Walking the Tight Rope: The CSR case for asking about non-profit risk management

By Ted Bilich

Non-profits often don’t have processes for inquiring about the risks they face, prioritizing those risks, and responding to them. For most, risk management begins and ends with insurance, their only safety net.

This leaves non-profits exposed. Because they do not have significant cash reserves, because demand for services routinely outstrips capacity, and because they perceive donors as penalizing them for spending money on “infrastructure” (including training, management, and staff development), non-profits already resemble tight rope walkers on a windy night. Having no risk management program, however, means most non-profits wear blindfolds too.


Private foundations may feel comfortable providing grants in such circumstances. Such funders answer only to “the fund,” comprised of the assets of one or more wealthy individuals. Corporate social responsibility funders, however, answer to shareholders. Each time they extend money to a grantee, they put the company brand on the line. They cannot extend their brand to an organization that places the corporate name at risk. Thus, CSR funders face at least three competing objectives:

  • They want to support organizations that do good in their communities, and
  • They want to maximize the impact of their donations, but
  • They need to avoid any embarrassments resulting from their charitable efforts.

All three interests are served by taking steps to ensure that non-profits receiving funds have effective risk management processes. Non-profit risk management must change, and corporate funders are leading the way.

Emerging Standards Require Non-profits to Employ Risk Management

Risk management—a defined, routine commitment to gather, evaluate, and respond to threats and opportunities—has become a standard feature of public corporations in the United States. Risk management programs allow companies to capture cost savings, reduce catastrophic losses, lower insurance costs, drive down the cost of capital, and increase a company’s investment value. Organizations involved in non-profit advancement have recognized that similar risk management discipline should apply in the non-profit sector (see sidebar).[1] Why? Because non-profits, like public corporations, use other people’s money to achieve their purposes, and because risk management is sound business. Non-profits must take reasonable steps to be aware of the risks they face so that they can fulfill their stewardship obligations over donor funds, advance their missions, and achieve sustainability over time.

The call for non-profit risk management has achieved greater urgency because of developments in the sector over the past few years. A 2013 report from the Washington Post noted that between 2008 and 2012, more than 1,000 U.S. non-profits had disclosed in federal filings significant diversions of assets as a result of wrongdoing by non-profit personnel.[2] In November 2016, Goodwill Omaha announced “sweeping” changes in management practices and the exit of numerous officials after a newspaper investigative report disclosed significant potential wrongdoing by senior personnel.[3] In March 2016, the Wounded Warrior Project fired numerous senior officers after reports of wasteful spending and mismanagement.[4] In late 2014, the largest social services organization in New York City (FEGS) suddenly closed as a result of financial mismanagement.[5]


The vast majority of non-profit leaders diligently and selflessly serve their organizations’ missions. But even the best non-profits face numerous challenges: funding pressures, staffing stresses, uncertainties raised by serving needy populations, encroachment from for-profit competitors, and volunteer management issues. If a non-profit has not even performed a risk inventory as a first step toward a risk management program, it cannot competently chart a path forward. Any non-profit “strategic plan” adopted without risk management in place is little more than hope. That’s bad for non-profits—and it’s very bad for corporate funders.

Funders’ Donations and Reputations are at Risk

Every funder wants to maximize the impact of its donations. They want to fund non-profits that are effective and resilient. They don’t want to have programmatic funding fail to achieve its objectives because of unanticipated reversals within the program itself or within some other area of the non-profit.

Furthermore, funders do not want to be associated with failure—particularly high-profile failure. With the benefit of hindsight, few funders would want to have committed resources to the Wounded Warrior Project, FEGS, Goodwill Omaha, or other spectacular embarrassments without at least having asked—before funding—whether the non-profit had a solid risk management program in place.

The downside of high-profile non-profit embarrassments is especially acute for CSR programs. CSR programs make tremendous philanthropic contributions, but such programs face continued criticism from skeptics who claim they are “an inappropriate use of capital [and] distraction of time and resources from business activities that will accomplish more.”[6] However unjustified that criticism may be, CSR donors must be particularly mindful to ensure that non-profit donations do not create reputational risk for their companies. With CSR, as in medicine, the prime directive must be “first do no harm.”

