By: Bryan Clontz, CFP®, CAP® and Jason Havens, JD

I. Introduction

Nonprofits, in the course of carrying out their daily activities and pursuing their missions, face risks. These risks may have negative or positive outcomes. Like any other organization, this means that nonprofits can benefit from risk management. Speaking generally, nonprofits face risks that impact four broad harm categories – risks involving people, property, income, or goodwill.[1] Risk management “helps identify, assess, and control” contingencies that might affect these categories.[2]

Enterprise risk management (“ERM”) takes a more holistic approach. Compared to traditional risk management, ERM looks at something resembling a risk portfolio – the organization’s aggregate risks. It “enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.”[3] This means nonprofits may respond to identified risks by balancing potential risks against efficient and effective deployment of limited resources.[4] This paper seeks to outline the ERM process for nonprofits, including identifying risk areas, outlining risk management approaches, describing alternative responses, and outlining real world examples.

II. Functional Risk Management Areas

This section evaluates some of the identifiable areas in which risks to nonprofits exist. It further describes how these risks can impact the nonprofit organization in each of the four harm categories. These risk areas include legal risks, operational risks, financial risks, risks involving human resources, fundraising risks, and governance risks.

1. Legal Risk

Legal risk as a category is typically one that seems initially obvious, in the sense that today’s litigious society creates an ever-present fear of lawsuits. However, as a risk category, it comprises more than just the classic civil suit (although being sued for negligence – or worse, an intentional tort – is definitely a risk that should be managed). Further, it can negatively impact a nonprofit in ways beyond the income statement alone.

State law provides for the creation of the basic legal form of a nonprofit.  One or more settlors (or grantors) may create a charitable trust, typically known as a wholly charitable trust, the oldest of which were established near the beginning of common law in England.[5]  State laws vary greatly, however, and we have selected our home state of Florida as an example. Relatively few Floridians realize that Florida law adopts English common law except to the extent “...inconsistent with the Constitution and laws of the United States and the acts of the Legislature of [Florida].”[6]  In addition to common law principles, charitable trusts are generally governed by Chapter 736 of the Florida Statutes, more commonly known as the Florida Trust Code.[7]

The other legal form of a nonprofit is what the Florida Statutes officially describe as a not for profit corporation, based on an earlier version of the American Bar Association’s Model Nonprofit Corporation Act; this paper will describe the corporate form as a nonprofit corporation.[8]  Florida has updated its nonprofit corporation statute several times since its original enactment in 1990.  Like other states, an incorporator usually forms the nonprofit corporation by filing articles of incorporation with the Florida Department of State.

Several important characteristics distinguish a wholly charitable trust from a nonprofit corporation.  For example, the trustees of a wholly charitable trust owe fiduciary duties to the general public, and the charitable purposes of any Florida charitable trust are enforceable by the attorney general and also by the settlors “...among others....”[9]  In contrast, the directors of a nonprofit corporation owe fiduciary duties only to the nonprofit which they serve.[10]

In addition, decisions of a nonprofit corporation’s board of directors are subject to the business judgment rule, much like their for-profit counterparts.[11]  As a result, those directors must simply act in good faith and serve in the best interests of the nonprofit corporation.[12]  Trustees of a wholly charitable trust, on the other hand, must adhere to the much stricter fiduciary principles applicable to all trusts, including charitable trusts.[13]

These distinctions might entail greater risks for what this paper will collectively describe as nonprofit managers, depending on whether they are serving as trustees of a wholly charitable trust or directors of a nonprofit corporation.  For example, donors may sue the trustees of a wholly charitable trust in order to enforce the terms of an outright gift.  Donors generally may not sue the directors of a Florida nonprofit corporation unless they have run afoul of the business judgment rule, despite attempts to impose charitable trust law principles in the nonprofit corporation.[14]

On balance, trusts are well established as one of the most protective structures available.  There is no statutory option to dissolve a wholly charitable trust, which is specifically available in the nonprofit corporation context.[15]  The Florida Trust Code does generally provide creditors with access to a trust that lacks a spendthrift provision.[16]  If a trust contains a valid spendthrift clause, however, creditors generally cannot reach the assets.[17]  Consequently, a wholly charitable trust might ultimately protect both the charitable purposes and the assets better than a Florida nonprofit corporation would.  This paper was not meant to provide a comprehensive review of all state law variances, but using Florida as the example should highlight many of the key common statutory provisions.

