How Nonprofit Organizations Manage Risk
Authored by:
Ron Matan, CPA 
Bridget Hartnett, CPA
Published Summer 2011
 
 
 
ABSTRACT
The objective of this white paper is to define risk as it applies to the 
nonprofit sector, identify the key areas of risk unique to these 
organizations and provide a detailed analysis of the types of risk 
faced by the nonprofit community.  
 
The authors include suggested methods and processes for efficiently 
and effectively managing the juggling act required by all nonprofit 
leaders to balance risk and reward.


 
 
Table of Contents
 
 
 
1. Define Risk Management and Enterprise Risk Management for 
Nonprofit and Social Services Organizations 
 
 
2. Provide a Detailed Analysis of the Areas Vulnerable to Risk in the 
Nonprofit Community  
 
 
3. Discuss Solutions for Managing and Balancing Risk and Reward 
 
 
4. Case Study  
 
 
5. Sample Risk Management Plan 
 
 
6. Conclusion 
 
 
7. Citations  
 
 
8. About the Authors 
 
 
9. About Sobel & Co.  
 

 
1. Define Risk Management and Enterprise Risk Management for 
Nonprofit and Social Services Organizations
 
 
A recent article, "Increasing Risk Awareness for Mission Critical Objectives
of Nonprofit Organizations," published by the American Institute of Certified
Public Accountants (AICPA), states that greater risk awareness is becoming an
expected best practice in overall governance of an organization.  Knowing that
organizations, including not-for-profits, must assume risks if they want to further
their mission, executives are now seeing the strategic value of being more
informed about those risks that might positively or negatively affect their mission
goals and objectives.
 
It is obvious that the nonprofit community, as it works to achieve its goals, is
as susceptible to the dangers posed by potential risks as the for-profit business
community.
 
However, the concept of risk and risk management is seen through a unique
lens when applied to the nonprofit sector because, unlike the corporate world
where business owners and CEOs determine policy, in the nonprofit world so
many of these critical decisions are left to the volunteer leadership, such as
board members, and to paid staff.  It is this group of nonprofit influencers who
will be ultimately held responsible for deciding how conservative or adventurous
the nonprofit should be, what approach to take regarding managing risk, and
how the risk can be shared by the organization's stakeholders.  This distinction
between the for-profit and nonprofit decision makers is important to bear in mind.
 
Risk Management is defined as the process that is adopted to plan for the
possibility that events may cause harm to an organization, focusing specifically
on risk associated with board members and volunteers, staff, programs and
events, services offered, operations, technology and financial management.
 
Enterprise Risk Management (ERM) as a process goes one step further,
enabling nonprofit leaders to ensure that their objectives are being met while
identifying and managing both internal and external risks across the entire
organization. By analyzing the vulnerability of the entire enterprise, the
leadership is able to link all of the related risks to the organization's key
initiatives and by doing so can better and more efficiently mitigate the impact of
risk within each circumstance.
 

 
 
For the purposes of this white paper, risk is more broadly defined and complex
than simply ensuring protection against disaster by instituting Directors and
Officers insurance policies, safeguarding funds, or obtaining the accurate
coverage in the organization's Property and Casualty plan. While it is more
common to focus on insurance policies that safeguard the organization from
lawsuits of all kinds, nonprofits also need to address the more subtle risks
that are often taken to enable them to achieve their mission. If, for example, they
assume too conservative an approach they may follow a path that limits the
ability of the group to reach its goals.  On the other hand, an unreasonable
amount of risk may be equally as poor a strategy.
 
It stands to reason that nonprofits that integrate corporate governance,
strategic planning and risk management are better able to meet their mission
and achieve their vision as they strike a balance between pursuing their growth
goals and addressing the risks related to those initiatives.
 
Each organization can scrutinize the most obvious areas that are likely to have 
risks associated with them such as strategic activities, financial activities, 
operational activities, compliance initiatives and reputational concerns. 
 
According to Charles Tate, in an article entitled "So What is Risk Assessment?",
these activities can be defined as follows:
 
Strategic activities which include the quality of programs, the organization's
physical capacity, the success with which the nonprofit achieves its mission, the
demographics of donors, the transparency of the group, and the management
of the changing expectations of donors, clients and staff, especially when
funders are seeking quantitative measurements as proof of impact and different
outcomes prevail rather than as initially anticipated;
 
Financial activities which include efficient use of office space, personnel, 
deferred capital maintenance, cost of capital (debt), cost of programs and 
services, management of endowments, cost of new technologies and the use of 
all resources; 
 
Operational activities which include systems related to finance, technology and
administration along with internal controls, security, internet access, electronic 
records (ex., donor databases), human resources and succession; 
  
Compliance concerns which include regulatory accountability and 
implementation of processes that can impact the ability to attract federal funding, 
tax exemption status, and contracts; 
 
Reputational concerns which include mistakes in any of the above areas,
leading to damaging or diminishing the organization's reputation and perhaps
future fund raising.
 
