Impact assessment covers four domains: social, environmental, organizational, and sustainability. The comparison, shared architecture, and how AI changes it.
Use case · overview · across four working domains
Most organizations need two or three kinds of impact assessment, not all four — and not necessarily the kind they started with. The decision happens at scoping. The four working domains share an architecture; the tools that fit each one do not. This page is the comparison, not the build — the deep-dive pages for each domain handle that.
01
The four working domains — social, environmental, organizational, sustainability — and a decision matrix for which one fits which question.
02
The six principles that make any of the four defensible. Same architectural commitments, different evidence sources.
03
The tools landscape — three categories, what each one is for, what each one cannot do, and where AI changes the work.
Four domains · what gets assessed
Each domain measures a different kind of change. Each draws from a different mix of evidence sources. Each has its own deep-dive page covering process, report format, and worked examples. The shared architecture sits underneath all four — covered in §06.
Domain 01 · people & community
Measures outcomes for people and communities — programs, projects, policies, and investments that touch livelihoods, health, education, housing, dignity, and cohesion. Roughly 80% of the evidence base is primary data — voice, narrative, lived experience — because no administrative record captures what stakeholders are actually experiencing.
Domain 02 · ecosystems & resources
Measures effects on ecosystems, air, water, biodiversity, and physical resources. Mandated by regulation in most jurisdictions for projects above defined thresholds. Roughly half primary stakeholder data and half sensor and monitoring data — both are required for a defensible report.
Domain 03 · capacity & maturity
Measures capacity and maturity inside the organization itself — governance, finance, program delivery, leadership pipeline, learning systems. Diagnostic rather than retrospective; produces a roadmap for capacity building rather than an outcome report. Often uses standardized rubrics like OCAT or custom maturity models.
Domain 04 · ESG & reporting
Tracks ESG performance over time across operations, suppliers, and stakeholders. Continuous rather than episodic. Mandated by CSRD in the EU, increasingly required by US SEC climate disclosure, and standard in lender-required corporate reporting. Reports against GRI, SASB, CSRD, or TCFD.
Adjacent and specialty forms — health impact assessment, heritage impact assessment, privacy/DPIA, algorithmic or AI impact assessment, crisis impact assessment — are focused applications of these four domain principles. They are covered in §09 below.
Decision matrix · which assessment fits your question
The selection happens by question, not by tool category. Most organizations need two of these — and a few need three or four. Reading the matrix bottom to top covers single-domain choices; the combined-assessment patterns appear in §10.
What the matrix does not solve is timing. Several of these questions arrive together — a foundation funding a workforce program in a community affected by a new transit project, or a corporate ESG report that needs social-license evidence from a project SIA. The combined-assessment patterns in §10 cover those cases.
Shared architecture · what the four domains have in common
The methodologies differ. The frameworks differ. The reports differ. What does not differ are the architectural commitments — and these are what separate an assessment that holds up under review from one that does not. Every deep-dive page in this cluster rests on them.
01 · Identifier
Every stakeholder, household, site, or supplier gets a stable identifier at first contact — used at every later touchpoint. Without this, baseline and follow-up live in different worlds and reconciliation becomes a six-week project at every cycle.
02 · Mixed-method
Numbers paired with narratives at the moment of collection, not joined retrospectively. The qualitative explains the quantitative; the quantitative anchors the qualitative. Reports that separate them read as activity logs with quotes pasted in.
03 · Framework first
IRIS+, SDGs, GRI, CSRD, IFC PS, or a custom logic model — picked before instrument design. Retrofitting a framework at report time produces compliance-friendly but learning-thin reports. The framework decides which indicators get baselined.
04 · Baseline + follow-up
Every assessment compares before and after for the same identifiable units — same participants, same households, same sites. Comparing the cohort that started to the cohort that finished is selection bias dressed up as measurement.
05 · Validation
Required by IAIA principles for SIA, by IFC PS for ESIA, by GRI for material disclosure. The validation is the audit chain — and the place where false findings get corrected before publication rather than after.
06 · Continuous
Annual or end-of-cycle reporting arrives months after the decisions it should have informed. Continuous assessment runs in weeks or quarters — fast enough that program teams adjust mid-cohort, foundations re-allocate between cycles, and regulators see drift before it becomes a violation.
Notice what is not on the list. Choice of survey tool. Choice of statistical method. Choice of report length. These are domain-specific decisions that follow from the six commitments above. The deep-dive pages cover the choices each domain makes; the six principles are what the deep-dive pages each build on.
