
How to Incorporate Risk Management Into Nonprofit Operations


When your nonprofit discusses risk management, you probably think about it in the context of mitigating negative situations. After all, if risks arise, having a procedure in place to handle those risks is critical for getting your organization back on track.

However, the most effective nonprofit risk management plans are proactive rather than reactive. There are a variety of preventative actions your nonprofit can take as you go about your regular activities, which work side by side with your mitigation procedures to protect against risks.

To help you incorporate risk management into your nonprofit’s day-to-day operations, here are four strategies to implement:

  1. Review Your Organization’s Financial Policies
  2. Implement Data Security Measures
  3. Outsource Certain Operational Functions
  4. Communicate With Stakeholders

As you develop your risk management plan, start by conducting an assessment so you know what types of risks are most likely to affect your organization. You can either conduct a self-evaluation using an online checklist or ask a third party such as an auditor or consultant to provide an outside perspective. Either way, keep your nonprofit’s unique situation in mind as you apply the tips in this guide. Let’s get started! 

1. Review Your Organization’s Financial Policies 

In addition to laying the foundation for effective management practices, financial policies help protect your organization against three of the most common nonprofit risks: fraud, theft, and failure to comply with federal and state regulations. To provide a reference for staff and board members on how to properly handle funding, outline all of your organization’s fiscal policies and procedures in a single document or handbook.

Jitasa’s guide to nonprofit financial management explains several essential policies to include in your financial management handbook, including the:

  • Gift acceptance policy. This policy outlines the types of gifts (both monetary and in-kind) that your nonprofit can and can’t accept, as well as the procedure for recording each donation in your accounting system.  
  • Expense reimbursement policy. When staff members or volunteers spend their own money on behalf of your cause and request reimbursement, this policy ensures that all funds paid back were actually used for activities related to your organization.   
  • Conflict of interest policy. This policy protects your organization’s leaders and board members from making decisions that could be influenced by outside financial interests.

In addition to these major policies, it’s also a good idea to review your internal controls, which are smaller procedures designed to prevent risks. For instance, many nonprofits require two signatures on checks to help catch mistakes before payments are processed and ensure no individual is held entirely responsible if an error falls through the cracks.      

2. Implement Data Security Measures   

Along with fraud, theft, and non-compliance, cybersecurity violations are among the most common nonprofit risks. However, preventing this category of risk requires a separate and specific operational adjustment: strengthening your organization’s data security measures.

Some best practices for protecting your nonprofit’s data include:

  • Enabling two-factor authentication for all account logins.    
  • Encrypting databases that contain sensitive information.    
  • Limiting user permissions on certain data to individuals who need access for their roles.    
  • Conducting regular data security training for staff members, as well as volunteers if needed.

Data breaches can expose sensitive information such as credit card and bank account information for your nonprofit and its donors. As online fundraising and donor management continue to be popular, protecting your data is essential to maintaining your organization’s credibility.       

3. Outsource Certain Operational Functions    

Outsourcing some roles and responsibilities allows your nonprofit to gain access to specialized professionals who can provide an outside perspective on your risk prevention strategies. Plus, it ensures you have the necessary capacity to manage risks while being more cost-effective than hiring new in-house staff members.

Several nonprofit departments particularly lend themselves to outsourcing, including:

  • Information technology. External IT professionals can evaluate your data security practices and use their expertise to train your staff more effectively.     
  • Human resources. HR consultants will analyze your payroll, compensation, and hiring policies to help you maintain compliance.     
  • Accounting. Outsourced nonprofit accountants bring the financial and strategic expertise necessary to make your internal controls and policies as strong as possible. These professionals also ensure your transactions are recorded and tax returns are filed correctly.

Although outsourcing allows your nonprofit to prevent certain risks, you still need to carefully vet any outsourced professionals you hire to ensure they have their own risk management policies and procedures in place. Interview your top picks for outsourced roles, check their references, and establish clear contractual agreements so that your decision to outsource contributes to your risk management strategy rather than leading to additional uncertainty.     

4. Communicate With Stakeholders     

One of the most important purposes of risk management is protecting your organization’s reputation, and this can be accomplished proactively through effective communication. There are three main groups you should make sure to communicate with regularly as you incorporate risk management into your organization’s operations:

  • Board members. Your nonprofit’s board of directors provides oversight for all of your policies and procedures, including your big-picture risk management strategy.      
  • Staff members. Your staff will be responsible for various day-to-day activities associated with risk management depending on their roles.      
  • Supporters. Keeping your community of support in the loop about how your organization is working to prevent risks shows them that you’re trustworthy and reliable, which can encourage them to continue their involvement with your mission.

Of course, you’ll need to communicate different information to each group—for instance, staff members have to understand your specific policies in much more detail than supporters, who simply need to know that your organization is working to keep their personal information and contributions safe. However, being transparent with all of these groups about how your nonprofit is working to prevent risks can boost your credibility.


Incorporating risk management into your nonprofit’s operations is an ongoing process. After you establish policies for financial management and data security and review your outsourcing options, monitor each of these areas over time to ensure your strategies are still meeting your organization’s needs. Additionally, continue communicating with all relevant stakeholders as you make adjustments so that your nonprofit can maintain a high level of accountability to them.      

Jon Osterburg

Jon Osterburg has spent the last nine years helping more than 100 nonprofits around the world with their finances as a leader at Jitasa, an accounting firm that offers bookkeeping and accounting services to not for profit organizations.
