Did you know that in the UK, 69% of charities reported that in 2022 they lost money because of fraud? And that in the US, 40% of nonprofits that are victims of fraud choose not to report the crime, for fear of damaging their reputation? A comprehensive risk management plan could solve such issues. It helps to reduce the likelihood of fraud or legal disputes, minimize financial losses, and protect your organizational reputation.

How is risk different for nonprofits than for profit-oriented organizations? Is it always necessary for a nonprofit to have a risk management plan, or can you do without one? And how do you go about developing and implementing nonprofit risk management policies?

If you are asking yourself similar questions, read on. This article covers the organizational risks specific to nonprofits, the situations in which a nonprofit should invest in a risk management plan, and basic tips for drawing one up and putting it into practice.


What is a nonprofit risk management plan?

Most often, you can’t completely eliminate a specific risk, because the possibility of a negative event is not entirely under your control. But you can:

  • identify that risk
  • learn more about it
  • mitigate it
  • prepare your organization so that if the event does happen, the damages it causes are greatly reduced or even completely neutralized

This is what risk management in nonprofit organizations is all about. 

A risk management plan is a set of organized and connected measures that aim at identifying, understanding, reducing, and managing all the risks that threaten an organization. When you draw up such a plan specifically for a nonprofit, you have a nonprofit risk management plan.

Nonprofits need such plans so that they can avoid losing money, alienating donors, damaging their operations, being sued, and getting a bad name. It’s hard to overestimate the importance of risk management for the nonprofit sector: there is no realistic scenario in which a nonprofit would not be well advised to draw up and implement a risk management plan.

Risk management plans vary from one nonprofit to the other, but they should all include the essential parts listed in this succinct nonprofit risk management checklist:

  • Risk identification. A list of the internal and external risks threatening the organization.
  • Risk analysis. A detailed look into each of the risks, with a classification according to how likely they are to happen, and how serious the damages would be.
  • Prevention measures. Actions to monitor and reduce the likelihood of the negative event happening.
  • Damage control measures. Actions to be taken in case the event does happen, in order to reduce damages.

What are the most common risks that nonprofits face?

Nonprofits face most of the same risks that for-profit organizations do, both external (competitors, legislation, or the economic situation) and internal (lack of organization, poor budgeting, or high turnover).

But apart from these, nonprofits are also exposed to dangers that are much more specific to nonprofit management. The most common risks, and the areas of risk management they fall under, are:

  • Fraud
  • Theft
  • Cybersecurity breaches
  • Regulatory compliance issues
  • Data theft
  • Reputational damage

Now, let’s review them in more detail.

Fraud

Fraud can happen in different ways. For instance, a member of the nonprofit can pretend to use the organization’s funds to buy equipment but actually keep part of the money for themselves. Or an impostor can pose as a spokesperson for the organization and collect money from unsuspecting donors.

Theft

Theft can also happen in different ways, but in every case it means someone unduly taking the nonprofit’s resources (money, equipment, data, or intellectual property) for themselves. Nonprofits are particularly exposed because they often need to rely on volunteers, which means their bar for admission into the organization has to be rather low.

Cybersecurity breaches

By gaining access to the nonprofit’s data stored on servers and devices, malicious actors can steal money or sensitive data, or leave channels open for others to do so. Since nonprofits often lack the funds to invest in well-secured IT systems, they face a higher risk of cybersecurity breaches than for-profit organizations.

Regulatory compliance issues

When a nonprofit fails to comply with legislation, it can be sued, be ordered to pay financial damages, and even lose its legal tax-exempt status. Again, because nonprofits usually don’t have funds to spare, they are more likely to entrust compliance to underqualified people who end up making mistakes.

Data theft

This specific form of theft happens when criminals get their hands on private information about the nonprofit, its members, donors, or beneficiaries. Nowadays, this happens mostly through cybersecurity breaches, when digital risk management is not done properly.

Reputational damage

When donors stop trusting a nonprofit, they will stop donating to it. And since nonprofits rely largely on donors for funding, it’s essential that they keep a reputation of transparency and efficiency.

Identifying risks for nonprofits

Now that we’ve seen the most common risks for nonprofits in general, let’s look at ways to conduct a risk assessment and identify which risks threaten your nonprofit organization.


Key people from all departments of the nonprofit meet and go over the risks that each one sees in their own department.

Using a checklist

The person responsible for risk management goes over a ready-made checklist of risks to nonprofits and investigates which ones apply to the organization.

Recruiting a third party

If the nonprofit is larger and has a greater budget, it can hire an external consultant who will talk to key people and identify risks.

Analyzing risks for nonprofits

After the risk assessment, you have a list of all the risks that threaten your organization. Next, you have to analyze them so you can understand how to address them. You can analyze risks according to different criteria:

  • How likely is the negative future event to happen? For instance, how likely is it that an unauthorized person will gain access to your organization’s online board meetings?
  • If the event does happen, what are the scenarios? For instance, what kinds of information would the intruder obtain in the worst- and best-case scenarios? 
  • How likely is the worst-case scenario for this negative event? What are the chances that your board meeting will be accessed without authorization and classified data will be compromised?
  • How much does it cost to manage the risk, that is, to mitigate or eliminate the possibility of the event, or to put damage control measures in place? For instance, how much would it cost to get secure board-of-directors software so you can ensure that your meetings are private?

