Manage Risk With Intention This Year

Estimated Reading Time: 20 minutes

By Melanie Lockwood Herman

Executive Director

Resource Type: Articles, Risk eNews

Topic: Risk Basics

Did external forces nudge your mission off course temporarily or push it onto a new path in 2025? Or did possibilities (risks) you embraced or shunned propel your team into unforeseen challenges? Were your forecasts for the year slightly or substantially off course? What inaccurate assumptions or presumptions wound up being mission sink holes or siren calls?

In his book The Prediction Trap, Randy Park reminds us that “there are typically many twists and turns on the way from A to B. But partly because our memories fade… when we look back, we tend to remember a straight line… Then, when we think ahead, we extrapolate this remembered past into the future.” Referring to this troubling tendency as the “trap of extrapolation,” Park urges us to be resolute in anticipating, not forecasting—or predicting—the future.

To weather the storms and avoid being complacent during periods of calm, nonprofit teams must adopt a mindset of resolved readiness. We must get ready to be ready for the disruptions, surprises, and rewards that we cannot fully envision. Nonprofit leaders must also accept that discomfort and uncertainty are constant companions. Feeling uncomfortable and uncertain is a human response to the unknown. Your mission is to turn those feelings into catalysts for curiosity, learning and growth. Nonprofit teams will navigate a risk landscape in 2026 that is both familiar and newly urgent. Surviving and thriving requires thoughtful preparation, strong governance, and a commitment to resilience.

Preparing for disruptions to normal operations is the best defense, and it inspires hope for your mission. In this edition of Risk Insights, the NRMC team beckons readers to focus on nine concerning risk realms. For each realm, we suggest question prompts to help you develop a readiness road map. We recommend you start with #1. After tackling your ‘elephant’ risk, choose the realms for which you are least prepared. Gather a creative, diverse team and get ready for a candid discussion, beginning with the prompts.

#1: The Elephant Risk in Your Room

Elephants, London Zoo, Regent’s Park, Westminster, London, c1964. Artist: John Gay.

My mother’s final wish before immigrating to the U.S. in 1964 was to visit the elephants at the London Zoo in Regent’s Park, Westminster. For Mum, elephants represent strength and good luck; her room in my home features copious and colorful representations of these majestic mammals. Whether you’re watching a nature special or visiting a wildlife park or sanctuary whose residents include elephants, it’s hard not to notice the elephant in the room.

When we think about the top risks—concerning, exciting and potentially disruptive possibilities—our missions face, there is often an ‘elephant in the room.’ This elephant can be seen and sensed from different angles and perspectives, but somehow smart, well-intentioned leaders find a way to talk around it, not about it. I have observed teams that are eager and willing to address routine risks but shirk from talking together about the outsized risk on everyone’s mind.

The proverbial elephant in the risk room might manifest in:

  • The reluctance to replace long-serving members of a board with leaders whose backgrounds and lived experience reflect the community you serve
  • Discounting the potential impact of newer, smaller organizations who are potential competitors
  • Ignoring the poor performance of a senior leader or function and the toll that poor performance has on organization-wide results and staff morale
  • Failing to recognize that the needs and preferences of the nonprofit’s clientele have changed
  • Ignoring the gap between the nonprofit’s professed values and the actual experience of working in the organization

In his book An Insider’s Guide to Risk Management, David Rowe writes that “In some cases, management has a vague sense of the threat but finds it more comfortable to ignore the ‘elephant in the corner.’ Forcing recognition of the threat may also be a difficult and unpopular task, but it too is an essential risk management responsibility.”