 

 
2. Provide a Detailed Analysis of the Traditional and Non-Traditional           
Areas Vulnerable to Risk in the Nonprofit Community
 
 
Identifying and assessing areas at risk is a key to managing the process for 
nonprofits, especially as new, more complex assessments are proving to be 
important for decision making.  Nonprofit leaders must keep an eye on traditional 
sources of risk while also learning to link mission critical strategies with key risks.  
Reviewing the organization's top strategic initiatives (programs, events, service
offerings) is one way to begin identifying those areas of greatest exposure for the 
group. 
 
Here are some of the most common areas that have a high potential for risk: 
 
  Special Events and Other Fundraising Risks 
A nonprofit can be at risk on several different levels regarding both individual 
fundraising and fund raising through special events.  
 
When hosting a major event such as a Gala, a blood drive, a golf outing, a 
Bowl-a-thon or any other similar program, there is always risk attached.       
No matter how well planned, the event can be a disaster if anything goes 
wrong.  To sidestep the possibility of risk, the nonprofit can adopt some
preventative measures when preparing for any event.  
 
To begin with, the event must be mission appropriate.  Keep in mind that the 
event represents the organization and supports its vision.  The event must be 
carefully crafted and thoughtfully executed so that it can not only promote
the organization but also meet its social and financial goals.  The bigger the
event, the bigger the audience, thus the more planning that is required
for success.  To accomplish this, there should be an event director and a
committee, whenever possible, devoted to planning, directing and managing 
every logistic detail and ensuring continuous communication.  In addition, all 
activities surrounding the event must be reviewed for safety precautions to 
eliminate the possibility of injury.   
 
There are other types of risk surrounding fundraising besides those that   
occur during a special program.  Of course, not all fundraising is done through 
major events.  In fact, most nonprofits count on individual donors for the 
majority of their revenue generation.  Whether using a list broker for direct 
mail and email campaigns or sending messages to Twitter followers, 
nonprofits can run into all sorts of challenges and risks when interacting     
with donors on a personal level.     
 
The laws governing nonprofit solicitations and the deductibility of individual 
contributions have grown much more complex over the years. Current 
regulations require donors and beneficiaries to keep precise records and       
to report on the scope of their financial involvement.  

 
When communicating with individual donors, the nonprofit should avoid
aggravating the donor with repeated solicitations or violating privacy
concerns, accepting a donation from someone who doesn't embrace the
same values and ethics as the nonprofit, or handling bequests inappropriately.
Donations of real property can also be a source of risk for a nonprofit,
either because the organization doesn't conduct appropriate due diligence on
donated property when valuing the benefits of such a donation or because
there is a potential legal liability if the donated property is found to contain
environmental hazards.  Remember that real estate donations may not end
up being as lucrative as they appear, and take all precautions to alleviate risk.
 
  Volunteer Risk
Volunteers are the life blood of the nonprofit world.  Many organizations rely 
heavily on their volunteers to take on formal responsibilities, such as when 
they accept the role of board member, as well as to drive many of the 
programs and fund raising efforts.  While most volunteers are passionate 
about the mission and dependable regarding their duties, nonprofits need to 
be aware that there can be some surprises if they do not prepare properly.  
Understaffed and overworked nonprofits can tend to accept volunteers
based on the "warm body" theory, taking any warm body and putting them
to work on projects and programs.  This can lead to incredible risk if there is
no vetting process to ensure that volunteers meet certain criteria.  And even
with a process for checking out the volunteers in place, there can still be 
issues that put the group at risk.  There is always the possibility that the most 
energetic and engaged volunteers can land the organization in hot water if 
they are not given the appropriate tools and education.  
 
With this in mind, training programs should be mandatory for volunteers, 
depending on their role within the organization.  All board members should 
attend orientation programs where they learn of the scope of their 
participation and the expectations regarding their contributions of time and 
resources.   
 
  Financial Risk
Insufficient internal controls, programs that continuously run at a deficit or 
ineffective fundraising activities can all put the organization at risk. 
 
