Frequently Asked Questions

Risk and Risk Management

What is risk management?

Risk is anything that can derail your nonprofit from accomplishing its mission. Risk management is a discipline for identifying risks, assessing how serious or severe the risks are, and determining ways to address that uncertain future with a goal of avoiding or minimizing harm and financial losses. Risk management focuses on those events or occurrences that may cause injury or harm to a nonprofit’s clients, its assets (including employees and volunteers) and its reputation.

  • The web site of the Nonprofit Risk Management Center offers a free online Basic Risk Management Tutorial with suggestions on how to integrate risk management into everyday operations.
  • My Risk Management Plan Version 2.0 is a free update to all current My Risk Management Plan users.
  • Plan modules listed in red have been updated, however, plans written using the original release and with original modules will not be effected.
  • My Risk Management Plan Version 2.0 allows for multiple account holders, making it easier to collaborate on a custom risk management plan.
  • My Risk Management Plan Version 2.0 runs optimally using the latest versions of your browser.

What are the most common risks facing nonprofits?

The frequency of a particular risk will depend on what activities your nonprofit is engaged in. Youth-serving organizations and those serving vulnerable persons are always concerned about the safety of their clients in the hands of volunteers or staff who provide services. Yet, the most common risk for those organizations may be related to the fact that the clients are being transported every day in vans, exposing them and the driver to a possible motor vehicle accident. A serious risk that every nonprofit faces is the risk that its reputation or good will in the community could be eroded by any number of circumstances, from a surly receptionist to financial improprieties. Each nonprofit needs to conduct an assessment of its activities to determine what its own most common risks may be. Statistically, if your nonprofit has any employees, it is probable that at some point the organization will be faced with an employment-related claim. Common claims in the property and casualty area include slips, trips and falls and motor vehicle accidents.

What sorts of events could cause us to lose our tax-exempt status?

Your organization’s articles of incorporation probably mirror the IRS regulations under Code Section 501(c)(3) by providing a fairly specific checklist of what to avoid: (i) operating so that more than an insubstantial part of the nonprofit’s activity furthers a purpose(s) other than its charitable purpose; (ii) conferring private benefit (usually financial) on other entities or individuals; (iii) supporting or opposing a candidate for public office; and (iv) upon dissolution, distributing remaining assets to someone, or something, other than the government or another tax-exempt organization. Many times the first enforcement step is for the IRS to impose penalties, called “intermediate sanctions” against the nonprofit, the person who received the excess benefit and board members who approved the nonprofit’s actions. However, in egregious situations the IRS will move directly to revoke an organization’s status. Some specific circumstances that can cause a charity to lose its tax-exempt status are:

  • Taking out an ad in the paper encouraging readers to vote for a particular candidate
  • Running a commercial activity through the nonprofit that has no relation to the mission and/or that takes up more than an insubstantial amount of time, energy and resources, so that it overshadows the charitable activities of the organization.
  • Engaging in a transaction that results in compensation to an individual or to another organization that exceeds the fair market value of the goods or services rendered to the nonprofit.
  • Failure to file the organization’s annual report, IRS Form 990.

How should we prioritize all the possible risks facing our organization?

To prioritize your risk management ‘to do’ list, you need to determine which risks are most likely to occur, as well as which risks will result in the most severe harm. This exercise is called a “risk assessment.” For some organizations, losing power or water damage due to severe weather may be a frequent occurrence that has been successfully managed so that if it happens in the future there may be minimal disruption and financial impact; while for others, a catastrophic loss such as a child drowning, may be extremely unlikely given the supervision and safety procedures in place, but, because of the severity of the loss, risk management procedures at the waterfront/poolside are a high priority for that nonprofit.

  • The Nonprofit Risk Management Center offers risk assessment consulting services to assist nonprofits with an overall assessment of their unique risks. Often a review of a nonprofit’s insurance program is completed simultaneously so that the nonprofit has a better idea of whether its various risks are adequately addressed through insurance.

What is a Risk Management Plan?

Just as a nonprofit might design a strategic plan to address its goals and outline how to achieve them, similarly, a risk management plan is a way to identify risk management goals, strategies to achieve them, measurable outcomes, as well as who will be accountable. A risk management plan may include policies that the nonprofit already has, or articulate goals to adopt in the future. Generally the risk management plan is developed by a committee that includes staff and board and adopted by the board as part of the board’s overall commitment to good governance.

  • The Nonprofit Risk Management Center offers an online tool to assist nonprofits develop a customized risk management plan that can incorporate existing policies or help your nonprofit develop new ones. To begin developing a customized Risk Management Plan for your nonprofit, click here. For more information on My Risk Management Plan, click here.

What is a Risk Management Committee and who should be on it?

Often we are so busy running around in our nonprofit worlds that taking time out to focus on risk management can seem daunting. Many organizations designate a “risk manager” or a committee charged with the responsibility for identifying risks and suggesting ways to reduce a nonprofit’s exposures. An effective committee is one that is comprised of a diverse group of people who interact with the nonprofit in different ways and therefore may be able to identify a wider spectrum of risks. However, risk management is most effective when everyone, from board members to paid staff, to volunteers—and even clients—is alert to risks and asks “what can go wrong?” and is encouraged to make suggestions and find creative solutions to prevent injuries, harm to property and reputation, and financial loss.