A Guide for Nonprofit Risk Management

The term “nonprofit” means that companies reinvest their profits into the organization instead of paying them out to individual people (for instance, no quarterly bonuses to the board of directors) In exchange for serving a public benefit–whether it’s job-training services, raising awareness about an issue, a religious organization, or any of the 27 different types of nonprofits recognized by the IRS – nonprofits don’t have to pay federal income tax on the money they make from activities associated with their mission.

Otherwise, the organization would be classified as a corporation – and they’d have to pay big bucks to Uncle Sam. This allows nonprofits the freedom to do good work (or, at least work that they consider to be good – of course, whether every nonprofit is serving the public interest is a debate for another day).

But let’s be clear: to avoid paying hefty federal corporate taxes, nonprofits must be incredibly scrupulous in the execution of their efforts, including their accounting, compliance, reporting, and the stewardship of the money they bring in from private donations, fundraisers, grants, and individual gifts. With so many moving parts – a board of directors, a squadron of volunteers, lobbyists, employees, vendors, and an executive leadership team that must be well-compensated lest they jump ship to more lucrative corporate roles – nonprofit risk management is complex, sometimes messy, and absolutely mission-critical. It’s also essential for procuring appropriate nonprofit insurance, that’ll not only protect you from losses, it’ll strengthen donors’ trust in your organization.

Why is a risk management plan important for nonprofits?

For any company, a risk management plan is essential to identify, assess, and control its full range of potential vulnerabilities – including the domino effect it could have if just one thing goes wrong. But nonprofits have some additional burdens that regular corporations don’t have to contend with. Perhaps the biggest risk of all for nonprofits is that because they rely heavily on fundraising, their viability is inextricably linked to the economy in ways traditional corporations are not.

During periods of economic uncertainty, say, a global pandemic or rising inflation, income doesn’t flow from donors’ pocketbooks quite as liberally as it does during normal economic times. That makes nonprofits uniquely sensitive to their entire ledger of risks. In these circumstances, a nonprofit looking for areas to minimize costs might be tempted to cut corners around abstract “what-if” scenarios instead of reinforcing those areas of vulnerability. The challenge with nonprofit risk management is juggling these fluctuations while maintaining the balance sheet. Here are a few more reasons why a risk management plan is important for nonprofits:

• Agreement on objectives. The leadership team must have a shared understanding of the hazards and opportunities they face so they can decide what goals to pursue and how to achieve them.  
• Creating a roadmap. Balancing the risks and rewards allows a nonprofit to develop their strategic agenda.
• Viability. Donors need to see that the organization has a solid plan to use their money wisely in pursuit of its mission.

What are the specific risks nonprofits face?

In addition to fluctuations in funding, nonprofits face specific risks that for-profit corporations don’t. Chief among these are stringent state and local rules related to taxes, payroll, and other 501(c)(3) restrictions that they have to comply with or risk losing their tax exempt status. Along with these are also detailed record-keeping, other taxes, filing Form 990 during tax season, and regular financial audits.

Another big risk that hits nonprofits hard is reputational harm, partly because it diminishes the “halo effect” they otherwise enjoy. And nobody likes to look bad when they’re trying to do good. Any missteps made in the execution of the nonprofit’s mission also reflect poorly on the organization itself which may negatively impact contributions. And if that money dries up, you’re done. Here are a few more specific risks nonprofits face:

Compliance. In order to maintain their tax exempt status, nonprofits have to present detailed audits of their financial activities to prove that they’re using their money for a charitable purpose.

Cybersecurity. Nonprofits collect large amounts of sensitive data from their donors and supporters. Any breaches of private data could be disastrous for a nonprofit.

Fraud and misappropriation. Nonprofits are particularly vulnerable to fraud for various reasons. A few common fraud schemes include billing schemes (where a dishonest employee sets up a fake account that bills for bogus services and uses the money), using your organization’s name to collect donations, and kickbacks.

Theft. The large amount of cash and check donations nonprofits receive and the inadequate screening and/or low pay of the people handling that money presents a big risk for nonprofits.

What are the steps to manage risks for nonprofits?

Identify the risks. Take an inventory of every aspect of the organization and don’t let any department escape your scrutiny: accounting and finance, IT, donor relations, engineering, human resources, public relationship, vendors, volunteers. Find out what they’re doing, what procedures and software they use, how they’re documenting their work. Scrutinize the kind of data that your organization collects, where it’s stored, and ask yourself if it is as safe and protected as possible.

Analyze risks. In the risk analysis stage, you are determining the qualitative and quantitative impact a negative event would have on each aspect of the organization. Explain what the impact would be on costs, schedules, projects, long-term campaigns, etc.

Evaluate and rank risks. What is your organization’s risk exposure to negative events and their impact? In other words, how likely is it that something bad will happen and if it does happen, what will it take to recover? Create an impact-probability matrix to plot out this step visually and then classify the risks from most to least likely.

Counteract the risk. This is where you lay out a response plan to eliminate the risk, lower the chances of it happening, and mitigate the impact. You may not be able to counteract every risk with a solid action plan. It’s OK to create a plan to strategically minimize certain risks over time.

Resources for nonprofit risk management

For nonprofits that need extra guidance in risk management, several organizations provide assistance. These groups help nonprofits with a range of services including cybersecurity training, consulting, and more.

• National Council of Nonprofits. This organizations offers a program called Cybersecurity for Nonprofits to help organizations understand and manage their data security risks.
• Nonprofit Risk Management Center. The NRMC offers a wealth of resources for nonprofit risk management including a membership program with special access to publications, events, and consulting.
• Nonprofit Technology Network. NTEN provides technology support – a major issue for nonprofits – such as professional development, a tech readiness program, and conferences.
• Stanford Social Innovation Review. The SSRI offers a comprehensive library of risk management resources for nonprofits.

Nonprofit risk management strategy

To benefit from the Federal government’s tax exemption, nonprofits must be diligent in their compliance with rules and regulations. In addition, nonprofits must be exceedingly careful with their finances, since much of their income comes from personal or corporate giving. All this while also trying to do something positive for the world. Performing a risk management audit may seem secondary to a nonprofit’s mission, but sometimes doing good means doing better.