One large subcategory within legal risk relates to compliance with the applicable laws and regulations. Managers of nonprofits should regularly assess whether they are complying with the applicable federal, state, and local rules.[18] For example, these laws and regulations can involve the nonprofit’s status as an employer, rules involving fundraising, or things as seemingly mundane as operating vehicles.[19] For nonprofits involved in humanitarian efforts, it can even include counterterrorism regulations.[20]

Similarly, nonprofit managers should ensure that they maintain proper accreditation. Nonprofits are required to register with state agencies and provide annual reports in most states if they undertake fundraising activities in the state – a requirement that is made more complex by the advent of the internet.[21] Further, nonprofits must be sure to maintain their 501(c)(3) status with the Internal Revenue Service.[22] There can also be accreditation requirements for individuals or activities.

Nonprofits should also be aware of the risks relating to financial impropriety, whether it is intentional or merely due to negligence. Maintaining 501(c)(3) status and state registration is important, but fraud and embezzlement can be a serious risk to the organization too. The average manager may believe that such serious financial misdeeds could never happen in their organization, but having inappropriate controls can leave the organization “in an extremely vulnerable position.”[23]

These legal risks can have a large impact on the financial health of the nonprofit. However, if the organization is adversely impacted by some legal risk, it can also affect other harm categories. Most obviously, there can be a negative impact on stakeholder goodwill regarding the organization, as legal problems are rarely good public relations. Further, people within the organization can be impacted in the same way – employee and volunteer morale is vital to nonprofits. Even property can be impacted if, for example, there is a judicial lien.

2. Operational Risk

Operational risks are perhaps more intuitive than the ins and outs of regulatory requirements. However, it covers an extremely broad range of activities that the nonprofit regularly engages in. These are the risks involved in carrying out the day-to-day activities of the nonprofit.

This means, for example, risks involving simple things like the security of nonprofit assets – is the office locked after hours?[24] It also includes interactions with third parties, both those providing products and services to the organization, and those receiving products and services from the organization.[25] Managers should assess whether the products and services pose a risk to employees, volunteers, or third parties, both in their transport and operation.

Further, operational risk involves process elements – what are the risks relating to “timeliness, accuracy, authorization, and completeness” of the activities in question?[26] Risks associated with planning these process elements come into play as well. Managers should ask if the right people were involved in the planning stages to minimize risk.

These operational risks can directly impact each of the four harm categories. Improperly or inefficiently carried out operations may alter the nonprofit’s finances or property in any number of ways. Even if finances or property are not directly affected, people and goodwill can be adversely impacted by operational failures. Hence operational risk encompasses both a broad range of activity and affects a broad range of the nonprofit’s assets.

3. Financial Risks

Financial risks to the nonprofit are those involving revenues, expenses, the allocation of those expenses, and the monitoring of each. These financial issues inform each other and create a greater picture of the organization’s financial risk. This risk area can be summed up in a single question: Is the organization at risk of running out of money? Of course, it is not that simple, but that query can serve as a jumping-off point and as the ultimate worst-case scenario.

Bookkeeping, accounting, and financial controls are all important ways to minimize financial risk, but these monitoring methods can themselves create risk if improperly carried out.[27] If not properly managed, the monitoring methods can fail to detect or misrepresent problems with revenue streams and expenditures.[28] As with legal risk, these issues can emerge without anyone intending them to – sometimes negligence is all it takes.

