How Should Nonprofit Boards Define Risk Management?

Nonprofit organizations face known and unknown risks just like any other business or organization. A proactive board can mitigate the most common risks. Part of a board’s work entails understanding risk and being able to identify it. By proactively managing risks, boards protect the organization, its staff, volunteers, and even the other board members.

Risk management should be a prominent board activity. Risk management begins with a risk assessment. A good first step is to take inventory of your nonprofit’s data and all the places that you keep it. Plan on taking a few board meetings to develop a sound risk management plan. Once you’ve established a plan, you’ll need to monitor it and keep improving it.

What Is Risk Management?

To understand risk management, it helps to define the word risk. Risk is the chance of loss. Risk management entails forecasting and evaluating financial risks and identifying ways to avoid or mitigate the impact of risk. Risk management is a formalized process of gathering, evaluating, and responding to threats and opportunities.

Common Risks to Include in a Nonprofit Risk Management Plan

Here is a list of some of the more common risks that nonprofits face.

Fundraising Fraud. Internet fraud is rampant, and your nonprofit could be the next target. Fraudsters may create a fake event or website under your name and collect profits for themselves rather than donate them to your organization. Donors could hold you liable for their losses if they mistakenly give to the wrong party. Scams and fraudulent schemes will harm your reputation and your relationship with your donors.

Theft. Theft is a risk for all organizations including nonprofits. Nonprofits are at risk of almost anyone stealing from them. Staff, vendors, volunteers, and even board members have been known to steal from nonprofits. Many nonprofits have poor cash flow, making theft a serious problem.

Regulatory Compliance. Most nonprofits covet their tax-exempt status because it saves them large amounts of money and helps them be sustainable. Nonprofit organizations have to follow the strict rules set up by state and local governments. This is important to ensure they keep their tax-exempt status. Clear risk management procedures for compliance should be part of your risk management plan. Board members need to have a basic understanding of nonprofit tax laws and the requirements including how to fill out and file IRS Form 990.

Directors & Officers Liability. Nonprofit board directors can be sued personally for actions they’ve taken as board members. Directors and Officers insurance coverage (D&O) is a type of insurance that protects board directors from liability lawsuits. Many board recruits refuse to serve on a board that doesn’t offer D&O insurance coverage.

Cybersecurity. Data breaches are a growing concern. Nonprofit organizations make good targets for cybercrime. Hackers are keenly aware that nonprofits collect and store personal and sensitive information and that large numbers of them don’t have the budget to invest in strong cybersecurity. NTEN’s “State of Security Report 2018” shows that just over 68% of nonprofits lack appropriate policies and procedures for managing a cyberattack. About 59% of nonprofits fail to train their staff in cybersecurity risk management. Around 17% of nonprofits use risk management tools for storing and sharing user IDs and passwords. Cyber risk continues to evolve and it’s important for nonprofit board members to stay current with the latest news and media reports surrounding cybersecurity.

Exposures from social media use. Nonprofit board members and staff aren’t always careful or prudent about what they post on social media platforms, listservs, blogs, and other internet communications. Even the most well-intentioned comments can pose a liability issue for a nonprofit if someone else takes offense to them. Posting materials can also cause liability risks because of copyright and trademark infringement. Internal and external policies about internet postings should be part of a nonprofit’s risk management plan to help protect the organization, its board, and its reputation.

Staff and volunteer dissatisfaction. Whether they’re staff or volunteers, unhappy workers breed discontent. Workplace bullying or threatening behavior could be going on without the board’s knowledge. About half of the states have passed the Healthy Workplace Bill that would make it unlawful for employees to suffer mental, emotional, sexual, or physical abuse in the workplace. Even where the law isn’t in force, nonprofits can be found liable for damages for employees that become victims of assault or emotional harm. A nonprofit risk management plan should incorporate a formal complaint procedure for paid and unpaid workers and develop a code of conduct for everyone in the organization. It’s also important for the executive director and board to set the tone for appropriate behavior and lead by example.

Copyright and trademarks. Nonprofit organizations typically enlist the help of volunteers. It’s not safe to assume that all volunteers understand the risks associated with copyright and trademark infringement. Risk management plans for nonprofits should include training in copyright infringement for workers that post information on the internet, write newsletters, and design other brochures and promotional material.

Lobbying and political activity compliance. Nonprofit board members sometimes network with lobbyists and legislators to garner support for their cause. That isn’t a concern for nonprofits. However, section 501(c)(3) of the federal law states that nonprofits must refrain from political campaign activity and limit their lobbying efforts. It’s crucial for nonprofit board directors to know where to hold the line over political involvement to protect their tax-exempt status and when they need to disclose information to the government.

Not paying attention to conflicts of interest. In light of some recent media reports involving nonprofits having conflicts of interest, Congress and watchdogs have a greater awareness of nonprofits that cross the line in this area. A nonprofit risk management plan should include a clear conflict of interest policy and requirements for transparency and incorporate a routine process to identify, disclose, and manage potential conflicts.

Nonprofit boards have the ultimate authority for guiding the organization and advancing its mission. As front-line leaders, boards need to be proactive regarding the risks they’re willing to take and those they need to mitigate, monitor, and avoid. BoardEffect provides a secure online board portal for nonprofits where they can safely store their founding documents, board policies, and risk management plan in a way that makes them easily accessible for board members.
