In risk management as elsewhere, it pays to follow the smart money. In the nonprofit sector, the smart money tends to come from foundations, which provide substantial resources for long-term investments in social change. What does nonprofit smart money say about nonprofit risk management? According to original research we performed during 2016 and 2017 involving personnel from more than 100 foundations, the smart money is very concerned. In fact, although 85 percent of foundation interviewees believe nonprofits need risk management, nearly three out of four do not think nonprofits will adopt robust risk management programs unless funders make it a priority or the nonprofit faces a crisis.
Risk Alternatives interviewed personnel from 110 U.S. foundations, with total annual giving of more than $7 billion. The foundations included private, corporate, and community foundations. They included some of the largest foundations in the United States, as well as many smaller institutions. We worked off of a common script of questions and performed live interviews, usually of about 20 minutes duration, but often stretching for more than an hour. As far as we know, this is the first research asking foundation employees their views about grantee risk management practices ever performed in the sector.
Foundation personnel are worried that nonprofits should be adopting formal risk management practices, but believe that nonprofits do not have the awareness or resources to do so on their own.
1. Funders worry about nonprofit risk management practices.
Approximately 85% of those interviewed agreed that nonprofits need risk management, defined as a routine process of identifying threats and opportunities and dealing with them in the regular course of business. Some 74% of interviewees, however, believe that nonprofits are unlikely to adopt risk management unless either funders make it a priority or the nonprofit faces a crisis.
As one interviewee stated, nonprofits “have neither the time nor the money to learn about or apply risk management. If they are under $1 million [in budget], they are just scraping by. In larger organizations, it is a matter of nonprofits being under-resourced.” Another interviewee expressed a common view: “nonprofits are very reactionary. If it’s not a problem yet, they don’t act. Many of them don’t have the necessary tools [to begin risk management processes], and most do not believe they have the necessary resources.”
2. Funders and grantees lack a common vocabulary for discussing risk management.
Foundation personnel repeatedly noted that during due diligence they don’t ask about risk management at all (70%) or “as such” (28%). (Explaining “as such,” interviewees observed that they may ask about issues that touch on risk, but they do not ask about risk management programs.) They noted that they lack a common vocabulary for discussing risk management issues: grantmaking personnel at foundations are well-versed in financial and program issues, but are unfamiliar with risk management practices. Indeed, many foundation personnel noted that they were unsure to what extent their own foundation engaged in risk management.
3. Funders recognize nonprofits are financially vulnerable.
Most interviewees (86%) believe nonprofits are financially fragile in the sense of having limited financial reserves. As one interviewee noted, “yes, that’s exactly right. In fact, nonprofits tend to be penalized for having significant reserves.” Another observed, “It is the unusual nonprofit that can move up a little bit from the day-to-day operations and realize the need for investment and business processes.”
4. Funders believe nonprofits remain hesitant to propose nonprogrammatic funding, including money for risk management.
Nonprofits focus on mission and chronically under-spend on infrastructure. According to interviewees, nonprofits worry that getting a grant for infrastructure support will preclude programmatic support during the same funding cycle. Although interviewees noted dramatic progress among some funders (thanks in part to advocates like Grantmakers for Effective Organizations), funders still prefer funding programmatic activities rather than what they perceive as “overhead” – including infrastructure investments like risk management.
“Nonprofits have a caution that is born of years of being picked to death by ducks, so they are not thinking about the long-term,” one foundation executive director noted. “They tend to roll their eyes about infrastructure investments. Quite often they run great programs but then something happens, and they may not even realize that it’s an existential crisis.” Another seconded that notion, adding that “the general experience is that nonprofits don’t like to raise [capacity building] because they feel that they are vulnerable if they do.”
Funders believe nonprofits should adopt risk management programs. They think nonprofits that do not adopt such programs will expose themselves to potential catastrophic losses. But nonprofits cannot be expected to make such infrastructure investments on their own. Everyone in the sector — funders, grantees, and end users of nonprofit services alike — benefits from nonprofits adopting risk management. Funders should raise awareness among their grantee pools, create a common vocabulary for discussing nonprofit risk management, and provide financial support for nonprofits who embark on risk management processes. (We have a free report about a proposed funder approach here.)
In our next essay, we will provide a common vocabulary for discussing risk management concepts.