
By Alex Davis, Board Chair, Group 36
A lot of nonprofit “governance problems” don’t look like legal problems – until the day they do.
A grant comes in with “standard” conditions. A donor wants an update by Friday. A board member offers a vendor intro that solves an urgent problem. Someone posts an impact story that feels true – but isn’t fully documented. In the moment, it’s just getting work done.
Then a different set of questions arrives: Who approved this? Where’s the documentation? Was there a conflict? What policy governed the decision? And when those questions come from a funder, an auditor, a journalist, or a state charities regulator, governance stops being a “board topic.” It becomes what it really is: legal risk management for charitable assets.
Two numbers explain why this matters even in high-trust environments. The Association of Certified Fraud Examiners (ACFE) 2024 Report to the Nations points to a governance problem hiding in plain sight: in 32% of cases, organizations lacked internal controls, and in 19% of cases, existing controls were overridden. In other words, the risk isn’t just bad actors – it’s weak oversight and decision pathways that make it easy to bypass safeguards.
Modern nonprofits operate in a tighter accountability loop: decisions are faster, communications are public, and “proof” is expected on demand. Governance becomes risk management not because everyone is doing something wrong, but because the cost of ambiguity is higher.
The IRS reinforces this logic by asking nonprofits to disclose governance and policy practices in Form 990 Part VI – and it explains that this information can help the IRS assess the risk of noncompliance.
That doesn’t mean every practice is legally required everywhere. It does mean governance is treated as a risk signal by the broader ecosystem.
So what does “good governance” look like in a way that’s both legally defensible and operationally realistic?
Nonprofit directors are commonly described as having three core fiduciary duties: care, loyalty, and obedience. The National Council of Nonprofits outlines these duties and what they mean for board service.
In practice, these duties are less about abstract ethics and more about whether a board can later show it acted responsibly:
Here’s the governance trap: many boards confuse presence with process. Fiduciary duty is not “attend meetings.” It’s whether decisions were informed, conflict-aware, and mission-aligned – and whether that can be demonstrated later.
Which leads directly to the most common stress test of “loyalty”: conflicts of interest.
A conflict of interest is not automatically wrongdoing. It’s a risk condition. It becomes dangerous when it’s hidden, unmanaged, or handled casually.
Best practice is to require regular disclosures and set clear expectations so potential conflicts surface early and can be handled appropriately.
And Form 990 Part VI asks about conflict-of-interest policies because the sector now treats this as baseline governance hygiene.
Mini case study:
A board member introduces a vendor: “They’re great, and they can start next week.” The nonprofit is understaffed and relieved. The contract gets signed quickly. Months later, the organization learns the board member has a financial relationship with the vendor (a partner, spouse, referral fee, or shared ownership). The work may be fine. The price may be fair. But the credibility problem is immediate: Was the conflict disclosed? Did the board manage it? Was there a competitive process? If the answer is fuzzy, the organization’s governance story is now fragile.
A defensible pattern is boring by design: disclose early, recuse when appropriate, document what happened.
But even strong COI practices won’t save an organization if it can’t answer a simpler question: who was allowed to commit the organization in the first place?
If you want the highest-leverage governance upgrade without adding bureaucracy, define decision rights: who can approve which commitments – and when escalation is required.
Many “compliance problems” are really approval problems. They happen when a nonprofit makes a commitment – contractual, financial, or public-facing – without a clear approval path, and later can’t prove how the decision was made.
This shows up in a few predictable places:
Nonstandard grant terms signed under time pressure,
Restricted gifts accepted without fully understanding operational requirements,
Program expansions approved without a risk review,
Public impact claims made without substantiation.
You don’t need to push every decision to the board. You need an approval model tied to risk: routine decisions delegated with guardrails; higher-stakes decisions reviewed by executive leadership and a finance/operations lead; the highest-stakes decisions escalated to a board committee or the full board.
That’s governance as design – not governance as performance.
And once decision rights are clear, you can see which policies actually matter.
Most nonprofits don’t lack policies. They lack policies that operate.
Form 990’s governance section reflects a practical reality: policies aren’t paperwork – they’re the routines that make oversight consistent, especially around conflicts and core accountability habits.
The IRS has also published governance guidance discussing risk areas such as conflicts and diversion of assets, highlighting why internal controls and governance practices matter.
A useful policy is one that answers: What do we do when X happens? Who decides? What documentation is required?
That’s why a small set of “risk-reducers” tends to outperform a large set of documents: conflict-of-interest workflow, document retention, whistleblower channel, and a delegation-of-authority approach aligned to decision rights.
But policies only become defensible if the organization can prove they were actually used. That proof usually lives in one place.
Minutes are the record that turns governance into something real. They’re not a transcript. They’re a decision record – who was present, what was reviewed, what was approved, how conflicts were handled, and what authority was delegated. When scrutiny arrives, minutes are often the first place an outsider looks to understand whether oversight actually happened.
Mini case study:
A funder asks how a budget reallocation was approved mid-grant. If the organization can point to a clean approval path and minutes noting the decision and rationale, it looks like mature governance. If the organization has only emails and memory, the same decision can look like a compliance risk.
This is why minutes aren’t admin work. They’re a risk-control tool.
If you want meaningful improvement fast, focus on traceability – because traceability is what survives scrutiny.
Governance isn’t there to slow the mission. It’s there to protect the mission when speed, money, and scrutiny collide.
This article is informational and not legal advice.
About the Author
Alex Davis is a founding member of Omni Law P.C. and serves as Board Chair at Group 36. His work focuses on strategic legal guidance around deal structures and complex transactions, with experience advising startups, established companies, investors, and executives across multiple industries. He has held in-house counsel roles in the media industry and is admitted to practice in California, New York, New Jersey, and Pennsylvania.
Sources & Further Reading
National Council of Nonprofits – Board Roles and Responsibilities
IRS – Form 990, Part VI: Governance (policy and governance disclosures)
IRS – Governance and Related Topics: 501(c)(3) Organizations (PDF)