5 Steps to Develop a Nonprofit Risk Management Strategy
When everything is going well for your nonprofit, it’s easy to become comfortable in your day-to-day activities and not consider the possibility that your situation could change. However, in times of uncertainty or difficulty, having risk management policies could very well be a lifesaver.
In some cases, your nonprofit will choose to take calculated risks to facilitate growth, while other negative situations arise from unexpected places. Understanding these risks and planning ahead to manage them can protect your organization’s reputation, increase trust with stakeholders, and help you weather difficult financial periods, among other benefits.
In this guide, we’ll walk through five steps to develop a risk management strategy for your nonprofit that both prevents unwanted risks and keeps calculated risks in check. Let’s get started!
1. Identify Potential Risks
To begin the risk management process, you’ll need to identify what types of risky situations might affect your nonprofit. Doing so will help you develop more effective procedures for what to do in each situation.
A few types of risks that nonprofits commonly encounter include:
Cybersecurity violations. From online fundraising tools to artificial intelligence (AI) solutions, nonprofit technology is constantly evolving. But as technology becomes ingrained in more nonprofit activities, there is a greater potential for data breaches that expose sensitive information, particularly donors’ contact and payment details.
Fraud. This risk can take many forms within your organization and occur intentionally or unintentionally. Plus, fraud by impersonation is a common external risk because scammers can obtain nonprofits’ publicly available employer identification numbers and branded materials fairly easily. Then, these individuals can pose as charitable organizations, collect “donations” online, and keep the cash for themselves.
Theft. If a nonprofit’s internal systems are faulty or individuals who haven’t been vetted gain access to resources they shouldn’t, someone close to the organization could steal money or equipment.
Noncompliance. Nonprofits are subject to some specific rules to remain exempt from federal taxes, such as following their state’s fundraising guidelines and filing their Form 990s on time each year. Failing to abide by these regulations risks losing your organization’s exempt status, and keeping track of all of them can be tricky.
You can use one of the many sample checklists available online to self-identify your nonprofit’s risks. Or, you could work with a nonprofit controller or other financial consultant if you feel you’d benefit from an external perspective.
2. Assess Each Identified Risk
Once you’ve identified potential risks to your nonprofit, determine each one’s priority by assessing its likelihood and impacts. This way, you’ll know which risks are most important to put time and resources into preventing when you create your management plan.
To determine the probability of a risky situation occurring, research past incidents at your organization and issues at other nonprofits that have made the news. Review any data you can find on these incidents, then analyze your current situation to see how much of a threat that risk currently poses. Additionally, consider how great the risk’s consequences would be as well as the manner in which your organization would be affected—financially, reputationally, operationally, or in another way.
3. Develop Mitigation Tactics
Next, start at the top of your prioritized list of potential risks and brainstorm ways to mitigate each one. These plans should cover not only the steps to take if the risk were to occur but also ways to prevent these risks from becoming a problem at all.
Here are some common mitigation tactics to consider:
Establishing new policies or procedures. Reviewing how you approach your nonprofit’s routine operations can mitigate all kinds of risks. For example, having sound staff compensation policies allows your organization to comply with employment regulations and reduces the potential for fraud. Or, you might require employees to set up two-factor authentication for their database logins to prevent breaches.
Re-evaluating internal controls. In addition to operating procedures, your organization should have mechanisms specifically meant to detect and prevent errors. This is why many nonprofits require two signatures on checks for large amounts—if a mistake occurs, it’s less likely that the person who accidentally authorized the incorrect payment will be suspected of theft.
Ensuring contract drafts are up to date. If your nonprofit hires external professionals to help with specific projects, you’ll need to provide a legally binding contract outlining the parameters of the engagement. Have a contract template on hand that you can revise for each contractor, and regularly review the draft to avoid signing an outdated contract that no longer aligns with your organization’s policies.
Additionally, NPOInfo’s guide to nonprofit data hygiene recommends regularly removing outdated, incorrect, or duplicated data from your nonprofit’s systems. Following these and other data management best practices helps reduce various internal risks for your organization, from developing inaccurate budgets to missing out on key fundraising opportunities.
4. Implement Your Plan
When you implement the mitigation strategies you’ve brainstormed, delegation will be essential. Getting your entire organization involved in the process ensures everyone understands the importance of risk management and their role in it.
The main parties involved in implementing your plan will be:
Board members, who will either oversee the implementation process themselves or appoint a risk management committee to provide oversight.
Staff members, who will be responsible for managing the risks that are most applicable to their roles (for example, your human resources department will prevent risks related to hiring and compensation).
Outsourced professionals, who will ensure your organization is adequately staffed and protected in their areas of expertise, such as fundraising strategy or accounting.
It’s also beneficial to keep your community informed about your risk management efforts so they understand that your nonprofit takes these situations seriously, which helps protect your reputation. Plus, they’ll know to keep an eye out for risks that also affect them, like fraud by impersonation, and report them to your organization so you can mitigate them.
5. Monitor Your Efforts
Effective risk management is an ongoing process. Revisit your mitigation plan regularly, assess how well you’re managing risks based on that plan, and make improvements as necessary. It may be useful to adjust the priorities you’ve assigned to each risk as circumstances change.
Jitasa also recommends conducting regular independent audits, even if your nonprofit isn’t required to. Getting an external auditor’s perspective on your internal controls and procedures every year, or even every few years, can help you continuously improve your risk management strategy.
By adapting the steps above to your nonprofit’s needs and situation, you’ll be well prepared to prevent and mitigate many risks before they result in long-lasting negative consequences for your organization. More than that, you’ll be more likely to maintain the relationships and safeguard the funding you need to further your organization’s mission.
Jon Osterburg, COO, Jitasa
Jon Osterburg has spent the last nine years helping more than 100 nonprofits around the world with their finances as a leader at Jitasa, an accounting firm that offers bookkeeping and accounting services to not-for-profit organizations.