During the coming year, the NRMC team invites and challenges you to name the elephant risk in your nonprofit. To understand and act on the heretofore unaddressed risk, ask:

  • What possibility looms large for our mission, purpose, people and programs, but is painful to speak about?
  • What events or circumstances have caught us by complete surprise? What threats have we denied until it was too late?
  • What changes in our environment or circumstances—beyond our control—make us most uncomfortable?
  • What bold moves or changes invoke fear or hesitancy in our team?
  • What is our boldest vision for the coming year? What are we doing now that impedes progress towards that vision?
  • What practice or program are we hanging on to, despite its irrelevance, diminishing value, or declining participation?
  • In what ways do our actions fall short of our professed values?
  • What makes it hard to speak about the elephant risk(s) in our midst? What could we do to lessen the sting of speaking about this important possibility? (e.g., agree to speak honestly but without blame, focus on building readiness versus dwelling in regret, identify a handful of silver linings related to the risk, etc.)
  • What are some of the promising outcomes or developments that could happen if we address this risk this year?
  • What powerful lessons could we learn by focusing on our elephant risk?
  • How could we cushion the downside impacts of acting on this risk?
  • How can we distribute the weighty aspects of this risk versus putting too much pressure in one area or team?
  • What does our mission look like in the future without this elephant risk in our midst?

Further reading and resources:

Obsessing Over Risk Issues? That’s Okay, If You Do It Right

What Your Nonprofit Needs to Know About Change

Navigating Disruptive Change with a Risk-Aware Mindset

#2: Financial Fragility and Revenue Volatility

We enter 2026 with many organizations operating on razor-thin margins, buffeted by unpredictable government funding, shifting donor behaviors, and rising operational costs. Government grant freezes and funding uncertainty have made reliance on a single or narrow set of revenue streams perilously risky. Organizations that lack diversified income—blending individual giving, earned revenue, foundation support and strategic partnerships—may find their financial stability in jeopardy. Forecasting and building reserves aren’t luxuries; they are essential to mission continuity.

Yet no nonprofit team relishes the opportunity to draw attention to weaknesses in the financial structure of the mission and organization they love. We are hard-wired to project confidence and positivity—keys to attracting mission supporters, new financial support, and keeping staff morale strong. Yet most nonprofits have a financial Achilles’ heel that will not heal itself. That issue will only grow more acute in times of stress unless you address it.

Financial Jeopardy Readiness Road Map:

To prepare your mission for increasing financial challenges and revenue volatility, ask:

  • What aspects of our financial structure would surprise our strongest supporters (e.g., inadequate cash reserves, total debt, history of slow and late payments, deficit spending, etc.)? What steps will we take in 2026 to address this weakness?
  • Which funding stream or source feels most fragile? What signs point to its fragility?
  • What steps (immediate, short-term) could we take if a vital funding stream or source were to end in 2026? Can those funds be replaced, or are the only options trimming or ending the programs and services it supports? Can the services supported by those funds be delivered in a new way that might cost less? Could those services or programs be continued if we discontinue something else?
  • Which funding stream or source feels most secure? What are the potential consequences if we are dead wrong and our confidence is misplaced? What steps will we take in 2026 to bolster, grow, or leverage that stream of financial support?
  • Which ambassadors of our mission (such as board members, long-time volunteers, creative staff, or resourceful consultants) might have bold ideas about ways to address weaknesses in our financial health?

Further Reading and Resources:

When Financial Stress Hits Your Nonprofit, Try These Steps

Heads Up: Why Fortified Fiscal Oversight is Key to Financial Well Being

Is Financial Oversight Your Weakest Link?

Scope Out Scenarios to Inspire Confidence During Disruption

#3: Fusion Frenzy

Resources to support the administrative infrastructure for strong, effective programming have long been hard to come by. That scarcity will likely increase, and the pressure on sister and adjacent nonprofits to merge will reach a frenzied pitch. Funders and other constituents who advocate mergers see the opportunity to trim overhead expenses by consolidating administrative functions in a newly merged entity. In NRMC’s experience, nonprofit teams are often encouraged to consider consolidating when visible weaknesses and wounds make the organization vulnerable. Loss of a major funding source or revenue stream, emergence of a well-funded competitor, a scandal involving a founder or prominent leader, and crippling debt are just a few of the challenges that threaten a nonprofit mission and trigger the call to consider a merger. Ideally, your team will think through the opportunities and challenges mergers might bring before you reach that point.

