| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | Risk ID | Risk Description | Category | Likelihood | Impact | Risk Score | Risk Level | Controls in Place | Recommended Actions | Risk Owner | Status | |||||||||||||||
2 | ||||||||||||||||||||||||||
3 | R-001 | Unauthorized access to donor or member data due to lack of multi-factor authentication | Cybersecurity | High | High | 9 | High | Password-based authentication required for account access. Access limited to authorized members/officers. No multi-factor authentication implemented | Implement multi-factor authentication (MFA) for all accounts. Enforce stronger password requirements (length and complexity). Conduct periodic access reviews to validate user permissions. | IT Administrator | In Progress | |||||||||||||||
4 | R-002 | Phishing attack leading to compromised accounts of officers or members | Cybersecurity | Medium | High | 6 | High | Email accounts used for communication among members and officers. No formal phishing awareness training conducted. No email filtering or phishing detection tools formally implemented. | Provide basic security awareness training focused on phishing identification. Establish a process for reporting suspicious emails. Encourage verification of unexpected or unusual requests before responding. | IT Administrator | In Progress | |||||||||||||||
5 | R-003 | Loss of critical organizational records due to lack of regular data backups | Operational | Medium | High | 6 | High | Organizational data stored across individual devices and shared platforms. No formal backup schedule or centralized backup solution in place. Data recovery procedures not documented. | Implement a centralized backup solution for critical data. Establish a regular backup schedule (e.g., weekly or monthly). Document basic data recovery procedures. | Secretary | Open | |||||||||||||||
6 | R-004 | Improper handling or exposure of member personal information | Compliance | Low | Medium | 2 | Low | Member information shared among designated officers as needed. No formal data handling or privacy policy established. No defined controls over storage or transmissions of sensitive information. | Develop and document a data handling and privacy policy. Limit access to sensitive information based on role. Define approved methods for storing and sharing member information. | Secretary | Open | |||||||||||||||
7 | R-005 | Misuse or misallocation of funds due to lack of financial oversight or segregation of duties | Financial | Low | High | 3 | Medium | Financial responsibilities assigned to designated officers (Secretary, Treasurer). Informal review of financial activities may occur. No formal segregation of duties or documented financial controls in place. | Implement segregation of duties for financial processes. Conduct periodic financial reviews or internal audits. Maintain clear and consistent documentation of financial transactions. | Treasurer | Mitigated | |||||||||||||||
8 | R-006 | Unauthorized physical access to sensitive documents or meeting places (e.g., lack of access reviews of vault) | Operational | Low | Medium | 2 | Low | Physical keys distributed to select members/officers. No formal access control system (e.g., badge or key tracking system). No periodic review of who has a physical access. | Establish a formal key management process (issuance, tracking, return). Maintain an inventory of individuals with physical access. Conduct periodic review and revoke unnecessary access. | Facilities Manager | Open | |||||||||||||||
9 | R-007 | Loss of critical accounts due to poor password management or lack of centralized control (e.g. single account ownership, etc) | Cybersecurity | Low | High | 3 | Medium | Accounts managed individually by members/officers. No centralized password management system in use. Password policies not standardized or enforced. | Implement a centralized password management solution. Establish and communicate password standards. Document ownership and recovery procedures for critical accounts. | IT Administrator | In Progress | |||||||||||||||
10 | R-008 | Dependency on single individual for critical operations without documented procedures | Operational | Low | Medium | 2 | Low | Responsibilities assigned to specific roles or individuals. Informal knowledge of sharing may occur. No formal documentation or cross-training in place. | Document critical procedures and responsibilities. Cross-train members or officers on key functions. Assign backup individuals for critical roles. | Leadership | In Progress | |||||||||||||||
