How nonprofit boards should tackle risk management

Nonprofits deal with any number of possible risks in their day-to-day operations, such as cybersecurity threats and fraud, any of which could potentially result in major consequences. 

Several experts familiar with risk management at nonprofits discussed the best practices for preventing and addressing risks during NYN Media’s virtual Nonprofit BoardCon event on Thursday. 

“I would say (to) focus on two things,” said Michelle Yanche, executive director of Good Shepherd Services. “One is being aware of the risks that are inherent in the work and constantly scanning for them and trying to prevent them. … And on the other side is response, when something does go wrong.”

One measure that Karin Kunstler Goldman, deputy bureau chief at the New York State Attorney General's Charities Bureau, said is among the most recommended: ensuring that large expenditures require the approval of more than one person if a vendor has access to the organization’s money. “I don’t think anyone who isn’t directly responsible to the organization should have access to the funds,” she said. Another recommendation Goldman proposed was to limit the number of credit cards a nonprofit has and monitor their use, to ensure that they aren’t being misused for personal expenses.

The importance of preparation was stressed by several of the panelists. Keith Mulvihill, vice president at Lockton Companies, an insurance brokerage firm, said his company often asks clients how they would deal with a hypothetical cybersecurity breach. “It’s amazing the looks we’ve gotten over the years of just (the executive committee) looking across the table at each other kind of saying like who’s got this and how many organizations really haven’t thought that through.”