A Nonprofit's Guide to Risk Management

Ken Lynch
November 5, 2019

Doing something for a good cause doesn’t mean that the world will treat your organization leniently. From cyber-attacks to fraud cases, nonprofits also operate in an ocean of threats. One in every four nonprofits hit by a fraud scandal barely managed to survive past the three-year mark.

Risk is a staple of running a nonprofit organization. While your cause might benefit the masses, failing to look into your risk landscape could have negative consequences in the future. With a great risk management plan, proactively dealing with threats to your organization becomes a walk in the park.

Here is how a risk management plan can protect your nonprofit:

What is Risk Management/Planning/Assessment?

Understanding what a risk management plan is can be the first step to eliminating common threats to your organization. At its core, it is a plan meant to identify business risks and come up with solutions for mitigating them. It should address the issues the organization faces both now and in the future. A detailed plan should include who will be in charge of risk monitoring, the ranking of the various risks, the risk control measures to undertake, and the cost of risk mitigation.

Why Risk Management is Essential For Nonprofits

Nonprofits have the responsibility to protect their donors’ contributions, data, and time, while at the same time working under a constrained budget. Sadly, there is a bevy of risks that could compromise these obligations. If any of these risks affect the credibility of the organization, the chances are that current and potential donors might shy away from further contributions. Some of them include:

1. Fundraising Fraud

In some cases, cybercriminals may operate under the façade of your organization and defraud potential donors. All they might need is to set up a website and use your organization’s details and logos. Some might also use phishing attacks to target unsuspecting donors. Such risks have, for some time, plagued the nonprofit world. A simple measure, such as online reputation management, might suffice to keep such incidents from occurring.

2. Regulatory Compliance

Nonprofits have to comply with many regulations. For instance, you have to comply with IRS rules by proving that the cash you collect as a nonprofit is used for charitable activities. Likewise, you have to comply with the GDPR if you have donors from Europe or conduct some activities there.

The GDPR is meant to ensure that you protect the data privacy of anyone who comes into contact with your organization. Nonprofits also need to be compliant with ADA regulations. This is meant to ensure that you factor in the needs of people with disabilities throughout your nonprofit’s undertakings.

3. Data Security

As a nonprofit, you might need to store a lot of client details, from their credit card numbers to their names and addresses. These can be gold mines for hackers. For instance, if you fail to use secure servers in storing such data, the chances are that this data can be used for identity theft. Not only can this damage your reputation, but it can also result in fines from the different security regulatory bodies. Identifying such risky parts of your organization and working to mitigate them is essential.

Creating a Strong Risk Management Program

Identifying the Risks

The first step to creating a strong risk management program is to identify the threat landscape your nonprofit operates in. You can start by brainstorming the obvious risks. Next, you can use other methods to research the less-obvious risks. This includes consulting cybersecurity experts, reading historical studies, and even conducting market surveys.

Assessing and Ranking the Risks

Once you have a well-outlined list of the risks that your nonprofit might face, the next step is to assess the impact each could have on your organization and the likelihood that it will occur. Given scarce resources, it is best to identify the risks that pose the greatest threat to the continuity of the organization.

This is why it is essential to rank the risks. Be sure to use a risk matrix to rank the risks your nonprofit is bound to face. Ideally, you should place the greatest emphasis on the risks that have the highest likelihood of happening and pose the greatest threat to the organization.

Mitigating The Risks

When it comes to risk mitigation, there are four paths to follow: transferring the risk, avoiding the risk, reducing the risk, and accepting the risk. For any risk that seems too big for your organization to handle, but which businesses or individuals can help you handle, transfer it to them. This can be done by taking out insurance coverage or outsourcing the relevant roles.

For any risk that is too trivial to have any impact on the organization, it might be best to just accept it by not committing resources to it. If you can handle a risk in-house, look for ways to reduce it. For instance, you can install firewalls to keep hackers away from your internal network.

Lastly, if any risk is too huge for you or any third party to deal with, simply avoid it. These can include risks that may cost too much to mitigate or those whose mitigation would yield relatively small benefits.

Monitoring The Risks

Risk landscapes are ever-dynamic. Today’s risk can easily shift into something else tomorrow, making your current mitigation steps obsolete. Even worse, new risks may come up with time. As such, it is vital to keep an eye on the effectiveness of your current risk control measures and to make changes when they are needed. Ideally, you should have specific individuals in charge of monitoring particular risks to improve accountability.

Risks affect both for-profits and nonprofits. The organizations that manage to co-exist well with their risk landscape are the ones that will go far. If you want to keep your nonprofit sustainable, risk management ought to be an integral part of your daily operations.

The Gist

Risks are a part of every business or organization, including nonprofits. From fraud to regulatory compliance and data security, there are many ways your nonprofit could run into challenges that would stop you from furthering your mission. However, if you prepare for the future and create a risk management program, your organization will be ready for whatever challenges come your way.


About the Author

Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.
