No matter what your mission, your nonprofit must protect financial and physical assets, human resources and relationships, and all the intangibles that keep your organization going, such as community goodwill and your reputation. And if you don’t have comprehensive risk control procedures and strong internal controls, you aren’t doing enough to prevent financial and other serious losses.
What are the biggest risks?
Nonprofits are susceptible to risk in every area — from staff hiring and volunteer recruitment to proper spending of donations and investing reserve funds. Risk management is the only way to spot and head off many potential disasters before they happen.
The first step in risk management is to identify potential perils, starting with people — employees, volunteers, donors and clients. Your organization’s assets, including physical property and such financial assets as cash and investments, are another major area of risk. And don’t forget your goodwill with donors, volunteers, clients and the community, or the activities that allow you to generate revenue and raise funds. Finally, as the IRS increases its scrutiny of nonprofits, remember that your tax-exempt status is always potentially at risk.
How is your organization special?
Those are general risks, but your nonprofit also likely has specific ones. For example, your budget may rely heavily on the success of an annual fundraising event or clients may use your services primarily because of your association with other local nonprofits.
Identify the one or two strengths that define your reputation in the community. Then ask: What would we do if forces beyond our control challenged them? Could we develop new funding sources or continue at a new location?
What’s the plan?
After you’ve identified the risks that create the greatest challenge to achieving your mission, develop a risk management strategy that suits your organization. If yours is like most nonprofits, managing and protecting financial resources is a major concern. So address any acts that could contribute to the loss of financial assets by establishing management and accounting controls. In general, the biggest threats to financial assets are theft or fraud; misuse of funds by not following the donor’s restrictions; poor investment decisions; and inappropriate selection of partners and affiliates.
Your internal controls should address proper oversight by senior management and board members, authorization and transaction documentation, the physical security of assets and early fraud detection.
To develop risk reduction policies and internal controls, appoint a team that includes management, board members, various program managers and outside financial and legal advisors. For the most critical risks, the team should create procedures to avoid them completely, modify your nonprofit’s exposure to them or, in a worst-case scenario, recover from them.
If, for example, you determine that your IT network is at risk for hacking, you might decide to:
- Consult with an IT security expert;
- Upgrade software and equipment;
- Limit the number of staff members with network access; and
- Begin storing data offsite.
Remember that risk management is an ongoing process, so the team must continually review procedures and address emerging risks.
Who can help?
Risk management is one of the major challenges of running a nonprofit — but you don’t have to do it alone. Contact MFA’s Nonprofit Team today to learn more.