How to Incorporate Risk Management Into Nonprofit Operations
Mitigating risks is a natural part of running an organization, so having procedures in place to get your nonprofit back on track is crucial.
However, a strictly reactive approach doesn’t capture the entire picture or best prepare your organization for the future. The most effective nonprofit risk management strategies are proactive. Weaving preventative measures into the fabric of your everyday activities, alongside mitigation procedures, protects your nonprofit from risks occurring in the first place and limits the severity of negative consequences if they do.
Let’s explore four organizational tactics for limiting your nonprofit’s exposure to risk.
1. Review Your Organization’s Financial Policies
Financial policies are the cornerstone of a preventative risk management strategy. Not only do they facilitate efficient financial management that makes the most of your nonprofit’s resources, but they are also instrumental in protecting against three of the most common nonprofit risks: fraud, theft, and failure to comply with federal and state regulations.
The following policies set up good foundational organizational practices:
- Gift Acceptance: This policy outlines the types of gifts (both monetary and in-kind) that your nonprofit can and can’t accept, as well as the procedure for recording each donation in your accounting system.
- Expense Reimbursement: When staff members or volunteers spend their own money on behalf of your cause and request reimbursement, this policy ensures that all funds paid back were actually used for activities related to your organization.
- Executive Compensation: Jitasa’s guide to nonprofit compensation policies explains that this guideline “should have provisions and processes outlined to ensure your executive director’s compensation is reasonable but not excessive” to comply with 501(c)(3) requirements.
- Conflict of Interest: This policy protects your organization’s leaders and board members from making decisions in which outside financial interests impact their duty to act in your nonprofit’s best interest.
Store these policies together in a single document, folder, or handbook, so staff and board members can easily find and reference them.
In addition to these major policies, it’s also a good idea to review your internal controls, which include additional procedures designed to prevent risks. For instance, many nonprofits require two signatures on large checks to help catch mistakes before payments are processed and prevent any single individual from carrying full responsibility if an error falls through the cracks.
2. Implement Data Security Measures
Along with fraud, theft, and non-compliance, cybersecurity violations are also a frequent area of concern for nonprofits. However, this category requires a separate, specific operational adjustment: strengthening your organization’s data security measures.
Just because using online fundraising platforms and digital donor management tools is the norm for nonprofits doesn’t mean data breaches are impossible. The exposure of sensitive donor credit card and bank account information can erode your nonprofit’s credibility, and your organization’s own private details may also be exposed.
Prioritize tools that have security features built in, and take these actions to protect your nonprofit’s data:
- Enable multi-factor authentication for all account logins.
- Encrypt databases and emails that contain sensitive information.
- Update software regularly so you’re always taking advantage of providers’ latest system security patches.
- Limit user permissions on certain data to individuals who need access for their roles.
- Conduct regular data security training (e.g., phishing simulations) for staff members, as well as volunteers if needed.
In today’s world, no cybersecurity strategy is complete without addressing AI. While the responsible use of AI can transform your operations, these tools can raise questions of data privacy and security. To combat common issues that arise, BWF recommends anonymizing any data (i.e., removing personally identifiable information) that you input into an AI tool and using encryption and other security measures.
3. Outsource Certain Operational Functions
Over-burdened staff members might not seem like a risk—just par for the course in your busy nonprofit. However, when there is too much to do, something will inevitably get dropped. For important matters like submitting your annual tax return to the IRS or updating user permissions after an employee leaves, you cannot afford to miss these tasks.
It isn’t always feasible for your nonprofit to hire new, full-time, in-house employees, but you still need to staff your organization appropriately. Outsourcing some roles and responsibilities allows your nonprofit to work with specialized professionals, gaining the benefit of their expertise for a lower cost than hiring. In addition to completing your vital organizational tasks well, they can also provide an outside perspective on your risk prevention strategies.
Several nonprofit departments particularly lend themselves to outsourcing, including:
- Information technology. External IT professionals can evaluate your data security practices and use their expertise to train your staff more effectively.
- Human resources. HR consultants will analyze your payroll, compensation, and hiring policies to help you maintain compliance.
- Accounting. Outsourced nonprofit accountants bring the financial and strategic expertise necessary to make your internal controls and policies as strong as possible. These professionals also ensure your transactions are recorded and that tax forms are filed correctly.
Once you’ve got your team of employees and outsourced experts in place, assign important tasks to individuals, giving someone ownership over each item. Accountability increases the likelihood that tasks will get done and reduces favorable circumstances for fraud.
Although outsourcing allows your nonprofit to prevent certain risks, you still need to carefully vet any outsourced professionals you partner with to ensure they have their own risk management policies and procedures in place. Interview your top picks for outsourced roles, check their references, and establish clear contractual agreements so that your decision to outsource contributes to your risk management strategy rather than leading to additional uncertainty.
4. Communicate With Stakeholders
Damage to your nonprofit’s reputation can be as severe as physical asset damage or even theft. Your nonprofit might not feel an immediate monetary loss, but losing your community’s trust can have long-lasting negative effects on your fundraising, hiring, and programs.
Timely, honest communication, particularly during a crisis, is the best proactive defense of your nonprofit’s reputation. There are three main groups you should make sure to communicate with regularly as you incorporate risk management into your organization’s operations:
| Group | Communication Context | Proactive Communication Examples |
| --- | --- | --- |
| Board members | Your nonprofit’s board of directors provides oversight for all of your policies and procedures, including your big-picture risk management strategy. | Proactively alerting the board to a potential conflict of interest with a part-time staff member’s second job. |
| Staff | Your staff will be responsible for various day-to-day activities associated with risk management, depending on their roles. | Explaining in a staff meeting the reasoning behind your nonprofit’s annual mandatory cybersecurity training. |
| Supporters | Keeping your community of support in the loop about how your organization is working to prevent risks shows them that you’re trustworthy and reliable, which can encourage them to continue their involvement with your mission. | Sharing your data privacy and AI use policies on your nonprofit website and with donors when they ask. |
You’ll need to tailor the level of detail provided to different individuals—for instance, potential major donors will probably want more insight than one-time event participants, and board and staff members need to know more about your risks than any supporter. However, being transparent with all of these groups about how your nonprofit is working to prevent risks will go a long way towards building loyalty and trust among your supporters.
Risk management isn’t a set-it-and-forget-it strategy. Just like you regularly review and optimize your other processes, from fundraising to hiring, the best preventive measures will also change with your nonprofit’s growth and industry innovations. Your nonprofit will never be able to achieve full immunity from risk, but by taking action today, you’re setting your organization up for a more resilient tomorrow.
Jon Osterburg has spent the last nine years helping more than 100 nonprofits around the world with their finances as a leader at Jitasa, an accounting firm that offers bookkeeping and accounting services to not for profit organizations.