By: Suzann Smith, MBA​

​

“When written in Chinese, the word ‘crisis’ is composed of two characters. One represents danger and the other represents opportunity.”
– John F. Kennedy

​

The quote above may be familiar, but the truth behind it hits differently today. Crises are no longer slow-moving events. They unfold in hours — sometimes minutes — and nonprofits are not immune. From cyberattacks and misinformation to donor volatility, organizations are being tested in new ways. And while headlines often spotlight corporate crises, the social sector faces its own set of risks that can be just as damaging.

 

Melanie Lockwood Herman of the Nonprofit Risk Management Center — an excellent resource for nonprofits — highlights 10 of the most common threats facing organizations:

​

1. Lack of cash flow

2. Ineffective fiscal oversight

3. Fraud

4. Reputation risk

5. Lack of succession planning

6. Ineffective staff exits

7. Lack of crisis policies

8. Dissatisfied donors

9. Unmanaged board conflicts

10. Lack of good governance practices

 

Today’s landscape adds even more:

1. Cybersecurity breaches

2. Misinformation and online reputational attacks

3. Staff burnout and sudden turnover

4. Political polarization affecting mission delivery

If those are the dangers, the opportunity is this: every one of these risks can be managed — and even transformed into a chance to strengthen your organization — with the right preparation.

Below are practical ways to build that readiness before, during and after a crisis.

 

BEFORE: Build Your Resilience

 

Risk management isn’t a paperwork exercise — it’s a leadership discipline. It starts with naming the risks that could disrupt your work and building systems to lessen their impact.

 

A recent report showed an alarming disconnect: senior nonprofit leaders ranked “risk management and legal issues” among their top priorities, while mid-level managers ranked them much lower. That gap itself is a risk. When the people closest to operations aren’t equipped or empowered to address risks, blind spots grow.

 

We encourage leaders to treat risk management as a core leadership function. One of the best times to conduct a customized risk assessment is when developing or updating your organization’s strategic plan. Use that time to review:

 

1. Personnel policies

2. Insurance coverage

3. Contracts

4. Financial controls

5. IT and cybersecurity protections

6. Succession plans

7. Crisis communication protocols

 

If they are outdated, enlist board members or volunteers with relevant expertise to help refresh them.

 

Most organizations practice fire drills — but far fewer practice what to do if their system is hacked, a donor posts a public complaint or a news story misrepresents their work. At your next executive team meeting, identify your top five risks and discuss openly what would happen if they materialized. The goal isn’t to scare people — it’s to uncover gaps while you still have time to fix them.

 

Example:

One of our clients used this process to test its readiness for a cyber breach. The exercise exposed that only one staff member had access to key recovery systems. That single discovery led to redundancies, stronger protocols and a faster response plan. A simple conversation delivered a major payoff.

 

DURING: Respond with Clarity and Confidence

 

A crisis is the worst time to learn crisis communication. Emotions run high. Information changes quickly, and the pace outstrips the perfect phrasing you wish you had time to craft.

 

Matthew W. Seeger’s work on crisis communication underscores several best practices nonprofits should adopt long before a crisis hits. We share these below with our thoughts layered on:

 

1. Designate a trained spokesperson — ideally more than one.

2. Build a media and stakeholder contact list — and build relationships now, before a crisis occurs.

3. Develop release procedures and internal communication pathways — and practice them like you would a fire drill.

4. Be transparent — even when you don’t have all the answers.

5. Communicate early and often to staff, board, partners and the public.

6. Collaborate with credible outside sources when needed.

 

The goal is simple: maintain trust. People don’t expect perfection, but they do expect honesty, timeliness and competence.

 

AFTER: Capture the Lessons Learned

 

Once the crisis is over, leaders are often exhausted and eager to move on. But this is the moment that defines long-term trust. An after-action review allows you to unpack what happened, what worked, what failed and how you can strengthen your systems. If your organization’s credibility is undermined by a crisis, leaders must acknowledge the situation openly, address mistakes and clearly communicate what has changed to earn back partners’ trust. This re-building effort may take time, but it will be worth the effort.

 

Why This Matters

Embedding risk management into everyday leadership — not just emergencies — builds an organization capable of weathering uncertainty and emerging stronger on the other side.

 

We encourage you to devote one upcoming executive meeting to identifying your top risks and ensuring your policies, systems and communication plans are ready for whatever comes next. It’s one of the highest-return investments you can make in your mission. And it can be a great team-building exercise.

 

We’d love to hear what your organization is doing to rethink risk — share your ideas and experiences with us.

​

​