The more substantive risks in the financial area relate to the sufficiency of revenues versus expenses. This can include revenues from fundraising, but it can also include income streams from investments, and insurance payments. Insufficient revenues obviously restrict the nonprofit's ability to carry out its vision. For example, a sudden market downturn could sharply reduce income from investments. Therefore, proper management of risks relating to revenue streams is essential.

Similarly, the aggregate expenses and how individual expenditures are made can hinder a nonprofit’s operations even with sizeable revenues. Wasteful or inefficient programs present a considerable risk.[29] Further, unexpected disasters can create deficits if there is insufficient insurance.

Nonprofits face financial risks the same way any for-profit organization does. However, because nonprofits so often have limited resources, they must be mindful of their risk exposure in monitoring financial details, in producing revenue, and in managing expenses. These risks obviously impact the broad harm area of finance generally, but can also directly affect the people the nonprofit works with (particularly employees). In a less direct manner, financial risk can also harm the nonprofit’s goodwill, along with its property (investment property in particular).

4. Risks to Human Resources

This risk area comprises the human element. Important factors for nonprofit management to be aware of include risks involving management of employees and volunteers, along with screening and training procedures. Generally, the risks in this area tend to mitigate or exacerbate risks in other areas.

Management of employees and volunteers can have a huge impact on organizational culture, and indeed, the success or failure of the nonprofit in achieving its goals.[30] Risks can be created or mitigated depending on management policies. These policies can include “the type of behaviors encourage[d] by management; the methods used to reward employees; the approach to consistently enforce[ing] policies and procedures.”[31] Classic human resources concerns such as sexual harassment and “hiring, disciplinary and termination procedures” are concerns for nonprofits just as they would be at for-profits.[32] Management attitudes and policies can therefore directly impact risky employee and volunteer behavior.

Further, screening and training procedures come with risks as well. The financial constraints of nonprofits can mean that management will accept volunteers and employees “based on the ‘warm body’ theory – taking any warm body and putting them to work on projects and programs.”[33] Not only can this lead to risks due to unqualified persons acting on the nonprofit’s behalf, but it can also risk letting qualified persons go underutilized. Training programs (or the absence thereof) can influence risk exposure for similar reasons.[34]

Clearly, risks to human resources involve the larger harm category of people – how these policies affect management, employees, volunteers, and all stakeholders. However, it can also have a direct impact on finances (this is where lawsuits so often start, unfortunately). Human resource risks can also have goodwill ramifications to a nonprofit, given the reputational element involved in both. Even property could be at risk due to, say, theft as a result of insufficient screening procedures.

5. Fundraising Risks

This risk area is one that involves factors unique to nonprofits. First, there are the risks associated with actual fundraising drives and events. Second, there are the larger market and demographic conditions which can influence fundraising even if the individual events are perfectly executed.

Fundraising events – or really any special event – come with risks different from those seen in the day-to-day, operational category. The nature of a special event means that it is different, and hence, it follows that the attendant risks will be as well. Food poisoning at a charity dinner, for example, would be a disaster, and is a risk not typically encountered in daily business operations. A rather unfortunate case in Atlanta involved a donor host’s deck collapsing and injuring a large number of guests. These sorts of risks have to be identified in the planning stages. Another example, and this is not a hypothetical, was a special skeet shooting donor outing with an open bar.

As mentioned in the discussion of financial risks above, market conditions can impact revenue both positively and negatively. Although a recession might drive down charitable giving overall, it can also lead to an increase in poverty-focused giving.[35] Different demographics and accompanying shifts can impact fundraising as well. The religious appear to give more, as do those affected by the issues the nonprofit engages.[36] Unlike fundraising drives and events, these risks do not emerge from the nonprofit’s activity, but they nonetheless are important.

While fundraising risks directly impact finances, they also affect the other three harm categories. Increased or decreased revenues impact people (the balance of employees versus volunteers comes immediately to mind) and property (the need to acquire it or liquidate it). From a goodwill perspective, the relative success of fundraising predicts future success – larger nonprofits are more able to raise money because they are better known.