It is equally as important for executive directors and boards of nonprofits
to have strong internal controls in place to deter or prevent fraud as it is for
the for-profit business owner or CEO.  The waste or theft of the organization's
assets can be avoided with proper controls and separation of duties. This is
particularly important for organizations that have only a few staff members
performing all the administrative tasks.  Under these circumstances, the
bookkeeper may be opening the mail, paying the bills, handling the incoming
revenue, and even preparing payroll.  If so, the organization is in an extremely
vulnerable position.

 
That trusted employee, given the right conditions, can begin to take
advantage of the board's trust and the opportunities they have for
mishandling funds due to few checks and balances on their daily activities.
 
Costly and inefficient programs can also put the organization in a dangerous
financial situation, as can fund raising activities that are not carefully
managed and measured.  To mitigate these issues, nonprofits can rely on
accurate budgets and financial forecasts to keep them out of trouble.
 
The budget, prepared by the treasurer or others with a strong financial
background, should reflect the organization's ability to accomplish its mission.
 
Reasonable (conservative) opportunities for generating revenue, including
fundraising, donations and grants, as well as a realistic assessment of all
costs related to achieving the group's mission, are all a part of the budget
process.  Resources are distributed and programs developed based on the
picture that is portrayed by the budget.  If the budget does not reflect a
truthful representation of the group's financial standing, the organization can
be at risk.
    
Lastly, while poor financial decisions and investments can always pose a 
problem, as can unexpected economic shifts (as we have been experiencing 
for the last few years), with careful use of outside professional advisors such 
as financial management experts, this risk can frequently be minimized. 
 
  Staffing Risk
Employers at both for-profit and nonprofit organizations are always
vulnerable to claims from angry employees, but the nonprofit sector, with its 
reputation for carrying out the greater good, bears an additional burden of 
responsibility to staff.  Because of this reputation for perpetuating good will, 
nonprofits face additional obstacles regarding fair treatment.  Employees may 
unfairly anticipate that the nonprofit environment will be more nurturing and 
supportive than that of a corporate institution.  Many future employees also 
expect that a nonprofit organization will offer a more informal, easy-going 
atmosphere than that of a typical business environment.  Sometimes nothing 
could be further from the truth!  Nonprofits are forced to do more with less, 
and executive directors are stretched beyond their limits as they deploy 
limited resources to provide much needed programs and services for their 
constituents, while in many instances relying on sometimes undependable 
volunteers to fill in the gaps.  Instead of a warm, welcoming and relaxed 
atmosphere, employees may find themselves in tense situations as they 
scramble to attract donors and serve the community at the same time in
order to carry out the organization's mission.

 
It is not surprising that 85% of all insurance claims filed under Directors and 
Officers (D&O) Liability policies are employment related.  The percentage is 
high, indicating that any nonprofit is at risk in this area.   
 
To address the concern of staffing risk, nonprofit leaders need to institute the 
same employment practices as their for-profit counterparts.  Even though this 
may seem especially burdensome for a small organization, nonetheless, they 
should adopt reasonable employment practices, including the following: 
 
-Write and continuously review employee manuals and handbooks for both 
paid staff and volunteers (having written manuals ensures consistency and 
helps avoid ambiguity and confusion) that include all personnel policies 
 
-Write and continuously review hiring, disciplinary and termination procedures 
 
-Develop written job descriptions, complete with specific areas of 
responsibility 
 
-Support the board of directors who are engaged in performance reviews for 
the Executive Director and include a written evaluation and compensation 
suggestions 
 
-Remind all staff of both the nonprofit's anti-harassment policy and its
whistleblower protection policy
 
-Provide a safe, clean, healthy environment that is designed to prevent 
accidents 
 
-Involve the board of directors in all staffing decisions and policy making  
 
  Restricted Grants Risk 
Nonprofit organizations struggle to gain adequate funding, and in many cases 
are very eager to apply for grants that can help them close the gap between 
revenue and costs.   
 
With current government cutbacks and individual donations slowing, many
nonprofits have turned to grants as an alternative.  The competition is fierce
and the desire to gain the grant may cause some nonprofits to overpromise
when they are making their case.
 
If the grant is awarded and the nonprofit cannot fulfill its part of the
bargain, the leadership is putting the entire organization at risk.  Restricted
grants, by their very definition, have strings attached.  It is the responsibility
of the nonprofit to recognize these limitations and weigh the costs and
benefits associated with the grant before applying.  This means reading
the application completely to gain a full understanding of the expectations of
the funders.

