How To Handle Risk Management for Your Nonprofit


Risks expose us to the potential for serious injury or loss. Accidents have no bounds, happening to anyone or anything — including your nonprofit.

Most catastrophes start with a problematic choice, or at least a protocol that does not emphasize prevention and mitigation. With so much on the line, you must formulate risk management policies so that you can stay on top of any threats to your nonprofit’s bookkeeping and other sensitive areas. 

Let’s go!


What Is Nonprofit Risk Management?

Risk management is one of the most important tools you have to maintain stability within your organization. It allows you to put the right measures in place to protect yourself against everything from legal liabilities to natural disasters. When you implement the right policies, you can prevent catastrophes from happening or, at the very least, know how to handle them when they arise.


Who Is in Charge of Risk Management?

Risk management is every board and staff member’s responsibility. No one person should solely be responsible for your risk management policy. Each group should have a different role to play. For example, staff and board members may:

  • Manage the distribution of office keys and explain the rules for their use

  • Complete monthly building security checks 

  • Maintain a log for volunteers and other visitors 


What Are the Most Common Risks for Nonprofits?

There are a few risks that tend to come along with running a nonprofit. These include: 

  • Fundraising fraud. Someone can easily copy your logo or brand onto a shirt or website. Unsuspecting donors may then donate to them. At best, this can result in patrons losing trust in your organization. At worst, you can be held legally liable. 

  • Natural disasters. Your organization needs a plan of action for any climate hazards relevant to the area in which your nonprofit resides or conducts business. 

  • Theft. Unfortunately, many nonprofits are at a high risk of theft. They are so focused on helping their beneficiaries that they do not realize that others do not have the same good intentions. Just like a storefront on a busy city street, your nonprofit needs to put preventative and protective procedures in place. 

  • Data leaks. Data breaches happen in every industry. With the proper data security, you can avoid leaking sensitive information about your nonprofit’s operations, employees, and beneficiaries.

  • Accounting noncompliance. Nonprofits have specific bookkeeping rules that they have to follow. Your organization should conduct regular assessments, generally in the form of audits, to ensure that it remains in compliance with generally accepted accounting principles (GAAP). 


How To Identify Potential Risks for Your Nonprofit

Spend some time brainstorming what challenging circumstances your organization could experience. This is called a nonprofit risk assessment. Start by evaluating: 

  • The security of your organization’s headquarters. Complete a security check of this building. Does every door have a working lock? Who has access to the keys? Is there a protocol for getting a key? Are there specific hours in which only certain people can access the building?

  • Your organization’s financial health. Meet with your accountant or treasurer to ensure that your organization is financially well. Consider your nonprofit budget process, including your program budget and your operating budget. Do you need to start using nonprofit budgeting software or bookkeeping services to manage your finances? Or, will a nonprofit budget template do the trick?

  • Who has access to your means of spending. Identify who has access to all of your organization’s credit cards, debit cards, and bank accounts. What safety protocols are in place to ensure only people who are authorized to use them can?

  • Your organization’s data security. Check your website and passwords. Are you using a trusted website builder? Are your passwords stored in a secure digital vault? Are your passwords different enough from each other that a hacker could not access all of your accounts with just one password?

Now, take a look at any previous incidents that threatened your organization’s wellbeing. Consider what steps you took to address each issue and how well that action plan worked. During this evaluation:

  • Define success: Define what your organization sees as risk management success. Since there is no way to completely avoid all risks, maybe that just means you contained the damage that a catastrophe caused.

  • Define failure: You also need to define what would qualify as a failure. Failure may have cost your organization in the past, but analyzing what went wrong can prevent this in the future. 

  • Address recurring situations: If an issue has plagued your organization more than once, this is a red flag. Getting to the root cause of this issue should be your priority so that you can strengthen your risk management policy to prevent it in the future.


How To Rank Your Risks

Now that you know what risks to look out for, it is time to rank these risks. Here are a few factors that you should take into consideration as you sit down to tackle this task: 

  • The likelihood that an event will occur

  • The financial costs associated with it

  • The potential for injury or loss

  • The extent of the injury or loss

  • When and how often you encounter it

  • The potential effects on your reputation

Based on these factors, rank your potential risks from most important to least important. Keep these ratings in mind as you are determining how detailed to get about them in your risk management policy.

Pro Tip: Hire the Nonprofit Risk Management Center (NRMC) or another consulting firm to complete a risk assessment of your internal controls. They are experts at discovering potential issues and ranking them. The cost to hire a professional can far outweigh the cost of putting your organization at risk. 


What To Include in Your Risk Management Policy

Your risk management policy should address the risks that your nonprofit is exposed to at this very moment. However, you do not have to start completely anew. If you have a current policy, now is the time to pull it out for revisions.

If you do not have a risk management policy already, read through your risk assessment. For each potential risk you have identified, include three sections:

  • The procedures to put in place to prevent or minimize this risk

  • The timeline to follow if this risk happens

  • Case examples of what this risk looks like

When you are finished creating your risk management policy, draft a shortened version of it in the form of an easy-to-read guide. Have this guide approved by the board of directors and discussed at the next all-hands meeting so that everyone is on the same page about how to prevent, minimize, and handle risky situations. 

But do not stop there! Regularly revisit your risk management resources as new risks arise or old risks become obsolete. At the very least, set up a quarterly meeting with the leadership team to walk through the policy and determine if it needs changes.

Pro Tip: The NRMC and other organizations and companies offer risk management templates to help you get started. These templates can provide you with a framework for your nonprofit’s risk management strategies and priorities.


Final Thoughts

Risk management is one of the most important ways to protect your nonprofit. By identifying risks and ranking them, you can cut the guesswork out of handling unforeseen events.

While it is impossible to avoid all risks, a risk management policy provides a clear process for moving forward when they become a reality. This safeguards your organization, allowing for continued growth and success. 



💡 What is nonprofit risk management?

Nonprofit risk management is the process your organization has in place for handling harmful situations that may arise.

🔑 What are the most common risks for a nonprofit?

Nonprofits often have the same risks as businesses, including fraud, natural disasters, theft, and cybersecurity.

📝 Who is in charge of risk management in a nonprofit?

Risk management is the role and responsibility of a combination of people. Depending on your policy, this can include employees, board members, and executives.

