Why Nonprofits Need Risk Management

Nonprofits play a significant role in the US economy:

  • In 2013, nonprofit organizations provided 5.4 percent of the US gross domestic product — a total of $905.9 billion.
  • Nonprofits employed approximately 13.5 million paid workers in 2007. Adding the full-time equivalent of volunteer hours, the nonprofit sector employed 18 million full-time equivalent workers, making it “the largest workforce of any US industry – larger than construction, larger than finance and insurance, even larger than retail trade and all of the branches of manufacturing combined.” (Salamon 2012.)
  • Nonprofits comprise half the nation’s hospitals, almost half the institutions of higher education, close to 80 percent of vocational rehabilitation facilities, approximately 80 percent of day cares, almost all operas and orchestras, one out of every five nursing homes, and about one third of private clinics and home health care facilities. (Id.)

Impressive as those figures are, they understate the importance of nonprofits in our communities. Nonprofits often provide essential goods and services for those who are most at risk. They address the needs of those who, because of age, health, socioeconomic status, or power relationships, cannot operate effectively on their own in our economy.

If our economy is an engine, nonprofits are a vital lubricant. Nonprofits reduce friction, helping the otherwise sharp edges of society function more safely and productively.

Nonprofits strive for sustainability, growth, and responsiveness in order to meet their important role in society. Relatively few, however, have adopted one of the most powerful nonprofit tools for improving resilience and agility: risk management.

The Need for Nonprofit Risk Management

Our survey research from nonprofits in many communities across the United States show that few nonprofits have robust risk management strategies. In fact, only about 1/3 of all nonprofits report having formal risk processes in place. That’s a scary number for at least four reasons.

  1. Nonprofits are vulnerable.

As described in the short video below, the nonprofit business model is extremely challenging even in the best of times.

Given a chance, nobody would invest in a business that runs on the nonprofit model. It’s simply too risky. COVID-19 and its aftermath, political and social unrest, racial reckoning, and a host of other issues only compound the difficulties.

  1. Standards around the nation say nonprofits need risk management processes.

Independent Sector speaks of a nonprofit board’s obligation “to review regularly the [nonprofit’s] need for general liability and directors’ and officers’ liability insurance, as well as take other actions necessary to mitigate risks.” (Independent Sector 2015.) The notes accompanying this standard are even more explicit: “board members of a charitable organization are responsible for understanding the major risks to which the organization is exposed, reviewing those risks on a periodic basis, and ensuring that systems have been established to manage them.”

Other organizations agree. The Standards for Excellence Institute, whose benchmarks have been adopted for use in 12 states, similarly states that “[o]rganizations should make every effort to manage risk and periodically assess the need for insurance coverage in light of the organization’s activities and its financial capacity.” (Standards for Excellence 2014.) The Principles and Practices for Florida Nonprofit Excellence (also used by many other states) echo that “[n]onprofits should periodically assess their risks and purchase appropriate levels of insurance to prudently manage their liabilities.”

The District of Columbia Bar specifies that “[e]very nonprofit organization needs to create a risk management plan and review it annually.” (DC Bar 2013.) And the Human Services Council of New York states that nonprofit “boards, in conjunction with staff, must be engaged in risk assessment and implement financial and programmatic reporting systems that enable them to better predict, quantify, understand, and respond appropriately to financial, operational, and administrative risks.” (HSC of New York 2016.)

In short, nonprofits that do not adopt risk management put themselves out of step with best practices.

  1. Risk management standards are tightening because of increased social distrust and unease.

Larger organizations in the private sector have adopted risk management on the heels of 20 years of financial gyrations and allegations of corporate mismanagement. In banking, the Basel II accords, adopted by the Basel Committee on Banking Supervision in 2001, provided banks with specific guidance about operational risk practices, supervision of those practices, and necessary disclosures about risk. (Segal 2009.)

In 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released the Enterprise Risk Management – Integrated Framework, which provided a thorough framework for helping corporate management understand and apply risk management principles. (COSO 2004.)