11 | R-009 | Excessive physical access to facilities due to lack of access reviews and absence of a formal key policy | Compliance | Medium | High | 6 | High | Keys distributed based on trust and role. No centralized inventory of issued keys maintained. No process in place for tracking, revoking, or reviewing access. | Implement a key tracking and inventory system. Require sign-out and return procedure for issued keys. Conduct periodic access reviews and remove unnecessary access. | Facilities Manager | Open | |||||||||||||||
12 | R-010 | Lack of proper security awareness and procedures leading to unsafe practices (e.g., individuals securing facilities alone, failing to secure the facility) | Operational | Low | High | 3 | Medium | Security cameras installed to monitor facility access points. Designated individual assigned to monitor entrance during meetings. Informal expectations for securing the facility after use. No formal documented procedure for closing/securing the facility. No requirements for multiple individuals when securing the building. | Develop and document formal procedures for securing the facility. Require a two-person rule when closing or securing the building. Provide safety guidance to individuals responsible for facility operations. | Leadership | Mitigated | |||||||||||||||
13 | R-011 | Lack of emergency preparedness procedures leading to delayed or ineffective response to incidencts (e.g., fire, medical, break-ins) | Operational | Medium | High | 6 | High | Basic awareness of emergency situations among members. No formal emergency response procedures documented. No regular drills or training conducted. | Develop document emergency response procedures (fire, medical, security). Communicate emergency procedures to members and officers. Conduct periodic walkthroughs or reviews of emergency response expectations. | Leadership | Open | |||||||||||||||
14 | ||||||||||||||||||||||||||
15 | ||||||||||||||||||||||||||
16 | ||||||||||||||||||||||||||
17 | ||||||||||||||||||||||||||
18 | ||||||||||||||||||||||||||
19 | ||||||||||||||||||||||||||
20 | ||||||||||||||||||||||||||
21 | ||||||||||||||||||||||||||
22 | ||||||||||||||||||||||||||
23 | ||||||||||||||||||||||||||
24 | ||||||||||||||||||||||||||
25 | ||||||||||||||||||||||||||
26 | ||||||||||||||||||||||||||
27 | ||||||||||||||||||||||||||
28 | ||||||||||||||||||||||||||
29 | ||||||||||||||||||||||||||
30 | ||||||||||||||||||||||||||
31 | ||||||||||||||||||||||||||
32 | ||||||||||||||||||||||||||
33 | ||||||||||||||||||||||||||
34 | ||||||||||||||||||||||||||
35 | ||||||||||||||||||||||||||
36 | ||||||||||||||||||||||||||
37 | ||||||||||||||||||||||||||
38 | ||||||||||||||||||||||||||
39 | ||||||||||||||||||||||||||
40 | ||||||||||||||||||||||||||
41 | ||||||||||||||||||||||||||
42 | ||||||||||||||||||||||||||
43 | ||||||||||||||||||||||||||
44 | ||||||||||||||||||||||||||
45 | ||||||||||||||||||||||||||
46 | ||||||||||||||||||||||||||
47 | ||||||||||||||||||||||||||
48 | ||||||||||||||||||||||||||
49 | ||||||||||||||||||||||||||
50 | ||||||||||||||||||||||||||
51 | ||||||||||||||||||||||||||
52 | ||||||||||||||||||||||||||
53 | ||||||||||||||||||||||||||
54 | ||||||||||||||||||||||||||
55 | ||||||||||||||||||||||||||
56 | ||||||||||||||||||||||||||
57 | ||||||||||||||||||||||||||
58 | ||||||||||||||||||||||||||
59 | ||||||||||||||||||||||||||
60 | ||||||||||||||||||||||||||
61 | ||||||||||||||||||||||||||
62 | ||||||||||||||||||||||||||
63 | ||||||||||||||||||||||||||
64 | ||||||||||||||||||||||||||
65 | ||||||||||||||||||||||||||
66 | ||||||||||||||||||||||||||
67 | ||||||||||||||||||||||||||
68 | ||||||||||||||||||||||||||
69 | ||||||||||||||||||||||||||
70 | ||||||||||||||||||||||||||
71 | ||||||||||||||||||||||||||
72 | ||||||||||||||||||||||||||
73 | ||||||||||||||||||||||||||
74 | ||||||||||||||||||||||||||
75 | ||||||||||||||||||||||||||
76 | ||||||||||||||||||||||||||
77 | ||||||||||||||||||||||||||
78 | ||||||||||||||||||||||||||
79 | ||||||||||||||||||||||||||
80 | ||||||||||||||||||||||||||
81 | ||||||||||||||||||||||||||
82 | ||||||||||||||||||||||||||
83 | ||||||||||||||||||||||||||
84 | ||||||||||||||||||||||||||
85 | ||||||||||||||||||||||||||
86 | ||||||||||||||||||||||||||
87 | ||||||||||||||||||||||||||
88 | ||||||||||||||||||||||||||
89 | ||||||||||||||||||||||||||
90 | ||||||||||||||||||||||||||
91 | ||||||||||||||||||||||||||
92 | ||||||||||||||||||||||||||
93 | ||||||||||||||||||||||||||
94 | ||||||||||||||||||||||||||
95 | ||||||||||||||||||||||||||
96 | ||||||||||||||||||||||||||
97 | ||||||||||||||||||||||||||
98 | ||||||||||||||||||||||||||
99 | ||||||||||||||||||||||||||
100 |