
How Risk Management Allows Nonprofits to Deliver Impact

Written by: Katharine Earhart | Alesco Advisors

A community museum had it made.

A local philanthropist was passionate about the museum’s mission and made substantial annual donations to the nonprofit for close to a decade. These major gifts allowed the museum to keep exhibits fresh, throw lavish annual galas and pay staff above-market salaries. So when this vital donor decided to retire out of state and cease donations altogether, the museum’s operational weaknesses, otherwise obscured by the high-dollar gifts, were brought to light. Namely, ticket sales had been in a slump for nearly two years; the annual gala, while always sold out, was not paying for itself; and the museum’s endowment fund had been underperforming for years in a bull market.

It’s challenges like these that can be avoided with a risk management program.

Many public and private companies deploy strong risk management programs to protect their bottom line and shareholders. However, nonprofits rarely examine the potential risks to the organization, leaving them exposed to failed programs, losses in grants and even full collapse. Boards and staff are loath to acknowledge that their programs could fail lest it scare away prospective donors and partners. Yet failure numbers are stark: The National Center for Charitable Statistics estimates that 3 in 4 nonprofits do not show financial activity 10 years after filing for tax-exempt status.


Endowments and board advised funds are not designed to sustain a nonprofit continually under threat of financial collapse, even if those funds are managed expertly.

When nonprofits are exposed to excessive operational risk, endowment funds are tapped at a higher rate to fund the cost, requiring increased investment risk to meet a higher required return. Donors are increasingly concerned about the ability of nonprofits to deliver on their mission.

Nonprofits that implement a risk management program can demonstrate to potential donors that they take financial and operational governance seriously.

Maya Tussing and Katharine Earhart of Alesco Advisors recommend a basic risk management program that can be implemented in three steps:

1. Identify potential risks that could threaten the operations of the organization,

2. Prioritize risks by severity, likelihood and their ability to be detected before the risk has an effect and

3. Monitor and Control key risks to prevent or limit effects.

Step 1: Identify Risks

Not understanding the cost of a nonprofit’s goals could mean the difference between leadership and collapse. For example, developing a new impact program to broaden the nonprofit’s mission could divert needed funds away from core programs. Or recruiting a large board with access to needed donations and grants could lead to reduced board participation and accountability.

There are a few principles to follow when brainstorming risk to ensure a broad set of risk scenarios.

1. Conduct in a group environment to limit individual bias.

2. Ensure independent and diverse perspectives across staff and board members.

3. Allow for a generous number of risks across a broad set of categories.

4. Be specific about the impact this risk will have on your organization.

Step 2: Prioritize Risks

After identifying a broad set of risks, the inclination will be to mitigate everything. But that would go against the principles of risk management. Preventing every risk is costly, distracting and virtually impossible. Prioritization focuses risk mitigation toward mission-critical activities. Two key risk factors should guide your assessment.

1. Severity of the risk impact, that is, the dollar, physical or health costs

2. Likelihood of the risk having an effect

Ranking risks by each of these factors doesn’t require deep pockets or specialized knowledge. A simple High/Medium/Low scoring system and a bit of objectivity can be sufficient for a nonprofit new to risk management.

Step 3: Monitor and Control Risks

A risk management program is toothless without implementing action plans before the threats take effect. Solutions to protect the organization from downside risks will be unique to the particular nonprofit, but answering these questions will put the nonprofit in good standing to implement a risk control program.

1. What data are leading indicators of risk?

2. What action can be taken to limit loss?

3. What action can be taken to prevent loss?

4. What action can be taken to transfer loss, i.e. insurance?

5. What resources would be required to monitor risk data and implement preventative and limiting controls?

Risk Management allows nonprofits to deliver impact.

Implementing a few strong controls to mitigate the most significant risks allows nonprofits to focus on what is most important: delivering impact. Large and small organizations implementing programs to limit the downside effects of risk are leaders in their fields. These leaders can expand with less threat to their existing programs and budgets. They demonstrate strong governance to donors, grantors and board members. Not only does it save organizations in the face of crisis, it allows philanthropy to thrive, enriching and aiding the communities that need it.