Merger Readiness Road Map:

To prepare your mission for external pressure to merge or consolidate, ask:

  • What aspects of our financial structure are objectively healthy? (e.g., cash flow, balance sheet, revenue growth, funder mix, etc.)
  • What is our financial Achilles’ Heel? How are we financially fragile? (e.g., cash flow, debt, fundraising volatility, declining results in a key revenue category, etc.)
  • In what ways could our reputation—what others believe about us—differ from our self-esteem (how we feel about the organization)?
  • What would a savvy outsider invited into our inner circle see as our greatest weakness—financial, programmatic, people-related or something else?
  • What asset or strength would a sister or adjacent nonprofit be eager to emulate or acquire?
  • Who are our worthy rivals? What strengths of those rivals should we learn more about and potentially emulate?
  • What practical steps could we take—this year—to address structural or financial weaknesses? Why haven’t we taken those steps? What is holding us back?
  • What are the clear—or cloudy—signals that a merger may be right for a mission?

Further Reading and Resources:

“Mergers and Acquisitions as a Strategic Tool for Nonprofit Growth,” by George Tsiatis, Stanford Social Innovation Review

“Nonprofit Mergers Gain Steam: When They Make Sense, What They Cost and How Foundations Can Help,” Baldwin CPAs

The Nonprofit Mergers Workbook, Parts I and II, by David La Piana/La Piana Associates

#4: Undue Influence

In the article “Undue Donor Influence: What It Is, Why It Matters, and How Nonprofits Can Protect Their Mission,” the authors characterize undue donor influence as a “controversial topic many prefer to avoid.” They add that donors may have “strong opinions, conditions, and expectations…” that may “shape the nonprofit’s priorities, and in extreme cases, redefine its mission.” If this feels eerily familiar, you’re not alone.

Over the years the NRMC team has worked with and coached several nonprofit teams that have experienced nearly suffocating pressure from a dominant funder. While every mission needs enthusiastic supporters, when a funder’s outsized influence is unrelenting, erratic decisions and activities sap and derail the energy and talents of a professional team. We believe that the possibility—the risk—of undue influence has swelled with the growth in the population of high-net-worth philanthropists. How much are these philanthropists contributing in funds and potential mission influence? According to one source, giving in 2024 by the top 25 U.S. billionaires topped $241 billion.

Yet when nonprofit teams gather to engage in blue-sky thinking about mission-advancing possibilities, they almost always mention the emergence or arrival of a generous, high-net-worth donor. Competitions for mega-grants further fuel the hopes and dreams of dedicated teams working to raise the funds their missions require. And in recent times many nonprofits that dutifully complied with the onerous terms and requirements of federal grants learned the painful lesson that a grant award could be frozen, cancelled or clawed back by an administrative freeze or rescission.

It’s important to remember that hands-off benevolent billionaires are unicorns; far more common are the high-net-worth individuals who want to support nonprofit missions and bring their influence, as well as dollars, to the table.

Undue Influence Readiness Roadmap:

To prepare your mission for potential undue influence by a current or future donor/funder, ask:

  • What reluctant actions have we taken due to pressure by a donor/funder? If we could approach that decision differently today, what could or would we do?
  • What onerous requirement (in a contract or grant agreement) did we accept under pressure? How will we approach similar requirements going forward?
  • What are the signs or indicators that we should decline or counter a donor or funder’s request or demand (post-award)? What are the ways that we might communicate a respectful “no”? What experience can we draw on to say “no” kindly and authentically?
  • Does our gift acceptance policy help us manage the risk of undue or outsized influence by a donor or funder? If not, what policy, guidelines or guardrails would be helpful?

Further reading and resources:

“Undue Donor Influence: What It Is, Why It Matters, and How Nonprofits Can Protect Their Mission”

“How to Grapple with Undue Funder Influence Recommendations from a Workshop,” Open Global Rights

#5: AI Reckoning

During a recent AI Risk Assessment for a large nonprofit led by NRMC, we conducted a simple survey to uncover the ways artificial intelligence was supporting and guiding teams. We began the project thinking that although AI use had not been encouraged or sanctioned, the human beings in the organization were likely using AI in interesting ways. The survey results confirmed that hunch.