Tools landscape · three categories
Confusion about tools is usually confusion about which category solves which problem. Teams that buy a collection tool and expect a report, or buy an analysis tool and expect a workflow, end up reconciling spreadsheets manually at every cycle. Naming the three categories upfront makes the choice clean.
Category 01
SurveyMonkey · Qualtrics · Google Forms · JotForm · Typeform · KoBo Toolbox
Forms and surveys to gather responses. Strongest at one-off campaigns, simple instruments, and broad reach. Most teams already use one of these and assume they have an impact assessment tool — they have a collection tool, which is the first of three things they need.
StrengthFast deployment. Familiar interface. Cheap. Often free at small scale.
LimitationNo persistent identifiers across waves. No framework alignment. No joining with administrative or archived data. Reconciliation at report time is manual.
Category 02
NVivo · Atlas.ti · MAXQDA · R · SPSS · Stata · Excel · Tableau · Power BI
Tools that code qualitative data, run statistical comparisons, or build dashboards. Strong at deep analysis once the data is clean. Built for analysts working on bounded studies rather than continuous program teams.
StrengthStatistical depth. Defensible methodology. Customizable analysis pipelines.
LimitationSeparate from collection, separate from reporting. Requires specialist time. Data exported, manually coded, manually charted — every cycle.
Category 03
Sopact Sense · the emerging category
Tools that thread collection through analysis through reporting with persistent identifiers and framework alignment built in. AI codes open-ended responses at submission. Every quantitative finding traces back to the source response. Reports update as new data arrives.
StrengthOne configuration, continuous operation. Persistent IDs threaded throughout. Framework-aligned from day one. Every finding traceable to source.
LimitationRequires the discipline of choosing framework and indicators at scoping rather than at reporting. Pays back at the second cycle and every cycle after.
The third category is what closes the gap between collection and decision-ready assessment. Most teams need it because the first two leave reconciliation as a manual project — and that manual project is what compresses learning cycles into compliance cycles. Choosing Category 03 alongside Categories 01 and 02 is not the wrong choice; choosing Category 01 alone and treating it as a substitute for the other two is.
AI in impact assessment · two senses of the term
The phrase "AI impact assessment" is doing two different jobs in the same sentence depending on who is saying it. One is about using AI inside the assessment process. The other is about assessing AI systems themselves. Both are real categories; they need different tools and different methodologies.
The first sense — AI applied to the assessment workflow — has been the biggest practical change in the last two years. Concrete examples:
The architectural commitment that makes any of this work is the persistent identifier from §06. Without it, the AI is processing a pile of disconnected responses rather than threading a participant trajectory.
The second sense — assessment of an AI system — is a separate methodology that has emerged with the EU AI Act, the Treasury Board of Canada's Algorithmic Impact Assessment, and OECD AI Principles. The question is what an AI system does to the rights, opportunities, and outcomes of the people it touches. Algorithmic impact assessment shares architectural commitments with the four working domains:
Tools for this second sense include vendor-specific algorithmic-audit platforms, GRC modules with AI risk overlays, and increasingly impact intelligence platforms that handle both the data architecture of monitoring an AI system and the stakeholder evidence that contextualizes the quantitative drift.
Most organizations encounter the first sense long before the second. The platforms that handle theme coding and participant profiling for social and environmental assessments are the same platforms that handle stakeholder monitoring for an AI system — because the underlying data architecture is the same. The methodology that wraps it is what changes.
Specialty & adjacent forms · focused applications
A handful of specialty forms appear in regulatory and industry contexts. They are not separate disciplines — each is a focused application of the four-domain principles, with a vocabulary and audience specific to its niche. Mentioned here so readers searching for a specialty form land in the right place; depth lives elsewhere.
A data protection impact assessment (DPIA) is required under GDPR when an organization processes personal data in ways that pose a high risk — large-scale profiling, biometrics, public-area surveillance, sensitive categories. The DPIA names the data flow, the risk to individuals, the safeguards, and the residual risk. Closest to the organizational and AI assessment domains. Tools are typically vendor-specific privacy software or modules inside GRC platforms.
Health impact assessment (HIA) evaluates how a project, program, or policy affects population health — direct exposures (air quality, water, occupational hazards) and indirect determinants (housing affordability, transit access, food security). HIA is a focused subdomain of social impact assessment with health as the central life domain. WHO and IAIA both maintain HIA guidance. Often combined with environmental impact assessment in ESIA for infrastructure and industrial projects.
Heritage impact assessment evaluates how a development project affects tangible and intangible cultural heritage — archaeological sites, historic structures, indigenous cultural landscapes, intangible cultural practices. ICOMOS (the International Council on Monuments and Sites) publishes the most widely used HIA guidance. Combined with social impact assessment for community-cultural-ties analysis and with environmental impact assessment for landscape and visual analysis.