 
Complicated scenarios are becoming more common, and the burden is on    
the nonprofit to manage the funds provided by the restricted grants 
appropriately.  Here are some suggestions provided by the Nonprofit Risk 
Organization regarding restricted grants: 
 
-Pursue restricted grants with caution and accept the temporary nature of all 
projects supported with restricted funds.  (Be especially careful when hiring 
project specific staff for programs that may not be sustainable) 
 
-Acknowledge, identify and monitor the strings which accompany a restricted 
grant.  Read all agreements, donor letters and other funding documents. 
 
-Carefully monitor all expenditures for restricted grant projects to ensure that 
spending does not exceed grant revenues. 
 
-Avoid restricted grants that require institutional growth or projects that may 
not be sustainable once the funding cycle is over. 
 
-Plan carefully and communicate expectations to key parties. 
 
-Always assess your grant-seeking practices, prospective funders, and 
partnership opportunities in relation to the organization's mission and goals.
 
  Reputation Risk
Reputation risk in the nonprofit sector can bring a loss of confidence in the 
organization, resulting in a decline in demand for its services, diminishing 
donor support, fewer volunteers, or even a withdrawal of strategic alliances 
and collaboration partners.  The nonprofit may not even be aware that its 
reputation is being tarnished until some of the situations described above 
occur repeatedly.  Most assume that they are protecting their good reputation 
and keeping it from risk by providing good services for constituents and 
following established policies.  But this is not always the case, especially in 
today's technology-driven climate.  Poor scores on sites like Charity Navigator,
inadequate or missing information on GuideStar, the voice of bloggers, 
unhappy donors who take to complaining on Facebook, or even a special 
event gone awry can all bring reputation risk to even the most well regarded 
organization.  
 
To combat these challenges, nonprofit leaders must listen to their 
stakeholders, ask their board for advice, and consider all feedback as 
essential.  Every nonprofit should provide communication channels that 
encourage compliments, complaints and concerns as well as suggestions for 
improvement.    
 
Conducting an occasional survey of donors and volunteers can help bring 
their opinions to light.  In this way, a nonprofit can identify what they are    
doing that is effective, what their supporters most appreciate, and if they    
refer others to the group (the sign of a truly loyal supporter is a referral). 

 
 
It is important to remember that a dollar value can't be placed on a good
reputation - and it isn't covered by an insurance policy as some other
risks are!  A strong reputation is key to attracting donors, volunteers and
constituents by building credibility, confidence and trust.
 
To protect its reputation from risk, the organization needs to be proactive,   
ask questions, listen to answers, and stay in touch with all stakeholders, 
encouraging an open and candid dialogue.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

 
3. Discuss Solutions for Managing and Balancing Risk and Reward 
 
 
 
Before presenting solutions for managing risk, two questions that beg an answer
are "How much risk is appropriate?" and "Who should determine the level of
risk?"
 
While volunteers, staff and donors may make this determination, as stewards for 
the community, they are acting on behalf of all those who benefit from their 
mission.  This responsibility complicates the situation. "The ambiguity of who
bears the risk, and what levels of risk taking are appropriate, impacts directly on
nonprofit decision making," notes Dennis Young in his working paper for the
Nonprofit Studies Program at Georgia State University.
 
Whether leaning toward a conservative approach because they are reluctant to 
take chances with resources entrusted to them by others or embracing a more 
entrepreneurial approach founded on the idea that they are expected to lead 
social change, the influencers with the nonprofit need to carefully weigh all 
options and elect a systematic, strategic approach that supports their mission 
without being irresponsible. 
 
To begin such a process, the nonprofit can establish a committee to develop      
its risk management program.  Committee members should be included from 
various segments of the nonprofit, including administration and operations, 
finance, volunteers, programming, and development.  Select board members and 
the executive director should be included as well. 
 
The next step to managing risks is identifying those situations (perhaps isolate 
the Top 10) where it is anticipated that risk is most likely to impact the nonprofit 
organization, from loss of grants to special events to facilities management to 
volunteer management to fundraising and everything in between.  
 
There are also unanticipated situations that can occur.  Perhaps changes in the 
community have taken place and they are contemplating offering new programs 
to address shifting issues; perhaps it is necessary now to expand capacity; a 
change in vision may necessitate the firing of the Executive Director, or 
diminishing funds may encourage collaborating or even merging with another 
organization with a similar mission.  In each of these unexpected scenarios, the 
nonprofit needs to be able to execute a fair decision that will lead to success 
without incurring unacceptable levels of risk.     
 
