What’s a four-letter word that nonprofit executives dread hearing? RISK.
Nonprofits exist for the greater good, and we know you want to prepare your nonprofit to reach its maximum impact. To do this, you need to know how to identify and mitigate risks to your organization.
Developing a documented nonprofit risk management strategy is key to ensuring that your organization is not caught unaware by unforeseen risks. Keep reading and we’ll explain to you why risk management is important and give you five steps to create a risk management strategy.
What is Risk Management For Nonprofits?
The Alliance for Nonprofit Management defines risk management as: “a discipline for dealing with the possibility that some future event will cause harm. It provides strategies, techniques, and an approach to recognizing and confronting any threat faced by an organization in fulfilling its mission.”
In short, risk management is the process through which nonprofit organizations deal with potential risks to their business. It includes identifying risks, analyzing and evaluating them, and treating them, as well as creating an ongoing risk management plan to continuously monitor new or unknown risks.
As a leader in your nonprofit organization, you are responsible for contributing to the creation and implementation of a risk management plan. If COVID-19 has taught us anything, it is that this world is unpredictable—and as a nonprofit leader, you must be prepared to protect your organization's interests at all times.
Don’t panic—you likely already have practices or policies in place that help mitigate risk without even realizing it. Risk management in a nonprofit can range from proper insurance coverage to employee clearances and background checks to financial checks and balances.
Nonprofit risk management might sound complex—or even scary—but it doesn’t need to be. Keep reading to learn why nonprofit risk management is important, and how to reduce risks to your organization successfully!
Why Do Nonprofits Need to Manage Their Risk?
If you work for a nonprofit, it’s likely that you feel some kind of personal connection to your organization’s mission. You want your organization to succeed and probably work very hard to ensure this happens.
That’s why you need a risk management strategy! Any unmitigated risk could easily derail your organization's operations, bringing your very important work to a total standstill. As a nonprofit executive, board member, or other stakeholder, it is critical that you understand the threats and opportunities that your organization faces.
You might be thinking: “What risks could my nonprofit possibly be facing?” Well, let us tell you, there are plenty!
There are risks specific to the nonprofit sector that for-profit businesses don’t need to consider. And there are risks that overlap between the two industries as well! As a leader in this field, it is your responsibility to understand the risks and make sure you, your Board of Directors, and your leadership team are doing everything possible to mitigate them.
If you’re still struggling to think of some risks your nonprofit might be facing, here are a few examples:
- Cybersecurity violations: This is a broad group of risks but can include data breaches that expose the names, addresses, and credit card numbers of donors.
- Theft: This is a risk posed by both internal and external actors, but many nonprofits are at risk of someone close to the organization taking money or misappropriating organizational resources.
- Compliance: Nonprofits are subject to rules and regulations that for-profit businesses are not. One example of this is the requirement to file a 990 with the IRS. Failure to do this can have catastrophic results, including losing 501(c)(3) status—hence, it is a risk!
5 Steps to Create a Strong Nonprofit Risk Reduction Strategy
We know risk is scary! But with the right strategies, you can absolutely mitigate and minimize risks to your nonprofit. Keep reading to learn how!
1. Identify Risks
It’s impossible to plan for and mitigate risks if you don’t know what risks exist for your organization. The first step in an intentional risk management strategy is performing a risk assessment.
A risk assessment aims to identify risks specific to your nonprofit organization and its operations, finances, technology, and culture. This assessment also provides a basis for future training and learning opportunities and helps to highlight needed risk mitigation strategies.
Before beginning the risk assessment, you need to create a risk committee and determine who will lead the efforts of this group. It is important to have a designated individual in charge of these efforts so that the process is streamlined and centralized.
You’ll also need to decide how the information uncovered by the risk assessment committee will be reported throughout the organization to your leadership, executive team, and Board of Directors. Again, there should be a documented and designated process to ensure that information is consistently reported to the appropriate channels.
Here’s an example of how this could play out in a nonprofit organization:
During the risk assessment process, the committee discovers that the nonprofit organization’s Liability Insurance and Directors' and Officers' insurance policies have expired and were not renewed. This is a big risk!
Nonprofits need general liability insurance to cover claims of bodily injury or property damage caused by accidents. Nonprofits also need Directors & Officers Liability insurance, which provides coverage for the members of the Board of Directors, the officers of the organization, and the organization itself for any claims made against it.
Without these types of insurance policies, nonprofits are at risk of costly lawsuits or litigation against the organization, its board members, and officers.
If your organization doesn’t have the capacity or the expertise to tackle the risk assessment, don’t panic. You can hire a professional to help! The Nonprofit Risk Management Center offers many resources for nonprofit organizations, including a list of consulting services.
