Every industry sector has its risks, and nonprofit organizations are no different. When it comes to risk management, identifying risk is only part of the battle. Once risks are recognized, you need a plan to address them with changes in policy or procedures.
While adequate insurance — directors and officers liability or property and casualty coverage, for example — is essential to managing risk, your organization must also assess activities which, if poorly managed, might get in the way of its mission.
Managing risk for a nonprofit organization often includes three main areas: money, people, and reputation.
Money & Financial Management
Fundraising — as well as fund management — is a big focus for nonprofit risk managers. The laws governing solicitation are complex and require high levels of record keeping.
For example, with so many donations being collected online, you might need to register in more states than previously considered. In-kind donations, especially real property, are another area of potential risk because not all nonprofit organizations can properly conduct the due diligence necessary to assess value and environmental liability.
Fundraising events can have a high reward if everything goes according to plan. To mitigate risk, there should be an event director supported by a dedicated committee to review safety, logistics, communication, and coordination. The committee should also evaluate the need for special event insurance.
In terms of financial management, internal controls, including separation of duties, should also be in place to adequately control the risk of fraud and waste. Budgets prepared by staff or partners with strong financial backgrounds will provide an accurate picture of the organization’s financial risk, and an internal controls study can illuminate areas of concern regarding fraud.
Volunteers & Employees
Volunteers are the backbone of nonprofit organizations. For many, volunteers not only provide the means of delivering the main service or mission but also provide guidance and management through board membership.
In either case, the mere dedication of these people cannot be the only determinant of success. All volunteers should meet certain criteria clearly communicated through policy. For example, if your organization involves volunteer interaction with children, background checks and a strong child protection policy must be in place.
Volunteer education is also important. Volunteers should be onboarded with some form of mandatory training — whether it’s how to safely sort food during a shift at a food bank or how to appropriately communicate with other board members during a service term on the board.
People attracted to employment opportunities at nonprofit organizations might be motivated by the notion of carrying out a greater good. This idea may unfairly translate into an expectation that a nonprofit would be a more nurturing, supportive, and easygoing place to work.
However, effective nonprofit organizations are just as strict with their human resource policies as they are with their financial policies. The board must regularly review and update employment policies, job descriptions, performance evaluations, employee handbooks, and whistle-blower protection policies.
While other risks can be covered with specialized insurance, your reputation cannot. A strong reputation improves demands for services, volunteer and donor support, and options for partnering.
To reduce reputational risk, leaders must create and maintain open and trusted communications with all constituents and staff. If a reputation-damaging event does occur, a well-prepared crisis management plan and public relations partner can help mitigate risk after the fact. Of course, a proactive approach is always better.
Finally, a quick word about cybersecurity, which has reached new risk levels with people working remotely during the pandemic: At a minimum, every organization should require annual cybersecurity training for employees and volunteers who have access to the network.
Our team can help you manage risk. Call us at 434.296.2156 to ask us about an internal controls assessment.