
Risk Management Basics for Nonprofit Boards


Risk management is one of those governance topics that sounds like it belongs to large organizations with compliance departments. For a small nonprofit with two staff members and a part-time board, it can feel like overkill.

It isn't. Small nonprofits are actually more exposed to certain risks than large ones — they have fewer internal controls, thinner financial cushions, and less redundancy. A fraud incident, a lawsuit, a grant clawback, or a leadership crisis that a larger organization could absorb might be existential for a small one.

Nonprofit board members have a duty of care — a legal obligation to govern with reasonable attention and prudence. That includes being aware of the major risks facing the organization. You don't need a formal risk management program. You do need to understand what you're responsible for watching.

The four categories of nonprofit risk

Financial risk is the most immediate concern for most small nonprofits. It includes:

  • Revenue concentration (too much income from one grant or donor)
  • Cash flow problems (grant reimbursement timing, seasonal fundraising)
  • Unauthorized transactions or fraud
  • Audit findings or financial reporting problems
  • Loss of a major funding relationship

The board's role is oversight, not management. The executive director and financial staff manage the money; the board ensures the systems for managing it are sound. This means reviewing financial statements regularly, asking questions about variances, and ensuring the organization has adequate internal controls — separation of duties, authorization requirements, bank reconciliation.

Legal and compliance risk covers the obligations that come with nonprofit status:

  • IRS compliance — annual Form 990 filing, unrelated business income, excess benefit transactions
  • State registration — charitable solicitation registrations in states where you fundraise
  • Employment law — worker classification, wage and hour compliance, anti-discrimination
  • Contractual obligations — grant agreements, vendor contracts, leases
  • Governance compliance — following your own bylaws, proper meeting procedures, conflict of interest policies

The board doesn't need legal expertise across all of these, but it does need to ensure someone is paying attention to each area and that there's a process for flagging legal questions to qualified counsel.

Reputational risk is harder to quantify but can be as damaging as any financial loss:

  • Leadership misconduct by the ED or board members
  • Program failures or client harm
  • Association with controversial funders or partners
  • Social media incidents
  • Mission drift that erodes community trust

The board manages reputational risk primarily through its governance practices: strong conflict of interest policies, clear ethical standards, an accessible whistleblower mechanism, and thoughtful oversight of the executive director.

Operational risk covers the systems and capacity the organization depends on:

  • Key person dependency — what happens if the ED leaves suddenly?
  • Technology failure or data loss
  • Facility risks — fire, theft, accessibility
  • Vendor or contractor failures
  • Program disruption from external events

Operational risk is largely the ED's domain to manage, but the board should ask questions about succession planning, data security, and organizational continuity — particularly if the organization would struggle to function without one or two key people.

A simple risk assessment process

You don't need a consultant or a formal framework. You need a conversation.

Once a year — often as part of strategic planning — the board should set aside 30 minutes to walk through the major risk categories and ask: What are the three or four things that could most seriously harm this organization in the next year? How likely are they? How prepared are we?

A simple heat map — likelihood on one axis, impact on the other — is enough structure for most small boards. The goal isn't a comprehensive risk register; it's a shared awareness of where the organization is most exposed.

Insurance: the first line of protection

Board members often don't know what insurance the organization carries. They should.

Directors and Officers (D&O) insurance protects board members personally from liability arising from their governance decisions. This is the most important coverage for board members. If your organization doesn't have it, get it before the next board meeting.

General liability covers physical harm to people on your premises or arising from your programs.

Workers' compensation is legally required in most states if you have employees.

Commercial property covers equipment, furniture, and other physical assets.

Cyber liability is increasingly important for organizations that store donor data, client records, or financial information digitally.

The board should review coverage annually — usually as part of the audit committee or finance committee's work — to ensure limits are adequate as the organization grows.

Internal controls: the fraud prevention basics

Fraud in small nonprofits is more common than most boards realize, and it most often involves a trusted insider — a long-tenured staff member, a financial manager, sometimes a volunteer with access to accounts.

The most effective prevention is separation of duties:

  • The person who authorizes payments shouldn't be the person who processes them
  • The person who reconciles bank accounts shouldn't have signatory authority
  • Someone other than the check writer should open and review bank statements

For very small organizations where one person handles most financial functions, compensating controls matter: the board treasurer or executive committee should review bank statements directly, on a rotating basis. Regular surprise audits of petty cash and expense accounts are also low-cost deterrents.

The board isn't there to audit every transaction. It's there to ensure the systems make fraud difficult and early detection likely.

Red flags boards should know about

Certain patterns should prompt closer scrutiny:

  • Financial reports that are consistently late, incomplete, or confusing
  • The ED or financial staff resisting board review of bank statements
  • Unusual expense categories or unexplained variances
  • Vendor relationships that aren't competitively sourced
  • Staff turnover in financial roles
  • Lack of a clear audit trail for major expenditures

These aren't accusations. They're invitations to ask questions. A board that never asks hard questions about finances is a board that's not doing its job.

What a minimal risk management practice looks like

For most small nonprofits, a reasonable risk management practice involves:

  1. Annual risk review — A 30-minute board conversation about the top risks, held at least once a year
  2. Insurance audit — Annual review of coverage types and limits by the finance committee
  3. Internal controls checklist — Annual confirmation that separation of duties is in place
  4. Succession acknowledgment — Board awareness of what happens if the ED is suddenly unavailable
  5. Conflict of interest annual signing — All board members and key staff sign annually
  6. Whistleblower policy — Written policy that provides a safe reporting channel

That's not a compliance burden. It's a governance baseline that most small nonprofits can maintain without additional staff or outside resources.
