Nonprofit Risk Management: 5 Frequently Asked Questions

Guest post by Jitasa

For nonprofit leaders, it’s crucial to understand what steps to take when unexpected negative situations arise, which is why risk management is a key part of successful strategic planning. While taking some risks is necessary for your organization to grow, even the risks you take on voluntarily can become harmful without careful management.

Especially when everything is going well for your nonprofit, it can be hard to know where to start with risk management. Fortunately, this guide will help you develop an actionable strategy for your organization by answering these frequently asked questions:

  • What is nonprofit risk management?

  • What effects can risky situations have on my nonprofit?

  • What are the most common types of nonprofit risk?

  • How do I conduct a risk assessment for my organization?

  • How can my nonprofit mitigate and prevent risks?

Keep in mind that the most effective risk management plans are proactive rather than reactive. Instead of waiting until a risky situation comes up, start while your nonprofit is in a good position, and include preventative measures in your plan as well as mitigation strategies. Let’s dive in with an overview of what risk management is in a nonprofit context.

What is nonprofit risk management?

Jitasa’s nonprofit risk management guide defines risk as “the probability that something bad might occur. This might be due to internal circumstances at the organization itself or external factors that pose a greater social risk.”

Based on that explanation, risk management is the process of identifying, assessing, and mitigating internal and external circumstances that could result in something negative happening to your nonprofit.

What effects can risky situations have on my nonprofit?

Not all risks will affect your nonprofit to the same degree or impact the same areas of your operations. However, risky situations that go unchecked can bring about a variety of negative outcomes, including:

  • Financial loss. Whether this takes the form of broken contracts, declining investments, or revenue shortfalls, unmanaged risks can have significant effects on your nonprofit’s budget.

  • Legal consequences. These can range from lawsuits against your organization to the loss of your 501(c)(3) status.

  • Reduced ability to fulfill your mission. Risks can inhibit your organization’s daily activities in many ways, from lowering fundraising efficiency to directly impacting the services you deliver.

  • Reputation damage. According to NXUnite, negative publicity and controversy surrounding your nonprofit can break supporters’ trust and cause them to stop contributing to your work.

Not only do these impacts highlight the general need for nonprofits to have risk management plans, but they also show how important it is for each organization to understand what types of risk are most likely to affect them so they can be prepared.

What are the most common types of nonprofit risk?

Just as every nonprofit is different, so are the risks that will have the greatest consequences for each organization. However, the most common nonprofit risks to be on the lookout for include:

  • Cybersecurity violations that can expose sensitive information about your organization, its staff, and its supporters.

  • Fraud, particularly financial fraud and fraud by impersonation (in which a scammer sets up a fake online donation page, collects “contributions” under your nonprofit’s name, and keeps the money for themselves).

  • Theft of money or technology, which is often (unfortunately) perpetrated by someone close to the organization.

  • Non-compliance with federal and state regulations, especially because nonprofits are subject to some rules that for-profit organizations aren’t.

Several of these risks—especially financial fraud and incidents of non-compliance—can happen either intentionally or unintentionally. Be aware of this as you identify potential risks for your nonprofit to ensure you don’t overlook issues that could occur by accident.

How do I conduct a risk assessment for my organization?

Risk assessments allow you to determine what risks could affect your nonprofit and how you should go about mitigating them. There are three basic steps to a risk assessment:

  1. Identify the various types of risky situations that could impact your organization.

  2. Evaluate how likely each risk is to occur and what its most probable consequences are.

  3. Prioritize all of your nonprofit’s risks based on both likelihood and impact.

You can either conduct your risk assessment internally using one of the many checklists available online or ask a third-party nonprofit risk management professional to provide an external perspective on your organization’s situation. Both options have advantages and drawbacks—consider your nonprofit’s timeline, budget, and bandwidth as you make your decision.

How can my nonprofit mitigate and prevent risks?

After you assess your nonprofit’s situation and come up with a prioritized list of risks, it’s time to develop your management plan. Start at the top of your list and brainstorm ways to alleviate each risk if it were to occur—or better yet, prevent it from becoming an issue in the first place.

Here are some common risk mitigation strategies your nonprofit might try:

  • Tightening data security measures. Consider implementing two-factor authentication on all of your organization’s essential accounts, encrypting your databases, and investing in a PCI-compliant payment processor to keep donors’ information safe. Additionally, practice good nonprofit data hygiene to ensure important information isn’t accidentally misplaced and left vulnerable.

  • Reviewing your fiscal policies. Make sure your organization has procedures in place for requesting, accepting, and tracking various types of gifts, reimbursing expenditures on behalf of your mission, and handling conflicts of interest. This protects against all sorts of fraud and compliance issues, in addition to being essential for sound day-to-day operational and financial management.

  • Establishing internal controls. In addition to your major fiscal policies, internal controls are procedures specifically designed to prevent risks. For example, many nonprofits require two signatures on checks over certain amounts to reduce the risk of financial fraud.

  • Improving communications. Make sure all of your organization’s essential information is properly recorded and reported, from donations made to project updates. Risks can arise when nonprofit leadership, staff members, and volunteers let communication fall by the wayside, so work to prioritize communication among your team.

Once you’ve decided which strategies to incorporate into your risk management plan, share the plan with your board of directors so they can sign off on it and provide oversight as you implement your ideas. Then, hold training sessions for staff members to establish a risk-prevention mindset at your nonprofit and ensure that everyone knows how to mitigate any risks that may arise as they go about their daily activities.

Nonprofit risk management is an ongoing process. After implementation, monitor how it’s going for six months to a year to ensure your strategies are working. Then, revisit your plan at least once a year to re-evaluate your risk management priorities and develop mitigation strategies for any new risks that have come up since your last review to ensure your organization remains protected long term.