Spring Cleaning Your Risk Management Policies
April 8, 2026
Spring has a way of making things obvious.
You notice what’s outdated. What’s cluttered. What hasn’t been touched in a while.
Risk management is a lot like that.
Most nonprofits do not ignore risk on purpose. It just quietly drifts to the side while day-to-day work takes over. Policies get written, saved somewhere, and left alone until a problem forces everyone to look at them again.
Spring is a good time to change that.
Not with a giant overhaul. Just a thoughtful reset. A chance to make sure your policies still match the way your organization actually works.
Why this matters more than most teams think
A lot of nonprofits assume that once a policy exists, that box is checked.
But policies age fast.
Programs change. Teams grow. People leave. Technology shifts. New vendors come in. Remote work becomes normal. A process that made sense two years ago might already be out of date.
That is usually how risk sneaks in.
Not through one dramatic mistake. Through small misalignments that build up over time.
A short review now can save your organization from a much harder conversation later.
Start with what has changed
Before you open any documents, start with real life.
Ask yourself a few basic questions.
- Have we added any new programs or services?
- Are staff or volunteers working differently than they were last year?
- Are we collecting, storing, or sharing more data than before?
- Have approval processes changed because of team growth or turnover?
- Are we relying on more outside vendors or software platforms?
If your operations have changed, your policies should probably change too.
Focus on the policies that matter most
You do not need to review every document with the same level of intensity. Start with the policies that carry the most weight.
Conflict of Interest Policy
This one matters more than people sometimes realize.
A clear conflict of interest policy helps protect decision making, preserve trust, and reduce the chance that a board or leadership issue turns into something bigger. The National Council of Nonprofits says a conflicts of interest policy is perhaps the most important policy a nonprofit board can adopt, and it recommends that it be in writing and reviewed regularly.
Reference: National Council of Nonprofits, Conflicts of Interests
When you review your own policy, make sure it is not just technically in place. Make sure people actually understand it and know when to disclose a potential conflict.
Whistleblower Policy
A whistleblower policy gives people a safe and credible way to raise concerns.
If staff, volunteers, or leadership do not trust that process, concerns often surface later in messier and more damaging ways. This policy should be easy to understand, easy to access, and supported by a culture that takes concerns seriously.
This is not just about compliance. It is about accountability.
Financial Controls and Approval Processes
This is one of the most practical areas to review.
- Who can approve payments?
- Who has access to financial accounts?
- What checks are in place to prevent errors or misuse?
- Do your controls still make sense for your current team size?
The IRS encourages charitable organizations to consider governance and management policies, including conflicts of interest, investments, document retention, and whistleblower protections, as part of good organizational practice.
This is one of those areas where “we’ve always done it this way” can become a problem fast.
Data Privacy and Cyber Practices
If your nonprofit takes online donations, stores donor information, uses cloud tools, or relies on shared systems, cyber risk is already part of your world.
CISA provides cybersecurity resources to help organizations understand, manage, and reduce cyber risk.
This does not mean every nonprofit needs a huge cybersecurity playbook. But it does mean your policies should reflect reality. Who has access to donor data? How are passwords handled? What happens if someone clicks the wrong link or a system gets compromised?
Those are policy questions now, not just IT questions.
Incident Response Plan
This is one of those things people do not think about until they really wish they had.
If there is a data breach, a fraud concern, or a reputational issue, who is responsible for what? Who needs to be contacted first? What gets documented? Who communicates internally and externally?
You do not need a huge manual. You just need a plan people can actually follow.
Simple beats impressive here.
Policies only help if people know they exist
This is where a lot of organizations stumble.
A beautifully written policy does not do much if no one remembers it, understands it, or uses it.
After reviewing your documents, ask a more uncomfortable question:
Would the people here actually know what to do if a problem came up?
Sometimes the answer is not rewriting the whole policy. Sometimes it is a short conversation at a staff meeting. Or a reminder during onboarding. Or a quick board discussion once a year.
Policies work better when they feel connected to real decisions, not hidden in a folder.
Small changes can do a lot
This does not have to become a giant spring project.
Often the most useful updates are the smallest ones.
- Clarifying who approves what.
- Updating job titles.
- Removing steps no one follows anymore.
- Making sure the written process matches the real one.
That kind of cleanup is not glamorous, but it is incredibly valuable.
Where insurance comes into the picture
Policies and insurance are more connected than many nonprofits realize.
Insurance is there to support the way your organization actually operates. If your policies are outdated, unclear, or disconnected from reality, that can create confusion at exactly the wrong moment.
A spring review is a good chance to look at both sides of the equation.
Do our internal policies reflect how we work?
Does our coverage reflect the risks that come with that work?
When those two things line up, organizations tend to feel a lot steadier.
The goal is not perfection
Good risk management is not about having a perfect binder full of policies.
It is about alignment.
Your policies should match your people, your operations, your leadership structure, and your real-world exposure. When they do, they quietly support the mission in the background.
When they do not, that is when preventable problems start to show up.
Take the next step
If it has been a while since your organization reviewed its risk management policies, spring is a good excuse to do it.
Not because anything is necessarily wrong.
Just because things have probably changed.
A short review now can bring clarity, reduce stress, and help your team move forward with more confidence. And if you are not sure whether your policies and your coverage still fit together, our team is ready to help!