Algorithmic or AI impact assessment evaluates the impact an AI system has on the people, rights, and decisions it touches. Frameworks include the EU AI Act conformity assessment, the Treasury Board of Canada's Algorithmic Impact Assessment, and OECD AI Principles. See §08 above for the relationship to AI used inside the assessment process — these are two different applications of AI to impact assessment terminology.
Crisis impact assessment applies the four-domain principles in rapid-turnaround conditions — pandemic response, natural disaster, conflict displacement, supply-chain shock. Cycle time is compressed from months to weeks; the architectural commitments (persistent IDs for affected populations, mixed-method evidence, framework alignment) hold. Platforms used for crisis impact assessment emphasize mobile-accessible data collection, live dashboard updates, and offline-capable instruments for disrupted environments. Same primary-data architecture as social impact assessment, faster cycle.
Operational impact assessment evaluates the effect of a process change, service redesign, or policy reform on the people who deliver and receive the service. Common in public-sector reform, healthcare service redesign, and corporate operational change. Closest to organizational assessment with stakeholder feedback as the primary evidence layer. Same six principles from §06 apply.
What unites these specialty forms is that each carries a specific audience and vocabulary, but each rests on the same architectural commitments. Picking the right framework and the right tool category from §07 matters more than picking between the specialty labels. The four-domain breakdown in §04 is usually where the actual planning starts.
Combined assessments · when two or more domains apply
A handful of contexts require two or more of the four domains running together. The most common is ESIA — combined environmental and social. The shared-architecture commitments in §06 are what make running them together possible without doubling the cost.
Required by IFC Performance Standards, the World Bank Environmental and Social Framework, EBRD, ADB, and the Equator Principles for project finance. Triggered by projects above defined thresholds — infrastructure, energy, mining, agriculture at scale, large industrial development.
An ESIA pairs the environmental impact assessment (air, water, biodiversity, sensor data, mitigation engineering) with the social impact assessment (community livelihoods, displacement, cultural ties, FPIC documentation). The two halves share stakeholder catchments and project footprint geometries; they do not share evidence sources or report sections. Tools that handle both are rare; most organizations run two parallel workstreams.
A multi-program foundation funding workforce, environmental restoration, and capacity-building grantees often needs three domains. A corporate sustainability program running CSR, regulatory ESG disclosure, and supply-chain due diligence often needs all four. The architectural commitments do not change. What changes is the indicator dictionary that has to cover multiple framework crosswalks — IRIS+ for social, GRI 300 for environmental, OCAT or custom rubrics for organizational, CSRD or SASB for sustainability.
Running three or four domains from one primary-data infrastructure requires the shared identifier discipline and framework alignment at scoping. Without those, the four assessments become four projects. With them, the four assessments share the same intake, the same identifiers, and the same report assembly — and the cycle compresses from "annual end-to-end build" to "continuous monitoring with annual disclosure."
Build pattern · combined assessment
Most organizations underestimate the cost of running two domains separately versus the cost of running two domains from one infrastructure. The separate-projects path looks cheaper at the start; by the third reporting cycle it costs more in analyst time than the integrated build would have, and by the fifth cycle the analysts have left and the integrated build is the only path forward.
For deeper coverage of how this works in practice, see the social impact assessment deep dive and the environmental impact assessment deep dive — they share architecture but split methodology cleanly.
FAQ · impact assessment
An impact assessment is a structured process for measuring whether a program, project, policy, or organization changed outcomes for the people, communities, environment, or systems it touched. It pairs quantitative indicators with qualitative evidence and reports against a chosen framework. Four working domains cover most cases: social, environmental, organizational, and sustainability. All four share the same architectural commitments — persistent identifiers, mixed-method evidence, framework alignment chosen at scoping, and baseline-plus-follow-up structure.
Four working domains cover most assessments. Social impact assessment measures outcomes for people and communities. Environmental impact assessment measures effects on ecosystems and resources. Organizational assessment measures capacity and maturity inside the organization itself. Sustainability assessment tracks ESG performance over time. Adjacent specialty forms — privacy/DPIA, health impact assessment, heritage impact assessment, algorithmic or AI impact assessment, crisis impact assessment — are focused applications of the broader four-domain principles.
Impact assessment evaluates real-world change — what happened to people, communities, ecosystems, or organizational capacity as a result of an intervention. Impact analysis is a broader term that often refers to software-engineering work (analyzing how a code change affects a system), regulatory analysis, or business risk modeling. In social-sector usage the two overlap; in software and IT usage they are different disciplines. This page covers impact assessment in the social, environmental, organizational, and sustainability sense.