6. Governance Risk

A final area of risks to consider involves governance. This includes both risks relating to the organization’s structure, and to upper management or the board of directors. Structural risks mean failing to have the proper oversight and control mechanisms in place.[37] Essentially, there are not the necessary checks and balances in place within the organization’s structure, nor are there external groups monitoring (for example, independent auditors). As a result, negligence and fraud can go undetected until it is too late to correct them.[38]

Related to structural risks due to lack of monitoring are having the proper upper management and board members in place. Conflicts of interest can be a governance risk, as well as both an operational and legal risk.[39] Additionally, board members who are unqualified or unengaged can present a risk as well, because of the potential for a monitoring failure.[40]

This risk area can impact all four harm categories, because of how it involves the nonprofit’s core structure, along with upper management and the board of directors. Risks in these areas affect both central concerns of the organization, and those most able to manage the organization. Hence there are clear effects on the nonprofit’s finances, people, property, and goodwill in the community.

III. General Risk Management Approaches

Having addressed what sorts of risks nonprofits can face, this section turns to developing a framework for managing those risks. It suggests a five part, step-by-step approach: 1) deciding who will be involved in the risk management process, 2) identifying and evaluating risk areas, 3) developing a plan to manage those risks, 4) implementing that plan, and 5) reviewing the risk areas and updating the response. Below each of those steps is discussed in more detail.

1. Deciding Who Will Be Involved in the Enterprise Risk Management Process

In a sense, answering the question of who should be involved in ERM at a nonprofit is easy – everyone should be involved, from the board down to brand new employees and volunteers.[41] It should be a part of the organizational culture – hence it will be more holistic than traditional risk management. More specifically, though, the ERM process should begin at the top of the organization.[42] In larger nonprofits, a Chief Risk Officer might be appointed.[43] Regardless of the size of the organization, “it is essential to assign responsibility to a committee or team composed of representatives of various departments within the organization.”[44] That committee may be created by, or report to, the board and upper management – either way, it should consist of a broad cross section of the nonprofit’s team.

2. Identifying and Evaluating Risk Areas

Next, the nonprofit’s chosen ERM team should begin identifying which risks threaten (or could potentially even benefit) the organization. Properly identifying risk areas requires “a knowledge of your organization, its social and legal context, its mission and its activities.”[45] This can begin by having the team members individually identify risk areas, but should also include a broader survey of the organization as a whole. This can be informal investigations carried out by the ERM team, or it can be a more formal “risk identification survey form” distributed to “compile an inventory of risks.”[46] Even third parties can be helpful in determining what the nonprofit’s risk areas are[47] – these could include beneficiaries, sponsors in the community, or service providers.

Of course, identification alone is not enough. Once a list of risk areas has been compiled, the ERM team should begin evaluating and prioritizing them. “Identifying which risks are most likely to take place and cause the most harm to an organization can make the development of strategies to manage each risk more seamless.”[48] This process is important because nonprofits frequently have limited resources, so the team should identify which risks likely need resources devoted to them.[49] One way to decide is to “link mission critical strategies and key risks.”[50] That means identifying “risks that are likely to impact the agency’s ability to accomplish core strategic initiatives important to the achievement of its mission.”[51] Another way to state this is that risks should be prioritized based on both their likelihood of happening, and on their potential impact on the organization – the ERM team should address risks which have a high likelihood of serious adverse effect first.[52]

3. Developing a Plan to Manage Risks

Once the nonprofit has identified and prioritized the specific risks it faces, the next step is, naturally, to deal with them. The ERM team “should develop policies and procedures designed to mitigate the likelihood risk will occur.”[53] This planning process should also recognize and incorporate existing controls, strengthen weak controls and augment strong ones.[54] Risk management typically incorporates four alternative strategies – retention, reduction, transfer, and avoidance.[55] These plans should be formalized, and balance implementation costs against the likelihood and degree of harm.[56]

The nonprofit’s ERM plan should also include responses to unanticipated contingencies. The unknown nature of these events makes it difficult to plan specific responses in advance, but these “[c]risis management procedures” should outline general tactics.[57] These might include things like identifying a chain of command, putting in place notification procedures, and general response steps.[58]

