Nonprofit Risk Management: Identify & Mitigate Common Risks
When everything is going well for your nonprofit, risk management probably doesn’t seem like a priority. However, if difficult situations arise, having a risk management plan in place can be your organization’s saving grace.
The key to effective risk management is to take a proactive approach. Rather than simply figuring out how to solve problems as they come up, you should develop both mitigation and prevention strategies. This way, you’ll not only be able to work through challenging situations more quickly but also be more likely to avoid them in the first place.
In this guide, we’ll walk through the key steps for creating a risk management plan for your nonprofit, including how to:
- Understand the Different Types of Nonprofit Risk
- Prioritize Risks Based on Likelihood and Impact
- Develop Risk Mitigation Strategies
As you create and roll out this plan, make sure to keep your supporters in the loop. Communicating to donors that you’re taking active steps to keep your organization safe—and by extension, their contributions and personal information—builds trust and makes them more likely to continue supporting you. Let’s dive in!
1. Understand the Different Types of Nonprofit Risk
Jitasa’s nonprofit risk management guide defines risk as “the probability that something bad might occur. This might be due to internal circumstances at the organization itself or external factors that pose a greater social risk.”
Every nonprofit is unique, so the risks that pose the greatest problems to one organization might be different from the main risks to another. However, the four most common types of nonprofit risk that you should keep in mind are:
- Cybersecurity violations. Your nonprofit collects a lot of data on its campaigns, finances, and supporters. If this information isn’t secured, the result can be a data breach that exposes sensitive information.
- Fraud. While this risk can take several forms, a major one to watch out for is fraud by impersonation. This happens when a scammer uses your organization’s employer identification number and brand assets to “fundraise” as your nonprofit while pocketing the money for themselves.
- Theft. Nonprofits are usually made up of good-natured, trusting staff and volunteers. However, when internal systems are faulty or individuals gain access to resources they shouldn’t, it can lead to situations where someone close to the organization steals funding or equipment.
- Compliance. As a registered 501(c)(3) nonprofit, your organization is subject to certain federal and state regulations that for-profit organizations aren’t. Complying with these rules is important to maintain your status as a charitable organization.
To determine which of these risks is most likely to impact your nonprofit, conduct a formal risk assessment. You can either do this internally by following one of the many nonprofit risk assessment checklists available online or reach out to an auditor or other external professional to get a third-party perspective on your organization’s risk levels.
2. Prioritize Risks Based on Likelihood and Impact
Identifying risks is only one half of an effective nonprofit risk assessment. The second part of the process involves prioritizing the risks you’ve identified. This way, you can focus on preventing the risks that are most likely to occur and those that would have the greatest negative impact on your organization if the situation were left unchecked.
When determining the impact of each risk you’ve identified, consider consequences such as:
- Loss of your nonprofit’s financial resources
- Limitations on your team’s ability to deliver services or fundraise
- Legal implications such as lawsuits against your nonprofit or having your 501(c)(3) status revoked
- Damage to your organization’s reputation among supporters, stakeholders, beneficiaries, and the general public
Create a preliminary list of all of the risks you identified during your assessment, then reorder the list based on likelihood and impact. The most probable risks with the most severe consequences should be listed first so that you know to address them early on in your risk management plan.
3. Develop Risk Mitigation Strategies
Now that you know what risks are likely to occur at your nonprofit and have considered their impacts, it’s time to start strategizing ways to prevent or mitigate each of these situations. Starting at the top of your prioritized list, brainstorm ideas to specifically address each risk you’ve identified.
Here are a few risk prevention ideas to consider including in your plan:
- Update your fiscal policies and procedures handbook. This document is not only essential to effective nonprofit financial management—it also lays out guidelines for how your team should handle your organization’s funding to prevent a variety of financial risks.
- Revisit your staff and volunteer onboarding processes. Make sure to train new employees in data security, fraud recognition, nonprofit compliance, and other best practices that help avoid risk. Double the Donation’s guide to volunteer management suggests implementing a training process for volunteers as well. This should be less intensive than staff onboarding, but you’ll likely cover some of the same risk prevention topics.
- Clean your database. In addition to enabling new cybersecurity measures such as data encryption and two-factor authentication, practice good database hygiene to reduce the risk of essential information going missing and eventually being leaked.
- Outsource some functions at your nonprofit. An adequately staffed organization gives employees more time to check in with each other, which increases visibility across the team. However, hiring someone to fill every role can be expensive and time-consuming. Instead, consider outsourcing responsibilities such as information technology, human resources, and accounting to third-party experts.
Once you’ve brainstormed ways to mitigate each of the most important risks your organization needs to address, it’s time to create your complete risk management plan. When listing each risk within the plan, discuss both preventative measures and the steps you’ll take to mitigate the risk should it become an issue, as well as who at your nonprofit is responsible for handling that type of situation.
After establishing a risk management plan for your nonprofit, make sure to revisit it at least once a year. Consider whether your organization’s situation has changed significantly enough for new risks to arise or for your priorities to change. Additionally, apply any new knowledge you’ve gained from managing your nonprofit for another year to strengthen your prevention and mitigation strategies over time, allowing your organization to be even more prepared for any situation that comes your way.