Assessment documents what changed and reports against a chosen framework, using structured mixed-method evidence. Evaluation goes further and tests whether the intervention caused the change, typically through a comparison condition like a control group or quasi-experimental design. Most programs run continuous assessment year-to-year and a formal evaluation periodically when a funder commissions one. Both rest on the same primary-data architecture — persistent IDs, baseline-and-follow-up, framework alignment, traceability.
Tools fall into three categories. Data collection tools (SurveyMonkey, Qualtrics, Google Forms) gather responses. Data analysis tools (NVivo, R, SPSS, Stata) code qualitative data and run statistical comparisons. Impact intelligence platforms (Sopact Sense) thread collection through analysis through reporting with persistent participant IDs and framework alignment, so every finding traces back to its source response. The third category is what closes the gap between data collection and decision-ready assessment.
An impact assessment framework is a structured language for what gets measured and how it gets reported. The widely used frameworks are IRIS+ (the de facto standard for impact-fund reporting), the UN Sustainable Development Goals (broad, often paired with IRIS+), GRI and SASB (sustainability reporting), CSRD (the EU corporate sustainability reporting directive), and IFC Performance Standards (lender requirements). Framework choice happens at scoping, before instrument design — retrofitting a framework at report time is fragile and produces compliance-friendly but learning-thin reports.
AI impact assessment is two things, depending on context. First, the use of AI inside the impact assessment process — AI coding open-ended responses by theme at submission, AI assembling participant profiles, AI extracting evidence quotes for the report, AI crosswalking between frameworks like IRIS+ and CSRD. Second, the assessment of AI systems themselves — the impact an AI system has on the people, rights, and decisions it touches. Tools for the first are built into impact intelligence platforms. Tools for the second include algorithmic impact assessment frameworks (Treasury Board of Canada, OECD AI Principles, EU AI Act conformity).
The process varies by domain. Social impact assessment runs eight stages from screening through monitoring. Environmental impact assessment runs eight stages with a similar shape but different evidence sources. Organizational assessment cycles on a 12 to 24 month cadence with capacity rubrics. Sustainability assessment is continuous against a reporting framework like GRI or CSRD. The shared principles across all four — persistent IDs, mixed-method evidence, framework alignment, baseline-plus-follow-up, stakeholder validation, continuous over annual — are what make any of the four processes defensible.
Funders and foundations require impact assessments to make renewal and scale decisions. Boards require them for governance accountability. Regulators require them when an intervention crosses a permitting threshold — environmental assessment is most often legally mandated, social assessment less so but increasingly required by lenders like IFC and EBRD. Corporate sustainability assessment is mandated by CSRD in the EU and by SEC climate disclosure rules in the US. Communities use assessments to verify that interventions delivered what was promised. Most organizations need two or three of the four domains rather than all four.
A crisis impact assessment is a focused, rapid-turnaround version of impact assessment applied to an emergency or disruption — pandemic response, natural disaster, conflict displacement, supply-chain shock. Same architectural commitments as the four working domains: persistent identifiers for affected populations, mixed-method evidence, framework alignment. The compression is in cycle time — the assessment runs in weeks rather than months, with continuous monitoring as the situation evolves. Platforms for crisis impact assessment emphasize fast deployment, mobile-accessible data collection, and live dashboard updates.
A data protection impact assessment (DPIA) is required under GDPR Article 35 when an organization processes personal data in ways that pose a high risk to individuals — large-scale profiling, biometric data, public-area surveillance, or sensitive personal categories. The DPIA names the data flow, the risk to individuals, the safeguards, and the residual risk. It is a focused application of impact assessment principles to data processing. Privacy impact assessment tools include vendor-specific software, DPIA templates, and integrated GRC platforms.
Combined environmental and social impact assessments (ESIA) are required when a project affects both ecosystems and communities — common for infrastructure, mining, energy, and large-scale agriculture. IFC Performance Standards, World Bank Environmental and Social Framework, and the Equator Principles for project finance all require ESIA. Multi-domain assessment is appropriate when an organization runs across the full spectrum — a multi-program foundation might need social plus organizational, a corporate sustainability program might need environmental plus sustainability plus social. The architectural principles are shared, so the same primary data infrastructure can serve multiple domains if it is designed for shared identifiers and framework crosswalk from day one.
Book a walkthrough
A 60-minute working session with the Sopact team. Bring the domain (or two) you are about to assess and the framework you have to report against. Leave with a primary-data architecture plan, the indicator dictionary draft, and a preview of how the dashboard would render on real data.
