Defining Risk and Compliance in the Nonprofit Realm

For many decades, nonprofit organizations were highly regarded as groups that worked hard for the greater good without compromising their good reputations. In recent years, that concept began to change as several nonprofits came to the attention of the media for deceptive practices. The scandals cast a new light on the risks that nonprofits face and led to concerns over ethics and compliance issues.

For example, a 2014 scandal rocked the nonprofit world when media reports surfaced about fraud at the Federation Employment & Guidance Service, the largest social services agency in New York. The agency abruptly closed due to financial mismanagement. On the heels of this debacle, Goodwill Industries in Toronto declared bankruptcy in 2016 without warning. The CEO and the entire board resigned as a result of the failing. Perhaps no nonprofit scandal was as scathing as that of the Wounded Warrior Project, where the board fired the CEO and the COO after reports about wasteful and lavish spending that had more to do with the executives than with the wounded service men and women.

In 2013, a Washington Post investigative report revealed that over 1,000 major nonprofits in the U.S. had disclosed financial losses in their federal filings as a result of some type of internal fraud.

These scandals shed light on the fact that all nonprofits need to address risk and compliance issues on some level. With cybersecurity issues on the rise, one of the many challenges facing nonprofits is having the adequate capital to incorporate the necessary level of cybersecurity programs to protect their organizations from unprecipitated data breaches.

These reports demonstrate that risks and compliance in the nonprofit space simply can’t be ignored. Nonprofit boards have a duty to define risk and compliance and to develop appropriate action steps to address it. The steps that are considered appropriate will likely look a bit different based on the nonprofit’s stage of development. A good first step for all nonprofits is investing in a highly secure board portal system like BoardEffect.

Defining Risk and Compliance in Nonprofit Organizations

A quick internet search will yield multiple definitions for the term governance, depending on the context in which it’s used. In general, governance refers to individuals and groups with power, authority and influence who come together to enact policies and decisions for the good of a group or an organization.

The term risk refers to the probability of a threat of loss, especially a financial loss, and the ability of an organization to mitigate or control risks that can hinder their operations and their prospects for sustainability.

Compliance refers to the process of conforming to regulatory requirements for business operations and business practices.

When we combine the terms governance, risk and compliance, we construct a picture of having a coordinated strategy to manage the broad issues of governance, enterprise risk management and regulatory compliance.

As for a more formal definition, the Open Compliance & Ethics Group (OCEG) published one of the most comprehensive definitions of governance, risk and compliance, which is the system of people, processes and technology that enables an organization to:

• Understand and prioritize stakeholder expectations.
• Set business objectives that are congruent with values and risks.
• Achieve objectives while optimizing risk profile and protecting value.
• Operate within legal, contractual, internal, social and ethical boundaries.
• Provide relevant, reliable and timely information to appropriate stakeholders.
• Enable the measurement of the performance and effectiveness of the system.

Now, with clear definitions, nonprofits can easily proceed with taking some firm steps toward responsible approaches to risk and compliance.

How Nonprofits Can Approach Risk and Compliance

The early stages of nonprofit organizational development aren’t the best time to invest in a sophisticated and expensive risk management plan. Nonprofits in the early stages are not sufficiently viable in sustainability to implement much more than basic risk management programs or platforms.

Two tools stand out as the best and most cost-effective risk management and compliance tools for early-stage nonprofits. Both are tools that nonprofits can implement in their infancy and retain throughout the life of the organization. Those tools are an insurance policy and a board portal system.

The end of the startup phase typically signals a period of strong growth. Nonprofits will begin undergoing audits and will hopefully be attracting large donors. This is the point at which nonprofits start to engage in strategic planning and start developing governance processes, such as implementing new policies and formalizing board and staff descriptions. Nonprofit boards at this stage of development are focusing on their strengths, weaknesses, opportunities and threats (SWOT).

Part of strategic planning should begin to focus on identifying risks and how to manage them. Insurance is still important at this stage, but it’s not enough on its own. Implementing risk management plans protect the future and give donors assurance that their funds are being protected in earnest.

Nonprofit boards will go through a series of steps toward developing a responsible risk and compliance plan, including the following:

Understand the context. Gather the current mission and vision statements, as well as the strategic and organizational plans, to set the stage for the board to assess the organization’s current status, what it stands for and what they hope the organization’s future will be.

Develop a timeline and set goals. Develop a timeline in phases and set up metrics to gauge success. Build on successes. Perform a risk inventory that identifies threats and opportunities across all areas of the operation.

Create and use a risk register. Inventory the organization’s risks across all areas. Prioritize risks and assign ownership.

Implement a risk cycle. Research issues and develop responses. Develop policies to eliminate certain risks where appropriate. Review the risk cycle periodically and make improvements.

Implement a board portal system if you haven’t already done so. A board portal is a highly secure platform where boards and committees can streamline their agendas and meeting minutes. BoardEffect makes communicating and collaborating on risk and compliance issues secure, easy, intuitive and convenient. BoardEffect supports a nonprofit’s meeting cycle, development cycle and board cycle, which support the regular duties and responsibilities of board directors.

Finally, boards need to work toward improving their risk and compliance processes over time with regular protocols for information gathering and reviews. This is where a board portal by BoardEffect is indispensable.