Risk Management Basics: How to Protect Your Nonprofit
- Nonprofit Learning Lab
- Nov 3
- 6 min read
This is a guest blog.
From relationships you’ve spent years developing to programs built on extensive experience, your nonprofit has accumulated resources and established itself as a force for good. As such, it’s essential to implement practices to protect what you’ve built.
Risks come in many forms, and as your nonprofit grows, you’ll inevitably encounter several of them. Whether you have concerns about your nonprofit’s budget and finances, cybersecurity, or PR strategy, this guide will help you understand risk management and how to mitigate crisis scenarios.
Types of Nonprofit Risk
Nonprofits can experience a wide range of risks, and identifying the types of threats your organization is likely to face will help you prepare for them. Let’s walk through four of the most common types of risk to be on the lookout for.
Financial risks
This category encompasses various threats to your nonprofit’s financial health and stability. Financial risks can have a range of causes, such as:
Budget mismanagement. Sometimes risks come from internal issues. If your nonprofit misallocates funds, makes poor investments, or can’t align its books and bank statements, your organization is at financial risk.
Unexpected funding shortfalls. If your nonprofit’s funding falls short, you may not have enough money to continue operating. This may be due to internal issues, such as a fundraiser that isn’t well planned, or external factors, like government funding suddenly being withdrawn.
Fraud. Nonprofits are common targets for scammers due to a presumption that they’ll trust anyone claiming to share their mission. CharityEngine’s nonprofit fraud guide highlights a few common warning signs of fraud, including invoices from vendors you don’t recognize, many small donations hitting your payment processor at the same time, high activity at an unusual time of day, and messages from email addresses that seem strange.
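Two of the warning signs listed above (many small donations hitting the processor at the same time, and high activity at an unusual hour) can be checked mechanically against a payment-processor export. The following Python is an added example, not code from this post or from CharityEngine; the records are constructed, and the thresholds and "normal hours" are assumptions to tune to your own giving pattern.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of payment-processor records: (ISO timestamp, amount in USD).
# Three ordinary daytime gifts, then five tiny gifts within 40 seconds at 3 a.m.
SAMPLE_DONATIONS = [
    ("2024-03-12T10:22:40", 40.00),
    ("2024-03-12T14:05:10", 250.00),
    ("2024-03-12T19:30:00", 20.00),
    ("2024-03-12T03:14:02", 1.00),
    ("2024-03-12T03:14:05", 1.00),
    ("2024-03-12T03:14:09", 2.00),
    ("2024-03-12T03:14:31", 1.00),
    ("2024-03-12T03:14:40", 2.00),
]

# Assumed thresholds; tune them to your organization's normal giving pattern.
SMALL_AMOUNT = 5.00          # at or below this counts as a "small" donation
BURST_WINDOW_SECONDS = 60    # small donations this close together form a burst
BURST_MIN_COUNT = 5          # bursts of at least this size are reported
NORMAL_HOURS = range(7, 22)  # local hours when donation activity is expected
OFF_HOURS_MIN_COUNT = 3      # off-hour transaction count worth a manual review

def _parsed(records):
    return [(datetime.fromisoformat(ts), amount) for ts, amount in records]

def find_small_donation_bursts(records, max_amount=SMALL_AMOUNT,
                               window_seconds=BURST_WINDOW_SECONDS,
                               min_count=BURST_MIN_COUNT):
    """Return (window_start, count) for each run of small donations that fits
    inside one window; a burst is reported once, not once per member."""
    times = sorted(ts for ts, amount in _parsed(records) if amount <= max_amount)
    bursts, i = [], 0
    while i < len(times):
        j = i  # extend j while times[i..j] still fit inside the window
        while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
            j += 1
        if j - i + 1 >= min_count:
            bursts.append((times[i].isoformat(), j - i + 1))
            i = j + 1  # skip past the reported burst
        else:
            i += 1
    return bursts

def off_hours_activity(records, normal_hours=NORMAL_HOURS, min_count=OFF_HOURS_MIN_COUNT):
    """Return {hour: count} for hours outside normal_hours with at least min_count transactions."""
    per_hour = Counter(ts.hour for ts, _ in _parsed(records))
    return {h: n for h, n in sorted(per_hour.items()) if h not in normal_hours and n >= min_count}
```

Run both checks over each day's export and route any hit to whoever reconciles the processor against the books; a burst of near-zero gifts is worth confirming with the processor before the cards are charged at full value elsewhere.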
While some financial risks are unavoidable, your biggest defense against these threats is improved internal practices. This can range from working with an accountant with nonprofit expertise to diversifying your income streams to having your employees undergo fraud training.
Operational risks
Anything that threatens your ability to further your nonprofit’s mission is considered an operational risk. Internally, operational risks might include staff turnover and technology breakdowns. For example, if a hospital’s online intake process suddenly goes down, that would jeopardize its ability to serve patients.
Externally, you might experience operational disruptions due to partners failing to complete their assigned tasks. For instance, if a hospital misses a shipment of personal protective equipment, it would struggle to care for patients.
Assess potential operational risks by understanding your organization’s limits, providing employees with the support they need, and having contingency plans for emergency situations, such as how to operate offline in the event of a technology breakdown.
Governance and compliance risks
All nonprofits must comply with various laws and regulations to maintain their tax-exempt status. Additionally, nonprofits in certain fields, such as the healthcare sector, must maintain compliance with industry-specific requirements to ensure they are operating ethically.
Primarily, compliance risks will take the form of not properly completing state and federal forms. For example, Jitasa’s guide to Form 990 filing (which all nonprofits have to complete annually) explains that submitting this form late can result in a $20 per day fine for nonprofits with annual gross receipts of less than $1,208,500 and $120 per day for nonprofits with greater annual gross receipts. If a nonprofit fails to file a Form 990 for three consecutive years, it can lose its 501(c)(3) status.
Additionally, when establishing your nonprofit, you will set up internal bylaws. Bylaws are a binding legal document that dictates how your nonprofit should be run structurally and ethically. Violations can have consequences for the individuals who violate them and your nonprofit as a whole.
Bylaws are meant to keep your nonprofit running smoothly, meaning that breaking them can disrupt your organization. Additionally, if there is a legal dispute at your nonprofit, your bylaws can be reviewed in court. For example, a board member may feel they were unfairly dismissed and issue a legal challenge based on the procedure for removing a board member laid out in your bylaws.
Reputational risks
Positive public relations are essential for building trust with donors, program participants, sponsors, and anyone else your nonprofit interacts with.
Negative PR can happen for a range of reasons, such as a scandal involving a person or organization your nonprofit is associated with, or criticism of your nonprofit’s programs and operations. Ensure you have a media relations plan, have staff who make public statements complete basic media training, and research individuals your nonprofit plans to partner with.
How to Manage Risk
While types of risk vary, nonprofits can generally mitigate the most damaging risks by following these practices:
Implement internal controls.
Implementing stronger guidelines with proper oversight and enforcement mechanisms is typically the best way to resolve problems related to internal disorganization. For example, to prevent financial risks, your nonprofit should consider:
Training team members. While firewalls and encryption tools are valuable, a team trained to spot fraud is your best defense against security breaches, as an estimated 98% of cyberattacks involve social engineering. Invest in fraud training to help your team identify, report, and stop potential scammers from stealing your nonprofit’s data.
Requiring multiple sign-offs. For major decisions and procedures, multiple individuals at your nonprofit should review relevant contracts, transactions, and other documents. This creates a system of accountability, gets more eyes on important decisions, and prevents individuals from committing fraudulent actions (whether they’re intentional or accidental).
Strengthening board oversight. Overseeing your nonprofit’s finances and operations is one of your board’s key responsibilities. Ensure your board takes these responsibilities seriously and has the necessary resources to properly fulfill this role, such as bank statements and financial reports.
Internal controls shouldn’t feel like constraints, but rather structural tools that keep your nonprofit productive, ethical, and secure. For example, you might encourage learning about fraud by creating sporadic tests and rewarding employees who pass them.
When implementing these policies, ensure your team understands why they’re necessary and be open to feedback about how they impact day-to-day operations.
Maintain budgetary compliance.
One challenge unique to nonprofits is navigating funding restrictions, which major donors, grantmakers, and corporate sponsors often place on their contributions to ensure they are spent on specific initiatives. Failure to properly allocate restricted funding can result in financial and reputational risks.
When your organization receives these funds, make careful records of any restrictions in your accounting system. Record these funds separately from unrestricted funding to ensure no revenue is accidentally misused. Then, when planning your budget, allocate restricted funding to its designated projects before filling in the gaps with unrestricted revenue.
If you don’t use all of your restricted funds, check in with the donor or funder about the proper use of the remaining funding. They may ask for it back, request it be put toward another specific initiative, or release it from restriction so you can spend it however you choose. Continuing to honor these wishes will keep your nonprofit out of legal trouble and strengthen its most important relationships.
Create a risk management plan.
While no nonprofit likes to think disaster will strike, having a structured process in place for mitigating crises can help you minimize damages and recover quickly. For most nonprofits, a standard risk management strategy consists of these steps:
Identification. Consider all possible risks your nonprofit is likely to face and create standardized plans for handling them.
Assessment. Determine each risk’s likelihood of occurring and potential impact. Give each risk a numerical rating on both scales, such as a 1 for minor and unlikely risks and a 5 for catastrophic or highly likely risks.
Mitigation. Create detailed plans for the risks that are the most likely to occur and would have the greatest possible impact.
Your nonprofit may still encounter unpredictable scenarios, but having contingency plans ready to go will help you navigate the most likely scenarios or brainstorm solutions for similar problems.
As your nonprofit grows, it will encounter new challenges and risks. With the right plans and training, your organization can avoid many damaging risks and make the best of situations outside of your control. To improve your risk management processes, take inventory of the risks your nonprofit is most likely to encounter and start brainstorming plans and internal processes that can mitigate their severity.