
Nonprofit risk management 101

Nonprofit organizations are, by definition, on a mission. In pursuit of their missions, they may engage in risk-reward scenarios that for-profit businesses can’t afford to tackle. To further their cause, many nonprofit leaders accomplish more with less funding than seems possible. Unfortunately, limited resources create risk exposures. This may lead nonprofit management and boards to believe they can’t afford a risk management program. But they can’t afford not to.

Public trust is foundational to nonprofit organizations’ sustainability. Left unmanaged, risks can result in all sorts of losses: donors, employees, members, patrons and grants. Often, it’s not until a critical event occurs that risk management moves up the priority list.

In our experience, risk management can seem overwhelming, especially for smaller organizations, but it’s worth the time and resources.

Frequently faced risks

Following are some common situations we’ve seen and some tips for avoiding them:

Unplanned executive retirements create challenges. A large nonprofit unexpectedly found its entire senior leadership team retiring within the same year. The organization’s current leadership had not proactively identified and developed the next generation of leaders and scrambled to fill key positions.

Key takeaway: Seventy-five million Baby Boomers — the largest birth group in U.S. history — are entering retirement. In the United States, 10,000 people turn 65 every day. Succession planning should be on every organization’s risk-management to-do list.

Revenue concentration leads to loss of funding. Another nonprofit relied on one major funder to support more than 50% of its budget. To the organization’s surprise, the funder announced it was changing focus and would not provide any more resources. The nonprofit found itself in a crisis, laying off half of its employees and cutting programs dearly needed in the community.

Key takeaway: Auditors and those with audit backgrounds know that revenue concentrations are risky and should be disclosed in the financial statement notes. It’s important to go a step further. Auditors can provide additional value by connecting the dots among the risks identified through the audit. By communicating the overall operating risks to the rest of the organization, they make it possible for remedial action to be taken.

Cybercrimes endanger far more than data. Lastly, we would be remiss not to mention the issues we’re seeing with cybercrime. Cybersecurity events often require embarrassing public announcements, and they can cost a fortune to remediate. Beyond the harmful effects on those whose private data is compromised, a cyberattack can deal a powerful blow to an organization’s reputation.

Key takeaway: Nonprofits of all sizes can take steps to develop and implement sound policies and train staff on how to recognize phishing attacks. While a risk management plan may not prevent negative events from occurring, it will help your organization better understand its risks and promote faster recovery when something does occur. The AICPA has developed a cybersecurity risk management reporting framework to help organizations demonstrate that they are managing cybersecurity threats and have implemented effective controls to detect, respond to, mitigate, and recover from these events. Learn more at aicpa.org/cybersecurityriskmanagement.

All three of these crises could have been reduced, if not avoided entirely, with a little more time devoted to risk management — specifically, risk identification and mitigation strategies.

Key questions to identify and mitigate risks

Consider these questions as part of your risk identification and mitigation efforts:

  • What are our major risks? (What keeps our board members and management up at night?)
  • How do we know we have identified all risks?
  • What is our mitigation plan to reduce the negative effects of the identified risks?

More and more nonprofits are seeking board members with financial and risk management expertise. For more information, tools and resources to help not-for-profit board members and other professionals, visit the AICPA’s Not-for-Profit Section. You’ll find a comprehensive resource library covering topics in not-for-profit accounting and financial reporting, assurance, tax compliance, and governance and management, along with the latest news and learning opportunities related to those topics.


Robert J. Fleming, CPA, is a Senior Consultant with Clark Nuber P.S., serving over 750 not-for-profit organizations in the Seattle area.

Mitch Hansen, CPA, is a Shareholder in Clark Nuber’s audit and assurance practice where he primarily works with not-for-profit and governmental organizations.