In an article published by The Bridgespan Group last summer, the authors contrast potential differences in risk and value between internal and external AI use. They invite readers to prioritize six dimensions (access to data/privacy, access to data/retraining, outcome fairness/bias, testing and quality assurance, informed consent, and dependency/continuity risk) in both use cases, noting that “outcome fairness may be a priority when it comes to externally facing AI efforts,” while efficiency may be paramount for an internal use, such as summarizing highlights of an internal meeting. The article includes thought-provoking questions to assess the risks of an AI project along the six dimensions.

AI Readiness Roadmap

NRMC encourages nonprofit teams to enthusiastically explore AI’s powerful potential with careful measures to address its significant downside risks. Nonprofit teams that vow and act to ‘reckon’ with AI adoption—across the full spectrum of exciting to concerning possibilities—will be in the strongest position to navigate the disruptions, surprises and opportunities that lie ahead.

To do so, ask these questions:

  • Do we know how and why staff—at all levels and across dispersed teams—are already using AI? If not, how can we efficiently uncover that information with an open, learning mindset?
  • What blue-sky potential uses of AI can we envision?
  • What are the pressure points AI tools could relieve? What mission-critical tasks or activities are manual and repetitive? What inconsistencies or errors could be detected using an AI tool?
  • What tasks or activities would be strengthened with more time on oversight and human review, and less time on manual processing?
  • What surprising or exciting uses of AI emerged from our staff survey?
  • What guardrails should we consider to manage the risks of privacy violations and confidentiality breaches, bias and harm to constituents, loss of trust from key supporters, overreliance on automation and weakening of professional judgement and accountability, vendor dependence and hidden costs?

Further reading and resources:

Three Very Human Qualities to Help You Manage AI Risk

A Step-by-Step Framework to Mitigate AI Risk

Hype vs. Benefit: A Nonprofit Tech Leader’s Perspective on AI

AI Resources Guide for Nonprofits, Independent Sector

AI Can’t Be Ignored: Exploring the Opportunities for Nonprofits and the Social Sector, The Bridgespan Group

#6: Executive Turnover: Planned and Otherwise

People are the heart of every nonprofit mission; executive turnover—both planned and unplanned—can disrupt a charitable mission and impede the priorities and programs that bring the mission to life. The NRMC team believes managing the departure of an experienced senior leader isn’t simply an HR ‘to do’ item; it’s a strategic risk with wide-ranging impacts. Navigating these transitions requires equal doses of acceptance (every top performing staff member will leave your nonprofit some day!) and planning.

NRMC urges all nonprofits to anticipate disruptive turnover in 2026. Leadership transitions, particularly as long-tenured executives retire without robust succession pipelines, expose your organization to capacity gaps precisely when communities and constituents depend on the services and support your mission delivers every day.

If the prospect of losing top performers and valuable contributors in 2026 makes you want to crawl back into 2025, hang on. You already have the resources to make meaningful progress to manage this inevitable risk.

Succession Readiness Roadmap

To address gaps in turnover readiness, ask:

  • Is our CEO Succession Plan clear about the steps the Board—and others—will take upon the unexpected departure, absence, or notice of the upcoming departure or retirement of our CEO?
  • Has each member of our executive leadership or management documented their critical tasks and responsibilities? Has a back-up for all these tasks been identified? If not, how soon can that happen?
  • What immediate steps will we take upon the departure of each senior staff member (e.g., appoint an interim, shift duties to others for X weeks or months, delay certain activities, or something else)?
  • Are the position descriptions of all senior roles up-to-date? If not, how soon can those documents be refreshed to reflect the reality of current operations?
  • How well do our job descriptions reflect not just where we’ve been, but where we’re going?

