Risk Management
Now more than ever before, nonprofit leaders must recognize the importance of risk management as an inherent part of organizational oversight and leadership. But what does proper risk management look like, and whose responsibility is it?
Many nonprofit governing bodies (boards) assume that the nonprofit leadership staff have the bases covered. Board involvement is often limited to reacting to flare-ups. Such an approach to risk management is problematic and dangerous for multiple reasons.
The members of leadership staff in a nonprofit are typically consumed with day-to-day operating activities and decisions. They are occupied with the “tyranny of the urgent.” As a result, they frequently do not have or take the time to step back and proactively assess and address risks organization-wide. If that is the case, and the board is operating under the assumption that leadership staff has risk management covered, the nonprofit may be a ticking time bomb.
A Collaborative Approach
A key responsibility for the board is to ensure that the nonprofit maintains an adequate approach to risk management. While the actual conduct of risk management activities is the responsibility of leadership staff under the authority of the president or CEO, the board should evaluate the nonprofit’s risk management strategy. The board has the ultimate responsibility for oversight.
An effective risk management plan is holistic, addressing risk in all aspects of the nonprofit’s activities. The risk management plan should be proactive rather than reactive. It should identify risks before they become liabilities and take appropriate steps to mitigate them. It is an ongoing, recurring process.
The Risk Assessment Process
The board or its appropriate committee should work with the CEO to ensure on an organization-wide basis that:
- Risks are identified and assessed as to likelihood of occurrence and severity.
- Risks are prioritized.
- Leadership staff has determined the extent to which identified risks have been mitigated.
- Appropriate steps are taken to reduce identified risks to acceptable levels.
10 Areas of Risk to Consider
In addressing the nonprofit’s overall risks, some key risk areas warrant attention. They include, but are not limited to, the areas described below. I have provided some brief commentary about each of these areas of risk common to nonprofit organizations today.
Corporate Structure
Many nonprofits operate within one legal entity – typically a not-for-profit corporation. That one corporation typically conducts all of the activities of the nonprofit (including those that have more inherent risk than others). It also owns all of the assets of the nonprofit (real estate, investments, cash, etc.). In today’s litigious society, a nonprofit that owns significant assets, and that conducts risk-generating activities, should consider whether a one-entity legal structure is appropriate for risk mitigation purposes. A nonprofit wishing to avail itself of a multiple-entity structure should do so under the advice of excellent legal and tax counsel with specific experience in this area.
Tax Compliance
Compliance with applicable federal and other tax laws is a critical element of overall risk management. An overview of key tax compliance considerations is provided in Chapter 9 of my book, Nonprofit Finance (Updated First Edition).
General Legal Compliance
Compliance with applicable law is, of course, a fundamentally important element of risk management for a nonprofit. Areas of law for which noncompliance can have significant implications include, but are not limited to:
- Laws addressing the legal manner of governance of the nonprofit
- Compliance with the nonprofit’s own governing documents (articles of incorporation and bylaws)
- Compliance with key contractual agreements
  - Significant vendor contracts
  - Significant customer contracts
  - Significant loan agreements (including financial covenants)
- Human resources (labor, wage, healthcare, and employee benefits laws)
- Healthcare privacy laws
- Data and donor privacy laws
- Copyright law
- Laws governing the handling of donor-restricted funds
- Laws governing investment practices by nonprofit organizations
- Laws governing charitable solicitation and fundraising practices
- Laws governing the reporting of actual or suspected child abuse
- Zoning and land use laws
- Laws governing nondiscrimination in public accommodations
- Building codes
Some law firms offer proactive assessment services. These are sometimes referred to as “legal audits.” They can help identify legal compliance issues that warrant attention.
Child Molestation Risk
For nonprofits that serve children, child molestation risk warrants special attention due to the severity of the damages that can occur. In recent years, an increasing number of high-liability claims have been made against nonprofits due to actual or alleged child molestation. Claims of that type can be devastating not only to the victims but also to a nonprofit and its leadership, both reputationally and financially.
Data Security
Bad guys are continuously inventing new ways to attack and/or obtain sensitive data from people, government, businesses, and nonprofits. Technological capabilities continue to increase. We live in an increasingly connected world, so every nonprofit must consider the security of its sensitive data and employ reasonable steps to protect it.
Insurance Coverages
One significant aspect of risk management includes ensuring that the nonprofit has appropriate insurance coverage for its significant risks. The evaluation of insurance coverage should include consultation with both legal counsel and highly experienced insurance agents. Nonprofits frequently discover during or after a crisis that they don’t have insurance coverages that they thought or assumed they had. Carefully evaluating the adequacy of insurance coverages is a critically important element of overall risk management. More detailed information about important types of insurance coverage to consider is available in Chapter 11 of my book, Nonprofit Finance (Updated First Edition).
Internal Financial Controls
A fundamental element of financial risk management involves ensuring that the nonprofit has an adequate and appropriate internal control structure in place with respect to financial activities. More detail on the topic of internal control is provided in Chapter 7 of my book, Nonprofit Finance (Updated First Edition).
Physical Safety
A risk area of much more prominence today than in the past is that of physical safety. Physical safety risks can arise in many ways, including safety hazards in a nonprofit’s facilities, transportation, and even violent confrontations (workplace violence, active shooters, etc.). Since physical safety risks can take so many different forms, a nonprofit should consider engaging the services of experts to assist them in addressing particular risk areas. Engaging and relying on the advice of experts in particularly high-risk areas can not only reduce physical safety risks but can also help the nonprofit mount a legal defense in the event it is sued by a plaintiff claiming that the nonprofit was negligent.
Leadership Succession
Many well-run and well-governed nonprofits suffer missionally and financially when a talented and charismatic leader retires or otherwise leaves the employment of the nonprofit. When such a departure comes suddenly and unexpectedly, the impact can be particularly severe. A nonprofit’s board must realize that, in many cases, the departure of a gifted leader with no succession plan creates a significant risk for the nonprofit – a risk that warrants attention.
Public Relations
Controversial, adverse, high-profile publicity can be an unexpected and unwelcome guest for any nonprofit. In some cases, circumstances may require the assistance of a public relations (PR) firm. It can be an added element of stress for the nonprofit to have to identify and hire a PR firm in the middle of a crisis. If the nonprofit can proactively identify and establish a good relationship with a PR firm, that firm can jump right in to help in the unfortunate event that a crisis warrants PR assistance.
###
Mike Batts is the managing partner of BMWL. He has more than 30 years of experience serving nonprofit organizations. Mike is a board member and former chairman of the board of ECFA. He advises nonprofit organizations on matters related to board governance, financial oversight, tax compliance and strategy, risk management, corporate structure, international activities, and other related topics. Mike has authored several books. He has also actively engaged in nonprofit legislative matters at the federal and state levels.
Learn more about Outcomes magazine.