Nonprofit Risk Management: Complete Guide + Tips for Success
Thursday, December 15, 2022
Nonprofit organizations often feel comfortable in their relationships and regular practices, meaning they sometimes overlook inherent risks associated with organizational operations. The increased reliance on technology over the last several years has helped nonprofits everywhere better recognize the value of developing nonprofit risk management policies.
When circumstances are good, risk management plans seem unnecessary. No nonprofit wants to use this plan. However, when there’s economic turbulence, natural disasters, mistakes, or even errors in management, your risk management policies can become your nonprofit’s saving grace.
Our experts at Jitasa have developed nine smart strategies that your organization can use to prepare for the worst, while always hoping for the best. Let’s dive deeper into risk management strategies for your nonprofit.
Common Types of Nonprofit Risk
Nonprofit risk refers to the probability that something bad (damage, injury, liability, loss, etc.) might occur. This might be due to internal circumstances at the organization itself or external factors that pose a greater social risk.
While commonly used interchangeably, nonprofit risk and uncertainty are two different ideas. Uncertainty can turn into risk once a certain threshold is reached, but it’s not necessarily the case. There will always be times when it is difficult to predict an outcome, but whether or not it is considered a risk is up for debate.
The risks nonprofits face may be slightly different than the risks other businesses face, although there will be some overlap between the two industries. Potential risks can vary significantly, but may include:
Violations of cybersecurity
Nowadays, we rely more heavily on online networks than ever before. Especially since the shift to more virtual interactions, we tend to use our computers (and smartphones) to give donations, attend events, and otherwise interact with nonprofits. Therefore, your nonprofit needs to ensure your cybersecurity policies are up to date and you don’t risk losing donor and organizational information due to online practices that leave your data vulnerable.
Violations of cybersecurity can include data breaches that expose donor names, addresses, credit card numbers, or even bank account information. If these breaches occur, your nonprofit may lose trust and credibility in the community which can lead to fewer donations and supporter engagement in the future.
Policies around cybersecurity risk for nonprofits should encompass protections for your CRM data, online donation payment processor, financial system, and your organization’s own bank account information. While banks have security features in place, it's important to double-check that you're taking advantage of them and using your own protocols to minimize risk wherever possible.
Fraud by impersonation
While there are many types of fraud, nonprofits often fall victim to people impersonating the organization. These impersonators hope to profit off the community-minded work and credibility of the nonprofit. While personal identification can be protected through the secrecy of social security numbers, there is often little protection around an organization’s employer identification number (EIN). Therefore, scammers can obtain that number and pose as your nonprofit.
By using your EIN, any available logos, taglines, and other brand materials (often available on your website), these scammers can raise money under the guise of charity while pocketing the cash themselves. If this happens, your nonprofit will need to report it to the Federal Trade Commission as soon as possible to avoid any negative repercussions.
Nonprofits tend to be composed of good, trusting individuals, which can make them especially vulnerable to theft. Employees in a tough spot, new recruits or volunteers with access to important resources, and faulty systems can lead to situations where someone close to the organization steals money or technology.
Make sure you know who has access to what materials at your nonprofit. Conduct background checks on your employees and immediately remove access to resources from employees who leave their jobs with your organization. This will help mitigate risk when it comes to theft.
Although this one is a little less exciting, it is an important part of risk management. To maintain their 501(c)(3) registration and tax-exempt status, nonprofits are subject to some specific rules and regulations that for-profit businesses are not. Making sure all rules are followed should be a key part of your risk management plan.
Of course, you mitigate your risk by implementing some strategies to protect yourself. Often, they aren’t complicated or expensive, but they can save you a lot of heartache–and money–in the long run.
Identifying Your Nonprofit’s Risk
It can be difficult to plan for potential risks if you haven’t identified them. And, while generally knowing what could happen is useful, it is more beneficial to know what exactly your specific organization is susceptible to. You can begin to do this by performing a nonprofit risk assessment, which will be the first step in developing a comprehensive nonprofit risk management plan.
Because the acquisition and management of data impacts all businesses, it provides a great starting point. Begin by looking at all the data that your nonprofit collects. Identify where and how it is stored, and consider reorganizing if necessary.
There are three potential ways you can complete a risk assessment for your own nonprofit organization:
- Self-evaluation: A self-evaluation allows your organization to review your organization piece by piece, asking yourselves, “What risks are associated with this?” Then, you can take appropriate action based on your findings.
- Using a checklist: There are risk assessment checklists available online, through auditing firms, and in books, that your nonprofit can follow to evaluate your organization’s risks. For example, this one is from Board Leadership Calgary.
- Recruiting a third party: If you’re struggling to create your own risk assessment, you can hire professional help to determine the places you are weak and identify effective strategies to minimize these situations. You might start with your nonprofit financial auditing firm as they may conduct these assessments themselves or refer you to another firm to do so.
