Financial risks may be the most obvious threats to the well-being of not-for-profits, but you need to be aware of other risks as well — from your reputation in the community to your physical property. If you don’t have a comprehensive risk management plan, your organization may be courting danger.
Your risk list
To develop a risk management plan, first identify possible scenarios that could jeopardize your organization, such as:
- Financial losses
- Dishonest staff, donors or grant recipients
- Threats to physical and intangible property
- The unexpected departure of key employees
- Loss of community goodwill
- Revocation of tax-exempt status
To focus on the most likely risks, do some analysis and ask questions. For example, are your funds invested in high-performing but risky securities? Can you be sure board members adhere to your conflict-of-interest policy? Increasingly, cyber security issues threaten all types of organizations, including not-for-profits. Does your staff know how to keep your data safe?
Identify your areas of greatest risk exposure and then determine how you’d act if forces beyond your control challenged them. Your preferred responses should be woven into your organization’s crisis response plan. But it’s also smart to create polices that prevent these potential crises.
Prioritize financial threats
Managing and protecting financial resources is the biggest challenge to not-for-profits, so start building your risk management plan there. Address any acts that could lead to the loss of financial assets — including theft, fraud, misuse of funds, poor investment decisions and inappropriate selection of sponsors and partners.
Then establish policies and procedures to prevent such losses. For instance, by requiring your organization to maintain a certain amount in a cash reserves account, your board can manage the risk of a budget shortfall or financial emergency.
Formal internal controls also are essential. Create and document processes for authorizing transactions, securing assets, and preventing and detecting fraud.
Cover all the bases
Don’t try to develop a risk management policy alone. To ensure you’re covering all the bases, involve your board, managers, insurance company, legal counsel and financial advisors. Depending on the risk, you might also want to talk to staff members and volunteers for a ground-level perspective.
If, for example, your organization serves children, you can’t afford to overlook a single risk. Some measures may seem obvious, such as obtaining liability waivers from parents, conducting criminal background checks on adults who will work with the children, and maintaining up-to-date records of the children’s allergies and medications. But have you considered a photo-taking policy? What about procedures to follow in the event of an accident? Do staff members and volunteers know what to do if they spot a stranger lurking outside your playground?
After you develop a detailed plan to address such risks, communicate it to staff and volunteers and provide training, if necessary. Also keep in mind that risk management is an ongoing process, so your not-for-profit should continually review and revise policies and procedures to address emerging risks.
Insurance also helps not-for-profits offset risk. Aside from general (or commercial general liability) policies, some specialty products are available, including:
- Accident and injury
- Product liability (if your not-for-profit sells anything to the public)
- Directors and officers (D&O)
- Professional liability (malpractice)
An insurance professional can help you decide which policies you need, and provide information about limits, deductibles and cost.
Of course, insurance won’t solve all of your risk issues. Tax-exempt status and fundraising capacity can’t be protected by insurance. And not even the best or most inclusive insurance policy will help you repair damage to your reputation. That’s why you need a complete risk management plan.
Positive Side Effects
The risk assessment process is actually very helpful with increasing the board’s understanding of the organization and helping them focus on what is important. Even long-term board members will learn something new about the organization as the risks are discussed.
Risk management is a complex undertaking. You likely already have some policies and procedures in place, but to ensure you’ve taken steps to mitigate the biggest and most costly risks, consult with your accounting and legal advisors.