October 25, 2024

Expect the unexpected: A nonprofit’s guide to risk management

Nonprofits face a variety of risks that can impact their operations and sustainability. Here’s a guide to navigating these risks.


Risk management is a critical, yet often neglected, component of a nonprofit’s success. Nonprofits face a variety of risks that can impact their operations and the sustainability of their programmes. Proactively identifying, assessing, mitigating, and managing any potential risk is essential for ensuring mission continuity, responsible resource management, and stakeholder trust. 

What type of risks do nonprofits encounter?

Some risks that nonprofits typically encounter relate to:

1. Financial stability

Funding for nonprofits is often uncertain; there is no fixed revenue stream. Philanthropic grants and donations can be impacted by shifts in donor priorities, government policies, geopolitical situations, diplomatic relations, trade policies, international conflicts, and more.

Compliance adds another layer of risk. Regulations relating to CSR, FCRA, and income tax require constant vigilance. Changes to these regulations, such as the 2020 FCRA restrictions on sub-granting and caps on administrative costs, can have significant consequences on an organisation’s financial stability.


2. People

Nonprofits, especially those that are service-oriented, rely heavily on hyperlocal talent. Hiring, training, and capacity-building efforts for team members should comply with essential labour laws. Non-adherence to wage and labour laws can lead to penalties and even reputational risk.

3. Data security

Many nonprofits collect personal data from and about the people participating in their programmes. The data collected can be anonymised and secured, yet data leaks pose a major risk. They can potentially erode trust and compromise beneficiary privacy. It is very important to prioritise data protection to safeguard sensitive information, keep up to date with new data laws (such as the DPDP Act), and comply with them.

4. Governance and leadership

A strong board that is aligned with a nonprofit’s mission is essential for effective governance. Without robust governance structures, nonprofits are at risk of internal conflicts, instability, and mismanagement. Succession planning is also crucial for ensuring organisational continuity. In fact, failure to plan for leadership transitions can disrupt an organisation’s capacity and capabilities, hindering its ability to fulfil its mission.

5. Reputation management

Reputational risks can manifest in various ways. As nonprofits increasingly utilise social media to build their online presence, they expose themselves to risks. Information provided online can be easily misinterpreted, and trolls or accounts with malicious intent can exploit these platforms. Since social media channels serve as a nonprofit’s public face, negative online experiences can significantly affect an organisation’s reputation.

These are indicative risks that nonprofits are likely to encounter. Every organisation should assess and weigh the risks to which it is vulnerable in the context of its operations and financial circumstances.


How can nonprofits ensure effective risk management?

Here are some steps that nonprofits can take.

1. Identify and prioritise risk: Start by conducting a comprehensive risk assessment to identify potential risks and vulnerabilities. Then consider prioritising them based on their potential impact on your organisation’s mission, stakeholders, and resources.

2. Develop a risk management plan: This should outline the strategies and measures to mitigate, transfer, or accept the various risks that have been identified. The plan should be tailored to your organisation’s specific needs and risk profile. There are two components to a risk management plan. The first is the risk management policy, which outlines the framework for identifying and mitigating various risks at an organisation. It should specify the roles and responsibilities of different team members, the frequency at which the risk management framework should be reviewed, and the individuals responsible for this review process. The second is the risk register, which is a repository for documenting and tracking identified risks. The risk register helps document each risk, understand its probability of occurrence, identify its impact, allocate responsibility, and lay out the mitigation steps. (Refer to this document, which captures the key components of a risk register.)

3. Nurture strong governance and leadership: Robust governance structures and strong leadership are essential for overseeing risk management. This includes regular management meetings, board meetings, transparent decision-making processes, and clear lines of accountability. At Educate Girls, we believe that risk management is not just the responsibility of the CEO, CFO, or finance head; department heads and managers are also equally responsible.

4. Ensure compliance: Establish a system to ensure that your organisation complies with all relevant laws and regulations, which may vary depending on the nature of your work as well as geographic location.

5. Monitor your plan: Regularly review and update the risk management plan to adapt to changing circumstances and emerging risks. 

