questions about potential liability or ethics or value violations, should be prioritized next, along with issues of potential unhealthy culture, reputational harm, significant financial loss, or employee complaints or disgruntlement.

Then come issues that should be investigated as soon as practicable, including concerns about mission drift, execution of strategic or operational plans, or ambiguity about mission or progress toward mission.

Finally, issues of potential upside, performance improvements, or potentially outmoded operations should receive focused exploration.

This rubric can be used by a nonprofit Executive Director or CEO to place his or her imprint on staff results from their risk prioritization exercise. Using this nonprofit tool will allow a leader to identify the critical few issues that most clearly deserve immediate or prompt attention. In our next post, we will explain how to use these results to create your own initial risk register.