Each organization may have its own concerns, but they also need to be alert
to common risk issues such as being responsible for a guest becoming injured
at a fund raising event, a technology glitch that breached the confidentiality
of donors' gifts, or an employee theft.  The smart nonprofits will assess all
possibilities and prepare for them.

 
This also means disaster preparedness.  For further information on this, please
see our white paper, "Disaster Planning and Business Continuity for Nonprofit
Organizations: Preparing for Disruption," published in Spring 2010.
 
The third step necessary is for the committee to assess each area of risk and
determine how likely it is to occur.  This is critical because the list for potential
risky situations is long, and given the nonprofit's limited resources and time,
the expectation of risk must be prioritized to allow attention to be paid to those
areas that will do the most harm.
 
In the current environment, risk and risk management are board responsibilities. 
As such, for those nonprofits that have an audit or finance committee, or an 
executive committee that assumes these functions, these committees should be 
expanding their role to include not only financial reporting, but also assessing   
the organization for risk.  While the Sarbanes-Oxley Act of 2002 does not 
mandate an internal audit for nonprofits, many organizations of all sizes are 
enforcing some component of risk assessment and the implementation of  
internal controls at a level practical for their size and resources.  
 
For the board in general and the audit committee specifically, identifying risk is
a good start, but the critical step is to develop the policies that in all likelihood
will prevent it from occurring. Controls are only effective when they are
implemented consistently and updated and reviewed regularly. Everyone
involved must understand the risk management processes and adhere to
them without exception.  Training may be needed to ensure responsibilities are
carried out.
 
 
  
 
 
 
 
 
 
 
 
 
 
 
 
 

 
4. Case Study  
  
 
 
In order for an organization to determine its long term goals and identify the
best approach for achieving those goals, it is imperative to align its strategic
direction with its key risks.  Successful strategic initiatives must be designed
to accommodate the views and requirements of a variety of constituents.  In
other words, organizations need to implement a process that is designed
to attain long term goals while managing those key risks that prohibit the
organization from attaining its mission.  In order to achieve these strategic growth
milestones, organizations will be faced with roadblocks which form the
cornerstone of an organization's risk assessment.
 
 Whether it is a for-profit or nonprofit entity, certain risks will be prevalent in all 
organizations, while other risks are unique to the organization and its objectives.   
 
In addition, nonprofit organizations face a regulatory and operational environment
that is constantly changing.  As a result, they should always be seeking ways
to improve the efficiency, effectiveness and security of their operations.  One of
the best ways to do this, and stay ahead of the inevitable changes, is to perform 
an annual risk assessment.  
 
A Risk Assessment is the process of identifying all the risks to and from an 
activity while assessing the potential impact of each risk.  
 
 
CASE STUDY 
 
As this real world case study demonstrates, the first step in implementing a
risk assessment is to become familiar with the organization's strategic plan and
any risk factors or deficiencies identified by their external auditors.  Additional
considerations should be made as to whether there has been turnover in key
management positions and the overall morale of the employee base.
 
What the initial interaction showed was that this nonprofit client had a strategic 
growth initiative that focused on competing for discretionary dollars in a weak 
economy, continuing to remain a viable entity, implementing the right mix of skills 
and diversity found within the Board of Trustees, and having an overall cohesive 
vision.  These strategic initiatives are common in many non-profit organizations 
and certain key risks are associated with these initiatives.   

 
The following were the risk categories that were identified as integral to the
nonprofit's strategic growth initiative:
 
  Operational Risk:  The possibility that sloppy, inadequate, ineffective 
or incompetent back office activities will interfere with normal healthy 
business functions. 
  Strategy Risk: The risk that the organization hasn't carefully
established viable plans for operations, finance and asset/liability
management.
  Fraud Risk: The possibility that deals made are not genuine or
bona fide.  Fraud risk also includes the chance that deals are not arm's
length, that deals are not legal or that there is increased risk of
misappropriation of assets.
  Market Risk: The risk that investments, etc. will decline as a result of 
fluctuating markets and/or the risk of not being properly hedged. 
  Compliance/Regulatory Risk: The possibility of engaging in 
transactions that violate laws, statutes, etc. 
  Legal Risk: The possibility of lawsuits. 
  Environment Risk: The possibility of environmental issues arising in 
real estate owned or on properties which the organization operates. 
  Management Risk: The possibility that the competency, judgment   
and integrity of management and their actions will jeopardize the value 
of net assets.

To proceed, meetings were scheduled with the operations and line staff, the
executive team and members of the board to disclose the risk tolerance of
the organization.  This information, coupled with the information gathered during
the planning stage, was pivotal to identifying and scoring the individual risks
and risk categories.
 
