High-profile nonprofit failures and scandals have increased scrutiny of the nonprofit sector in recent years. In late 2014, the largest social services agency in New York, the Federation Employment and Guidance Service, suddenly closed due to financial mismanagement. In January 2016, Goodwill Industries of Toronto declared bankruptcy, leading its CEO and board of directors to resign. And in March, the Wounded Warrior Project fired its CEO and COO after reports of wasteful spending.
According to a 2013 investigative report from the The Washington Post, between 2008 and 2012, more than 1,000 major US nonprofits disclosed in federal filings that they had suffered a “significant diversion” of assets from internal wrongdoing.
It’s no secret that nonprofits are ill-equipped to address risk. In 2015, for example, the Utah Food Bank announced that a data breach exposing donor names, addresses, credit card information, and security codes may have impacted eight percent of its donors. Technology often requires significant capital, and nonprofits do not have the same access to capital resources as their for-profit peers.
As with the Sarbanes-Oxley Act of 2002, which ushered in regulations to enhance corporate responsibility and combat fraud, leading organizations committed to nonprofit advancement have begun to emphasize that nonprofit risk management—a defined, routine commitment to gather, evaluate, and respond to threats and opportunities—is a nonprofit duty. Some examples:
The call for nonprofit risk management is clear. But although nonprofits are increasingly aware of the need to adopt risk management, there’s still little guidance about when and how they should adopt such a program, or what it should look like in its early stages. Having trained and counseled large and small organizations for more than 25 years, I now work with nonprofits to use risk management principles to enhance sustainability. Based on this work, I urge the following basic approach.
When to Start
During the “idea” and “start-up” stages of a nonprofit’s lifecycle, when the focus is on viability, risk management programs are not cost-effective. If founders focus on process—even a virtuous one like risk management—it diverts resources from critical early-stage efforts. It can also undermine the experimentation and “creative destruction” that fuels early-stage nonprofits. At the beginning, risk management will likely begin and end with insurance, which can shift some of the responsibility to a third party and provide some safety net for many potential exposures.
Toward the end of the start-up phase, however, nonprofits reach distinct milestones. They begin to undergo regular independent audits to attract and retain high-quality donors. They consider whether to engage in strategic planning. They face the challenges of expanding the board of directors’ skill set (from “working” to “governance”), formalizing job responsibilities, and adopting policies and procedures throughout the organization. At this juncture, which marks a transition toward the “growth” phase of the nonprofit lifecycle, developing a risk management process becomes essential for at least five reasons:
- Priorities: Organizations can’t understand their true priorities until they understand the negative risks (threats) and positive risks (opportunities) they face throughout the organization.
- Planning: Nonprofits can’t effectively engage in strategic planning until they understand the risks they face.
- Performance: Organizations need donors to trust that they’re exercising effective stewardship over funding resources.
- Sustainability: Although nonprofits may focus on services to current users, during the growth phase, they become increasingly aware of the need to provide service to recipients into the future.
- Insurance Insufficient: Insurance, which merely shifts the impact of defined risks to others, fails to provide any early warning or practical response mechanisms for emerging threats and opportunities.
How to Start
These steps can help nonprofits make risk management a standard operating procedure:
Understand context. Gather together current strategic and operational plans, and mission and value statements so that everyone involved in implementation can clearly assess where the organization stands, what it stands for, and what it wants to accomplish. These documents may change after exposure to the risk management process, but they can help frame priorities.
Develop a timeline and set goals. An effective risk management program isn’t something organizations adopt overnight. Nonprofit should develop a phased, deliberate process with metrics to measure success. Year one may focus on training a core senior management group, year two on building out risk management capacity on the board, and year three on training for line personnel.
Perform a risk inventory. Nonprofits should survey threats and opportunities across all functions of the organization (see below).
Senior staff, one or more “line” personnel, and possibly one or more board members and/or stakeholders should take part in this initial risk inventory. Line personnel help senior staff avoid groupthink and tunnel vision, and provide additional insight into how the organization is performing its work on a daily basis.
Create and use a risk register. Nonprofits should engage in prioritization exercises to rank identified risks, then gather them in a “risk register”—a prioritized punch list of threats and opportunities that describes who within the organization “owns” any given risk, what responses are they are applying, and when the organization should follow up. That risk register should become a standard agenda item in staff meetings to focus staff on the most pressing, high-value issues facing the organization.
Implement a risk cycle. After identifying and prioritizing risks, the third step is to proactively respond to them. Responding includes researching and measuring emerging issues, mitigating threats, developing opportunities using pilot programs (for example, beginning a new programmatic initiative or modifying a current program to see whether results improve), and declaring certain activities off-limits (through policies and procedures, and documented processes). The fourth step involves periodic evaluation of those responses to see what works, what needs improvement, and what else can be done. And then—critically—a risk cycle requires looping back through the process perpetually to institutionalize a culture of learning, improvement, agility, and responsiveness.
Seek funder support. The Human Services Council of New York has noted, “Private and governmental funders should help build [nonprofits’] capacity to [to perform risk management] by facilitating access by nonprofit staff and board members to professional development, technical assistance, and coaching.” Funders are increasingly receptive to the important role of risk management in nonprofit sustainability. Ultimately, it’s in funders' interests to ensure that grantees are spending money with an eye toward long-term resilience and stability.
Increase sophistication incrementally. After implementing basic risk management tools, nonprofit teams can consider ways to improve effectiveness. This could include:
- Developing staff positions dedicated to risk management, process improvement, and quality assurance within the organization
- Improving data gathering processes to better inform decisions
- Improving prioritization processes by training personnel to more effectively estimate the likelihood and effect of potential events
- Increasing the sophistication of modeling the potential financial impacts of different scenarios
Expense and Competing Priorities
Nonprofits may argue that risk management costs too much—but a single liability incident can easily cost tens of thousands of dollars, not to mention reputational damage and staff distraction. A nonprofit with a $1 million budget should be willing to allocate one or two percent of that budget to initial risk management efforts. Starting the process above doesn’t require substantial budget outlays, and efforts can grow or change over time.
Others may argue that risk management isn’t a priority, but unless organizations perform a risk inventory, they can’t really assess their true priorities. Effective stewardship demands reality-based decision-making, and that requires risk management.
An effective risk management program can provide reasonable assurance that an organization remains agile and responsive in the face of uncertainties. It’s unsurprising, therefore, that risk management is an emerging nonprofit best practice. Indeed, as in the for-profit sector, where publicly traded organizations are increasingly held to account for their risks, an effective risk management program will soon become a minimal criterion for nonprofit credibility in the marketplace.