News and Information about the nonprofit sector in Massachusetts. Check back frequently to keep informed.
January 20, 2022
Managing a Nonprofit Means Managing Risk
By Leigh Tucker

Leigh Tucker
Leigh Tucker
Nonprofits under the strain of reduced revenues, frequently coupled today with greater demand for their services, should regularly assess their exposure to a variety of risks, which, if left unchecked, could diminish their ability to function.

Although most, if nearly all nonprofits, acknowledge the importance of fully understanding the risks they face, the press of daily operations often means they don’t make the time to fully assess those risks #147; whether they are large, medium, or small organizations.

While only the very largest nonprofits will have a chief risk officer on board, it frequently makes organizational sense to assign the risk assessment function to the chief financial officer. She or he likely have the financial information and analytic tools to quantify risks.

A recommended best practice in managing risk is to identify the top 10 risks your organization faces, annually at the least. Then, develop risk assessment checklists to help quantify the magnitude of those risks. Finally, create and implement policies and procedures aimed at mitigating those risks.

The key risk areas that most nonprofits need to consider include:
  • Strategic risk — Issues that impact high-level goals and the organization’s mission
  • Operational risk — Issues that could affect the ability of the organization to manage itself day-to-day
  • Financial risk — Issues that could negatively affect the organization’s asset
  • Compliance risk — Conditions that could impair the organization’s ability to comply with applicable laws and regulations
In addition, the following risk areas ought to be evaluated on a regular basis:

Revenue risk — Because nonprofits are often dependent on the willingness of one or two revenue providers to continue to fund them, the best way to mitigate the risk of losing this funding is to develop other sources.

Contractor risk — When is a contractor no longer a contractor but actually an employee? According to the IRS, the general rule is that an individual is an independent contractor if the nonprofit for whom the services are performed has the right to control or direct only the result of the work and not the means and methods of accomplishing the result. Laws regarding the definition of a contractor have recently been tightened even further. It’s best to consult a legal advisor on how to properly classify workers.

Interdependency risk — These are risks that a nonprofits takes on by aligning with another organization, supplier, or contractor. You can protect yourself through legal indemnity, but it’s important to know if your partner can put you at risk based on how they conduct their business.

Data risk — The news continues to report stories about bank or credit card records being stolen, lost, or compromised. It’s happening not only via the Internet, but also through low-tech methods such as theft of data discs and tapes. Backing up data is important and establishing guidelines and procedures on who can access data is equally vital. HIPAA (the Health Insurance Portability and Accountability Act) heightens the issue by imposing strict sanctions on those who fail to protect health care records they maintain.

In addition, Massachusetts will implement new regulations next January that require nonprofits and businesses to safeguard personal information they may own, license, store, or maintain on state residents.

Leigh Tucker, who directs the Nonprofit Client Practice at Accounting Management Solutions, Inc., has counseled nonprofits for more than 20 years. Call him at 781-419-9220 or email

Posted: July 2009
SUBSCRIBE FREE – Keep current with the Wednesday Report emailed to you free each week. Click here.
Got news, advice, resources? Send it to