At the onset of the risk assessment, an employee from the organization identified 
the risk categories that were affecting the organization and determined the risk 
factors for each risk category.  Risk factors were the criteria used to identify the 
relative significance of, and likelihood that, conditions/events may occur that 
could adversely affect the organization.  Risk factors for this nonprofit included: 
 
  Management's Tone from the Top: This is the ethical (or unethical)
atmosphere in the nonprofit environment as perceived by the 
employees and board members.  Management's tone has a trickle-
down effect on everyone involved, which means it is likely that if top 
managers uphold ethics and integrity so will employees.  But if upper 
management appears unconcerned with ethics and focuses solely on 
the generating of funds or donations, employees will be more prone to 
commit fraud because they feel that ethical conduct isn't a priority.  

 
  Complexity of Process: The scope and complexity must be 
measured, so each process should be reviewed and a determination 
made as to how complex the process is.  Each process should be 
rated based on this assessment, (high, moderate, or simple). 
  Volatility of Process:  This risk factor poses the question regarding 
how easily the process can change.  Each process should be rated 
based on this assessment (high, moderate, or simple). 
  Materiality of Process:  To determine materiality, the organization 
must be able to address the financial impact of the process on the 
nonprofit. The materiality of each process should be rated high, 
moderate or low, based on this assessment. 
  Volume: To address volume, the organization must understand how
many units are at risk and how often the process is performed within
the organization. Each process should be rated based on an
assessment of volume as high, moderate, or low.

After the nonprofit had a clearer understanding of the risk categories and risk
factors it potentially faced, and had an understanding of how much risk the
key people in the organization were willing to accept, it was time to focus on
their operations manager and their business processes.
 
The nonprofit developed a scoring system for the risk factors, typically (1 for high 
risk, 2 for moderate and 3 for low).  While documenting these risks the nonprofit 
categorized the risks (operational, financial, strategic, etc.) and subsequently, 
scored the risks.  After the risk activities were scored, the nonprofit ranked the 
risks from high to low risk.

As a result of this process, the board of directors gained a solid understanding
of the risks in the organization and a roadmap to improve their internal control
structure.  As importantly, this nonprofit understood the obstacles / roadblocks
to accomplishing their strategic initiatives and directives.
 
 
 
 
 
 
 
 
 

 
5. Sample Risk Assessment Plan Outline 
 
 
 
The outline below, provided as a template from the Risk Management Tool Kit 
website, offers some guidance and ideas for nonprofit leaders to consider 
when drafting their own plan. 
TABLE OF CONTENTS 
1.0 INTRODUCTION 
1.1 Purpose and Objectives  
 
(A Risk Management Plan should begin with a forthright statement that explains 
the group's philosophy concerning risk and risk management.  This introduction 
sets the tone for the plan, by laying a foundation based on the organization's 
approach to risk.) 
2.0 PROGRAM SUMMARY 
2.1 Description 
2.2 Acquisition Strategy 
2.3 Program Management Approach 
3.0 RISK-RELATED DEFINITIONS 
3.1 Technical Risk 
3.2 Schedule Risk 
3.3 Cost Risk 
3.4 Risk Ratings 
4.0 RISK MANAGEMENT STATUS AND STRATEGY 
4.1 Risk Management Status 
4.2 Risk Management Strategy 
5.0 ORGANIZATION 
5.1 Program Office 
5.2 Responsibilities  
6.0 RISK MANAGEMENT STRUCTURE AND PROCEDURES 
6.1 Risk Planning 
6.2 Risk Assessment 
   Identification 
   Analysis 
   Risk Rating 
   Risk Prioritization 
6.3 Risk Handling 
6.4 Risk Monitoring 
Risk Management Information System (RMIS), Documentation, and Reports 

 
6. Conclusion 
 
 
 
With all the changes taking place today, nonprofits face risk from many different 
situations.  Along with the traditional risks that accompany financial decisions, 
managerial activities or human resource issues arising from interaction with staff 
or volunteers, there are other less traditional types of risk that are appearing on 
the horizon.  
 
For instance, quickly growing technological advances have brought great 
advantages as well as the potential for major consequences.  Nonprofits have to 
carefully guard their databases, protecting the confidentiality of donors.  Names 
and contact information cannot be shared, and caution has to be taken against 
the dangers of hackers and other technological glitches that jeopardize the 
volunteers, donors and constituents.  
 
