All organizations face risks, but when bad things happen to not-for-profits the consequences can be especially devastating – though the loss of public trust and goodwill, if not financially.
Because not-for-profits may have even more to lose than for-profit entities, their executive directors and boards must make risk management a priority. Good practices in this area signify an organization’s commitment to responsible operation.
A risk can be anything the might occur that could jeopardize a not-for-profit’s tangible and intangible assets and threaten its ability to achieve its mission. Risks usually fall into one of the following categories:
People – Will employees, volunteers or clientele be harmed or cause harm?
Property – What are the risks to facilities equipment, proprietary information or intellectual property?
Income – What is the likelihood of losing significant revenue from grants, contributions or other income?
Reputation and stature – What might tarnish the organization’s public image or endanger its tax-exempt status?
Some examples of misfortune that could befall a not-for-profit include:
- A volunteer bus driver under the influence of drugs has an accident while transporting children,
- A fire breaks out in an organization’s office, destroying valuable equipment and records, or
- Workers file a lawsuit alleging they were wrongly denied overtime pay.
Because risks can arise in so many areas and without warning, planning for them can be difficult. But in its simplest form, risk management revolves around three basic questions:
- What can go wrong?
- What can we do to lessen the possibility that something will go wrong?
- How can we protect ourselves legally and financially if something bad does happen?
Effective risk management begins with recognizing that not all risks are equal. Some risks, such as employment-related claims or fraud committed by an employee, are always a possibility, but most organizations also have certain vulnerabilities related to the nature and scope of their work.
Identifying organizational risks requires input from staff, volunteers and outside advisors, such as lawyers and accountants. For instance, the volunteer coordinator could help identify volunteer-related risks, and an auditor might evaluate adequacy of the organization’s internal controls.
Not only is this approach logical – those working in the operational areas being reviewed have the best vantage point for spotting risks – but it helps build buy-in for any later recommendations.
Although many people contribute their insights, an individual or small group – often a risk management committee – should take the lead in developing a plan to manage risks. The committee might include volunteers, employees and possibly an outside advisor.
The process of evaluating and ranking risks then begins. The goal should be to focus first on probable risks with the potential for the greatest negative impact. For instance, an organization that relies heavily on volunteers to drive services to children would concentrate much of its risk prevention efforts on properly screening volunteers.
As you evaluate risks, review your policies and procedures and develop or revise them to reduce high-priority risks. For instance, an organization might add an extra layer of protection to the process of screening volunteers to take steps to improve documentation in this area. Some activities may even be deemed too risky to continue, such as field trips for children to a community pool.
During your review, document everything, such as policies pertaining to personnel, conflicts-of-interest, Internet usage, financial management and internal controls.
Many organizations make the mistake of assuming that having high ethical standards eliminates the need for written policies, but policies are the backbone of any compliance or risk management plan. They also play a role in training and educating staff members and volunteers.
Organizations should continually monitor their risk management practices to see how well they’re working with a comprehensive review annually, if possible. Key performance indicators can be established to function as an early warning system.
In the financial area, for instance, an indicator might be a budget overrun. To address this, review the monthly budget each time it is exceeded, to identify the reason for the overrun and evaluate the importance of the underlying problem. Another precaution might be to monitor volunteer and staff turnover quarterly, to detect personnel problems requiring attention.
Even with sound practices in place, not-for-profits should still prepare for worst-case scenarios. In addition to general liability insurance, directors’ and officers’ insurance is often used to enhance protection.
Business continuity planning also plays an important role in preparing for unforeseen events that could jeopardize the ability to maintain normal operations.
An Effective Program
A risk management program doesn’t have to be elaborate to be effective. Its complexity should reflect a not-for-profit’s specific risks and the resources available to minimize them. What’s critical is that organizations make time to identify probable risk, use a system to evaluate and rank them, and put strategies into place to lessen them.