5 Steps to Develop a Nonprofit Risk Management Strategy

 

When everything is going well for your nonprofit, it’s easy to become comfortable with your day-to-day operations and not consider the possibility that your situation could change. However, in times of uncertainty or difficulty, having risk management policies in place at your organization could very well be a lifesaver.

Nonprofit risk refers to the probability of something happening that has a negative impact on your organization. Knowing what these risks are and planning ahead to mitigate them can protect your organization’s reputation, improve relationships with stakeholders, and increase your chances of financial sustainability during periods of economic turbulence, among other benefits.

In this guide, we’ll walk through five steps your nonprofit can take to develop a risk management strategy, including how to:

  1. Identify Potential Risks

  2. Assess Each Identified Risk

  3. Develop Mitigation Tactics

  4. Implement Your Plan

  5. Adjust Your Strategy Over Time

As you go through this process, keep in mind that there may be times when your organization decides to take some risks to facilitate growth. Solid risk management policies will not only help mitigate unwanted risks, but also keep the risks you choose to take under control so they can help you accomplish your goals without becoming a hindrance to your growth plan. Let’s dive in!

1. Identify Potential Risks

To begin the risk management process, you’ll need to identify what types of risks could potentially occur. Doing so will help you develop more effective policies and procedures for what to do in specific situations.

Jitasa’s guide to nonprofit risk management outlines four categories of risk that organizations like yours commonly encounter, including:

  • Cybersecurity violations. While increased reliance on technology has created several benefits for nonprofits (such as online fundraising and virtual event capabilities), it also comes with the risk of data breaches that expose sensitive information, particularly donors’ contact and payment details.

  • Fraud by impersonation. Since employer identification numbers (EINs) are often available online, a scammer can feasibly obtain a nonprofit’s EIN and download its branded materials. That way, the scammer can pose as the nonprofit, raise money under the guise of charitable donations, and keep the cash for themselves.

  • Theft. If a nonprofit’s internal systems are faulty or individuals who haven’t been vetted gain access to resources they shouldn’t, it can lead to situations where someone close to the organization steals money or equipment.

  • Compliance. Nonprofits are subject to some specific rules in order to remain exempt from federal taxes, such as following their state’s fundraising guidelines and filing the Form 990 on time each year. Maintaining compliance can mitigate the risk of losing that tax-exempt status.

There are sample checklists available online that you can use to self-identify which risks could pose a threat to your organization. Or, you could work with an auditor or consultant if you feel you could benefit from an external perspective.

2. Assess Each Identified Risk

No matter how many potential risks you identify, it’s important to determine each one’s priority before you start deciding how to mitigate them. You can do this by assessing the likelihood and impacts of each risk.

To determine the probability of a risky situation occurring, do some research into past incidents at your organization and at other nonprofits that have been reported in the news. Review any data you can find on these incidents and analyze your current situation to see how much of a threat that risk poses. 

In terms of impacts, consider how great the risk’s consequences would be as well as the manner in which your organization would be affected—financially, reputationally, operationally, or in another way. By taking the step of prioritizing your risks, you can put more time and resources into mitigating the ones that are the most likely to occur and would have the most negative effect on your nonprofit.

3. Develop Mitigation Tactics

Next, go through your prioritized list of potential risks and brainstorm ways you could mitigate each one. These plans should cover not only the steps to take if the risk were to occur but also ways you can prevent these risks from becoming a problem in the first place.

Some mitigation tactics your nonprofit could try include:

  • Establishing new policies or procedures. Reviewing how you approach your nonprofit’s routine operations can mitigate all kinds of risks. For example, ensuring sound staff compensation policies allows your organization to comply with employment regulations and reduces the potential for fraud.

  • Re-evaluating internal controls. In addition to operating procedures, your organization should have mechanisms in place for the specific purpose of detecting and preventing errors. This is why many nonprofits require two signatures on payments over a certain amount—if a mistake occurs, it’s less likely that the person who accidentally authorized the incorrect payment will be suspected of theft.

  • Cleaning up stored data. NPOInfo’s guide to nonprofit data hygiene explains that regularly removing outdated, incorrect, or duplicated data from your nonprofit’s systems reduces a variety of risks, from developing inaccurate budgets to missing out on key fundraising opportunities.

  • Ensuring contract drafts are up to date. If your nonprofit hires external professionals to help with specific projects, you’ll need to provide a contract outlining the parameters of the engagement. It’s helpful to have a contract template on hand that you can revise for each contractor, and regularly reviewing the draft ensures you don’t sign an outdated contract that no longer aligns with your organization’s policies.


Additionally, make sure to review and revise your internal documentation, especially your employee handbook. Making your policies and procedures available to all staff members in writing is one of the easiest ways to protect your organization.

4. Implement Your Plan

When you’re ready to implement your mitigation strategies, delegating tasks to different individuals at your nonprofit will be essential. Getting your entire organization involved in the process ensures everyone understands the purpose of risk management and their role in it.

The main parties involved in implementing your plan will be:

  • Board members. In most cases, your nonprofit’s board of directors will either oversee the implementation process themselves or appoint a risk management committee to provide oversight. If you have a qualified member, you can appoint one person as the designated risk manager who takes the lead on implementation.

  • Staff members. Each of your employees will be responsible for managing the risks that are most applicable to their roles. For example, your human resources department will work to prevent risks related to hiring and compensation.

  • Outsourced professionals. Risks can easily go unchecked when staff members become too busy to check in with each other, so outsourcing some responsibilities can ensure your organization is adequately staffed and protected. Fundraising consultants, graphic designers, and accountants are all excellent roles to outsource.

To achieve the best possible results from your implementation process, make sure to conduct one or more risk management training sessions with these stakeholders and check in regularly on the progress being made.

5. Adjust Your Strategy Over Time

Nonprofit risk management is an ongoing process. By putting renewed effort into your strategy each year, you’ll save your organization time and resources in the long term.

Revisit your mitigation plan regularly, assess how well you’re managing risks based on that plan, and make changes as necessary. It may also be useful to adjust the priorities you’ve assigned to each risk as circumstances change.

Also, consider conducting an annual nonprofit audit, even if your organization isn’t required to do so. Getting an external auditor’s perspective on your internal controls and procedures can help you continue to improve your risk management strategy.


By adapting the steps above to your nonprofit’s needs and situation, you’ll be well prepared to prevent many risks before they become a problem for your organization, in addition to handling any challenges that still arise. You can avoid ending up in the news for the wrong reasons—more than that, you’ll be more likely to maintain the relationships and effectively manage the funding needed to further your organization’s mission.


Jon Osterburg, COO, Jitasa

Jon Osterburg has spent the last nine years helping more than 100 nonprofits around the world with their finances as a leader at Jitasa, an accounting firm that offers bookkeeping and accounting services to not for profit organizations.