Other technological advances, such as the increased use of social media, 
provide opportunities for nonprofits at the same time they create critical concerns. 
Through technology such as Facebook, Twitter, websites and blogs, donors and 
constituents can easily locate a nonprofit organization, spread the word regarding 
its mission, sign up to get involved or engage in on-line giving.  However, all of 
these amazing communication tools have a dark side that presents risk for the 
organization.  Once a statement is made on-line it becomes public, taking on a 
life of its own and reverberating throughout the local, regional and even global 
community in seconds.  Bloggers are free to speak their mind with little or no 
censorship and friends can share good news and gossip on Facebook that 
can enrich or destroy the nonprofit's reputation.   
 
Competition from other similar nonprofits also creates a risky situation.  There 
are more nonprofits now than ever before, and all compete for the mind share 
and heart share of the same audience.  In any economy, the fight for the 
discretionary dollar is intense.   
 
Finally, the demand for better measurement and transparency has caught up 
with the nonprofit world just as it has impacted the for-profit business community. 
Websites like Charity Navigator gather information about nonprofits from sources 
like the 990 forms and, by implementing an elaborate rating system, evaluate 
and judge the effectiveness of the nonprofit.  Their independent and unbiased 
recommendations regarding the viability and trustworthiness of the organization 
can have a significant positive impact on the group's success, or can put it at 
tremendous risk for loss of reputation and standing in the community it serves.    
 
To address all of these types of scenarios, the smart leaders of nonprofit 
organizations, both large and small, are assuming a more structured, disciplined 
approach to managing all risk factors across the entire organization wherever 
they routinely occur, while putting simple processes in place to prevent risk from 
happening in the first place.  

7. Citations 
 
Enterprise Risk Management on a Budget. Corey Reinker. May 2011. 
www.watkinsmeegan.com.  
 
So What is a Risk Assessment? Charles Tate. January 2010. 
www.tatetryon.com. 
 
Managing Risk Within Nonprofit Organizations. White Paper Nonprofit Series. 
Pacific Continental Bank.  
www.therightbank.com. 
 
How Nonprofit Organizations Manage Risk. Dennis R. Young. June 2003. 
Georgia State University. Andrew Young School of Professional Studies. 
 
Managing a Nonprofit Means Managing Risk. Leigh Tucker. July 2009. 
www.massnonprofit.org. 
 
Managing Risk in Budget Forecast. The Nonprofit Risk Management Center. 
www.minnesotanonprofits.org. 
 
Managing Risk. Thomas A. McLaughlin. The NonProfit Times. February 2008. 
 
Staffing the Nonprofit Workplace Steering Clear of Pitfalls. 
www.nonprofitrisk.org 
 
Why Risk Management in Relation to Volunteers? 
www.nonprofitrisk.org 
 
Financial Risk Management: Key to Your Nonprofit's Health 
www.nonprofitrisk.org 
 
The Road to Safety 
www.nonprofitrisk.org 
 
Managing Special Events Risk 
www.nonprofitrisk.org 
 
Managing Restricted Grants: Routine or Risky Business? 
www.nonprofitrisk.org 
 
The Eye of the Beholder: Managing Reputation Risk 
www.nonprofitrisk.org 
 
Don't Be Ensnared By the Risks of Fundraising 
www.nonprofitrisk.org 
 
www.mitre.org 
 
www.myriskmanagementplan.org 
 
Case Study provided by Noah Kessler, Sobel & Co. 

 
8. About the Authors

Bridget Hartnett 
 
Bridget Hartnett, CPA, a member of the Firm at Sobel & Co., has more than 
thirteen years of experience in public accounting which she draws on to 
provide high level services for clients.  
 
Experience in the Nonprofit Niche 
Bridget spends most of her time working closely with clients in social 
services and nonprofit areas, including educational institutions.  As a member 
in the firm's Nonprofit and Social Services Group, Bridget supervises the 
audit engagements conducted by Sobel & Co. for the Cerebral Palsy 
Association of Middlesex County, the Youth Development Clinic of Newark 
and Catholic Charities of the Trenton, Metuchen and Newark dioceses, 
Freedom House, and C.J. Foundation.  In addition, she handles all of the 
firm's education audits and holds a Public School Auditor's license.  Bridget 
is also responsible for reviewing and overseeing the preparation of nonprofit 
tax returns. 
 