Bottom line, the purpose of identifying risks is to make them visible to every stakeholder in your organization that is involved in the risk management process. You cannot effectively analyze and mitigate risks if you don’t know what they are.
2. Analyze the Risks
Once you have identified a risk (or risks), it’s time to analyze it! It’s important to understand the risk's scope and the link between it and its potential impact on the nonprofit.
To determine the severity of the risk, you need to look at how many functions within your nonprofit the risk affects. Some risks can bring an entire organization to a standstill, while others will only result in minor inconveniences; it’s critical that you identify which kind of risk you’re dealing with.
Here are two questions you can ask yourself to begin the analysis process:
- How likely is this risk to occur?
- If the risk does occur, what will the impact be on my nonprofit?
When you’re determining the likelihood of a risk occurring, you can rate the risk on a scale from 1 to 5.
- Rare - very unlikely to happen
- Unlikely - it probably won’t happen, but there is a small possibility
- Possible - likely to occur sometimes, but not frequently or regularly
- Likely - likely to occur regularly
- Certain - occurs most of the time
You can use a similar scale to rate the impact of the risk:
- Insignificant impact: little or no impact on the nonprofit’s operations, reputation, or future health. There is a very small chance of complaints from stakeholders or litigation.
- Minor impact: potential for a small impact on the nonprofit’s operations, reputation, and future health. Complaints from stakeholders and litigation might be possible.
- Moderate impact: could lead to some disruption of operations or negative publicity. Complaints and litigation are both probable.
- Significant impact: the organization’s day-to-day operations would be disrupted, and the nonprofit would receive negative publicity. Formal complaints and litigation would both be likely.
- Major impact: operations would be interrupted for a long period of time, and major negative publicity would occur. Litigation would be significant and likely, and the risk would result in resignations/terminations of senior managers. The organization’s stakeholders and beneficiaries would lose confidence in the organization. Future health would be jeopardized.
When you’re analyzing risks, it’s important to work with a group of people that are familiar with your organization and its inner workings to ensure that you have accurate responses to the above questions.
Once you have conducted this exercise and rated your risks and their potential impacts, you have the foundation you need to begin evaluating and mitigating the risks that ranked highest on your scale.
3. Evaluate the Risks
Okay. So, you’ve identified and analyzed the risks to your nonprofit organization. You likely have a list of risks and their respective rankings regarding impact and likelihood. Now what?
You must rank and prioritize the risks on your list based on how quickly they should be addressed and treated. Some risks might be very time-sensitive—for example, if you have a financial audit approaching, any financial risks should be treated immediately.
Some risks might allow for a slower response time, which is totally okay! That will free up your time to focus on the more urgent risks.
4. Treat the Risks
Each risk that your risk management committee identifies needs to be eliminated, if possible. If it can’t be completely eliminated, it needs to be contained as much as possible.
This might sound overwhelming—but don’t panic. A key piece to successfully eliminating risks is to connect with experts in the field in which the risk belongs.
If your risk is legal, you should connect with a lawyer that has experience working with nonprofits. Similarly, if the identified risk is financial, connect with a CPA firm with a history of serving nonprofit organizations.
All relevant stakeholders on your risk management committee should be a part of the conversations with the experts so that they can fulfill their obligations to the committee by overseeing and supporting the mitigation of risk.
5. Monitor & Review the Risks
The good news is that if you’ve made it this far, you’re almost ready to start risk management in your organization!
The bad news is that some risks will always be present despite everything you've learned.
Market risk is an example of one risk that can’t be eliminated. If your nonprofit has investments, for example in an endowment or stocks, market risk (the risk of financial loss resulting from movements in the market) will need to be monitored constantly. There is no way to eliminate this risk without eliminating the investments the risk is tied to.
Here’s another thing to remember—risks are always evolving. This means that the way you manage and mitigate them will also change. This is why constant monitoring of the risks is important! It isn’t a “once and done” activity, but should occur regularly throughout the year.
Your risk management committee should oversee this and create a documented plan outlining how risks will be regularly monitored. You can even include this process in your organization’s bylaws for an additional accountability measure.
Wrapping Up: Everything You Need to Know About Nonprofit Risk Management
Nonprofit risk management is a continuous process that requires time and oversight in order to be successful. This might feel exhausting—after all, it’s a project that never ends! But ultimately, a solid risk management strategy will save you and your nonprofit time and money in the short and long term. It’s so worth it to put in the work!
We provided you with five super useful strategies to begin a risk management process in your nonprofit organization. If you embrace these steps, you’ll be well on your way to creating a robust risk management plan, which in the long run will make your nonprofit healthier, stronger, and more successful. It’s a win-win!