Risk Management Policy Template for Non-Profits

Risk management for NGOs

Free Resource — Aid Notes

A practical, field-tested policy template built for small and medium-sized Ukrainian NGOs and INGOs operating in conflict-affected settings. Covers security, infrastructure, financial, and operational risk — adapted to the realities of programming in Ukraine.

No sign-up required · Word format · Fully editable

“Risk management in Ukraine is not a compliance exercise. Security, power cuts, fraud exposure, and donor requirements all demand active, structured attention — before something goes wrong, not after.”

7 Key Elements of a Risk Management Policy

The template covers all seven elements an auditor, donor, or oversight body would expect to find in a credible risk management framework.

Element 01: Risk Identification
A structured method for identifying risks across all programme and operational areas, with clear prompts and examples relevant to Ukraine.

Element 02: Risk Assessment Matrix
Likelihood × Impact matrix calibrated for small-to-medium NGOs — financial thresholds scaled to realistic organisational budgets (up to $250k).

Element 03: Risk Appetite Statement
Zero tolerance for safety and fraud. Defined appetite levels across security, compliance, infrastructure, and programme delivery risks.

Element 04: Risk Treatment Options
Terminate, Treat, Transfer, Tolerate — each defined with practical examples. Treatment must be documented in the Risk Register.

Element 05: Roles & Responsibilities
Clear accountability from Board to individual staff. Every identified risk must have a named owner responsible for monitoring and escalation.

Element 06: Monitoring & Reporting
Quarterly review cadence, escalation triggers, donor reporting requirements, and critical risk escalation procedures.

Element 07: Risk Register Template
A ready-to-use Risk Register with pre-filled example risks for Ukraine: shelling-related access loss, power outage, vendor fraud, and donor compliance failure.

Primary Risk Categories for Ukrainian Organisations

01. Security Risk
Armed conflict, shelling, access restrictions, forced evacuation. Zero appetite. Programmes must be suspended if staff safety cannot be assured.

02. Infrastructure Risk
Power cuts, internet blackouts, destroyed facilities. Medium appetite where contingency plans exist. Generator and offline data protocols required.

03. Financial Risk
Fraud, corruption, inflated invoices, currency volatility. Zero tolerance for misuse of funds. Dual sign-off and sanctions screening are mandatory controls.

04. Operational Risk
Key-person dependency, partner capacity gaps, data protection. Low-to-medium appetite. Backup roles and partner due diligence are core mitigations.

05. Compliance & Donor Risk
Donor reporting failures, procurement non-compliance, audit findings. Low appetite. Compliance calendar and document retention are non-negotiable.

06. Reputational Risk
Media exposure, partner misconduct, staff conduct. Low appetite. Requires designated communication authority and social media conduct guidelines.

Note: Safeguarding, Sexual Exploitation and Abuse (BSEA) is a distinct risk category governed by a separate Safeguarding Policy. It is not covered by this template.

Download the Risk Management Policy Template

Fully editable Word document. Adapt the risk appetite, matrix thresholds, and register examples to match your organisation’s size and donor requirements.

Word format · No attribution required · Free for all NGOs
