It’s a big world out there. As a nonprofit, there are plenty of opportunities to take and tough decisions to make. But with everything you do, there’s some amount of risk that comes with it. It can be hard to know where you’re vulnerable and which bases you forgot to cover. That’s where we come in. Risk management is something that needs to be a priority for nonprofit and for-profit businesses alike―especially today.
What do we mean by “risk management”?
The Alliance for Nonprofit Management defines risk management as, “[…] a discipline for dealing with the possibility that some future event will cause harm. It provides strategies, techniques, and an approach to recognizing and confronting any threat faced by an organization in fulfilling its mission.”
It’s a defined, routine commitment to gather, evaluate and respond to threats and opportunities.
Now, this could mean a bunch of different things. For nonprofits, it may mean assessing finances, screening volunteers, reducing liability, training employees, or increasing cybersecurity.
Why do you need it?
Nonprofit and for-profit businesses have to account for a lot of the same risks, but nonprofits have to cover some levels of protection that for-profits don’t. The responsibility to protect donors’ contributions of time and money is even harder to control under a constrained budget. There are plenty of things that could cause potential issues for a nonprofit. I’ll just name a few.
- Fundraising fraud: It’s a possibility that people could use your brand and logo to create a fake event or cause and keep the profits for themselves. This not only harms you but also your donors. Their money would be gone when they expected to be giving it to a trusted organization. You risk losing your donors’ trust, and you could be held liable for their losses.
- Theft: The fear of being stolen from is relevant for both nonprofits and for-profits. It could be from anyone―clients, third-party vendors or employees. For any small organization, any lost dollars are a big deal and can make a huge impact on its ability to function day-to-day.
- Regulatory compliance: Nonprofits have to make sure they’re following the regulations set by the IRS in order to maintain their tax-exempt status. They have to demonstrate that they’re using funds for a charitable cause and not for any personal, financial or political gain. Risk management can help to double-check that your organization is in the clear.
- Data security: For too many nonprofits, cybersecurity isn’t a priority. Over half of the nonprofits―55 percent―surveyed in the November 2018 “State of Nonprofit Cybersecurity” report have created a policy to guide their approach to the risk of cybersecurity, but nearly 39 percent don’t have any policy and 6 percent said they didn’t know if they did or not. Data breaches are an unfortunate, but very real, concern of running a business today. In order to keep your donor data safe from online threats, it’s important for your organization to have at least some protection.
Risk management is also essential because it helps nonprofits to understand the threats and opportunities that they’re facing and then prioritize the issues. From there, organizations have the tools and information they need to make a plan going forward. It’s also super helpful for seeing where your organization is at in terms of your performance and sustainability for the future.
The growing need for cybersecurity
As a nonprofit, you don’t want to make the mistake of thinking of cybercrime as a “what if” risk: meaning you might think you don’t need to prepare for it because it’s so unlikely. But trust us, the risk is real. It’s about time to get serious about cybersecurity. If you do any of these with your organization, it’s time you start developing a plan to prevent risks:
- Conducting e-commerce: processing donations or event registrations
- Storing and transferring “personally identifiable information.” This can mean employee records or personal information about your donors.
- Collecting information about the habits of donors, patrons, newsletter subscribers and volunteers.
Many nonprofits store information that’s protected by law as confidential. If that information gets breached, it harms the people whose data was stolen, and the nonprofit organization could also face liability for the breach.
Where to start:
Do a risk assessment. You can start by taking an inventory of all the data that your nonprofit collects and making sure you know where it’s stored. The Nonprofit Technology Network has a template assessment tool to make it easy to organize your info.
Make sure you understand your context by gathering your current strategic plans and mission statements so that you and your team know where your organization stands and where it’s going. This will make it easier to set goals and to create a timeline for where you want your organization to end up. Having an effective risk management strategy isn’t something you can just throw together in one meeting. It takes time to develop something that works well for you.
So to summarize: Identify the risks, prioritize the issues, respond to the problems, then assess and improve your approach.
Resources to get you started
A big reason many nonprofits aren’t protected from risks is simply that they don’t have the funds or resources to do it. For a small, struggling nonprofit, there are more pressing issues―like staying afloat for another year. Ideally, you would be able to hire someone to assess your risks and prevent issues like data breaches. But there are other ways to protect your information without breaking the bank.
There are plenty of free resources online to help guide your plan and implementation. Here are a few helpful articles:
- Cybersecurity for Nonprofits – National Council of Nonprofits
- Call for Nonprofit Risk Management – Stanford Social Innovation Review
- Embracing ERM in Your Nonprofit – Nonprofit Risk Management Center
- Essential Policies to Have in Place at Your Nonprofit – Church Mutual Insurance Company
Each organization is different, so some tools will work better than others for you. Here’s a small list of programs you could consider to protect your data.
- Risk Management Tools – Capterra