Not-For-Profit Board Governance and Internal Controls



While not-for-profit and for-profit organizations differ in several ways, such as funding and taxes, they are alike in two fundamental respects: both face identifiable risks, and both need governance. The two are related, because strong governance helps an organization monitor and curtail its risks. The three pillars of corporate governance – transparency, accountability and security – run parallel to a successful internal controls framework; together they form the foundation of risk management and of the governance an organization needs in order to thrive.

Governance & Management

In not-for-profit organizations, there is governance and management, with each being equally important to the success of the organization. The governance function, which is conducted by the Board of Directors, is responsible for oversight, large-scale planning and ensuring the organization is fulfilling its purpose. The management function, consisting of an executive director and other key employees, is responsible for day-to-day operations and tackling the action plans set forth by the organization.

One example of how these two leadership functions work together concerns policies and procedures, a valuable tool for any organization. The Board of Directors is responsible for developing, reviewing and approving procedures over key functions, while management is responsible for ensuring these procedures are rolled out and followed, and for reporting their effectiveness back up to the Board. Together, the two leadership groups share a responsibility that supports both strategic and operational objectives. This is the tone at the top through which the concept of risk management is promoted and pushed down through the organization.

Risk Management

Risk oversight is a governance matter that falls within the oversight responsibilities of the Board of Directors. Because not-for-profit organizations have limited resources and budgets, they are more sensitive to potential losses from fraud, accounting errors and reputational damage. For this reason, active risk management should be a key focal point for the Board. As a team, the Board of Directors and management must identify the risks the organization faces, implement action plans to prevent them, and monitor the effectiveness of the implemented controls, revising them as needed.

To understand why risk management is crucial, Boards need to understand the risks that could prevent the organization from operating and fulfilling its mission. Two of the most frequently highlighted risk areas are financial reporting and information technology (IT). The organization relies on raising and utilizing funds; therefore, financial controls are crucial. Organizations must implement procedures to monitor and control the use of their financial resources so that those resources are allocated to the organization's mission. Further, the majority of organizational functions and tasks are completed using information technology; therefore, IT controls are vital.

How to Mitigate Risks

Understanding the various organizational processes and asking “what is the risk?” or “what can go wrong?” is the first half of the equation. The second half is deciding how the organization plans to mitigate each risk and monitor success. There are four strategies that can be applied to manage risk:

1. Accept the Risk – No action is performed, and the organization operates with the status quo.

2. Avoid the Risk – The activity that carries the risk is ceased. For example, a fundraising tactic whose risk outweighs its reward would not be pursued under risk avoidance.

3. Mitigate the Risk – Activities and procedures are put in place to lower the risk to a more acceptable level. For example, if there is a risk of fraudulent checks being cut, the mitigating control would be to require two signatures on each check for dual approval.

4. Transfer the Risk – The risk is moved to a third party; for example, the risk of errors in accounting or grant applications can be reduced by outsourcing the function to an experienced accountant or grant writer.

Having a third-party internal auditor evaluate your not-for-profit organization can help it better achieve its mission. This fresh perspective, along with additional industry insight, can be used to ensure the risks your organization faces are appropriately addressed and monitored. If your organization needs additional assistance in identifying risks and generating mitigation strategies, contact the team at Sikich.


This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.