6. Be flexible and agile: Your risk management plan should be a guide and not a rule book. It should be adaptable to the changing needs and realities of your organisation and shouldn’t limit innovation and problem-solving.

[Image: close-up shot of a hand holding climbing gear. Caption: Start by conducting a comprehensive risk assessment to identify potential risks and vulnerabilities. | Picture courtesy: Pexels]

Our experience with risk management

At Educate Girls, a recent experience prompted us to rethink our approach to risk management. In 2023, we decided to phase out a programme in Rajasthan that we had run for 16 years. We had been working with students in grades 1 to 8 across 11 districts and had observed that the schools were performing consistently well against mainstream benchmarks such as ASER. Girls were staying in school and were learning essential life skills. Therefore, we decided to shift our efforts to students in grades 9 to 12, who were in greater need of our support. As a result, we had to let go of more than 600 team members.

To ensure that this transition was as smooth as possible, we provided these team members with six months’ notice, support from our outplacement cell, and three to six months of severance pay. However, one employee filed a complaint with the chief minister’s office, which led to an enquiry. While we received all the necessary clearances, this incident prompted an organisation-wide conversation on risk management. Our board suggested that we maintain a risk register—to monitor everything that could impact the organisation’s existence and its mission.

We brought our senior management, state management, and frontline workers together to identify potential risks that our organisation might face. We crowdsourced more than 500 potential risks and then whittled these down to a list of approximately 30, focusing on those that present an existential threat to Educate Girls. We now track these risks on a quarterly basis and discuss them in training sessions and review conversations. Managers across the organisation are cognisant of the nature and degree of the risks they are responsible for mitigating.

What did we learn?

Our experience with risk management has taught us the following:

1. Gradual culture shift: Risk management entails changes in behaviour and culture, making it a gradual process that can take two to three years. Initially, it’s beneficial to take a comprehensive approach, covering a wide scope and delving deep into the range of risks that an organisation faces. This will result in more focused efforts towards identifying and responding to those risks that pose the greatest threat.

2. Focusing on key risks: It’s important to prioritise the three to five most critical areas of risk, as trying to address everything can lead to inefficiency. We adopted processes to maintain simplicity, avoiding overly technical methodologies and regression models. This strategy promoted a practical understanding of risk throughout the organisation.

3. Embedding risk in workflows: Integrating risk management into daily workflows is essential; it should be embedded in an organisation’s operations instead of being treated as a separate task. Regular check-ins and standing meetings should incorporate risk management discussions, ensuring they become a natural part of the business rhythm rather than an additional burden.

4. Building a bottom-up risk culture: Creating a strong risk culture within the organisation is crucial. We facilitated this by organising discussion circles across teams and hierarchical levels to encourage a bottom-up approach, while ensuring that senior leadership drives the initiative and remains accountable. These ongoing discussions are integrated into our regular review cadence, keeping the topic of risk continually in focus.

Know more

  • Explore AccountAble—a periodical that covers various aspects of nonprofit regulation and accounting.
  • Check out the Centre of Advancement of Philanthropy’s blog, which covers legal and compliance-related developments for nonprofits in India.
  • Read about what nonprofits need to know when complying with CSR and FCRA regulations.

ABOUT THE AUTHORS
Maharshi Vaishnav

Maharshi Vaishnav is the CEO of Educate Girls, where he leads a team of more than 2,500 employees and 20,000 community volunteers working to support girls' education across India. Before switching to international development, Maharshi spent a decade in various roles across the private sector. He holds graduate degrees in public policy and business.

Vijaylakshmi Saxena

Vijaylakshmi Saxena is the CFO at Educate Girls, bringing more than two decades of expertise in strategic financial management, investing, and mergers and acquisitions (M&A) consulting. Previously, she served as a fund manager at Ambit Pragma, an India-centered private equity fund, and held consulting roles at EY and PwC, specialising in private equity and strategic M&A advisory. Vijaylakshmi is a chartered accountant with a bachelor’s degree in commerce and a certification in strategic nonprofit management from HBS Executive Education.
