Nonprofit Risk Management: Protecting Your Organization, Your Volunteers, and the People You Serve

VolunteerBadge Team · June 11, 2026 · 16 min read

Risk is not something nonprofit leaders talk about enough. Not because they do not care about it, but because the word itself feels like a distraction from the mission. You started your organization to serve people — not to spend board meetings reviewing risk matrices. But every year, nonprofits that were doing meaningful work shut down, face lawsuits, or lose the trust of their communities because they ignored risks that were entirely predictable and manageable.

This guide is written for Executive Directors and board members who want to understand the real risks their organizations face and build practical systems to manage them — without turning your nonprofit into a compliance bureaucracy. We cover board liability, insurance, financial fraud prevention, data security, child protection, and — critically — why volunteer vetting through background checks and identity verification is one of the most important risk management tools available to any nonprofit.

What Is Nonprofit Risk Management?

Risk management is the process of identifying things that could go wrong, assessing how likely they are and how severe the consequences would be, and then deciding what to do about them. For nonprofits, "things that could go wrong" fall into five broad categories:

  • Strategic risk: Your funding model becomes obsolete. A major funder exits your space. A policy change eliminates the need for your program.
  • Financial risk: Cash flow gaps, fraud, mismanagement, or an IRS audit with findings that cost more to resolve than you have in reserves.
  • Legal and compliance risk: FCRA violations, charitable solicitation registration failures, employment law violations, or loss of tax-exempt status.
  • Reputational risk: A media story, a social media incident, or a volunteer misconduct event that damages your organization's credibility in the community.
  • Operational risk: Data breaches, facility incidents, volunteer injuries, or program disruptions that interrupt service delivery.

None of these risks can be eliminated entirely. But all of them can be reduced to acceptable levels with the right policies, the right insurance, and the right hiring and vetting practices.

Board Liability: What Directors Are Actually Responsible For

Board members of nonprofit organizations are protected from personal liability in most circumstances by the business judgment rule — which holds that directors who act in good faith, with reasonable care, and in the best interests of the organization are not personally liable for the outcomes of those decisions. But "in most circumstances" is not the same as "always," and there are specific areas where board members can face personal exposure.

The Duty of Care

Board members have a legal duty to act with reasonable care in the governance of the organization. In practice, this means attending board meetings, reading financial reports, asking questions when something seems wrong, and making governance decisions with the benefit of adequate information. A board member who rubber-stamps management decisions without review, never reads the Form 990, and does not ask how major donations are being spent is failing their duty of care — and could face personal liability if harm results.

The Duty of Loyalty

Board members must put the interests of the organization above their personal interests. Self-dealing — voting to approve a contract with a company you own, or accepting personal benefits from a vendor who does business with the organization — is a violation of the duty of loyalty that can result in personal liability and IRS sanctions, including excise taxes under Section 4958 of the Internal Revenue Code.

Unpaid Payroll Taxes

This is the area of personal liability that most board members do not know about until it is too late. Federal and state payroll taxes — the withheld income taxes and FICA contributions from employee paychecks — are held in trust for the government. If a nonprofit fails to remit these taxes, the IRS can pursue personal liability against any person who was responsible for the failure to remit and who willfully failed to do so. This includes board members who knew about the problem and did not take action to correct it. The IRS calls this the "Trust Fund Recovery Penalty," and it is one of the few situations in which nonprofit directors can face genuine personal financial exposure.

Insurance: The Coverage Every Nonprofit Needs

Insurance does not prevent bad things from happening. It limits the financial damage when they do. Every operating nonprofit should maintain at minimum the following policies:

Directors and Officers (D&O) Liability Insurance

D&O insurance protects board members and officers from personal financial liability arising from claims related to their decisions in those roles. Employment practices liability (EPLI) coverage — which covers wrongful termination, harassment, and discrimination claims — is often bundled with D&O or available as a rider. A board without D&O insurance will struggle to recruit qualified independent directors who understand their personal exposure. Annual premiums for small nonprofits typically start around $1,000 to $2,500.

General Liability Insurance

General liability covers bodily injury and property damage claims arising from your operations. If a visitor trips and falls at your facility, if a volunteer damages a client's property, or if someone is injured at an event you host, general liability is the policy that responds. Most nonprofit leases and event venue contracts require it. Premiums depend on your activities, revenue, and risk profile — typically $500 to $3,000 per year for small organizations.

Commercial Property Insurance

If your organization owns or leases office space, computers, equipment, or program assets, property insurance covers loss or damage from fire, theft, and certain weather events. Inventory the value of all organizational assets annually and make sure your coverage limits reflect replacement cost, not depreciated book value.

Hired and Non-Owned Auto

If any of your staff or volunteers use personal vehicles for organizational business — running errands, transporting clients, delivering supplies — your general liability policy does not cover accidents in those vehicles. Hired and non-owned auto coverage fills that gap. It is inexpensive (often a few hundred dollars per year as an endorsement) and critically important if your programs involve any transportation activities.

Volunteer Accident Insurance

Volunteers are not covered by your workers' compensation policy (which covers employees only). If a volunteer is injured while performing services for your organization, your general liability policy covers claims by third parties, but it does not cover the volunteer's own medical expenses or lost wages. Volunteer accident insurance — sometimes called volunteer medical expense coverage — is typically very affordable (under $500 per year for most nonprofits) and provides a basic safety net for injured volunteers.

Cyber Liability Insurance

Nonprofits collect sensitive data: donor financial information, beneficiary personal information, employee records, and volunteer background check results. A data breach can cost tens of thousands of dollars to remediate and report. Cyber liability insurance covers the cost of breach notification, credit monitoring services, regulatory defense, and first-party losses from ransomware or business interruption. Given that the average cost of a nonprofit data breach now exceeds $150,000, this coverage is no longer optional for any organization handling significant amounts of personal data.

Financial Fraud: The Risk That Destroys Organizations From the Inside

Financial fraud is more common in nonprofits than most sector leaders want to acknowledge. According to the Association of Certified Fraud Examiners' Report to the Nations, nonprofits experience a median fraud loss of $75,000 per incident — and the median scheme lasts 18 months before discovery. Small organizations with fewer than 100 employees are disproportionately affected because they typically lack the segregation of duties and internal controls that would catch fraud earlier.

The Most Common Nonprofit Fraud Schemes

  • Expense reimbursement fraud: Employees submit false or inflated expense reports. This is the most common fraud in small organizations.
  • Check tampering: Employees intercept, forge, or alter organizational checks. Particularly common in organizations where one person handles both accounts payable and bank reconciliation.
  • Skimming: Cash or check donations are intercepted before they are recorded. Organizations with cash-intensive fundraising events — bake sales, ticket sales, collection plates — are especially vulnerable.
  • Payroll fraud: Ghost employees on the payroll, inflated hours, or unauthorized compensation increases.
  • Vendor fraud: Fictitious vendors controlled by an insider, or kickback arrangements with real vendors.

Controls That Actually Work

The most effective fraud prevention controls are also the simplest. Require two signatures on all checks above a modest threshold. Require the Executive Director's signature on any check payable to a board member. Ensure the person who approves expenditures is different from the person who records them and different from the person who reconciles the bank statement. Have a board member — not management — review the bank reconciliation monthly. Conduct a surprise audit or at least a surprise review of financial records at least once per year. These controls do not require a compliance staff. They require clear policies and consistent enforcement.

Data Security and Privacy

Nonprofits handle sensitive personal information across multiple data streams: donor giving records and credit card information, beneficiary case files containing health, financial, and family history data, employee personnel files, and volunteer background check results. Each of these data streams is subject to different regulatory frameworks — state privacy laws, HIPAA (if you provide health-related services), PCI-DSS (if you process credit cards), and state data breach notification laws.

Minimum Data Security Standards

  • Encrypt laptops and mobile devices that store organizational data
  • Use multi-factor authentication on all organizational accounts — email, cloud storage, accounting systems
  • Maintain a data retention and destruction policy — delete records you no longer need
  • Limit access to sensitive data to people who genuinely need it for their work
  • Have a written incident response plan so you know what to do within the first 24 hours of discovering a breach

Volunteer Background Check Data

Background check results are consumer reports under the FCRA and must be handled with particular care. They should be stored securely, accessible only to the people responsible for screening decisions, and retained only as long as required by your document retention policy. If you are using a platform like VolunteerBadge, background check results are stored in the platform and accessible only to authorized administrators — which reduces the risk that paper copies or unsecured digital files will be mishandled.

Volunteer Vetting: Your Most Direct Risk Management Tool

Among all the risk management practices available to nonprofits, volunteer vetting through background checks and identity verification has the clearest and most direct connection to harm prevention. A volunteer who should not be working with children, who uses a false identity to pass a background check, or who has a history of financial fraud working in your donation processing operation is a risk that no insurance policy eliminates. Prevention is the only effective response.

Why Background Checks Are Not Enough on Their Own

This is the part of volunteer risk management that most organizations get wrong. They run a background check on the name and date of birth the volunteer provided on their application. They receive a clear result. They approve the volunteer. And they believe they have done their due diligence.

But what if the volunteer provided false identifying information? A background check run against a false name or date of birth returns results for a person who may not exist or may not be the person in front of you. The check itself is accurate — it just checked the wrong person's record. This is not a hypothetical risk. It happens regularly in both employment and volunteer screening contexts, and it is entirely preventable with a single additional step: identity verification.

Identity Verification: How It Works and Why It Matters

Identity verification requires the volunteer to prove that the identity they submitted on their application is their real identity — by scanning their government-issued ID. A driver's license, passport, or state identification card contains information that is difficult to fake and easy to verify against the application data. The volunteer scans their document using any smartphone camera — no app required, no special equipment. The scan confirms the name and date of birth match what was submitted on the application.

VolunteerBadge handles both background checks and identity verification in a single platform. Volunteers complete identity verification first — scanning their government-issued ID from any smartphone in under two minutes. Only after identity is confirmed does the background check run, ensuring the check is conducted against the volunteer's verified legal identity. This two-layer approach is particularly important for organizations working with vulnerable populations, but it is sound practice for any nonprofit volunteer program.
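As an added example that is not part of the original post and not VolunteerBadge's software, the two-layer flow described above can be expressed in Python: the self-reported application fields are compared, after normalization, against the fields read from the scanned ID, and the background check request is only built, and built from the document's fields, once they agree. The `Applicant` and `IdDocument` types, the sample records, and the request shape are assumptions.

```python
# Added example, not VolunteerBadge's code; types, samples and request shape are assumptions.
import re
import unicodedata
from dataclasses import dataclass
from datetime import date, datetime

@dataclass(frozen=True)
class Applicant:      # self-reported fields typed into the application
    first_name: str
    last_name: str
    dob: str          # free text; applicants use several date formats

@dataclass(frozen=True)
class IdDocument:     # fields read from the scanned government-issued ID
    first_name: str
    last_name: str
    dob: date

def normalize_name(name: str) -> str:
    """Fold case, strip accents and drop spaces/punctuation so that
    "José O'Brien" and "JOSE OBRIEN" compare equal field by field."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z]", "", no_accents.lower())

DOB_FORMATS = ("%Y-%m-%d", "%m/%d/%Y", "%d %b %Y", "%B %d, %Y")

def parse_dob(text: str):
    """Accept common application date formats; return None if none parse."""
    for fmt in DOB_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).date()
        except ValueError:
            continue
    return None

def verify_identity(app: Applicant, doc: IdDocument) -> list:
    """Return the mismatch reasons; an empty list means identity verified."""
    reasons = []
    if normalize_name(app.first_name) != normalize_name(doc.first_name):
        reasons.append("first name does not match ID")
    if normalize_name(app.last_name) != normalize_name(doc.last_name):
        reasons.append("last name does not match ID")
    app_dob = parse_dob(app.dob)
    if app_dob is None:
        reasons.append("application date of birth is unparseable")
    elif app_dob != doc.dob:
        reasons.append("date of birth does not match ID")
    return reasons

def order_background_check(app: Applicant, doc: IdDocument) -> dict:
    """Two-layer flow: the check is not ordered until identity is verified,
    and its subject comes from the ID document, never from the application."""
    reasons = verify_identity(app, doc)
    if reasons:
        return {"status": "blocked", "reasons": reasons}
    return {"status": "submitted", "subject": {
        "first_name": doc.first_name, "last_name": doc.last_name,
        "dob": doc.dob.isoformat()}}

# Constructed sample data: accented, US-format application; ASCII ID fields.
APPLICATION = Applicant("José", "O'Brien", "03/14/1990")
MATCHING_SCAN = IdDocument("JOSE", "OBRIEN", date(1990, 3, 14))
MISMATCHED_SCAN = IdDocument("JOSE", "OBRIEN", date(1991, 3, 14))
```

The mismatched scan is blocked with a reason rather than silently producing a clean report for the wrong person, which is the failure mode the previous section describes.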

What Your Screening Policy Should Cover

A written volunteer screening policy is not optional. It is the document that demonstrates your organization took reasonable precautions — which is the standard courts apply when evaluating negligent supervision claims. Your policy should specify: who must be screened (recommendation: everyone, including board members), what types of checks are run (criminal background check, sex offender registry, and identity verification at minimum), the timeframe for completing checks before a volunteer begins serving, what types of findings disqualify a volunteer automatically, and who makes screening decisions. Review the policy annually. Document that you reviewed it. Make sure every staff member who works with volunteers knows it exists and understands it.

For more on what a volunteer background check includes and what it finds, see What Shows Up on a Volunteer Background Check. For FCRA compliance requirements specific to volunteer screening, see the FCRA Compliance Guide for Nonprofits.

Child Protection Policies: The Highest-Stakes Area of Nonprofit Risk

For any nonprofit that works with minors — youth programs, after-school services, camps, tutoring, sports, religious education, mentoring — child protection is not just a risk management issue. It is a moral and legal obligation that requires specific policies beyond a standard background check.

The Two-Adult Rule

No volunteer or staff member should ever be alone with a child without another adult present. This policy — sometimes called the "two-deep leadership" rule or the "two-adult rule" — is the single most effective child protection measure an organization can implement. It protects children from abuse. It also protects volunteers and staff from false allegations. Document this rule in your volunteer handbook. Train every person who works with youth on it. Enforce it consistently.

Mandatory Reporter Training

In most states, anyone who works with children in a paid or volunteer capacity is a mandated reporter under state law — meaning they are legally required to report suspected child abuse or neglect to the appropriate authorities. Many nonprofit volunteers do not know this. Many do not know the signs of abuse. Require annual mandated reporter training for everyone who works with minors. Document completion. Many states offer free online training modules.

Social Media and Communication Policies

Require that all communication between volunteers and youth participants occur on organization-monitored channels, not personal social media accounts or private messaging apps. Predatory relationships frequently begin through private digital communication that bypasses organizational oversight. A clear policy requiring that all volunteer-youth communication be visible to a supervisor or guardian is a meaningful protection.

Screening Is Not Sufficient Without Supervision

A background check and identity verification are the floor, not the ceiling, of child protection. They screen out people with known histories of harm. They do not screen out people who have not yet been caught. Policy, supervision, training, and a culture where staff and volunteers are comfortable reporting concerns are the layers of protection that catch what background checks cannot.

Incident Response: What to Do When Something Goes Wrong

Despite the best policies and controls, incidents happen. A volunteer is accused of misconduct. A data breach exposes donor records. A beneficiary is injured in a program activity. An employee files a complaint with the EEOC. Your organization's response in the first 24 to 72 hours after an incident often determines whether the situation remains manageable or escalates into an organizational crisis.

The Incident Response Checklist

  • Ensure immediate safety: If anyone is in immediate danger, that is the first priority — above documentation, above communications, above everything else.
  • Notify the board chair immediately: The Executive Director should notify the board chair (and if warranted, the full executive committee) within hours of discovering a significant incident. No board should learn about a significant organizational crisis through a news story.
  • Preserve evidence: Do not delete records, communications, or documentation related to the incident. If litigation is foreseeable, litigation hold procedures apply immediately.
  • Engage counsel: For any incident with potential legal consequences, engage legal counsel before making public statements. Statements made without legal guidance can waive privileges and create additional liability.
  • Notify insurers: Most liability insurance policies have notice requirements — they require you to report potential claims promptly. Failure to notify your insurer can void coverage.
  • Communicate carefully: If public communication is required, keep it factual, empathetic, and non-speculative. Do not assign blame. Do not speculate about causes or outcomes. Express genuine concern for those affected.

Building a Risk Register: Knowing What You Are Managing

A risk register is a simple document — it can be a spreadsheet — that lists every significant risk facing your organization, how likely it is to occur, how severe the consequences would be if it did, and what controls you have in place to reduce the likelihood or severity. Update it annually at a board meeting. It does not need to be elaborate. It needs to be honest.

A nonprofit that has identified, documented, and discussed its key risks — even without implementing every possible control — is in a fundamentally better position than one that has never thought systematically about what could go wrong. The process of creating and reviewing a risk register often surfaces issues that leadership assumed were being managed but were not.

The Culture of Risk Awareness

Policies and insurance are important. But the most effective risk management tool in any organization is a culture where people feel safe raising concerns before they become problems. Staff members who fear retaliation for flagging issues do not flag issues — they watch the problem grow until it becomes a crisis. Volunteers who witness policy violations but do not trust leadership to respond appropriately stay silent.

Build a culture where questions about risk are welcomed, not treated as obstacles to the mission. Create clear channels for reporting concerns — including an anonymous option if possible. Respond visibly when concerns are raised, even if your response is "we looked at this and here is why we concluded it is not a problem right now." The mission is the reason you exist. Risk management is what allows the mission to continue.

For nonprofits ready to take the next step on volunteer vetting, VolunteerBadge offers $5 background checks, full identity verification from any smartphone, and built-in FCRA compliance — all in a single platform designed specifically for nonprofit organizations. No monthly fees. No contracts. Just the screening infrastructure your organization needs to serve your community safely.

Legal Disclaimer: The content on this page is for informational purposes only and does not constitute legal advice. VolunteerBadge and ScreenForge Labs, LLC are not law firms and do not provide legal counsel. FCRA requirements and applicable laws vary by jurisdiction and circumstances. For guidance specific to your organization, please consult a qualified attorney.

AI Content Transparency: We use AI tools to assist in the research and drafting of our blog content. That said, the opinions, perspectives, and editorial judgment in every article reflect the author's genuine views and real-world experience. We believe in full transparency about how content is created — because trust matters as much in publishing as it does in background screening.