In 2009, the International Organization for Standardization adopted ISO 31000, which is another framework for dealing with risk management. (ISO 2009.) In 2010, the US Securities Exchange Commission adopted regulations requiring disclosures by publicly traded companies about risk management. (SEC 2010.)

At bottom, this push for risk management and compliance stems from worries about accountability and management of “other people’s money.” Nonprofits also use “other people’s money.” Unsurprisingly, they too have faced greater scrutiny in the wake of scandal:

  • In March 2016, the Wounded Warrior Project fired its CEO and COO after news reports alleged wasteful spending. (Gibbons-Neff 2016.)
  • In January 2016, Goodwill Industries of Toronto declared bankruptcy after facing an “acute cash crunch,” leading its CEO and board of directors to “resign[] en mass.” (Gray 2016.)
  • In late 2014, the largest social services agency in New York, the Federation Employment and Guidance Service (FEGS), failed suddenly, leading to substantial public soul-searching by regulators and observers. (McCambridge 2016.)
  • In January 2020, New York City filed suit against Childrens Community Services alleging a “massive fraud” in the provision of homeless services.

The threat to nonprofits is real. In a 2015 survey, the second highest concentration of employee thefts occurred in the nonprofit sector (trailing only the financial sector). (Hiscox USA 2015.) According to an investigative report published in the Washington Post in 2013, during a five-year period more than 1,000 nonprofits in the United States disclosed in federal filings that they had suffered a “significant diversion” of assets, including “theft, investment fraud, embezzlement and other unauthorized uses of funds.” (Stephens & Flaherty 2013.)

When trust in nonprofits is “sink[ing] to new lows,” nonprofits need to make every step count. That path is fraught with peril.

  1. New technologies create new threats.

Nonprofits are ill-equipped to address emerging cyber issues. In mid 2015, for example, the Utah Food Bank announced that eight percent of its donors (more than 10,000 individuals) may have been impacted by a data breach that exposed donor names, addresses, credit card information, and credit card security codes. (Utah Food Bank 2015.)

Nonprofits have been “slower to adapt to the threat environment and allocate their often scarce resources to cyber preparedness and protection” than for-profit and government entities, despite repeated warnings “to understand the risks posed by cyber breaches and data hacks, to engage their boards and leaders on these issues, and to allocate funds and resources to cybersecurity.” (Bell & Inbar 2015.) An article on the Candid blog Philantopic noted that “more than 50 percent of [nongovernmental organizations] now report they have been targeted by a cyberattack.”

Unfortunately, in an increasingly technologically dependent economy, nonprofits are at a disadvantage. Technology often requires significant capital, and nonprofits do not have the same access to capital resources as their for-profit peers.

The Promise of Nonprofit Risk Management

In the face of these nonprofit challenges, organization leaders might feel overwhelmed or frozen in inaction. Yet standing still is also risky — in fact, the most dangerous act is hesitation in the face of a compelling need for decisive change. Risk management allows an organization to act with increased confidence and resolve, aware of threats and alert to opportunities. In fact, as we will explain in future posts in this series, beginning a risk management process can lead to immediate, significant benefits:

  • Clarity, as the organization gains a better understanding of the range of threats and opportunities it faces.
  • Identification of low-hanging fruit — important threats and opportunities that may be addressed with little expenditure and enormous potential return.
  • Engagement, as team members feel that they are rewarded for speaking up to identify and address risks.
  • Buy-in, as team members develop a greater appreciation of the interrelationship of different functions within the nonprofit.
  • A solid basis for short-term actions, as the process identifies and prioritizes pressing issues.
  • A strong foundation for long-term planning, as the organization will have a greater understanding of the context in which it operates, including its current and potential reach.

If those benefits are achievable even at the outset of a successful nonprofit risk management process, shouldn’t you at least consider that journey?

Nonprofits Build Strength Together (BeST)

Risk Alternatives sponsors and curates an online group for nonprofit leaders who want to build resilient organizations.

To stay informed about this group, called Nonprofits Build Strength Together (BeST), click the button below.