Risk Management for Nonprofits: 9 Smart Strategies
Thursday, November 12, 2020
For nonprofit organizations, a nonprofit risk management plan is essential, especially in a year like this one. Whether we’re talking about legal liabilities, financial unpredictability, accidents, natural disasters, or even errors in management, nonprofits and every other kind of business put themselves at risk by merely existing. While nonprofits may aim to be very careful, prepared, and strategic about managing these risks, the risks are often overlooked because nonprofit businesses tend to feel secure in their relationships and practices.
Unfortunately, natural disasters don’t care how much the work you’re doing helps your community, and a shift in the global economy spares nobody. Nonprofits are wise to strategize for potential risks. In the best circumstances, these plans aren’t necessary, but often, they’re your saving grace.
Types of risk common in nonprofits
The term ‘risk’ can encompass many different things, but by definition, it refers to the probability that something bad (damage, injury, liability, loss, etc.) might happen. Whether the cause is internal or external, risk is an issue for everyone.
It is important to remember that risk and uncertainty are two different things. An uncertainty can turn into a risk once a certain threshold is reached, but it doesn’t have to. There will always be times when it is difficult to predict the outcome of something, but whether or not it is a risk is up for debate.
The risks a nonprofit faces may be slightly different than risks other businesses face, although there will be overlap. Potential risks can vary significantly, but may include:
- Violations of cybersecurity. Although this can include many different things, violations may include data breaches that expose donor names, addresses, and credit card information, or even bank account information.
- Fraud by impersonation. While there are many types of fraud, nonprofits often fall victim to people hoping to profit off the community-minded work the nonprofit is accomplishing. By posing as a particular nonprofit using available logos, etc., scammers can raise money under the guise of charity, pocketing the cash themselves.
- Theft. Nonprofits tend to be composed of good, trusting individuals, which can make them especially vulnerable to theft. Employees in a tough spot, new recruits or volunteers with access to a lot of important information, and faulty systems that make it easy to steal can lead to situations in which someone close to the organization is taking money.
- Compliance. Although this one is a little less exciting, it is an important part of risk management. Nonprofits are subject to some rules and regulations that for-profit businesses are not, and making sure all rules are followed should be part of your risk management plan.
Of course, you can mitigate your risk by implementing some strategies to protect yourself. Often, they aren’t complicated or expensive, but they can save you a lot of heartache–and money–in the long run.
How to begin: identify and analyze potential risks
It can be difficult to plan for potential risks if you haven’t identified them. And, while knowing what could happen is useful, it is more beneficial to know what exactly your specific organization is susceptible to. You can begin to do this by performing a nonprofit risk assessment, which will be the first step in developing a comprehensive risk management plan.
Because the acquisition and management of data impacts all businesses, it makes a great starting point. Begin by looking at all the data that your nonprofit collects. Identify where and how it is stored, and think about reorganizing if necessary.
If you’re struggling to complete a potential risk assessment, you can hire a professional to help point out the places where you are weak and identify effective strategies to minimize these situations. Whether you hire someone to help or assemble your own internal risk management team, plan on spending some time (more than just a one-hour meeting) to assess risk and formulate a thorough nonprofit risk management plan.
Just as your nonprofit has a financial plan, you should have a risk management plan that guides your business and service.
What makes a good strategy?
Although a good nonprofit risk management strategy will look different based on your individual organization, good ones have a few things in common. They approach risk proactively instead of reactively. They identify risks and take actionable steps that help avoid them ever happening.
Whose job is it?
As you can imagine, risk management does not fall to just one person within your organization. In fact, it is the responsibility of management, staff, and even your nonprofit board. Day to day, risk management will be overseen by leadership within a nonprofit, but the board should be involved in identifying a risk management strategy. The board may serve as an oversight committee, or they, along with leadership, may appoint one.
This board or committee may:
- Identify and assess risk, prioritizing by likelihood and severity
- Oversee and evaluate risk mitigation
- Reduce risk by implementing plans
- Implement preventive risk measures
- Maintain administrative oversight to ensure organizational compliance
How to manage nonprofit risk
Once you’ve identified what risks you may be susceptible to, you can move into managing them. Risk management doesn’t just begin once a negative event has occurred–instead, it is a year-round process that seeks to prevent negative things from ever occurring. After you’ve performed a risk analysis, consider:
We can’t protect ourselves against everything all the time, so select the risks from your assessment that you would most like to avoid. Rank risks, taking into account the level of difficulty in preventing them, the resources required if you fall victim to them, and how important the result might be to your organization. Assigning them a number may be a helpful way to rank and categorize them. Online, there are several free templates available that help you prioritize risks based on a number of factors.
Define your comfort level
Some risk is inevitable, so it is important to determine what risks are worth taking for you and which are not. In some cases, the risk is worth the reward, so you may be fine with engaging in some riskier behavior.
Assign an owner
Put someone (preferably a separate person) in charge of your top five or so risks. While they won’t mitigate them on their own, they’ll serve as a point person and lead the effort to mitigate risk. When people feel ownership over something, they’re more apt to give it their all, which is especially helpful in managing nonprofit risk.
Put a plan in place to check in with your risk management team to evaluate how things are working. Be flexible if you determine that risk is still high. Either internally or externally, perform an audit with your risk owners to determine effectiveness. Make risk review an integral part of your operational planning, and check in often.
Consider your tools
Lucky for you, risk management is much easier now, given the number of great tools available for all types of organizations. Use technology to your advantage when it comes to risk management. There is software that helps with operational oversight, controls data management, or predicts budget outcomes. Find the right tools for your nonprofit, automating as much of the process as you can.
Diversify your team
Risk often arises when people are too busy to check in on each other, so make sure you’re adequately staffed. Ensure that each person has a job to do, but also that they’re asked to work together, which increases visibility. A great way to do this is to hire experts to help with the things you may not have time for. Finding a nonprofit accountant, risk auditor, or other professional can open up everyone’s time and help prevent nonprofit risk.
Set payment controls
The most important area for visibility within a nonprofit is regarding payment. Payment controls can be as simple as requiring two signatures or as involved as hiring a nonprofit accounting firm. They can include multiple departments writing a budget, approval thresholds, invoice reviews, reimbursement policies, etc.
Check in with legal
Your organization likely has some sort of legal review process or resource. As a nonprofit, you’re beholden to a lot of regulations. Violating some of them could result in losing your tax-exempt status, which means this is an area of significant risk. Make sure that all contracts are reviewed by your legal resource, and rely on a due diligence checklist for grants, investments, etc.
Beef up internal documentation
An easy win for risk management is to present new and existing employees with a thorough employee handbook that outlines expectations regarding appropriate behavior, all types of harassment, discrimination, etc. Put policies into place and make them available in writing, which protects leadership, staff, board members, and the organization at large.
The bottom line
Nonprofit risk management is an ongoing process. It takes time and oversight–and then the year flips and you’re beginning again. While this may seem tedious, it ultimately saves your organization time and money in the short and long term.
By focusing your efforts on nonprofit risk prevention, you avoid being one of the many nonprofits we all read and hear about in the news. Put the effort in now to build an organization that is safe, solid, and ready to serve!