Providing services through a nonprofit organization involves risks that are no different from those a for-profit organization will encounter. The reason is that service delivery or implementation of projects or social activities requires human interactions that have the potential for pure risk or may be affected by pure and speculative risks. The term "pure risk" generically refers to unavoidable natural risks. On the other hand, speculative risks are voluntary and preventable risks, such as an investment in a stock.

FIGURE 16.3 Types of corruption.

Common pure and speculative risks that can affect a nonprofit organization include, but are not limited to:

- Loss of assets due to fraud, corruption, employee theft, robbery

- Damage to property (e.g., facilities, equipment, computers, and records) as a result of natural causes, fire, negligence, or faulty equipment

- Liability losses (harassment, privacy, auto related, and disability) due to accidents or negligence of employees or volunteers

- Security problems, such as defective door locks, insecure equipment, work injuries, and lack of an information backup system

- Loss of revenue or increased costs due to a financial crisis or inflation

- Loss of employee productivity due to employee illness, lack of motivation, drug and alcohol abuse, smoking, or obesity

Nonprofit organizations must be aware of these risks, and adopt policies and strategies to identify and manage them in a manner that can create a safe working environment and save money that the organization could lose if the risks are not properly managed. You can ask your consultant to help you categorize risks as being of high, moderate, or low severity and frequency. Figure 16.4 is a matrix that may be helpful when conducting risk assessment.

Based on the internal and external environments, nonprofit organizations can categorize their potential risks as being of high, moderate, or low frequency. Each organization is best positioned to define what constitutes a high-, moderate-, and low-frequency risk.


As indicated in other contexts, risk management is a structured approach used to assess threats, develop strategies to control the risks associated with the identified threats, and implement actions and procedures to minimize them, and possibly transform them into opportunities.

A risk-management policy is a set of guidelines and procedures adopted by an organization or an entity to identify, define, prevent, mitigate, and administer risks related to the overall functioning of the organization or entity. A risk-management policy provides specific guidelines regarding the assessment of potential risks related to the operation of a nonprofit organization, as well as a set of strategies, procedures, actions, and resources to address them (Box 16.1).


FIGURE 16.4 Risk frequency and severity analysis matrix.

Box 16.1 Sample Risk-Management Policy Items

- Confidential and proprietary information

- Conflicts of interest

- Crisis-management plan

- Donor recognition

- Fiscal management

- Employment discrimination

- Abuse prevention

- Accessibility

- Copyright law violations

- Board succession planning, recruitment, and orientation

- Bullying

- Negligence

- Child protection

- Safety in the workplace

- Sexual abuse

- Sexual harassment

- Social media, computing, and acceptable use of technology equipment

- Volunteer conduct and volunteer recruitment

- Whistle-blowing and fraud prevention

- Workplace violence and harassment prevention

- Codes of conduct

- Investment

- Privacy

- Public relations

- Services to people with disabilities

