Ed Fahey, CPA, Audit Stockholder and President of RINA in the San Francisco office.
Edward Fahey, CPA / Partner

A Look at Not-for-profit Risk Management



Every industry has its own specific risks, including the not-for-profit sector.
Managing Risk

While adequate insurance, such as directors and officers liability or property and casualty coverage, is essential to managing risk, an organization must also assess activities that, if mismanaged, might get in the way of its mission.
Managing risk for a not-for-profit organization often includes three broad areas:

  1. Money
  2. People
  3. Reputation

1. Money

Fundraising—as well as fund management—is a big risk focus for not-for-profits. The laws governing solicitation are complex and require detailed record keeping. In addition, when in-person fundraising events return, they should be led by an event director supported by a dedicated committee to review safety, logistics, communication, and coordination. Also, the committee should evaluate the need for special event insurance.
For financial management, internal controls, including separation of duties, should be in place to adequately control the risk of fraud and waste. Budgets prepared by staff or partners with strong financial backgrounds will provide an accurate picture of the organization’s financial risk, and an internal controls study can highlight areas of concern regarding fraud.

2. People

Volunteers are the backbone of not-for-profit organizations. But they all should meet certain criteria clearly communicated through policy.
Volunteer education is also important. Volunteers should be onboarded with some form of mandatory training.
Effective not-for-profit organizations must regularly review and update employment policies, job descriptions, performance evaluations, employee handbooks, and whistle-blower protection policies. They must also update employee screening standards for both paid and volunteer staff.

3. Reputation

A strong reputation improves demand for services, volunteer and donor support, and options for partnering.
To reduce reputational risk, leaders must create and maintain open and trusted communications with all constituents and staff. If a reputation-damaging event does occur, a well-prepared crisis management plan and public relations partner can help mitigate risk after the fact.
Potential Points of Risk for Not-for-Profits
Keeping in mind the three broad areas of risk, a not-for-profit should analyze these components for potential problems:

  • Corporate structure (e.g., whether the organization’s activities and assets should all be in one legal entity or perhaps separated to protect from excessive liability)
  • Governing documents (e.g., whether the articles of incorporation and bylaws contain all appropriate provisions and whether the organization’s actual governance practices conform to the governing documents)
  • Data security (data breaches are an unfortunate, but very real, concern for any organization operating today, so it’s important for your organization to have protection)
  • Policies and policy manuals
  • Tax-exempt status and compliance
  • Financial condition and financial controls
  • Insurance coverage
  • Human resources
  • Child molestation (for organizations that serve children)
  • Key operational areas
  • Public relations
  • Physical safety
  • Leadership succession

The Risk Management Plan

To keep on top of potential pitfalls, an organization needs to develop and regularly update its risk management plan. A risk management plan simply details the not-for-profit’s risk profile and mitigation strategies.
An effective risk management plan is one that addresses risk in all aspects of the organization’s activities. The risk management plan should also be proactive rather than reactive – identifying risks before they become liabilities and taking appropriate steps to lessen them.
While the actual conduct of risk management activities is the responsibility of management under the authority of the CEO, the board should evaluate the organization’s risk management strategy since the board has ultimate responsibility for oversight.
The board should work with the CEO to ensure that:

  • Risks are identified and assessed as to likelihood of occurrence and severity
  • Risks are prioritized
  • Management has determined the extent to which identified risks have been dealt with
  • Appropriate steps are taken to reduce identified risks to acceptable levels.

Reducing risk by implementing preventive measures is, of course, different from insuring against such risks. In addition to overseeing the adequacy of risk mitigation, the board should ensure that the organization maintains adequate insurance coverage with respect to applicable risk areas.

Risk management is a team effort that requires ongoing communication and collaboration between the board members, management, and staff.
Risk management initiatives are essential because they help organizations understand the threats and opportunities that they’re facing. The organization can then prioritize the issues, create a plan, and move forward.
Take the steps:

  • Identify the risks
  • Prioritize the issues
  • Make a plan
  • Respond to the problems
  • Assess and improve your approach

Make risk management a priority in your organization today, before the “risks” become tomorrow’s unfortunate “realities.”
