Nonprofits and Risk Management
When you ask the internet what a nonprofit organization is, you get several answers. Many of those answers have to do with setting up a nonprofit and obtaining a tax-exempt status. More than being a form of business that is not required to pay taxes, nonprofit organizations have two unique challenges that many for-profit businesses don’t have to deal with.
Many nonprofits have paid staff, including their back office, an executive director, or even an executive leadership team. In addition to their employees, many nonprofits have a volunteer workforce that gets involved in every level of work within the organization, including volunteer boards of directors. Other businesses have customers who purchase products, and many nonprofits also sell products, but they are not generally the primary driver of revenues. Nonprofits are often funded by the donations and memberships purchased by those who support the mission of the nonprofit organization.
The risks faced by nonprofit organizations are very similar to those faced by other businesses. They can face supply chain risks. They deal with talent issues. They have revenue troubles. Another risk that nonprofits face at least as much as other businesses is reputational risk. In some ways, the downside of reputational risk is greater for nonprofits than for other businesses.
What Is Reputational Risk?
Reputational risk is the risk that the reputation of a business is damaged in the marketplace due to the actions of the business. What are the primary ways a reputational risk can manifest for a nonprofit?
They got hacked. Let’s face it. Many businesses do not have the appropriate cybersecurity in place because they think it’ll never happen to them. Nonprofit organizations are no different. They may think that their data isn’t useful to anyone. Except for their client list, giving lists, contact information for executives, and plans for their future. Any nonprofit with any kind of internet presence is subject to the potential of being hacked.
The reputational damage here comes in as the public loses faith in the organization’s ability to keep their information secure. People will begin to wonder if they can join using the online portal or if their information is secure on their member page. Volunteers might be concerned that their contact information could be compromised. All of these ideas could keep members, donors, and volunteers from continuing to join, donate, or volunteer.
They made a bad employment decision. It’s not likely that there will be any reputational harm done if they hire a facilities maintenance manager that doesn’t do a good job keeping the buildings in good condition. But if they hire an accounting team member who steals $500,000 over a three-year period, that’s newsworthy and will result in reputational damage.
The bigger the nonprofit, the more open they will be to criticism related to the hiring and firing of executives within the organization. Another similarity that nonprofits can have to other businesses is that executives can be expensive to hire and getting that wrong can result in reputational damage. I’ve seen where organizations have hired executives from outside of their affinity group.
In that case, everything worked out fine, but the organization had to deal with pushback within from the membership and suffered a degree of reputational damage.
Someone did something. Nonprofit organizations are not immune to the poor decisions of people, especially the poor decisions of leadership. People in every business make bad decisions. The president of a Fortune 100 company decides to invest heavily in a tech startup because it could be bigger than Google. Six months later, the CEO of the startup is being walked out of the company headquarters in handcuffs for lying about the product the company was working on. This could affect the reputations of both companies.
If you’re talking about a nonprofit organization, the effect on the company’s reputation can be even more severe.
Certainly, a nonprofit can make poor investment decisions, but they are often barred from certain investments.
What if the president of the nonprofit gets up at a convention and makes a speech that causes the organization to go in a different direction related to their leadership? What if they do it quietly until someone makes it public? That’s a big reputational hit.
So what can be done once the reputational damage is done?
Communicate Internally
The people within the organization will know what happened. At least, they’ll know what they heard happened. The organization must begin to immediately tell the whole team what happened.
Tell every detail. What happened? Who was involved?
How did the organization come to the decision that they made? What’s going to happen next?
If the organization does not communicate these things to their internal staff, members, volunteers, donors, and anyone else connected with it, all of these concerned parties, will take what details they know, mix them with the rumors on social media, fill in the blanks with their own imagination, and tell everyone what they “know.”
Getting in front of whatever the issue is will be the best way to stop the rumor mill and keep some of the members and volunteers from quitting.
Communicate Publicly
Bad news never goes away. It only gets worse the longer it sits waiting for someone to tell it. If the event is not immediately communicated publicly, the public will assume that the organization didn’t want to say anything because it was hiding something — which it was hiding. Organizations don’t talk about things that they don’t want other people to talk about. The problem with not talking about a bad event is that it’s the only thing that the public will talk about.
If it was ever a good idea to hide a bad thing from the public eye, that time has come and gone. The world of 24/7 news and social media is a recipe to get an organization’s bad news in front of as many eyes as possible and if someone else is releasing the bad news, they are going to put their bent on the story. They will control how the story comes out, what details are included, and what the headline looks like.
No nonprofit organization can keep bad news from getting out, but they can control how it comes out and what is communicated — if they take the opportunity to do it.
Communicate Honestly
This simple truth that what we learned back in kindergarten still applies. Tell the truth. Tell the whole truth. Don’t embellish. Don’t hide details. There is no need-to-know list.
Even if the organization tries to get in front of the bad event and tries to tell the team and the public what happened, if they do not tell the truth, they are still going to look like they are hiding something. In the end, it all means the same thing, rather than controlling the reputational damage, the organization inflicts additional reputational damage.
No one wants to tell the whole story about how they messed up, but people have a massive capacity to forgive and understand when someone simply says that they did something, or they were responsible for something, and they recognize that it was a bad decision. Every impulse from corporate counsel to personal egos will be to give some limited bit of information that doesn’t really say anything but all that does is delay the inevitable because once one detail of a bad decision comes out, more will follow. It’s better to tell the truth up front.
Communicate Continually
It seems like you should be able to tell the story once and let it be, but the problem is that it doesn’t actually work that way. The organization will need to keep telling their story again and again. This is especially true as details come out, or as the results of the bad event become clearer.
It is much better to come out early with whatever information is available at that time and then when more information is available, put that out as well. There is a sheriff that is well known for having press conferences whenever there is an arrest in the county. He is known to say that he will give out all the information that he has immediately and that you should expect more information to come out over several days as the department finds out more about the case.
How Can the Organization Recover?
Any organization that suffers a reputational loss should consider carefully how they intend to mitigate the damage and recover from it. Mitigation is one thing. It’s limiting the scope of the immediate damage. Recovery is another thing altogether. Recovery is about restoring the reputation that was damaged.
The best way to recover is similar to the way this damage is mitigated. It’s about making informed changes so that the event that caused the reputational damage doesn’t happen again. Then, communicate with every stakeholder what is being done.
Repairing reputational damage is similar to repairing a relationship where trust was broken. It’s all about doing better, and being open and honest with each other.