4. Implement the Plans

Of course, the next step is to put the plans the ERM team developed into action. The ERM team should identify the persons within the organization that will be responsible for implementing the plan, and begin putting the procedures in place.[59] ERM examines risk throughout the organization, and the implementation should reflect this. It should be nonprofit-wide, with all employees and volunteers made aware of it in some manner. Further, everyone should be “expected to play a part in controlling and minimizing risks.”[60] It should incorporate existing practices,[61] and effectively communicate procedures and actions that need to be taken. Importantly, for the purposes of the final step, all parties involved with the nonprofit should be have some method of giving feedback on the program.

5. Reviewing Risk Areas and Updating Responses

ERM cannot be effective if it is treated as a one-time project. Considering “the dynamic nature of risk … [t]he initial risk assessment process will need periodic updating and the organization will need to be attuned to the need to identify new and emerging risks.”[62] Organizational changes “such as new staff members, funding issues and modifications to service delivery” can alter, create, or eliminate risks from earlier incarnations of the plan.[63] Further, there may be legal and regulatory changes that the updated plan needs to address.[64] The ERM team will need to consider these changes, and update the risk management plan accordingly. As above, the revised plan will then need to be implemented across the organization. This process can be repeated at regular intervals or as needed, both to improve existing processes and to more accurately reflect risks the organization faces.

IV. Risk Management Response Alternatives

This section discusses in more depth the different risk management strategies an organization can utilize. No single strategy is a cure-all, and sometimes the best response is more than one. As mentioned above, the four strategies are retention, reduction, transfer, and avoidance. What follows is a brief description of each.

Risk retention is what happens when no action is taken in anticipation of a risk and is also known as self-insurance. This can occur intentionally, when the risk is recognized, but a response is not cost effective (due to low likelihood or low potential impact).[65] However, risk can also be retained unintentionally, which can be problematic for nonprofits. This might occur when the risk should or could have been recognized, but, for whatever reason, was not.[66] For example, a nonprofit might accept a piece of real estate from outside the state not knowing what risks may come along with property. Nonprofits should minimize their exposure to unintentionally retained risk, while making conscious decisions to selectively retain prudent risks.  For example, perhaps a nonprofit increases its commercial insurance deductible. 

Risk reduction involves, as its name suggests, a reduction in either the likelihood of the risk being realized, or in the severity of its impact.[67] It is “probably the most used risk management strategy.”[68] Policies and procedures in place that either mitigate harm from the risk or prevent it from occurring are ways of utilizing risk reduction.[69] For example, mitigation might be appropriate when there are clear ways to reduce harm after the risky event occurs, while prevention may be a better option when the harm would be difficult to control. Either way, reduction means someone in the nonprofit is recognizing and taking steps to reduce that risk.

Risk transfer is the shifting of risk to a third party. This is most commonly achieved in one of two ways: by service contract, or by insurance contract.[70] The former involves having a third party service provider accept the risk as part of the contract, while the latter involves periodic payments in exchange for reimbursement of the cost of the risk event insured.[71] These move at least some aspect of the risk to some party that is external to the nonprofit. Another possible method of risk transfer is by use of indemnity clauses, which would require contractual agreement that a third party would pay for any claims made against the nonprofit due to liability emerging from the relationship between the parties.[72]

Risk avoidance is perhaps the most intuitive risk management strategy. Risk avoidance eliminates the risk by not engaging in the activity which gives rise to it.[73] This strategy is appropriate for nonprofits when they “cannot offer a service while ensuring a high degree of safety.”[74] Due to limited resources, nonprofits simply may not be able to effectively engage in another risk management strategy, leaving them with avoidance as their only option.[75] However, in some situations, it may not be an option at all, when the risky activities in question “form the core of a not-for-profit organization’s existence.”[76]

V. Risk Management Case Studies

This section includes examples of nonprofits engaging in risk management, as a result of various projects or enterprises. It includes discussion of the risk areas, as well as analysis of each nonprofit’s response to the risks it faced. The three case studies examined are a small 4-H program, a Catholic school, and a theatre company.

