

Understanding Nonprofit Risk Management: 3 Things to Know

By: Ron Barrett, COGENCY GLOBAL on Thu, Mar 07, 2024

What this is: An introduction to nonprofit risk management, including the types of risks nonprofits commonly face, how to conduct a nonprofit risk assessment and effective risk mitigation strategies. 

What this means: Nonprofit risk management is the process of identifying, prioritizing and mitigating risks at your organization. It’s important for ensuring smooth operations, maintaining compliance and protecting your nonprofit’s reputation.  


Operating a nonprofit comes with an inherent level of uncertainty. Furthering your mission requires launching a wide range of programs, projects and growth initiatives, some of which will succeed while others won’t. Plus, you rely on fundraising dollars to accomplish these initiatives, but the goals you set are essentially educated guesses of how much your supporters will contribute. 

However, there is a difference between dealing with these basic uncertainties and managing true risks. According to Jitasa, “Nonprofit risk refers to the probability that something bad (damage, injury, liability, loss, etc.) might occur.” Once an uncertain situation gets to the point where these major negative impacts can affect your organization, it’s considered a risk. 

To help you prevent risky situations from causing problems at your nonprofit, this guide will walk through the basics of risk management, including how to identify, assess and mitigate risks.

1. Identifying Common Types of Nonprofit Risk

The first step in managing your nonprofit’s risk is to know what types of risks are likely to affect your organization. While every nonprofit is unique and will have different inherent risks associated with its operations, the most common types include: 

  • Cybersecurity violations. Your nonprofit likely collects and stores a lot of data about its donors, fundraising campaigns and performance metrics. If this data is left vulnerable due to gaps in security practices, breaches can occur that expose sensitive information about your organization and its supporters. 

  • Fraud. Although there are many types of fraud, the 2 that most often affect nonprofits are financial fraud (both intentional and unintentional) and fraud by impersonation. The latter occurs when a scammer sets up a fake donation page using your organization’s branding and employer identification number (EIN) to collect donations under the guise of charity while pocketing the money for themselves. 

  • Theft. Nonprofit staff tend to be good-natured and trusting, which makes organizations like yours particularly vulnerable to theft from the inside. If internal systems are weak, or individuals gain access to resources they shouldn’t because they were never properly screened, money or technology can be stolen. 

  • Noncompliance. As a tax-exempt organization, your nonprofit is subject to a variety of rules and regulations that for-profit organizations aren’t. Failing to file required reports on time or ensure valid charitable solicitation registration risks losing that tax-exempt status, or at the very least, incurring penalties. 

All of these risks can lead to varied legal and financial consequences for your nonprofit. However, don’t discount the potential impact of reputation damage on your organization’s ability to attract and retain community support.

2. Conducting a Nonprofit Risk Assessment

Risk assessments allow you to tailor your risk management strategy to your organization’s specific needs, creating a stronger plan. They help you determine: 

  • What kinds of risks are most likely to affect your nonprofit. 

  • What the probable consequences would be if each negative outcome were to occur. 

  • Which risks should be prioritized based on their likelihood and impact. 

There are 2 main ways to conduct risk assessments. You could complete a self-evaluation using one of the many nonprofit risk assessment checklists available online. This is the more cost-effective route and allows you to dive deep into your organization's operational structure.  

Or, you could hire an external risk management professional to provide an objective third-party perspective on your organization’s risk. If you’ve worked with an independent financial auditor in the past, they may be able to recommend someone to conduct your risk assessment.

3. Implementing Nonprofit Risk Mitigation Strategies

When your risk assessment is complete, you should have a list of all of your nonprofit’s risks prioritized based on their likelihood and potential impacts. Assemble the staff and board members who you’ve decided will be in charge of risk management and, starting with your highest priority risks and moving down the list, brainstorm mitigation strategies for each one.   

While there are a variety of strategies you could include in your risk management plan, we’ll help you get started by walking through 3 of the most effective. 


Update Internal Policies and Procedures 

Ensuring your organization’s internal guidelines are sound (especially those related to the handling of funding) can help mitigate a variety of risks. Review your nonprofit financial management handbook and implement or update policies regarding: 

  • Gift acceptance to make sure you don’t accept donations that are fraudulent or could otherwise harm your organization. 

  • Conflicts of interest to prevent your leaders’ personal or business interests from influencing the fiscal decisions they make on behalf of your nonprofit. 

  • Expense reimbursement to confirm that all reimbursements of funds used on your nonprofit’s behalf are legitimate. 

Additionally, consider implementing new internal controls, which are procedures specifically designed to prevent risks in your organization’s operations. For example, many nonprofits require 2 signatures on checks over a certain amount. This way, your team is more likely to catch mistakes that could lead to accidental fraud before they happen. 

Secure Your Nonprofit’s Data 

The best way to mitigate the risk of data breaches is to take active precautions regarding cybersecurity. Here are some security measures to consider: 

  • Choose software platforms that are known for their security. For example, make sure your payment processing solution is PCI compliant or certified so that it will protect donors’ credit card and bank information.

  • Enable encryption measures. Many donor databases can be encrypted so that sensitive information is unreadable to unauthorized users.

  • Limit user permissions to those who need access to data to do their jobs. For the staff members who utilize data regularly, confirm that they’re using strong passwords and have 2-factor authentication enabled. 

Additionally, NPOInfo recommends implementing a standardized data input process and training your nonprofit’s staff on data security best practices to help maintain a protected and clean database. 

Work With External Professionals 

Gaining an outside perspective on your nonprofit’s risk is useful not only in the assessment phase but also in the mitigation phase. Consider partnering with external professionals to develop various aspects of your risk management plan, such as: 

  • Information technology consultants who can review your data security measures and help train your staff on implementation. 

  • Nonprofit compliance experts who can ensure your organization follows key regulations, properly registers to solicit and files all necessary reports by their due dates. 

  • Outsourced accountants who can assist in strengthening policies and procedures as well as compiling the financial data you need for effective reporting. 

Working with external professionals also takes some stress off your team, giving everyone time to focus more deeply on fewer tasks and regularly check in with each other about their progress. 

As you compile your risk mitigation strategies into a comprehensive management plan, remember that risk management is most effective when it is proactive. Even if everything seems to be going well for your nonprofit, identifying and assessing possible risks now can help prevent negative situations from happening and make it easier to resolve them if they do occur. 


Why is it important that a fundraising platform provides insight into my nonprofit's donations year-round? 

Let’s say your nonprofit hosts an auction fundraiser. Some supporters will donate items to be auctioned off, while others attend the auction and place monetary bids on the items. Cash and in-kind donations are just 2 types of contributions your nonprofit may receive and they must be categorized differently when reported to the IRS. Your fundraising software can categorize each contribution so that you know exactly where each dollar came from.  Read our article, How Fundraising Platforms Can Manage Nonprofit Compliance, for more information. 

Are the Charleston Principles still relevant today with regard to providing guidance on online fundraising? 

The Charleston Principles, when they were released in 2001, did provide some regulatory guidance for online fundraising, but those guidelines are now decades old, and there has since been an explosion of online fundraising methods that were not imagined when they were released. State charity officials have frequently called for a retooling of the Charleston Principles to provide more guidance to charities fundraising online in a legal and regulatory desert. Enter the State of California as a new sheriff in town, armed with the passage of Assembly Bill 488 and recently finalized regulations. To read more on this topic, visit our article, A New Sheriff in Town: California’s New Platform Fundraising Requirements.

This article is provided for informational purposes only and should not be considered, or relied upon, as legal advice. 
