In the corporate world, formal risk management programs have become routine. In the nonprofit world, guidance has been more sparse, demand historically more muted, and adoption more sporadic. Nevertheless, leading nonprofit support organizations now advise nonprofits to adopt risk management programs. In this installment of our essay series, we explore why.
Emerging Standards for Nonprofit Risk Management
Organizations committed to nonprofit advancement have increasingly recognized that nonprofits must apply risk management principles in their operations. Independent Sector speaks of a board’s obligation “to review regularly the [nonprofit’s] need for general liability and directors’ and officers’ liability insurance, as well as take other actions necessary to mitigate risks.” (Independent Sector 2015.) The notes accompanying this standard are even more explicit: “board members of a charitable organization are responsible for understanding the major risks to which the organization is exposed, reviewing those risks on a periodic basis, and ensuring that systems have been established to manage them.”
Other organizations agree. The Standards for Excellence Institute similarly states that “[o]rganizations should make every effort to manage risk and periodically assess the need for insurance coverage in light of the organization’s activities and its financial capacity.” (Standards for Excellence 2014.) The District of Columbia Bar specifies that “[e]very nonprofit organization needs to create a risk management plan and review it annually.” (DC Bar 2013.) And the Human Services Council of New York states that nonprofit “boards, in conjunction with staff, must be engaged in risk assessment and implement financial and programmatic reporting systems that enable them to better predict, quantify, understand, and respond appropriately to financial, operational, and administrative risks.” (HSC of New York 2016.)
Even when infrastructure organizations do not expressly mention risk management, they often emphasize implicitly emphasize risk management principles. Thus, when a leading group of nonprofit consultants and thought leaders published The Performance Imperative in February 2015 to guide “high-performance” nonprofits, the imperatives did not expressly mention risk management. The imperatives did, however, emphasize the need for “internal monitoring and continuous improvement” and noted that high-performing nonprofits “constantly assess not only what the organization should be doing but also what it should stop doing, with an eye to redirecting scarce resources to the highest-opportunity areas.” (Leap of Reason 2015.) That is the language of risk management.
Thus, emerging standards of conduct emphasize that nonprofits need to be aware of the threats and opportunities they face. The processes nonprofits adopt to create and act on this awareness cannot be ad hoc, but instead must become operational routines. “[G]reater risk awareness is becoming an expected best practice in overall governance of an organization.” (Beasley 2011.) As the standards above show, what was once demanded only of public, for-profit companies is becoming an essential component of nonprofit operations and governance: “Because some of the calls for greater risk awareness appear to be coming from voices associated with for-profit corporations, some may naively conclude more effective risk oversight is a corporate issue that isn’t relevant to not-for-profits. That perspective is dangerously wrong.” (Id.)
Why such increased attention to risk management for nonprofits? While scandal and worries about technology play roles, the main driver is the nonprofit model itself.
Whiffs of Scandal?
Larger organizations in the private sector have adopted risk management on the heels of 20 years of financial gyrations and allegations of corporate mismanagement. In banking, the Basel II accords, adopted by the Basel Committee on Banking Supervision in 2001, provided banks with specific guidance about operational risk practices, supervision of those practices, and necessary disclosures about risk. (Segal 2009.) In 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released the Enterprise Risk Management – Integrated Framework, which provided a thorough framework for helping corporate management understand and apply risk management principles. (COSO 2004.) In 2009, the International Organization for Standardization adopted ISO 31000, which is a framework for dealing with risk management. (ISO 2009.) In 2010, the US Securities Exchange Commission adopted regulations requiring disclosures by publicly traded companies about risk management. (SEC 2010.)
Although nonprofits have not received nearly the scrutiny of large corporations in the private sector, nonprofits have not been immune to scandal:
- In March 2016, the Wounded Warrior Project fired its CEO and COO after news reports alleged wasteful spending. (Gibbons-Neff 2016.)
- In January 2016, Goodwill Industries of Toronto declared bankruptcy after facing an “acute cash crunch,” leading its CEO and board of directors to “resign en mass.” (Gray 2016.)
- In late 2014, the largest social services agency in New York, the Federation Employment and Guidance Service (FEGS), failed suddenly, leading to substantial public soul-searching by regulators and observers. (McCambridge 2016.)