Whether you hire someone to help or assemble your own internal risk management team, plan on spending some time (more than just a one-hour meeting) to assess risk and formulate a thorough nonprofit risk management plan. Just as your nonprofit has a financial plan, you should have a risk management plan that guides your operations and service.
All nonprofits are different. So if you’re still unsure about how to best proceed to analyze your nonprofit’s own risk, try discussing the options with your accounting firm. Nonprofit risk management and finances often go hand-in-hand, so your accountant experts and advisory team should be able to help you determine the best course of action for your nonprofit.
Ask the experts at Jitasa about risk management for your nonprofitContact Jitasa
What makes a good nonprofit risk management strategy?
Although a good nonprofit risk management strategy will look different based on your individual organization, good ones have a few things in common. First, they approach risk proactively instead of reactively. They identify potential risks and take actionable steps that help avoid them ever happening.
For example, an effective nonprofit risk management strategy might include items like:
- Definitions of each risk you identify. Define what the risk is, whether it’s internal or external, how much you can control it, and if it’s inherent to your organization or residual from addressing another issue.
- Protections from human biases. Human biases can occur easily, whether because we’re blinded by ambition while starting a new project or simply don’t take all of the possible outcomes into consideration. The best way to avoid this is to ensure your risk management policy has built-in requirements for open communication between staff, stakeholders, and other parties.
- Different categories of risk. Each risk you identify should also include the category under which the risk falls. For example, you might have categories like cybersecurity, data governance, third-party risk, financial, programmatic, or operational risks.
- Assurances that financial responsibilities are segregated. Simple measures like asking two people to sign for large purchases ensure that your organization’s financial eggs aren’t all in one basket.
The majority of risk management plans also include emergency plans in case there is a data breach, theft, or other emergencies. It outlines the actions the organization takes in the event of these emergencies and who is responsible for each of those actions.
Of course, this is just a sample of what may be included in your risk management plan. The top priority is to make sure your plan takes a detailed, proactive approach to reduce risk at your organization. Emergency measures are a last resort in these plans. Then, make sure all employees are aware of these procedures and follow them regularly.
Whose job is it to manage nonprofit risk?
As you can imagine, risk management does not fall to just one person within your organization. In reality, it is the responsibility of your management team, staff members, and even your nonprofit board.
The people most involved with your nonprofit risk management strategy will be your board of directors. The board may serve as an oversight committee themselves, or they, along with leadership, may appoint a committee to manage risk at the organization. The following tasks may fall under the responsibility of the board or committee:
- Identifying and assessing risk, prioritizing by likelihood and severity
- Overseeing and evaluating current risk mitigation
- Reducing risk by implementing management plans
- Implementing preventive risk measures to protect the nonprofit in the future
- Maintaining administrative oversight to ensure organizational compliance
Not all risk management tasks will fall to your board or committee members. The day-to-day responsibilities associated with your nonprofit’s risk management plan will be overseen by leadership within your organization. For example, your leadership will be in charge of ensuring that all staff members use secure passwords and update them regularly.
Because nonprofit risk management falls on so many parties, it’s essential that everyone communicates about this issue openly and frequently. For example, let’s say your nonprofit is outsourcing a new accountant. Your leadership will be in charge of issuing an RFP, part of which collects information to ensure the accounting firm’s financial, privacy, and security practices are within your organization’s risk appetite. Then, the board will use this information to approve or deny hiring that particular firm. Open communication and sharing of resources between departments are essential to choosing the right accounting firm.
Nonprofit Risk Management Checklist
Once you’ve identified what risks you may be susceptible to, you can start managing them. Nonprofit risk management doesn’t just begin once a negative event has occurred—instead, it’s a year-round process that seeks to prevent negative things from ever occurring.
The first step in any good risk management plan is performing a risk assessment, which we covered earlier. Then, you’ll follow these steps to round out your strategy.
Prioritize risk at your nonprofit
We can’t protect ourselves against every possible risk at all times, so select the risks from your assessment that you would most like to avoid and are most likely to befall your nonprofit. Start by ranking the risks you identified in your organization’s risk assessment.
Prioritizing your risks will help your nonprofit focus your attention and energy on the most important and most likely risks.
For example, a nonprofit with a shrinking reserve ratio might flag their emergency fund as a significant risk for the organization. Meanwhile, if they’ve already taken action to ensure all staff members follow specific guidelines for password security, that might fall lower on the list.
Once you’ve ranked your risks, consider if there are any current policies or procedures that can help prevent them. List out any resources that your organization will need if you were to fall victim to the risks you’ve outlined.
Define your comfort level
Some risk is inevitable, so it is important to determine what risks are worth taking and which are not. In some cases, the risk is worth the reward, so you may be fine with engaging in some riskier behavior.
