San Diego Workforce Partnership, a San Diego nonprofit agency funded primarily by government grants, recently made the news when its former facilities manager was convicted of embezzling over $450,000 from the nonprofit over the course of five years. The facilities manager was responsible for approving janitorial invoices and directed the agency contractors to purchase various items including prepaid debit cards, which he then stole. To cover up the purchases, the manager created false invoices for facilities services and approved them for payment.

Stories like this one are very common in the nonprofit world. The exposure to the nonprofits is not only financial – think about the pastor of the Willow Creek Community Church accused of having inappropriate behavior with staff or the misconfigured server of the St. Louis-based BJC HealthCare that exposed personal information for over 33,000 patients – both of these stories published just this past month!

After reading these stories, it is perhaps even more surprising to read the results of the 2018 survey “The State of Risk Oversight” published by the Poole College of Management at North Carolina State University. According to the survey only 18 percent of the nonprofits have mature or robust risk management oversight. Overall, risk management practices are more developed at larger organizations, whereas many nonprofits are smaller in size, with limited staff who are very passionate about what they do, but often have limited risk management training. In the current environment, however, the importance of the formal risk management plan cannot be underestimated.

In order to make a comprehensive risk assessment nonprofits should look at their risk exposure from seven commonly identified basic angles:

1. Financial. The risks in this area encompass everything from weak internal controls leading to embezzlement or other fraud, to credit or investment risks, to inaccurate financial statements caused by errors or fraud.
2. Regulatory/Compliance. Many nonprofits can relate to the risks in this area. Nonprofits are subject to an ever-increasing number of regulations from the federal government, its agencies, the IRS, and state and local authorities. Many grantors impose their own requirements as a condition of receiving the grants. As a result, it is very common for even small nonprofits to have a compliance officer on staff, as navigating the various compliance standards and rules is becoming a full-time job.
3. Operational. These risks deal with the business processes and include vendor and contractor relationships, engagements with various business advisors and consultants, communication between the various departments and successful service delivery.
4. Strategic. Strategy includes the long-term planning of the nonprofit, and the risks in strategic planning relate to proper governance, ethical culture, succession planning, service lines compatibility and the external economic environment.
5. Technology. Technology risks are easily among the most concerning for both nonprofits and commercial entities. Many nonprofits are struggling with technology transitions, software limitations and inability to run comprehensive reports, loss of data, and, of course, unauthorized access and cyber fraud. It is a sad truth that nonprofits are especially vulnerable to cyberattacks due to limited IT resources and little staff training on risks and exposure.
6. Employment/Human Resources. Employee recruitment and retention is widely cited as an overarching problem for nonprofits. Because nonprofits are often unable to offer competitive compensation and are frequently under-resourced, they are subject to higher rates of employee burnout and turnover.
7. Reputational. The risks in this area are often a consequence of events in the previous categories. In the age of social media and an increasing popularity of online reviews, it is very easy to damage the brand and get negative publicity, and the effects of the reputational damage are often hard to repair.

What is the best approach to implementing a formal risk management strategy?

Like any other change, it requires buy-in from the top and throughout the organization. A risk management strategy should not be created behind closed executive doors or in board meetings. To get a truly representative picture of concerns and risks the nonprofit faces, feedback from all levels of the nonprofit, including representatives from the board, must be collected.

Here are the best practices in creating the risk management plan:

1. Start with a committee consisting of representatives of the Board and the various departments across the organization.
2. Conduct a series of brainstorming meetings with as many employees as you can manage, to get the initial universe of potential risks. To streamline the process, ask for risks relating to the employee’s immediate responsibilities area. Be careful of groupthink – it helps to have the discussion participants do some homework and send their feedback by email prior to the meeting,
3. Once feedback is collected, discuss the responses as a committee, group and sort them by general area, then pare it down to a manageable and relevant list.
4. Map the risks identified in the previous step on a risk assessment matrix and assign the probability and impact to each risk. You don’t necessarily need a pretty red-yellow-green impact risk matrix to accomplish the purpose. This step can be as formal (with numeric ratings) or informal as you prefer.
5. Meet with organization leaders responsible for each risk area to identify responses to each risk.
6. Revisit the risk map and related responses at least once a year to ensure relevancy and comprehensive approach.

Creating and maintaining a comprehensive risk management plan is no easy task, but the benefits of having one are hard to argue with. Not only are nonprofits with formal risk strategies able to better respond to adverse events and implement change, they are also more likely to stay out of the news and concentrate on fulfilling their mission.