Risk Management 101: The Essential Guide for Nonprofits

Chazin and Company
February 25, 2025

Organizations today are shifting toward centralized risk management, and for good reason. Effective risk management practices are essential for ensuring organizations are equipped to handle common challenges—and this is especially true for nonprofits.

Nonprofits face unique challenges that necessitate dedicated risk management strategies, whether through self-correction, outsourcing to a professional, or leveraging software. In this guide, we’ll explore the basics of risk management and how nonprofits can develop effective strategies to mitigate these challenges.

What Is Nonprofit Risk Management?

Nonprofit risk management is the process of identifying and mitigating risks that could negatively impact the organization’s ability to fulfill its mission. In order to properly mitigate potential risks, nonprofits must develop a strategic plan to protect the organization’s resources and operations. This plan should outline both preventive and responsive measures to various types of risks.

Types of Nonprofit Risk

Nonprofits face unique risks that aren’t present in other industries. Risks also vary from organization to organization, depending on your nonprofit’s specific vertical and workflows. 

In general, there are three types of risk nonprofits should look out for:

  • Compliance risks: Nonprofits are subject to specific regulations, such as state laws regarding charitable solicitation registration or annually filing IRS Form 990. For instance, nonprofits must follow specific reporting processes when accepting an in-kind donation. Failure to adhere to these regulations poses a threat to your organization’s 501(c)(3) designation and tax-exempt status.
  • Operational risks: These risks arise from your organization’s internal processes and can interrupt your day-to-day activities. Cybersecurity risks, such as data breaches, are among the most prevalent operational issues nonprofits face since an increasing number of daily tasks are based on online networks.
  • Financial risks: Risks related to your organization’s financial management may include fraud or theft. For example, scammers may pose as your nonprofit and solicit funds from unsuspecting supporters. 

Additionally, your nonprofit may face risks specifically related to its mission. For example, health organizations must practice proper data governance to comply with HIPAA regulations, and faith-based organizations may be subject to specific doctrinal guidelines.

How to Identify Nonprofit Risk

Because nonprofits face a wide range of risks depending on their internal workflows and missions, your organization’s risk management plan must be tailored to its unique needs. This involves evaluating your organization’s current situation to pinpoint areas of potential risk. 

Your organization can identify risk through a nonprofit risk assessment, which can take three forms:

  • Self-evaluation: Review your organization yourself, assessing every aspect to determine associated risks. Consider using a risk assessment checklist to guide your self-evaluation.
  • Risk assessment software: Leverage technology specifically designed for risk assessment, which offers dedicated analysis tools to flag potential risks for your organization.
  • Third-party assessment: A nonprofit auditing firm can be an advantageous partner during risk assessment, as these professionals are experienced in flagging financial risks.

Keep in mind that nonprofit risk and finances are often intertwined, so it can be helpful to consult an accounting firm for guidance when preparing a risk management strategy. For example, a nonprofit accountant knows the state and federal regulations regarding your nonprofit’s tax-exempt status and can ensure your organization complies with them. Even if you conduct a self-evaluation or work with an auditing firm, an expert in nonprofit finances will be well-equipped to help you address risk after identifying it.

3 Essentials for Your Nonprofit’s Risk Management Strategy

As mentioned above, every nonprofit faces different risks and needs tailored risk management strategies. However, there are a few essentials that every plan should include:

1. Improve internal documentation.

Internal documentation refers to your organization’s policies, procedures, and other formally organized workflows. Clear documentation serves as a reference point for your nonprofit’s operations, reducing risk by ensuring all team members follow the same procedures.

Review your current policies to identify gaps in your existing documentation. Here are a few essential policies nonprofits should have in place:

  • Conflict of interest policy, which requires your organization’s leaders to disclose any personal or professional interests that might conflict with their duties.
  • Fundraising and gift acceptance policy, which outlines how your organization solicits, accepts, and uses donations.
  • Nonprofit investment policy, which NXUnite defines as “a document that outlines how an organization can invest the funds it raises responsibly.”

Train staff members on the requirements outlined in these policies and make them easily accessible for employees to reference as needed. This way, your entire team will be aligned on your nonprofit’s expectations and the steps they should take to mitigate risk.

2. Delegate tasks appropriately.

Assign each risk management responsibility to a dedicated team with the necessary skills and experience to handle risk. You may outsource risk management to a professional team, delegate these duties internally, or use a combination of these two approaches.

For example, you may create an in-house security team dedicated to monitoring and addressing cybersecurity threats in real time. However, if none of your existing employees are qualified to manage financial risks, you may consult a professional accounting firm as well. This way, each potential area of risk is monitored by a team equipped to flag and address any issues that may arise.

3. Consult a professional accountant.

Nonprofit accounting firms offer expertise that benefits your organization’s financial performance. While this is a key aspect of risk management, it also supports the success of your organization as a whole.

Your organization faces unique financial and tax-related regulations, such as financial reporting requirements, that an expert accountant can help with. As Chazin’s guide to nonprofit financial statements explains, accurate financial reporting is essential to follow regulations like:

  • The Financial Instruments Credit Losses standard (ASU 2016-13): This standard may be applicable to nonprofits with trade receivables, loans or notes receivable, and held-to-maturity debt instruments. It requires nonprofits with these assets to calculate, document, and record allowances as credit loss expenses.
  • Statements on Auditing Standards (SAS) 143 and 145: These standards require auditors to complete a detailed risk assessment process for accounting estimates and to evaluate internal controls more closely. 

Nonprofit teams may not be familiar with these nuanced standards, which is why an accountant with experience in nonprofit finances can be highly beneficial to your risk management efforts.

Remember that nonprofit risk management isn’t a one-and-done process. Regularly review your organization’s strategies to ensure you capture and address all potential risks proactively. While risk management requires a thoughtful and well-defined approach, it ultimately reduces the need for crisis management, allowing you to focus more resources and time on your mission.