1. The 4-H PetPALS Program

The 4-H PetPALS program was implemented to increase community ties between youthful 4-H members, their pets, and seniors in care facilities.[77] Program administrators had to identify a number of risks, including transmission of illness, animal misbehavior, or inappropriate behavior by a 4-H member. These presented potential risks in a number of risk areas. The potential for litigation due to an animal bite, for example, might not only be a financial risk, but could impact the organization’s people and goodwill, as well. Transmitting an illness or aftereffects of misbehavior present similar risks as well.

Recognizing these potential risks, program administrators had to develop and implement risk management strategies. They developed plans to prevent the transmission of illness by limiting potential exposure. To ensure good behavior by animals, they were to be screened for good socialization skills in advance. And to respond to any crises, there was to be adequate supervision. These strategies largely utilize the risk reduction strategy. However, there is also a clearly recognized degree of risk retention – the program administrators obviously sensed that some risk was unavoidable when pets, children, and the elderly were brought into close quarters. This example shows that even seemingly simple community programs can create a large number of risks for the nonprofit, and that risk management is important even in small, informal enterprises.

2. Siena College

Siena College presents a different situation. As a Catholic girls’ school, it faced a much greater array of risks, on a much larger scale (with over 700 students and around 100 staff members) – in many ways this was true nonprofit ERM in action.[78] The school’s board realized over a period of years that it needed to develop better governance practices relating to risk management. It proceeded to create a risk management team that was tasked with drafting policy guidelines, identifying risks, evaluating and prioritizing those risks, producing a plan, and implementing that plan.

The religious nature of the institution provides an example of how ERM should incorporate the nonprofit’s mission. The Catholic values of the school informed its entire ERM process, because those values meant that it both assessed and responded to risks differently than a Jewish, Baptist, or secular school would. At the same time, it faced the same legal, operational, financial, human resources, fundraising, and governance risks that any nonprofit of a comparable size would – risks that would impact finances, people, property, and goodwill. By implementing the ERM process, the school was able to assess, catalogue, and begin action on major risks. Indeed, simply by going through this process, the school was utilizing risk reduction strategies with regards to governance risk relating to the organization’s structure. Siena College did not stop there however – it recognized the value of ERM as a continually-evolving process, and planned multiple phases to accommodate changing needs.

3. The Touring Theater Company

The final case study is an example of how a nonprofit can be harmed by not engaging in ERM. In this case, a nonprofit touring theater company used volunteers recruited by the local theater to act as extras and chorus members in its production.[79] One such volunteer was backstage, and slipped and fell, breaking her wrist. She sued the touring company, and it was found liable for failing to keep its workplace safe. This is an example of unintentional risk retention – the theater company retained the risk of such workplace accidents, but clearly had no expectation that the volunteer would be injured.[80]

In response, the theater company chose a risk avoidance strategy going forward – it would not engage volunteers in any production going forward. This is an unfortunate example of a situation where risk management strategies could have been used in advance to avoid, or at least minimize, harm to finances, people, and goodwill. Had it engaged in risk reduction or transfer techniques, it may have been able to shield itself from the harms it ultimately suffered. Instead, it suffered financial losses, as well as likely harm to community goodwill and to its people (by no longer using volunteers).

VI. Conclusion

Enterprise risk management is a valuable tool for nonprofit organizations. It provides a way to identify and manage the aggregate organizational risk. This paper outlined the types of risks nonprofits face, general risk management approaches, alternative response strategies, along with discussing three case studies.

Each organization has different values, missions, leadership styles, and attitudes towards risk. Accordingly, there is no “one size fits all” solution for nonprofits looking to institute ERM strategies. Hopefully nonprofit managers can use points from this paper as a starting point to develop their own successful enterprise risk management programs.