Answering these questions will help you decide which risks to your nonprofit need to be addressed first, and which can be dealt with later or even ignored.

Preventing and minimizing risks for nonprofits

Once you’ve assigned the right levels of priority to the risks that threaten your nonprofit, you can develop a risk management program — that is, a series of organized measures to mitigate the more serious and probable risks.

Counteracting and mitigating risks

If there is anything you can do to reduce the likelihood of the damaging event happening, take action. In some cases, you have no influence whatsoever on the event itself; for instance, there is nothing you can do to prevent a tornado from hitting your premises. You can, however, decide to store your documents in a VDR (virtual data room), so that you minimize the risk of their being lost in a tornado.

Monitoring and reviewing risks

After you’ve followed all the steps above, it’s important not to let your guard down. Your nonprofit should have someone who is in charge of keeping an eye on the risks that threaten it and periodically reviewing them. This way you can quickly spot when a negative event is going from probability to reality, as well as identify any new risks that come up.

How to draw a risk management plan for a nonprofit organization

Now that we’ve gone over the essential steps of successful risk management for nonprofits, let’s look at the strategy you can follow to draw up a comprehensive risk management plan for a nonprofit organization. A general nonprofit risk management framework includes the following five steps:

  1. Raise awareness about risks
  2. Get people to work together
  3. Specify concrete measures
  4. Set specific and measurable goals
  5. Include monitoring

Now, let’s take a closer look at what each of these steps is about.

1. Raise awareness about risks

It all starts in the mind. Talk to your nonprofit’s employees, volunteers, and board members about the risks that threaten the organization. Ask them, does the nonprofit have risk management issues? Check if there’s already a risk management plan, and how (or if) it’s actually implemented. Ask the secretary to include risk management in the agenda for the next board meeting.

2. Get people to work together

Once members and employees are interested in developing your nonprofit risk management plan strategy (or brushing up an already-existing one), make sure you know who’s important for the plan, and get them all on board. Appoint a risk management board. Help people work together on the risk assessment and analysis, and on developing your nonprofit risk management strategy.

3. Specify concrete measures

Don’t just copy a one-size-fits-all sample nonprofit risk management plan: an effective risk management strategy depends on measures that are tailored to your nonprofit. And once you’re working on your risk management policies, take care to select specific and actionable measures for managing risk, and assign them to specific people. “Be more careful when accepting volunteers” is not concrete. “John Smith will check whether volunteer candidates have pending legal proceedings” is.

4. Set specific and measurable goals

As with measures, you have to specify what risk management goals you want to achieve. Of course, your main goal is for nothing bad at all to happen to the nonprofit. But that is both unrealistic and too vague. Instead, you can set as one of your goals, for instance, “detect impersonation fraud within a maximum of three days”. This concrete formulation begs the question: how? And that helps you develop concrete measures to achieve the goal.

5. Include monitoring

Remember that risk management is not a one-time program; it is a continuous process. So you should include risk monitoring in your risk management plan. Once your first round of risk management goals is achieved, someone on your team will be responsible for keeping an eye on known and new risks and adapting the goals and measures as necessary.

Implementing a risk management plan for a nonprofit

The best risk management strategy is no good if it remains a dead letter. After drawing up your program, you must keep working to ensure it is implemented properly. But if you have really gotten the people in your nonprofit on board with risk management, this should not be too hard.

  1. Make sure to keep an eye on everything, and be there for your team when they have doubts or disagreements among themselves.
  2. Communicate the plan to stakeholders — doing this at the next meeting of the nonprofit board is a good idea.
  3. Remember that risk management should be an ongoing process — your team should regularly check and update your nonprofit risk management strategy.
  4. Opt for dedicated software made to simplify corporate and board governance — there are many reliable board portals on the market that provide dedicated services and improve the organization’s operations. 

Other resources for nonprofit risk management

Often, nonprofits need extra guidance on implementing risk management plans. For this reason, dedicated organizations exist. They provide guidance on risk management and nonprofit governance and help with the various risk management issues nonprofits face.

Below is a short list of such organizations:

Key takeaways

Let’s now briefly summarize the article above:

  • Risk management plans are crucial for any nonprofit.
  • You can create a solid risk management strategy by recruiting key people in your organization to assess and analyze risks and develop mitigation and damage control measures.
  • Given the specific vulnerabilities of nonprofits, you should definitely invest in a risk management plan for your nonprofit.
  • If you want to communicate with your board about risk management, or if you want to increase the security of your online board meetings, our experts recommend the iDeals board portal as a top software option for nonprofits.


FAQ

How often should an organization perform a risk management plan?

The implementation of a risk management plan is an ongoing process. The plan must be regularly updated — for instance, every quarter or twice a year, depending on your organization.

Who is responsible for nonprofit risk management? 

It depends on the size of the nonprofit. If it’s small, a single person can be appointed to be responsible for risk management. Medium and large nonprofits can have a dedicated risk management department.

Casey Johnson, Marketing strategist
Casey Johnson is a seasoned marketing strategist specializing in board portals. With over a decade of experience, she spearheads comprehensive marketing campaigns to enhance brand visibility and drive growth. Casey orchestrates content plans, conducts market research, and collaborates with content creators to ensure impactful marketing strategies.