Even if you don’t yet have a formal risk management program, you still likely use some forms of risk management.  We refer to these as Foundational Risk Management Elements (FRaMEs) that can help manage risks while you’re considering a more formal risk management program.  Some of these foundational elements are probably already in place at your nonprofit, working behind the scenes to manage risk. 

In this second installment of our series on foundational elements of risk management (our earlier article is here), we review core documents and policies your nonprofit should have in place to provide confidence to stakeholders that your organization takes transparency, accountability, and ethics seriously. While the specifics of Articles of Incorporation, Bylaws, and the Whistleblower, Ethics, Conflict of Interest, and Sexual Harassment Prevention policies may differ depending on the state where you incorporated and other details, all of these documents are intended to set forth clear guidance for employees and board members.  Among other things, the existence of and adherence to these governance documents can help funders of your organization, as well of recipients of your organization’s mission, know there is less risk of issues manifesting around lack of transparency and ethics.

Articles of Incorporation

When you formed your nonprofit, you filed articles of incorporation with your state. These articles defined your organization’s initial mission and composition and are principal accountability materials for your organization.

Impact on Risk Management: You should review your articles of incorporation to ensure that there are no inconsistencies between your current practices and the information you have provided to state officials. If you spot any inconsistencies, talk to a lawyer about whether and how to respond.


Your bylaws are your institutional operating manual. They explain how the organization governs itself.

Impact on Risk Management: Again, you should review your bylaws to ensure that your current operations comply with the written description. Remedy any discrepancies.


Ethics Policy

Your organization may call this a “code of ethics,” “conduct of conduct,” or something similar. By any name, the intent is to provide a clear policy that only the highest ethical standards will be acceptable within your organization. That National Council of Nonprofits gives great guidance on this subject.

Impact on Risk Management: A code of ethics provides comfort for your funders and stakeholders that you are complying with basic ethical standards. It also ensures that employees know the ethical framework in which they are expected to perform their tasks.

Whistleblower Policy

Publicly traded companies (and many privately-owned ones) are required by law to have whistleblower protection. But the law doesn’t apply to nonprofits, and the IRS doesn’t require a whistleblower policy in order for a nonprofit to be tax exempt. So your organization doesn’t need one, right?

Nothing could be further from the truth. The DC Bar Pro Bono Center has a succinct explanation of the value of a written policy, encouraging it for “at least three reasons. 1 Establishing a whistleblower policy is a proactive response to the IRS’s increased interest in good governance policies. 2. Protecting whistleblowers is an essential component of an ethical and open work environment. 3. A written whistleblower policy that is vigorously enforced sends a message to the organization’s board members, managers, employees and volunteers as well as to the IRS and the public that the organization will not tolerate misconduct.”

Impact on Risk Management: A whistleblower policy goes hand in hand with ethics. If you have a whistleblower policy, employees have greater confidence that policing ethical violations will not lead to retaliation. They will be more likely to come forward, thus increasing the chance that potential violations are flagged and addressed before they lead to additional harms. Whistleblower policies also inhibit potential wrongdoers: if they know those who would police misconduct will have a safe and confidential way of raising red flags, they may think twice before acting wrongfully.

Conflict of Interest Policy

While most if not all nonprofits have a conflict of interest policy and are able to respond in the affirmative on the IRS Form 990, is your policy and process the best governance it can be?  If your policy is sitting on a proverbial shelf, it may not be. Once again, the National Council of Nonprofits has some tips and pointers for robust governance that you may want to read to see if your organization is doing all it can to ensure it is free from interests that run counter to the mission.

Impact on Risk Management: Potential conflicts of interest can get nonprofits in substantial trouble — both reputationally and legally. If you don’t have one, adopt one.

Sexual Harassment Avoidance Policy

This is the last in the series of good governance policies we will discuss that mitigate transparency risk.  Sexual harassment in the workplace is a problem for governments, and public and private companies.  Is it any greater risk for nonprofits?  It could be.  Many nonprofits don’t have sufficient size or budget to have any full-time HR staff.  The function may be outsourced, may lie with leadership, or may be spread among many team members.  Does your team know the rules? Is there a clear policy to guide them?  Don’t let an incident be your wake-up call.

Impact on Risk Management: Sexual misconduct is intolerable, and such allegations can hobble a nonprofit. The Nonprofits Insurance Alliance Group has a sample harassment policy. Your Director’s and Officer’s insurer may also have a sample and be willing to provide advice.

Next up in the series:

Employee handbook

Written job descriptions and segregation of job duties

Policy and procedure manuals

Curious and don’t want to wait for the next article to be posted?  Drop us a line at info@riskalts.com or using the form on CONNECT above and we will reach out.


Because we care about nonprofit risks, we provide blog posts like this one to help nonprofits thrive.