Non-profits Need Funders to Make Risk Management a Priority

Non-profits are already vulnerable to a “starvation cycle,” spending too little on infrastructure in an effort to satisfy funder desires for programmatic expenditures. If non-profits do not believe funders care about risk management, they will not spend resources on essential risk management functions. Thus, funders protect themselves—and the non-profits they support—merely by asking whether a potential grantee has implemented basic risk management. By asking about risk management, funders raise the stature of this important discipline. Indeed, if all funders began requiring risk management as a condition of funding, that step would revolutionize non-profit management.

As a result, funders should ask a non-profit three basic questions before committing any significant resources:

  1. Does the non-profit have a risk management program that formalizes a sustained commitment to gather, evaluate, and respond to threats and opportunities throughout the organization?
  2. When did the non-profit last perform a structured risk inventory to assess and prioritize threats and opportunities throughout every function in the organization?
  3. Aside from insurance, what specific steps does the non-profit take to reduce exposure to downside risks?

A non-profit that does not have a risk management program, cannot identify the last time it performed a risk inventory, and cannot specify steps it has taken to mitigate and control threats is a poor candidate for immediate programmatic funding.

Many or most non-profits will land in that category. Risk management simply has not been a priority. It is unfair to penalize them for being normal, and thus exposed. Thus, the questions above should not end your inquiry, but rather begin it. If a non-profit with programmatic promise has not taken steps to begin risk management, a CSR funder can provide capacity building funding as a prerequisite to programmatic funding. For a small investment, a non-profit could perform a thorough risk inventory, train senior staff about the risk management process, and provide basic board training on non-profit risk management. By funding such training, a CSR funder may dramatically increase the non-profit’s ability to sustain and grow its programmatic efforts in good times and bad. The funder would also have an explanation for shareholders who second-guess the grant if something later goes awry.

In short, a CSR funder should adopt a three-phase process with new grantees:

  1. Ask whether they have a risk management program (using the three questions above);
  2. If not, fund awareness and training; then
  3. Provide programmatic funds upon completion of the training.

What About Current Grantees?

Most CSR funders do not ask directly about risk management as a part of internal due diligence prior to funding. As a result, most face the troubling question of what to do about these current grantees. Here, another three-step process allows a CSR funder to assess the current risk profile of its grantees and take meaningful, reasonable, deliberate steps to enhance risk management within its portfolio and defend its brand:

  1. Survey your current grantees to determine what steps they currently take to address risks. Even without formal risk management programs, they may have elements of a process in place. This data can provide a baseline for improvement of your portfolio over time.
  2. Choose some number of grantees to receive risk management awareness training, to grow a cadre of grantees who are aware of basic management tools.
  3. Fund risk management functional training for some number of those grantees who have received risk awareness training, so that they begin using risk management tools to avoid missteps, enhance sustainability, and increase programmatic effectiveness.

Over time, this strategy can build confidence that the CSR program is taking responsible steps to protect and defend the company brand while advancing the company’s philanthropic interests.

Ted Bilich runs Risk Alternatives LLC, which helps non-profits and startups develop risk management programs. He has counseled non-profits, served on many non-profit boards, and speaks regularly on risk management and process improvement topics.



[1] A Call for Non-profit Risk Management (Stanford Social Innovation Review).
[2] Inside the Hidden World of Thefts, Scams and Phantom Purchases at the Nation’s Non-profits (Washington Post).
[3] Goodwill Omaha Refocuses on Mission As More High Paid Executives Depart, Other Sweeping Changes Occur (Omaha World Herald).
[4] Wounded Warrior Project Spends Lavishly on Itself, Insiders Say (New York Times).
[5] The Wrecking of a Blue-Chip New York Non-profit (Politico).
[6] See, e.g., The Coming End of Corporate Charity, and How Companies Should Prepare (Forbes); cf. The Truth About CSR (Harvard Business Review).

Posted June 8, 2017 in Vol. 8 No. 3 - May/June 2017