Other scandals and allegations of mismanagement have also dotted the landscape (Nagourney 2011; McElhatton 2011; Edmondson 2015), leading at least one observer to wonder whether nonprofits are “rotting from the head down.” (Bowman 2102.)
That last statement overstates the issue. The vast majority of nonprofit employees are honest and responsible. Nevertheless, the nonprofit sector does have a heightened risk of embezzlement. In a 2015 survey of employee theft, the second highest concentration of thefts occurred in the nonprofit sector, trailing only the financial sector. (Hiscox USA 2015.) According to an investigative report published in the Washington Post in 2013, between 2008 and 2012, more than 1,000 nonprofits in the United States disclosed in federal filings that they had suffered a “significant diversion” of assets, including “theft, investment fraud, embezzlement and other unauthorized uses of funds.” (Stephens & Flaherty 2013.)
The Washington Post report focused on the American Legacy Foundation, which was formed with funds from the settlement of national tobacco litigation during the 1990s. The board of that foundation included state attorneys general, state governors, at least one US senator, and a member of the Obama Administration. According to the report, foundation officials believe that one of their personnel engaged in questionable billing practices involving more than $3 million.
The same article noted other significant diversions of nonprofit resources. The Maryland Bible Society reported that its former secretary took $86,000 by misusing checks and credit cards and creating a false report to cover her tracks. The Virginia Scholastic Rowing Association reported that a former bookkeeper’s embezzlement cost the organization up to $500,000. In 2012, the Miami Beach Community Health Center lost $7 million to embezzlement by its former chief executive officer. In 2011, the Maryland Legal Aid Bureau lost up to $2.5 million through the actions of a finance director and an accomplice. That same year, AARP reported embezzlement incidents totaling more than $230,000.
The Post analyzed data only from larger nonprofits, since smaller organizations were exempt from reporting such diversions to the IRS. Yet smaller organizations are not immune. For example, Send Thee Community Outreach was a small nonprofit in eastern Virginia run by Cindy Hall and her mother, Stephanie Almond. The nonprofit sought and received funding from the federal government to provide food for needy children. Hall and Almond then falsified documents and exaggerated the number of children being fed. The scheme was simple. At meal sites, administrators were instructed to use pencil to tally the number of lunches in pencil. Tally sheets were then altered to inflate the number of children served. In October 2015, mother and daughter were indicted on federal fraud charges. In early 2016, they pleaded guilty. (Matray 2015; Green 2016).
These scandals reverberate within the sector. When one nonprofit suffers a diversion of resources through theft or embezzlement or suffers some other unforced error or reversal, shock waves travel outward from the source. The organization itself may fail. Even if it survives, it may spend years recovering its ability to fund raise and sustain operations. Members of its board of directors suffer reputational harm, and the organization finds it more difficult to recruit additional directors. Moreover, evidence or allegations of fraud in one nonprofit undermine charitable giving for other organizations. The entire sector faces greater scrutiny and skepticism. Thus, all nonprofits share an interest in adopting basic processes to make themselves more risk-aware.
New Technologies, New Concerns
Concern about technology also spurs interest in nonprofit risk management. Nonprofits are often ill-equipped to address emerging cyber issues. In mid 2015, for example, the Utah Food Bank announced that eight percent of its donors (more than 10,000 individuals) may have been impacted by a data breach that exposed donor names, addresses, credit card information, and credit card security codes. (Utah Food Bank 2015.) Nonprofits have been “slower to adapt to the threat environment and allocate their often scarce resources to cyber preparedness and protection” than for-profit and government entities, despite repeated warnings “to understand the risks posed by cyber breaches and data hacks, to engage their boards and leaders on these issues, and to allocate funds and resources to cybersecurity.” (Bell & Inbar 2015.) Unfortunately, in an increasingly technologically dependent economy, nonprofits are at a disadvantage. Technology often requires significant capital, and nonprofits do not have the same access to capital resources as their for-profit peers.
Nonprofit Risk Conundrum – Risk Averse in Risky Settings?