For example, nonprofits with additional funds in their reserve fund might find it valuable to invest those funds in a brokerage account with the hope that they grow over time, further bolstering the organization’s savings.
Meanwhile, if you’re evaluating third-party vendors with different security policies, you may find that the more secure vendor is worth a few extra dollars. You might decide the risk of losing credibility in the community due to a data breach would be massively detrimental to your nonprofit.
Assign an owner for tasks
Put someone in charge of your top five or so risks, and consider putting different people in charge of each one to spread out the responsibility across your organization. While these individuals won’t mitigate their assigned task on their own, they’ll serve as the point persons and lead the effort to mitigate risk. When people feel they have ownership over something, they’re more likely to give it their all, which is especially helpful in managing nonprofit risk.
Make risk review an integral part of your operational planning, and check-in regularly.
Your nonprofit should build in regular review periods to oversee the progress made to each of the risks and evaluate how things are working. Conduct an audit either internally or externally with your risk owners to determine the effectiveness of your risk management strategy.
In this audit, you should review the actions taken by risk owners, the level of importance and threat still associated with each identified risk, and whether any new risks have emerged that should be accounted for in your strategy.
Consider your tools
Luckily, risk management is easier given the number of tools available for all types of organizations. Use technology to your advantage when it comes to risk management.
There are a number of different tools that you can use to help manage and mitigate risk at your nonprofit. This software will help you with:
- Operational oversight
- Data management
- Budget outcome prediction
You can also invest in consultants who can help you get your initial risk assessment and management policies off the ground. Consider what combination of software solutions, consultants, and DIY risk management practices will be most impactful for your nonprofit.
Diversify your team
Nonprofit risk often arises when people are too busy to check in with each other, so make sure your organization is adequately staffed. Ensure that each person has a job to do, but also that they’re asked to work together, which increases visibility across your team.
A great way to do this is to hire experts to help with tasks you may not have time for. Finding a nonprofit accountant, risk auditor, or another professional can open up everyone’s time and help prevent nonprofit risk. Be sure to evaluate the professional you’ll outsource for these positions to be sure they also have risk protections in place like PCI compliance and data protection policies.
Set payment controls
While all nonprofits are different, one of the common areas necessary for visibility and security is payment. Payment controls help ensure your organization’s payments are secure and prevent fraud. Some payment controls may include:
- Requiring two signatures on payments over a certain amount
- Including several departments in writing and reviewing the budget
- Requiring approval for purchases over certain thresholds
- Reviewing invoices before they’re paid
- Standardizing reimbursement policies
- Ensuring sound compensation policies
While it may add extra steps to the purchasing process, additional controls on payments for your nonprofit will not only protect your organization, but also those who work there. If only one signature is required to make a large payment, but a human error occurs, that one person becomes suspect of fraud—even if it was truly an accident. By requiring two signatures, you’re less likely to encounter that mistake.
Check-in with legal
Your organization likely has a legal review process for certain decisions and compliance concerns. After all, as a nonprofit, you’re beholden to many regulations. Violating these regulations could result in losing your tax-exempt status or other negative consequences.
Check-in with legal to make sure that all contracts are reviewed, and rely on a detailed due diligence checklist for grants, investments, and more. This will ensure you don’t run into compliance issues on the legal side of nonprofit management.
Beef up internal documentation
An easy win for risk management is to present new and existing employees with a thorough employee handbook that outlines expectations regarding appropriate behavior and standard procedures. This document may include all sorts of information, but especially focus on the policies surrounding harassment, discrimination, nepotism, work overtime policy, and conflicts of interest.
Roll out concrete and detailed policies at your organization, then make them available to all of your staff members in writing. This concrete communication protects leadership, staff, board members, and the organization at large.
The Bottom Line
Nonprofit risk management is an ongoing process, requiring time and oversight every year. You’d likely rather focus on your organization’s programs and exciting new initiatives over risk management policies and procedures. However, while it may seem tedious, having an effective nonprofit risk management strategy in place will ultimately save your organization time and money in both the short and long term.
By focusing your efforts on preventing risk at your nonprofit, you can avoid ending up in the news for nefarious reasons. Put the effort in now to build a risk management plan for your nonprofit so your organization can remain safe, solid, and ready to serve!
If you’re interested in learning more about nonprofit financial risk and organizational best practices, explore the following resources:
- Nonprofit Financial Management | Best Practices to Know. Learn more about keeping your finances organized and safe with the top nonprofit financial management best practices.
- In-Kind Donations | Everything Your Nonprofit Should Know. Ensure you comply with the regulations and requirements that accompany in-kind donations to your nonprofit.
- 4 Types of Donor Analytics and What to Do With Them. Nonprofit risk management is often used to keep both your organization and your donors safe. Learn more about your donors and how to manage their data with this guide to donor analytics.