Managing a Nonprofit Means Managing Risk
By Leigh Tucker
Although most, if nearly all nonprofits, acknowledge the importance of fully understanding the risks they face, the press of daily operations often means they dont make the time to fully assess those risks whether they are large, medium, or small organizations.
While only the very largest nonprofits will have a chief risk officer on board, it frequently makes organizational sense to assign the risk assessment function to the chief financial officer. She or he likely have the financial information and analytic tools to quantify risks.
A recommended best practice in managing risk is to identify the top 10 risks your organization faces, annually at the least. Then, develop risk assessment checklists to help quantify the magnitude of those risks. Finally, create and implement policies and procedures aimed at mitigating those risks.
The key risk areas that most nonprofits need to consider include:
Revenue risk Because nonprofits are often dependent on the willingness of one or two revenue providers to continue to fund them, the best way to mitigate the risk of losing this funding is to develop other sources.
Contractor risk When is a contractor no longer a contractor but actually an employee? According to the IRS, the general rule is that an individual is an independent contractor if the nonprofit for whom the services are performed has the right to control or direct only the result of the work and not the means and methods of accomplishing the result. Laws regarding the definition of a contractor have recently been tightened even further. Its best to consult a legal advisor on how to properly classify workers.
Interdependency risk These are risks that a nonprofits takes on by aligning with another organization, supplier, or contractor. You can protect yourself through legal indemnity, but its important to know if your partner can put you at risk based on how they conduct their business.
Data risk The news continues to report stories about bank or credit card records being stolen, lost, or compromised. Its happening not only via the Internet, but also through low-tech methods such as theft of data discs and tapes. Backing up data is important and establishing guidelines and procedures on who can access data is equally vital. HIPAA (the Health Insurance Portability and Accountability Act) heightens the issue by imposing strict sanctions on those who fail to protect health care records they maintain.
In addition, Massachusetts will implement new regulations next January that require nonprofits and businesses to safeguard personal information they may own, license, store, or maintain on state residents.
Leigh Tucker, who directs the Nonprofit Client Practice at Accounting Management Solutions, Inc., has counseled nonprofits for more than 20 years. Call him at 781-419-9220 or email firstname.lastname@example.org.
Posted: July 2009