It’s a big world out there. As a nonprofit, there are plenty of opportunities to take and tough decisions to make. But with everything you do, there’s some amount of risk that comes with it. It can be hard to know where you’re vulnerable and which bases you forgot to cover. That’s where we come in. Risk management is something that needs to be a priority for nonprofit and for-profit businesses alike―especially today.
The Alliance for Nonprofit Management defines risk management as, “[…] a discipline for dealing with the possibility that some future event will cause harm. It provides strategies, techniques, and an approach to recognizing and confronting any threat faced by an organization in fulfilling its mission.”
It’s a defined, routine commitment to gather, evaluate and respond to threats and opportunities.
Now, this could mean a bunch of different things. For nonprofits, it may mean assessing finances, screening volunteers, reducing liability, training employees, or increasing cybersecurity.
Nonprofit and for-profit businesses have to account for a lot of the same risks, but nonprofits also have to cover levels of protection that for-profits don’t. The responsibility to protect donors’ contributions of time and money is even harder to control under a constrained budget. There are plenty of things that could cause potential issues for a nonprofit. I’ll just name a few.
Risk management is also essential because it helps nonprofits to understand the threats and opportunities that they’re facing and then prioritize the issues. From there, organizations have the tools and information they need to make a plan going forward. It’s also super helpful for seeing where your organization is at in terms of your performance and sustainability for the future.
As a nonprofit, you don’t wanna make the mistake of thinking of cybercrime as a “what if” risk: meaning you might think you don’t need to prepare for it because it’s so unlikely. But trust us, the risk is real. It’s about time to get serious about cybersecurity. If you do any of these with your organization, it’s time you start developing a plan to prevent risks:
Many nonprofits store information that’s protected by law as confidential. If that information gets breached, it not only harms the people whose data was stolen, but the nonprofit organization could also face liability for the breach.
Do a risk assessment. You can start by taking an inventory of all the data that your nonprofit collects and making sure you know where it’s stored. The Nonprofit Technology Network has a template assessment tool to make it easy to organize your info.
Make sure you understand your context by gathering your current strategic plans and mission statements so that you and your team know where your organization stands and where it’s going. This will make it easier to set goals and to create a timeline for where you want your organization to end up. Having an effective risk management strategy isn’t something you can just throw together in one meeting. It takes time to develop something that works well for you.
So to summarize: Identify the risks, prioritize the issues, respond to the problems, then assess and improve your approach.
A big reason many nonprofits aren’t protected from risks is simply that they don’t have the funds or resources to do it. For a small, struggling nonprofit, there are more pressing issues―like staying afloat for another year. Ideally, you would be able to hire someone to assess your risks and prevent issues like data breaches. But there are other ways to protect your information without breaking the bank.
There are plenty of free resources online to help guide your plan and implementation. Here are a few helpful articles:
Each organization is different, so some tools will work better than others for you. Here’s a small list of programs you could consider to protect your data.