4 Strategies for Proactive Risk Management at Your Nonprofit

When everything is going well at your nonprofit, risk management may not seem like a priority. It’s easy to become comfortable in your organization’s day-to-day practices and relationships without giving a second thought to difficult situations that might come up. However, if those challenges eventually arise, a solid risk management strategy can help your nonprofit recover more quickly.

Many organizations’ risk management plans focus on the steps they’ll take to mitigate problems once they’ve occurred. While mapping out these types of plans is important, you should also focus on taking proactive steps to avoid putting your nonprofit in risky situations in the first place.

To help your organization prevent risks, here are four strategies you can incorporate into your plans:

1. Identify and Prioritize Different Types of Risks
2. Strengthen Your Organization’s Internal Controls
3. Conduct Independent Financial Audits
4. Outsource Some Nonprofit Roles

Let’s get started with an overview of what nonprofit risk is and what types of risks organizations like yours are most likely to face.

1. Identify and Prioritize Different Types of Risks

Jitasa’s risk management guide defines nonprofit risk as “the probability that something bad (damage, injury, liability, loss, etc.) might occur. This might be due to internal circumstances at the organization itself or external factors that pose a greater social risk.”

There are many different types of situations that fall under this definition. Some of the most common nonprofit risks include:

• Cyber security violations. Most nonprofits collect and store data about their donors, campaigns, and finances. Violations of cyber security can leave this data unprotected and expose sensitive information.
• Fraud. There are several types of nonprofit fraud—some intentional and some unintentional. A few common ones include false expense claims, misrepresentation of data on financial statements, and fundraising fraud (in which a scammer impersonates a nonprofit to collect donations under the guise of charity and pockets the money they raise).
• Theft. Although nonprofits are often composed of good, trustworthy individuals, there are still times when someone close to an organization steals its money or technology. This can happen if individuals who haven’t been vetted properly are given access to resources they shouldn’t or if the nonprofit’s internal systems are faulty.
• Compliance. In order to maintain their tax-exempt status, nonprofits are subject to many regulations that for-profit organizations aren’t. Ensuring these guidelines are followed should be part of their risk management plans.

Which of these risks affects your organization most significantly will vary. Conduct an operational analysis in which you identify all potential risks and prioritize them based on which ones are most likely to occur. Then, you can start taking the appropriate steps to prevent those risks.

2. Strengthen Your Organization’s Internal Controls

Internal controls are policies and procedures that nonprofits put in place to help avoid risky situations. While their main purpose is often to address compliance risks, they can also help prevent fraud and theft.

Here are some examples of popular nonprofit internal controls:

• Requiring two signatures on checks over a certain amount. This process helps catch any errors in payments before they’re submitted and ensures no one person at your organization is held responsible if any mistakes fall through the cracks.
• Reconciling bank statements monthly. Comparing the transactions recorded in your nonprofit’s bookkeeping records with those registered in your bank accounts allows you to confirm that all funds are properly accounted for and quickly address any discrepancies.
• Having your board review financial reports. The purpose of your nonprofit’s board is to provide oversight, and they can serve as a second set of eyes on your reports because they operate outside of your finance department.
• Adopting a conflict of interest policy. Outlining the steps for identifying and addressing conflicts of interest helps prevent your board members and leaders from making decisions that prioritize their personal interests over your organization’s needs.

In addition to helping your organization proactively manage risks, internal controls build trust with donors and stakeholders. By ensuring regulatory compliance and fostering reliable reporting practices, your organization can maintain a positive reputation in your community.

3. Conduct Independent Financial Audits

Since nonprofits are subject to different guidelines than for-profit organizations are, their audits also look somewhat different. Nonprofits by definition are exempt from federal taxes, so most nonprofit financial audits are conducted by independent external auditors instead of the IRS.

There are some situations in which conducting audits may be necessary for your organization to avoid compliance risks. To determine whether this is the case, you should check:

• Your nonprofit’s bylaws. Some nonprofit founders stipulate that their organization will need to undergo regular audits to promote financial accountability.
• Your state’s requirements. Many states have a threshold for dollars received annually (usually around $500,000) that triggers an audit requirement for nonprofits operating in that state.
• The amount of federal funding your organization receives. If your nonprofit accepts more than $750,000 from the federal government annually—including federal funding passed through your state government—you’ll need to undergo an audit.
• Grant application requirements. Some grantmakers accept tax returns or other financial statements as proof that your organization will handle funding responsibly if you win their grant. However, others might specifically ask for an audit report.

Even if your nonprofit isn’t required to undergo independent financial audits, conducting one can contribute to proactive risk management. An external auditor can provide an outside perspective on the way your organization handles its finances and recommend areas for improvement—including risk prevention opportunities.

4. Outsource Some Nonprofit Roles

In addition to conducting independent audits, another way for your nonprofit to gain external perspectives on opportunities for proactive risk management is outsourcing certain functions. Outsourced professionals often have experience working with a variety of nonprofits, so they bring expertise and a deep understanding of industry best practices to address your organization’s unique challenges.

There are several nonprofit roles that lend themselves well to outsourcing, including:

• Information technology department. External IT professionals can help your organization implement data security measures and train your staff to recognize and prevent cybersecurity violations.
• Human resources professionals. Consultants and services specializing in nonprofit HR can run your payroll, review your compensation and hiring policies, and ensure compliance with labor laws, among other functions.
• Financial management services. Working with an outsourced nonprofit chief financial officer (CFO) or accountant can provide holistic financial and strategic expertise when it comes to internal controls, audit preparation, reporting, and more.

When hiring any of these outsourced professionals, make sure to vet potential providers carefully. Ask them about their experience with risk management and what safeguards they put in place to ensure a successful partnership.

In addition to encouraging proactive risk management, implementing the above strategies can benefit your nonprofit day to day. When your organization is aware of potential risks, sets a high standard for accountability through internal controls and regular audits, and seeks the expertise of outsourced professionals, you’ll be in a better position financially and operationally.