12.05.2023 | Linda J. Rosenthal, JD
Nonprofits & Risk Management: Attitude Adjustment Advice
In What’s Next After the Tax Exemption Letter? we noted that there’s lots of information available about how to start a nonprofit and get the all-important “determination letter” from the IRS awarding federal tax exemption.
But what happens then? There is much less advice and direction about how to get from Point A, the formation stage, to Point B, the time when the group can and should start its program activities.
First up is learning about applicable fundraising laws and rules, followed by setting up an initial budgeting and accounting system, and then considering initial staffing needs (beyond the founders) as well as office or program space.
This is also a good time for the board of directors to discuss adopting additional written corporate policies related to governance, finance, compensation, conflicts of interest, and employees.
See, for instance, “Written Governance Policies: Which Ones Should Nonprofits Have?” and “When the Revenue Agent Comes Calling.”
That second article is a good segway into the topic at hand: It’s never too early to start thinking about risk management. What are the possible risks that a nonprofit should want to prevent – or at least minimize – and also insure against. Taking a quick peek at some of our other, earlier, posts should give a fair idea of the types of perils a nonprofit can face.
Start with Nonprofit Insurance Needs: Common Risks and then jump over to Charity Embezzlement: Thwart It With Good Controls. Look at Nonprofits and Cybersecurity: Make it a Priority as well as Nonprofits and Disaster Preparedness. Then check out Volunteers: A Primer on Possible Perils. Conclude this quick overview with the aptly titled One of those Days . . .
That brings us back to the point of this post: “risk” doesn’t miraculously go away if an organization’s board of directors and staff are so freaked out that they ignore it or handle it inadequately.
Risk Management: The Alternative is Worse
In a recent article, Ted Bilich of Arlington, Virginia firm Risk Alternatives, has an interesting take on risk management for nonprofits focusing on much-needed attitude adjustment.
In 8 Reasons Why Nonprofit Risk Management Is Not Nearly as Scary as the Alternatives, he begins with the key issue: “One of the most persistent myths about nonprofit risk management….is that nonprofits have good reasons why they don’t do it.” He notes the usual excuses: (1) not enough time and money; (2) the organization is small, so there can’t be much risk; and (3) no one in the organization knows where to begin.
“But a deeper dive,” he writes, “shows the issue is simple: Fear.”
The excuses for procrastination are real but entirely beside the point. “People fear risk management.” “They worry about it. They avert their eyes. They whistle in the dark. But is nonprofit risk management scary? Not one bit — especially compared to the alternatives.”
Risk Management: Eight Reasons to Plunge In
Among the most useful tools for a nonprofit in tackling risk management is an attitude adjustment: one that begins with correcting some of the persistent myths about this important issue and continues by viewing risk management as a constructive opportunity instead of a debilitating menace.
Mr. Bilich’s article is well worth the read; here, we summarize his all-important eight reasons to get past the all-too-common stumbling block of fear.
- “Risk management is simple.” It’s not true that it necessarily requires “complex financial modeling, expensive crystal balls, and significant time commitment from staff.” While large groups may need a comprehensive, complicated program, “most nonprofits benefit from risk management simplicity.” It’s not “rocket science,” Ted Bilich explains. “It’s simply part of the bedrock of sound organizational behavior.”
- “Risk management includes opportunities, as well as threats.” Risk is not always “thunder and lightning in the distance.” He compares it to a child learning to ride a bike. There was risk, but it “was exhilarating. Confronting that risk opened up new vistas”; broadening “the distance” it was possible to “travel from home and get back safely before dinner.” He continues: “Risk is not bad. It simply is.” It’s an “acknowledgment that we don’t know for sure what will happen next. By not being afraid of risk, by sometimes even being willing to encourage risk, an organization can end up stronger.” While some risks are “threats,” others are “opportunities.”
- “Risk management is incremental.” Plunging in doesn’t require a lot of money upfront. The first step is a “risk inventory”: a “process of identifying threats and opportunities.” It can be a “toe-in-the-water approach for free on its own.”
- “Risk management reduces unproductive worry.” Anyone old enough to read this post knows that anxiety is debilitating, so “substituting clarity for anxiety can reduce organizational stress.” This process doesn’t erase worries; instead, it “separates productive worries from unproductive ones.”
- “Risk management provides a foundation for nonprofit improvement.” Having an ongoing program of pinpointing “current threats and opportunities,” is a “solid basis for continuous improvement over time,” especially with the most high-risk threats.
- “Risk management is the right thing for nonprofits to do.” Board members are “responsible for understanding the major risks to which the organization is exposed, reviewing those risks on a periodic basis, and ensuring that systems have been established to manage them,” according to the Principles for Good Governance and Ethical Practice by Independent Sector and the laws of many states.
- “Failure to perform risk management causes errors and disputes.” It also exposes nonprofits to “preventable accidents” and opens up opportunities for fraud – especially internal fraud. Instead, adopting a clear “risk-management process creates a tenor of compliance.”
- “Your nonprofit’s reputation is at stake.” Too many current news headlines underscore that a nonprofit with a stellar reputation built over decades can see it destroyed in “mere minutes.” Not recognizing foreseeable risks can result in catastrophic damage.
“So is risk management scary?” asks Mr. Bilich. “No,” he responds. “Failing to do risk management is scary. Nonprofits already perform high-wire acts. They cannot afford to do that blindfolded.”