Risky Business

Q: What are some of the risks common to all not-for-profits?

A: As we wind down the year and get ready to turn the corner on the start of a new decade, it is always a good idea to identify key areas where not-for-profit organizations—irrespective of their purpose, structure or operations—might face potential risk. Identifying and understanding areas of risk are the first steps to managing those risks successfully.

Finances, and related issues, are one of the key areas of potential risk for any not-for-profit. It is essential that the voluntary and paid leadership understand their revenue model, expenses, and reserves (including the adequacy of their liquid/cash assets) and assure themselves that their organization is financially sustainable. In addition, not-for-profits also should take steps to minimize their potential exposure to fraud. Experience shows that not-for-profits too frequently seem to lack a full appreciation of their risk of fraud, whether it is perpetrated by someone inside the organization (e.g., an employee submitting multiple expenses for the same amounts) or outside the organization (e.g., a vendor that bills for services not provided).

Unfortunately, the “trusting” nature of not-for-profit leaders and members can result in a sense that their staff is above suspicion. Most often, that is true, but it is not universally so. Thus, organizations should proceed on a “trust, but verify,” not a “blind trust,” basis. To minimize the likelihood of fraud, all not-for-profits, whether large or small, should have effective fraud controls in place and adopt appropriate policies and procedures.

Another area of risk for organizations typically is their lack of succession planning—whether it be for key paid staff or, on a more regular and frequent basis, for volunteer leaders. With respect to the volunteers, the potential problems stem from inadequate leadership development, recruitment and training. Organizations must always work to make sure that they are providing broad-based and meaningful training for their volunteers, and that there is an adequate pool of future leaders waiting in the wings. For the paid staff, the risks often arise from inadequate planning and a lack of appreciation of the problems associated with an unplanned succession. If an organization has a long-standing, elderly CEO, they likely are thinking (and, hopefully, planning) for succession. But, all too often, organizations with younger and healthy CEOs don’t recognize and plan for the possibility of their sudden departure. They should.

Yet one more area of potential risk that, anecdotally, appears to be getting more attention (which is a good thing) is in the area of governance. It is essential that well run and managed not-for-profits review every aspect of their governance and assure that they reflect “best” practices. Such a review can involve everything from (i) assuring that their bylaws are up to date, reflect the realities of their day-to-day operations and practices, and are in compliance with state law, to (ii) following good conflict of interest disclosure practices and managing those conflicts, and (iii) to understanding the roles of the board, the CEO and the staff. As a general rule, organizations should adopt and enforce a suite of good governance/risk management policies, including those addressing antitrust, finances, employment practices, whistleblower protection, use of intellectual property, records retention and more.

Generally, it is important to bear in mind that having adequate policies in place to identify potential crises and how best to respond to them will do much to manage and mitigate risks. For example, not-for-profits should know what to do if a fire destroys their offices or if their server or telephone system goes down. Similarly, they should know how to respond if a disaster, natural or otherwise, prevents or disrupts their annual meeting. Each organization is different and should identify both the general type of disasters that might occur and those that are unique to them. For every scenario, they should have plans in place in case X, Y or Z happens. Organizations shouldn’t be naïve about their crisis planning. They will not have the luxury of choosing the kind of disaster they will have to manage.

No organization can avoid all risks, and they should not expect to be able to do so. What they should do is consider the risks applicable to every organization, along with those unique to them; adopt and implement policies and procedures that provide guidance on how to proceed under ordinary operating conditions and respond in the event of a crisis; and, under all circumstances, stay alert to potential problems. While not all risks can be avoided, many can be mitigated if the organization recognizes the problem early and takes swift and appropriate responsive action.

The answers provided here should not be construed as legal advice or a legal opinion. Consult a lawyer concerning your specific situation or legal questions.