Philanthropic and Social Service Commitment 
Bridget carries her commitment to social services beyond the workplace to 
include her personal involvement in several areas, such as at St. Benedict's 
school in Holmdel, where she is always available to volunteer for projects 
and special events as needed, as well as giving her resources and time to 
various children's charities, such as the New Jersey Chapter of Make-A-Wish 
and others.  She is also a volunteer with professional business groups in 
the New Jersey community, including Monmouth Ocean County Nonprofit 
Committee and the Western Monmouth Chamber of Commerce where she 
helped to found the successful Young Professionals Group and currently 
serves as Co-Chair and founder of their newly formed Nonprofit Committee. 
Bridget is also an active member of the New Jersey CPA Society's Nonprofit 
Interest Group. 
 
Professional Credentials 
As a licensed Certified Public Accountant in New Jersey, Bridget is a member 
of both the American Institute of Certified Public Accountants (AICPA) and the 
New Jersey Society of Certified Public Accountants (NJSCPA). 
 
Educational Background 
Bridget graduated with her Bachelor of Science degree from Montclair State 
University.  
 

 
Ron Matan 
 
Ron Matan, member in charge of Sobel & Co.'s Nonprofit and Social Services 
Group, brings a unique blend of public accounting and business acumen to 
every client engagement.  A key member of Sobel & Co.'s Leadership Team 
since joining the firm in 1997, Ron works primarily with non-profit 
organizations, including United States Department of Housing and Urban 
Development (HUD) projects, A-133 engagements, and low income housing 
tax credit programs (LIHTC).   
 
Experience in the Nonprofit Niche 
As member in charge of the firm's Nonprofit and Social Services Group 
(A-133 and HUD audits and LIHTC programs), Ron is responsible for the 
firm-wide quality of this practice area and is the firm liaison for the AICPA's 
Government (Nonprofit) Audit Quality Center.  With over 35 years' experience 
in public and private industry and accounting experience with all types of 
nonprofit and social service organizations, Ron brings a unique blend of 
knowledge and insight to these specialized engagements.  Ron is a Certified 
Tax Credit Compliance Professional and is listed in the Guide which is 
circulated to all State Agencies Allocating Tax Credits as well as the Internal 
Revenue Service.  He has also taken courses in advanced training for peer 
reviews and performs peer reviews of other accounting firms.  
 
Philanthropic and Social Service Commitment 
Ron is a member of the Board of Directors of First Occupational Center where 
he serves as Treasurer and is a member of the Education Committee for the 
Mid-Atlantic Chapter of the Society of Association Executives.  Ron is a 
member of both the Plainfield Neighborhood Health Center Board (where he 
serves as Treasurer) and Union County Educational Services Foundation 
Board.  Ron was the former treasurer and board member of Kids Peace 
Treatment Centers for emotionally disturbed children, located in Bethlehem, 
Pennsylvania.   
 
Professional Credentials 
Ron is a Certified Public Accountant licensed to practice in New Jersey, 
New York and Pennsylvania.  He is a member of the American Institute of 
Certified Public Accountants and the New Jersey Society of Certified Public 
Accountants (NJSCPA).  Ron has been elected as Vice-Chairman of the PKF 
North America's Nonprofit Committee, and in June 2004, Ron was appointed 
to the New Jersey Society of Certified Public Accountants Peer Review 
Executive Committee.  Ron is also a member of the NJSCPA's Nonprofit 
Interest Group.  
 
Educational Background 
Ron is a graduate of King's College in Wilkes-Barre, Pennsylvania, where he 
received a Bachelor of Science Degree in Accounting. 


9. About Sobel & Co.  
 
 
Sobel & Co. is a middle market accounting and consulting firm with 
headquarters in Livingston, New Jersey that has been providing nonprofit and 
social service organizations in the New York/New Jersey metropolitan area 
with audit, accounting, tax and advisory services since its inception in 1956.   
 
The firm is distinctive in its approach to the nonprofit community because of 
its sincere passion for serving this sector.  As it says on the Sobel & Co. 
website, "We work with the nonprofit sector because we feel good helping 
those who do good; we have a passion for helping nonprofit organizations 
achieve their mission of helping the world's most vulnerable."  
 
The firm currently works with more than 175 nonprofit organizations with 
revenues ranging from $100,000 to over $60,000,000.  Based on this depth of 
experience, the professionals in the nonprofit group are keenly familiar with 
the issues facing nonprofits and they will apply this knowledge to bring added 
value to every engagement. 
 
As a further demonstration of the firm's commitment to the nonprofit 
community, several complimentary programs are offered throughout the year. 
These include quarterly webinars, roundtable discussions and an annual 
symposium on timely and relevant topics.  Newsletters, articles, benchmark 
reports, surveys and white papers are also distributed to the nonprofit sector 
to provide them with access to cutting edge information.