
A large institution that provides hundreds of millions of dollars in grants every year shared a secret with me.
They would be reevaluating nearly 1,000 recurring grants to determine whether their nonprofit recipients were fiscally and operationally sound enough to carry out their intended impact. In other words, nonprofits that have been counting on a large grant year after year might get nothing very soon.
True story. And yikes.
It’s challenges like these that can be avoided with a risk management program.
Here’s the rub: nonprofits that deploy strong risk management programs are better poised to deliver impact and therefore are more likely to receive more needed grant money. However, nonprofits that don’t examine the potential risks to the organization leave themselves exposed to failed programs, losses in grants and even full collapse. These weaker nonprofits often have boards and staff loath to acknowledge that their programs could fail lest it scare away prospective donors and partners. Yet failure numbers are stark: The National Center for Charitable Statistics estimates that 30% of nonprofits do not show financial activity 10 years after filing for tax-exempt status.
The Case for Nonprofit Risk Management
With grantors tightening their belts, nonprofits should be scrutinizing their finances and operations NOW. Nonprofit reserves and endowments are not designed to sustain a nonprofit continually under threat of financial collapse like the challenges we’ve seen over the last three years, even if those funds are managed expertly.
When nonprofits are exposed to excessive operational risk—the likelihood of a process breakdown at the organization—nonprofit reserves are tapped at a higher rate to fund the cost. Donors then become increasingly concerned about the ability of nonprofits to deliver on their mission.
Nonprofits that implement a risk management program can demonstrate to potential donors that they take financial and operational governance seriously. Let’s put it this way: you don’t want donors and grantors to figure out your nonprofit’s risks and failings before leadership does.
But let’s back up. What is “risk” actually?
The textbook definition of Risk is an unintended, unexpected or unwanted event or condition with a specific likelihood of occurrence that impedes a target objective. In other words, a bad thing that could wreck a mission.
What are examples of risks that nonprofits could be exposed to?
- Big donor walks away
- Lawsuit
- Staff injury
- Hacker breaches systems
- Confidential data made public
- Key staff member resigns
- Egregious program error
… to name but a few.
To embark on a nonprofit risk management program, we recommend a basic 3-step process for nonprofits of all sizes to show donors and grantors that the organization is thinking about potential challenges around the corner.
- Identify potential risks that could threaten the operations of the organization,
- Prioritize risks by severity, likelihood and their ability to be detected before the risk has an effect and
- Monitor and Control key risks to prevent or limit effects.
Step 1: Identify Risks
Merely documenting the potential challenges a nonprofit faces to achieve its goals could put the organization in a stronger position. Examples include recognizing that a new impact might divert needed funds away from core programs, or that recruiting a large board in an effort to boost donations would also lead to reduced board participation and accountability.
There are a few principles to follow when brainstorming risks to ensure a broad set of risk scenarios.
- Conduct the session in a group environment to limit individual bias.
- Ensure independent and diverse perspectives across staff and board members.
- Allow for a generous number of risks across a broad set of categories.
- Be specific about the impact each risk will have on your organization.
The Fishbone Diagram, or Ishikawa, is a powerful tool for uncovering problems and sorting them into valuable categories. Named after Dr. Kaoru Ishikawa, an engineering professor at the University of Japan, the Fishbone Diagram helps organizations understand potential failures or weaknesses in a visually effective way.
A Fishbone is created by showing 1) a potential organizational failure at the diagram’s fish head, 2) major causes of the failure as ribs of the fish and 3) root-causes as tiny bones shooting off the ribs. Below is a simple example of a Fishbone Diagram in action using risk categories from the Community Resource Exchange’s Fitness Test (CREFT).
Any nonprofit risk brainstorming exercise can be customized to the organization’s operating style and culture. For organizations that are large and complex, where a great deal of input is required, nonprofit risk brainstorming can be completed at the departmental level, with results collected and compiled over time. Smaller organizations can complete a Fishbone together during a one-time interactive workshop.
Step 2: Prioritize Risks
After identifying a broad set of risks, the inclination will be to mitigate everything. But that would go against the principles of risk management. Preventing every risk is costly, distracting and virtually impossible. Prioritization focuses risk mitigation on mission critical activities. Two key risk factors should guide your assessment.
- Severity of the risk impact, which is often measured in dollar terms, but can be assessed with respect to reputation or legal impact.
- Likelihood of the risk having an effect, i.e., the chance of occurrence within a month, year or longer.
Information about the individual risks informs how severe or likely the effects of a nonprofit risk incident could potentially be. This information can be hard data (e.g., donor records, response time, number of errors, foot traffic, etc.) or it can be anecdotal evidence, based on the experience of staff, board members, partners and sometimes customers. Most importantly, the more information an organization can obtain about its risks, the more easily it can assess Severity and Likelihood to prioritize those risks. With those assessments complete, we now only need to analyze the risks to see which ones stand out.
Ranking risks by each of these factors doesn’t require deep pockets or specialized knowledge. A simple High/Medium/Low scoring system and a bit of objectivity can be sufficient for a nonprofit new to risk management.
One easy mechanism to prioritize risks is to plot them against a matrix with Likelihood along the bottom of the chart (called the “x-axis”) from “Rare” to “Certain” and Severity along the left side of the chart (called the “y-axis”) from “Insignificant” to “Catastrophic”.
Risks that land in the red area of the plot—indicated with a #1—should be addressed first. These are risks that are potentially severe AND have a high likelihood of occurring if nothing is done to limit or prevent the resulting damage. For example, organizations with one major donor that props up the organization are highly likely to be left with a significant funding gap.
Risks that land in the amber area of the plot—indicated with #2—are next to be considered. These risks are either potentially severe with a lower chance of occurring, or have a smaller financial or operational impact but are very likely to occur.
By separating risks in this way, the organization can take a planned and deliberate approach to managing risks without having to guess what makes the most sense from a financial, time or mission perspective.
Step 3: Monitor and Control Risks
Now this is where the rubber hits the nonprofit risk road!
A risk management program is toothless without implementing plans to either prevent or limit the effects of risks. Solutions to protect the organization from loss will be unique to the nonprofit, but every nonprofit should be asking these four questions to fully implement a risk management program.
- What information do we receive before the risk has an impact on the organization?
- Are we able to react to this information? If so,
  - what action can be taken to limit the cost of impact?
  - what action can be taken to prevent impact?
  - can we buy insurance to cover this risk?
- If we can prevent or limit nonprofit risk incidents, how much does it cost?
- How does the cost of control (i.e. dollars, staff, other resources) compare to the cost of doing nothing?
Risk Management allows nonprofits to deliver impact.
Implementing a few strong controls to mitigate the most significant risks allows nonprofits to focus on what is most important: delivering impact. Large and small organizations implementing programs to limit the downside effects of risk are leaders in their fields. These leaders can expand with less threat to their existing programs and budgets. They demonstrate strong governance to donors, grantors and board members. Not only does risk management save organizations in the face of crisis, it allows philanthropy to thrive, enriching and aiding the communities that need it.

Fairlight Advisors