Further reading and resources:

Avoid Transition Trauma with a CEO Succession Plan

How to Create a Cross Training Action Plan

Managing Executive Turnover Risk

#7: Digital Transformation and Cybersecurity Vulnerabilities

Nonprofits face significant, highly impactful risks in technology transformation and cybersecurity. The concerning possibilities include data breaches of sensitive donor, employee/volunteer and client information; financial losses from targeted attacks; and operational disruptions that can halt essential services. The transition to digital systems, including online donation platforms and cloud-based collaboration tools, introduces concerning vulnerabilities that must be acknowledged and managed with care. In some instances, a lack of dedicated IT staff means legacy systems may not be updated or replaced systematically, leaving them susceptible to exploitation by hackers and costly mistakes by insiders.

Specific cybersecurity threats to nonprofits include phishing scams, where employees are tricked into revealing sensitive data; ransomware attacks, which encrypt critical data and demand payment; and third-party vendor risks, where a breach at an external service provider can compromise the nonprofit’s data and systems operability. Human error due to a lack of cybersecurity awareness training among staff and volunteers can also open the door to attackers. The continuous, rapid evolution of technology regularly presents new challenges and potential vulnerabilities.

Cyber Readiness Roadmap

To address gaps in technology readiness, ask:

  • Have we taken an inventory of all data collected? Do we update that inventory regularly? Where is it stored? Who has access to stored data? How is it protected?
  • Have you implemented regular cybersecurity awareness training and phishing simulations for all staff and volunteers to help them recognize and report potential threats? Do your staff and volunteers attend and complete the trainings? Do you offer and do they take updated trainings?
  • Do we regularly implement technical safeguards like requiring use of strong, unique passwords, enforcing multi-factor authentication (MFA) everywhere possible, keeping all software and systems updated with the latest security patches, and using encryption for sensitive data?
  • Have we established and socialized clear data privacy policies? Do we have an incident response plan to guide actions during a breach? Do we have vendor management policies for vetting third-party providers and setting safeguards for third-party provider access to and use of our data?
  • Do we have regularly scheduled backup systems and practices for all critical data? Are the backups to a secure, off-site, and offline location that can provide quick recovery from ransomware attacks or other on-site system failures?
  • Are we leveraging possible discounted or donated services from tech companies?
  • Do we regularly consult with IT experts to establish a strong security posture without overwhelming internal resources?
  • Have we reviewed our cyber liability insurance, including our application for coverage or renewal of coverage, to ensure that we have implemented all the controls referenced in the application? Are we clear about the policyholder conditions and reporting expectations of our cyber policy?

Further reading and resources:

The Cybersecurity Skills Your Nonprofit Needs

Build Your Cybersecurity Breach Defenses Before It’s Too Late

Cybersecurity for Nonprofits Resource Hub, NTEN

#8: Geopolitical, Social, and External Pressures

Political shifts, regulatory changes, and social polarization influence nonprofit funding landscapes, advocacy environments, and community needs. Nonprofits engaged in public discourse or that operate across borders must continually assess how external forces—including geopolitical instability—affect their ability to lean into mission and steward resources responsibly.

Geopolitical instability and ongoing conflicts create volatility, impacting supply chains and regional economies, which can disrupt global operations for international relief organizations. Political polarization may lead to unpredictable shifts in government funding and an increase in scrutiny from various groups. Economic pressures such as persistent inflation and rising operating costs are compounding the problem, as donor giving struggles to keep pace, leading to potential funding gaps and an increased demand for services.

Ongoing staff burnout and retention issues are exacerbated by heavy workloads, stagnant wages, and growing frustration with the perceived inability to make a tangible impact. A lack of trust, both internally with employees and volunteers, and externally with donors, can affect credibility and the ability to garner support. The rapid spread of misinformation and disinformation can also damage a nonprofit’s reputation. In addition, nonprofits are vulnerable to general external risks, including natural disasters and climate-driven extremes that can cause serious program disruptions as well as a surge in demand for those services.