Although scandal and worries about lagging technology may raise awareness about the need for risk management within the nonprofit sector, the true driver is more basic and intractable. At bottom, nonprofits have a perverse business model. As I mentioned in a LinkedIn article announcing this series, imagine opening the following business:
- Your fondest wish is to have that business no longer be necessary.
- You have no access to capital. If you want a major improvement, you cannot get people to take an investment stake in your business in exchange for stock. You aren’t allowed.
- You charge well below market for any goods or services you provide – if you charge anything at all.
- You rely on strangers to give you money to run your business.
- Those who give you money do so for many different reasons, but many would like nothing more than to have you be in a position to stop what you’re doing.
- You are judged by how much of what you take in in revenue you expend directly on your customers. The less you spend on anything other than direct programmatic work, the better.
- You pay your employees less – sometimes far less – than what they could earn in other lines of work.
- You are not supposed to make a profit. If you do, people will look you askance.
- You rely on secondhand and outdated equipment to run your business.
- You often rely on people you don’t pay anything at all to perform critical services for your organization.
That business model — repellant to any venture capitalist or entrepreneur — is the everyday reality for the average human services nonprofit. In her book Ready or Not: A Risk Management Guide for Nonprofit Executives, Melanie Lockwood Herman emphasizes the irony:
“As instruments of social societal change, nonprofit organizations and leaders who run them exemplify risk-taking each and every day. Creating an organization based on an idea about changing the world you live in is, in itself, a risky endeavor, fraught with uncertainty. Relying on the labor of an army of volunteers – none compelled by the promise of a paycheck to show up for the assignment at hand – is also risky. Betting the ability to deliver needed programs on the availability of government contracts, foundation grants, the proceeds from special events or individual donations seems risky at best, foolishly speculative at worst.” (Herman 2011.)
Despite these challenging dynamics, many would be unsettled by the notion of nonprofits as high rollers. An entrepreneur in the private sector is expected to take risks. He uses founders’ money to do so. If the startup reaches out for additional funds through stock investment, funders expect the business to take risks and provide a return on the investment. In fact, systemically, as a society we expect most startups to fail: “People go to business school to learn how to do well while ensuring their survival – but what the economy, as a collective, wants them to do is to not survive, rather to take a lot of imprudent risks themselves and be blinded by the odds. Their respective industries improve from failure to failure.” (Taleb 2012).
Nonprofits don’t have that luxury. Nonprofits tend to address the needs of more vulnerable populations. Such needy end-users cannot afford to have nonprofits make unwise, ill-informed decisions with their scarce resources. If a nonprofit is blindsided by unexpected threats or misses important opportunities to improve performance, vulnerable end-users suffer.
Furthermore, nonprofits are governed differently from for-profit businesses. Nonprofit leaders are not using their own personal resources, but rather other people’s money. Unlike a for-profit corporation, a nonprofit has no “owners.” We can reasonably expect a for-profit organization’s owners to keep track of their investment. They have a sound reason to do so: if the organization fails, they lose their money. With sole proprietorships and partnerships, the law presumes that ownership interests will be closely tied to day-to-day operations. With larger, publicly held organizations, the law imposes governance obligations, including (in some cases) reporting requirements, auditing requirements, and detailed regulations about internal operations.
By contrast, a nonprofit’s staff and board of directors are almost never the organization’s principal funders. They don’t have the same “stake” that for-profit organizations’ owner/operators have. A nonprofit must abide by state laws relating to certain basic governance principles, and in the United States federal law relating to charitable organizations impose certain additional obligations. Yet nonprofit staff and boards are using other people’s money to achieve some vision of the public good. A nonprofit puts donor money at risk based upon an explicit or implicit promise that the money will be well spent. The concept of an “aggressive” nonprofit is unsettling.
As a result, nonprofits need to be especially aware of threats and opportunities and agile in responding to them. As a sector, nonprofits face enormous and diverse risks. As in the biblical story of the three servants (Matthew 25:14-30), we expect much of the nonprofit sector, even when they are given little.
In our next essay, we will describe research showing that institutional funders are beginning to turn their attention to nonprofit risk management practices within their grantee communities. In other words, the smart money is beginning to pay attention to whether the nonprofits they fund engage in regular, routine processes to identify and address the risks they face. Where the smart money goes, nonprofits should follow.