People today live with more uncertainty than in the past. To some extent, this is because new technology and vehicles of communication, not to mention a more global social, political, and economic environment, have created a new vision of how society functions as a whole. Imbedded in this new world, the not-for-profit plays a significant role in recognizing and overcoming uncertainties, attempting to improve the quality of life, and moving toward sustainability in a more complex world. This is accomplished not only on a global scale, but also community by community.

It is safe to say, without sounding naïve, that not-for-profits strive for the common good, each unique to its individual mission and the community it represents. Community is not just defined by geographic terms, but also by the needs of the community, be they medical, behavioral, economic, religious, educational, or cultural. The modern social, political, and economic environment brings with it, in its diversity and ability to operate within its own framework, a renewed sensitivity and awareness of risk. People and institutions face myriad risks daily and make decisions with such risks in mind. Acknowledging risk in advance can help identify the degree of success or failure of future plans. In the modern world, however, many new risks are constantly developing due to the changing society and marketplace. Faced with all this, what is the responsibility of any not-for-profit to confront its risk environment? What can and should any organization do to mitigate and manage those risks and continue to maintain confidence and sustainability in its mission?

Internal Risk Considerations

Broadly speaking, risks can be categorized as either internal or external. Internal risks come from elements within the operations of an organization, including risks involved with running programs to meet its mission and the related administrative, fiscal, and other management efforts to support these programs. Each organization has its own unique structure, key operating elements and personnel, but the following items are always relevant when making internal risk assessments.

Program-related risks.

All contracts with funders, particularly government sources, should meet the legal and regulatory requirements of such contracts, and all services provided should meet the requirements for those qualified to perform and receive such services. In addition, all other requirements for funder or donor requests and mandates should be adhered to in the application of such funds to the programs identified. All facilities involved in the not-for-profit’s mission must meet local codes of maintenance and related legal ordinances on usage and security of such facilities. Finally, all regulatory requirements pursuant to and consistent with other organizations in the not-for-profit industry should be followed strictly.

Administrative, personnel, and support risks.

Background checks should be performed on all personnel, not only to prevent potential legal and other undesirable past issues, but also to ensure that all potential personnel have the capability to perform their prospective duties. Appropriate levels of insurance should be in place for all applicable needs, including facilities, personal injury, professional misconduct, directors and officers, and business interruption insurance, as well as all other property and casualty applicable to the not-for-profit’s operations. Of course, all regulations relating to payroll and related employee benefits should be followed to the letter. All board members, volunteers, and other interested parties should be kept up to date on the organization’s activities, particularly during implementation of new programs, onboarding of new management, or other significant changes in operations. Communication with donors and the public should be monitored to ensure timeliness and clarity. Finally, strong measures should be in place to protect all sensitive internal data and operating systems, whether in electronic or hard copy form.

External Risk Considerations

In addition to these internal risks, not-for-profits should also be aware of significant external risks. These can be easy to identify, but can also appear more remote, and therefore more difficult to detect. Areas to consider include the following:

  • Outside payroll services, including employee benefit providers;
  • Insurance agents and contractors;
  • Vendors that provide maintenance, security, and other services to the facilities;
  • Outside professionals, including accountants, attorneys, bankers, investment advisors, public relations agents, and other professionals;
  • New laws and regulations regarding industry standards, personnel, and other issues;
  • The character, background, and reliability of potential donors and other funders;
  • Security for all systems provided by outside consultants used in operations, including fiscal, HR, development, and fund-raising.

Nothing on the above lists is new to maintaining effective operational control, but successful control requires a new sense of awareness based on modern complexities and more comprehensive due diligence. Failure to properly assess risk can result in financial loss, unnecessary harm and exposure, and ultimately increased reputational risk. Reputational risk supersedes individual concerns and thrusts an organization into the spotlight, not only for employees, clients, board members, donors, and volunteers, but also for the public and marketplace at large. Most consequences of risk failure can be overcome with appropriate attention and action, but reputational risk is the hardest. Do the individuals and organizations the not-for-profit relies on meet the criteria of professional reliability, integrity, ethics, insurability, fiscal strength and sustainability, and good reputation within their respective industries? Organizations must examine these questions deeper and more carefully than in the past.

Each not-for-profit organization has its own nuances and mission statement, but the modern world requires a renewed level of scrutiny and management oversight than ever before. Data theft, corruption, and government scrutiny are all on the rise, as are public awareness, concern, and doubt as to the culture, viability, and sustainability of many industries and organizations. Many organizations are hiring compliance officers and risk managers to address these issues, and in surveys, many CFOs within the not-for-profit industry list risk awareness and assessment as increased mandates in their job description.

Each organization must do what it deems necessary to control its own environment. To use a familiar phrase, it takes only one bad apple to spoil the barrel; each organization must respond if and when it sees its sector’s environment threatened by outside influences. It is imperative to keep a pulse on one’s surroundings; when in doubt, ask, and when confronted by reality, respond accordingly.

Even not-for-profits cannot escape the nuances of the modern world; ignorance is no longer bliss, and inaction can no longer be tolerated. Everyone must be as proactive as possible and continue to deal with new threats. Indeed, not-for-profits are especially beholden because of the greater public awareness surrounding them.

The not-for-profit industry will continue to thrive, grow, and be relevant because it meets the needs of so many and is highly respected and appreciated. That status carries a responsibility that cannot be abrogated. Risks will continue to be a part of day-to-day life, but everyone must do what is necessary to control and mitigate the consequences of such risks.

Ron Ries, CPA, CGMA is a Partner at WeiserMazars LLP, New York, N.Y. He currently sits on the boards of several not-for-profit organizations.