Many years ago, when I was comparing notes with a fellow CEO on the nonprofit organizations we respectively led, we agreed that while “nonprofit” was our organizations’ tax status, it certainly wasn’t how we managed our organizations’ operations or resources.
We were running businesses, albeit ones with a charitable purpose, and we had a fiduciary responsibility to protect our organization from potential threats. I urge you to adopt this same approach when it comes to managing risk in any tax-exempt organization.
Most board members know to ask about Director and Officer Liability insurance. But insurance should be your last line of defense, not your first. In fact, the best approach to risk management is to behave as though you don’t have insurance. Take away that safety net from your thinking and I believe you will manage risk much more effectively.
Board and staff members need to think long and hard about how their organization operates and where they have risk. If you are in a leadership role, a couple of good basic questions to ask yourself are: “What keeps me up at night?” “What are the worst things that could happen to our organization?” “What would we do if any of them happened to us?” and “What could we do to eliminate or reduce the chances of that bad thing happening?”
Because tax-exempt organizations are as diverse and complex as for-profit businesses, it is impossible to offer a one-size-fits-all solution to risk management. Nonetheless, I want to offer a few suggestions with the caveat that every organization is different and that your organization will likely have to address some risks that are unique to your organization’s mission and purpose.
The first step is identifying areas of high risk in your organization’s operations. These include, but are not limited to, financial and internal controls, operational oversight, cybersecurity, employee negligence/unacceptable behavior and reputational risk. Once you have identified these risks, you need to think deeply about how you and your colleagues can prevent or at least reduce these risks. I recommend that you write down all these potential risks and prevention methods so that you can use them to create written policies and procedures. Having good written policies and procedures in place is critical to managing risk.
However, having strong policies and procedures won’t help if they’re not implemented, so you must ensure that everyone in your organization understands and follows them. Ongoing training and enforcement are equally critical. A periodic review of all these elements is also well-advised as people and situations change over time. And, since people are at the heart of managing risk, take the time and care to recruit, hire and retain the best people possible. This applies to board members, too. Doing adequate due diligence, including performing background checks, on the individuals who will work and/or volunteer at your organization helps reduce organizational liability.