Assessing and Managing Your Nonprofit’s Risk

Nonprofits face a host of risks that can threaten their financial health (or even their very existence). Don’t be caught unprepared for these challenges. Proactively assessing and managing those risks allows you handle them more easily if they arise.

Here’s a rundown of the common risks nonprofits face, according to James Moore partner Corinne LaRoche and director Tiffany Edwards.

Loss of funding

It’s easy to take funding for granted when it’s given year after year. But conditions can change quickly and that money can disappear. Prepare a contingency plan that can be activated if funding sources you’ve traditionally relied upon dry up.

Wages and turnover

Because of the nature of nonprofit work, many organizations rely on minimum-wage employees. Yet states nationwide are significantly increasing their minimum wage rates.

Consider how your organization may be affected as wages rise—including the impact of employee turnover. Between wage increases and more employee demands, hiring and retaining talent is more difficult than ever. And high turnover can negatively influence the quality of service you provide.

Take a good look at your compensation structure (both wages and benefits) and see what adjustments you can make. Although budgets are particularly tight in the nonprofit realm, keeping up as best you can with the hiring marketplace will help you minimize this risk.

Insurance

Many organizations overlook the importance of insurance. Your CEO and/or CFO should review insurance policies on a regular basis to ensure your coverage is adequate. Know your deductibles, and make sure you’re not overpaying on premiums. “If you have somebody on your board who is in the insurance industry, having them review your contracts annually would be a huge help,” Corinne said.

Cybersecurity

Cybersecurity loopholes continue to be a bane for many nonprofits. Cloud-based software can be hacked, shut down or locked. Credit card information can be stolen. Employees can mistakenly click on a link in a phishing email and introduce ransomware.

There are several steps you can take to reduce your risk of a cyberattack. But one of the best things you can do is educate your staff.

“Training your employees to be super-careful about this, and helping them understand what could happen if they do click on a malicious attachment is crucial to keeping your organization safe,” Corinne said.

Transition planning

Many nonprofits are closely tied to a particular personality or legacy. When a key person retires or is otherwise unable to continue working, these organizations can be left in the lurch. And that puts your nonprofit at risk for instability.

Plan for vital leadership and staffing transitions before they are at hand.

“Have those conversations,” Corinne said. “Sometimes they’re hard, because you never want to make somebody feel like they’re being forced out. But you can say, ‘I know how much you care about this organization. I want to make sure that it continues to thrive even after you’ve left.’”

Start with simple questions like whether staff will be able to access the building, how to obtain banking passwords and how to draw funding in an emergency. Make sure protocols are put in writing, and keep in mind that many Baby Boomers are nearing retirement.

Fraud

Chances are it’s not a question of whether your nonprofit will experience fraud, but of when. Fraud isn’t only committed by employees within an organization. Increasingly, external parties are responsible—making the risk greater than ever. Here are common examples of external fraud:

Check fraud: A check from your organization might fall into the hands of a cyberthief, who could use that check and signature to create fakes. Often the thief tries depositing small amounts into your bank account to see if they go through. If these attempts are successful, they ramp up their efforts.

“This is why it is so important to monitor your bank activity,” Tiffany said. “Do mid-month account reconciliations. Because as soon as you see the problem, you need to be on the phone with the bank. They will lock down your account.”

Tiffany recommends enacting a positive pay process as a preventative measure. When checks are presented to the bank for payment, the bank compares the check with an image uploaded by your accounting team. If everything matches, you will not be contacted. If there is a mismatch, you’ll get an exceptions report, and the check won’t be cashed. While this service does come with a fee, it’s crucial to implement to reduce your risk (and especially if your organization has already experienced check fraud).

Invoice fraud: This fraud commonly happens when a hacker has learned how you digitally process invoices. The thief will create a fake vendor invoice (marked with your approval) and send it to the person responsible for making payments. They’ll even use an email address similar to that of the vendor. “Unless your staff is really paying attention, they can very quickly miss it,” Tiffany said.

Enacting strict controls on adding vendors to your system, using a secure portal for payments and segregating duties can help prevent invoice fraud.

Vendor fraud: This is commonly done via a vendor change form on which the ACH information has been altered. If you must send this kind of information via email, consider using a secure file exchange service. Also, call the vendor to verify the change.

Misappropriation of cash: Internal fraud often involves employees’ misappropriation of cash. This risk can be greatly reduced with strong internal controls, like requiring dual signatures on checks for significant amounts and multiple layers of approval. Segregating duties is also important; separate parties should enter new vendors, enter actual AP invoices, initiate checks and sign checks.

“Just because your organization is small doesn’t mean you shouldn’t implement strong controls,” Tiffany said. “Treasurers and board chairs can be used as signers on bank accounts or in the approval process, and many times, they’re willing to help.”

All content provided in this article is for informational purposes only. Matters discussed in this article are subject to change. For up-to-date information on this subject please contact a James Moore professional. James Moore will not be held responsible for any claim, loss, damage or inconvenience caused as a result of any information within these pages or any information accessed through this site.