Geopolitical, Social, and External Pressures Readiness Roadmap

To address gaps in socio-political readiness, ask:

  • Have we explored the full possibilities of our advocacy capacity under current laws and regulations? Can we partner with other organizations to advance an advocacy agenda that supports the success of our mission? Do we have or can we develop relationships with networks and associations that support our mission?
  • Are we fostering a culture of transparency and psychological safety in the workplace? Do we invest in professional development, competitive compensation, and provide access to mental health resources?
  • Have we developed a clear crisis response plan that includes communication strategies and contingency plans? Is the plan shared across the organization? Do all members of the team know it exists, where to find it and their roles and responsibilities in a crisis?
  • Do we engage in regular environmental scanning to monitor key economic and policy indicators? Do we regularly meet to discuss potential indicators and develop practical action plans to navigate any necessary change processes?

Further reading and resources:

9 Steps to Foster Psychological Safety and Build a Risk-Aware Culture

Take Action on Risk: Make a Plan, Not a List

Communicating During a Crisis

#9: Ethical Risk

Many of the risks described in prior sections include a layer of ethical risk. The rapid adoption of AI for fundraising and operations introduces new challenges such as algorithmic bias and the ethical use of donor information. Concurrently, heightened donor expectations for transparency, combined with complex funding streams and economic volatility, may increase the risk of financial mismanagement or the “appearance of impropriety” in how funds are used. Internal challenges, including staff burnout, can stress an organization’s ability to provide an inclusive, equitable culture amidst external pressures and political polarization. To address these potential ethical risks, nonprofits should implement practical, proactive strategies.

Ethical Risk Readiness Roadmap

To address ethical risk readiness, ask:

  • Do our operational and governance practices—from the front lines to the board level—align with our written policies, including our bylaws?
  • Have we established clear, board-approved policies for the ethical use of technology, including guidelines for data handling, accuracy validation, and human oversight of all relationship-based communications?
  • Have we recently reviewed and strengthened our internal financial controls? Do we have and enforce strict conflict-of-interest policies that emphasize the importance of speaking up to disclose potential conflicts? Do we periodically refresh our grantmaking or grant/gift acceptance policies?
  • Do we provide transparent, consistent and accurate regular financial reports to our Board?
  • Do we provide training to staff and volunteers on recognizing and meeting the legal requirements, regulations and expectations associated with our work?
  • Are we cultivating a knowledgeable board with relevant expertise to provide appropriate governance of our activities?
  • Do we work with our board in ways that promote opportunities for meaningful board engagement?
  • Do we have a succession plan or active succession strategies for board officers and members?

Further reading and resources:

An Eye for Ethics: Quelling Confusion about Ethical Quandaries

“Ethical Breakdowns,” by Max H. Bazerman and Ann E. Tenbrunsel, Harvard Business Review

“Creating an Ethical Workplace,” by Dori Meinert, Society for Human Resource Management

Connect to Steer Your Mission Through Disruption and Change

In his book How Things Are Made, Tim Minshall writes “…manufacturing works best when everything is stable: predictable demand, reliable supplies, smoothly running machines, happy workers. But nothing stays stable – customers are finicky, suppliers can’t always supply, machines break down and workers. . . well, are people. Then, on top of that, you have all those disruptions that span the immediate crises (pandemic, wars, etc.) to the slower-burn changes (the arrival of a new technology or a change in social attitudes). And sometimes, you get the hideous combination of all those things at once.”

The year ahead will test the resilience of nonprofit organizations in anticipated and surprising ways. The organizations that survive and thrive will be those that double down on making connections across real and imagined distances, incorporate risk awareness into strategy-setting, commit to strengthen governance, and make bold investments in people, systems and sustainable impact. Risks should not be seen narrowly as ‘threats’ to the mission of a nonprofit; nonprofit teams should manage risk with intention to ensure that the mission and strategic priorities of their organizations flourish in the unpredictable and turbulent times ahead.

 

Melanie Lockwood Herman is the Executive Director of the Nonprofit Risk Management Center. She invites your questions about any of the topics and guidance in this article at Melanie@nonprofitrisk.org or 703-777-3504.

 
