
Top 5 Risks Nonprofits Aren’t Tracking – But Should in 2025

October 21, 2025

How to protect your mission from the risks no one talks about.

Every year brings new nonprofit risks — some obvious, some hidden. If you work at a nonprofit, you already know about familiar worries: funding cuts, staff burnout, donor fatigue. But some of the most serious risks are not the ones people talk about at conferences. They’re quieter, technical, and easy to miss – until they suddenly cause lost donations, damaged trust, or a crisis you never expected. Here are five risks that many nonprofits aren’t tracking – and simple steps to reduce them. No jargon, no panic – just the basics everyone should know in 2025.

1. Your emails might never reach your donors

Every organization sends newsletters, fundraising appeals, and thank-you notes. But in 2024, Gmail and Yahoo introduced new safety rules for bulk emails. If your system isn’t set up correctly, those emails may now land in spam folders or be rejected entirely – and you may never notice.

What’s going on:

Email providers now require every sender to “prove who they are.” This is done through three settings on your domain’s DNS – called SPF, DKIM, and DMARC – that your tech person or email platform can enable. Without them, email filters assume you might be a scammer.

Why it matters:

In 2024, nonprofits raised $2.63 in email-sourced revenue per subscriber. If your list has 10,000 contacts, that’s about $26,300/year from email alone. Even a 10% drop in deliverability can mean $2,600 in lost donations – simply because messages never reached the inbox. New Gmail/Yahoo rules (SPF, DKIM, DMARC, one-click unsubscribe, low complaint rates) make deliverability a must-fix in 2025.

What to do:

Ask whoever manages your Mailchimp, Gmail, or domain to confirm that SPF, DKIM, and DMARC are active. Use a single sending address (not many random ones), keep complaints below 0.3%, and make it easy to unsubscribe.
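An added example (not from the original article) of the confirmation step above: it reads a domain’s SPF, DKIM and DMARC TXT records and reports whether each one is present and usable. The domain `example-charity.org`, the DKIM selector `k1` and the records in `SAMPLE_DNS` are constructed; `lookup_txt` stands in for a real DNS query.

```python
from typing import Callable, Dict, List, Tuple

# Constructed sample TXT records for a hypothetical domain (not real DNS data).
SAMPLE_DNS: Dict[str, List[str]] = {
    "example-charity.org": ["v=spf1 include:_spf.google.com ~all"],
    "k1._domainkey.example-charity.org": ["v=DKIM1; k=rsa; p=MIGfMA0G...PLACEHOLDER"],
    "_dmarc.example-charity.org": ["v=DMARC1; p=none; rua=mailto:dmarc@example-charity.org"],
}

def lookup_txt(name: str) -> List[str]:
    """Stand-in resolver; swap in a real DNS TXT query to audit a live domain."""
    return SAMPLE_DNS.get(name.lower().rstrip("."), [])

def parse_tags(record: str) -> Dict[str, str]:
    """Split 'k=v; k2=v2' style records (DKIM, DMARC) into a dict."""
    pairs = [p.split("=", 1) for p in record.split(";") if "=" in p]
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(records: List[str]) -> Tuple[bool, str]:
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero or several SPF records both fail validation
        return False, f"expected exactly one SPF record, found {len(spf)}"
    if spf[0].split()[-1].lower() in ("+all", "all"):
        return False, "SPF ends with +all, which lets anyone send as your domain"
    return True, "SPF record present"

def check_dkim(records: List[str]) -> Tuple[bool, str]:
    keys = [parse_tags(r) for r in records if "p=" in r]
    if not keys:
        return False, "no DKIM key published at this selector"
    if not keys[0].get("p"):  # an empty p= tag means the key was revoked
        return False, "DKIM key is revoked (empty p= tag)"
    return True, "DKIM key published"

def check_dmarc(records: List[str]) -> Tuple[bool, str]:
    dmarc = [parse_tags(r) for r in records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return False, f"expected exactly one DMARC record, found {len(dmarc)}"
    policy = dmarc[0].get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return False, "DMARC record has no valid p= policy"
    return True, f"DMARC policy p={policy} (none is the minimum; reject is strongest)"

def audit(domain: str, selector: str, resolve: Callable[[str], List[str]] = lookup_txt):
    """Run all three checks; returns {check_name: (passed, detail)}."""
    return {"SPF": check_spf(resolve(domain)),
            "DKIM": check_dkim(resolve(f"{selector}._domainkey.{domain}")),
            "DMARC": check_dmarc(resolve(f"_dmarc.{domain}"))}
```

Once your email platform’s records are in place, replace `lookup_txt` with a real TXT lookup and run `audit` against your own domain and selector.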

2. Data privacy laws are multiplying – and nonprofits are not exempt

Ten years ago, privacy rules were mostly a corporate issue. Today, almost twenty U.S. states have their own data-privacy laws. Each state sets different requirements for how you collect, store, and delete personal information.

What counts as personal data?

Names, emails, donation history, volunteer forms, photos from events, and even survey answers – almost everything you store about real people.

Why it matters:

A well-intentioned nonprofit can accidentally break these rules simply by keeping old mailing lists or sharing data with a contractor who stores it elsewhere. Regulators rarely target charities, but public trust can disappear fast if a donor or beneficiary feels their data was misused. And donors do care: a 2025 survey found ~69% worry their information might be hacked or stolen. Keep lists current, know where data lives, and be clear with vendors about protection and deletion.

What to do:

Make a quick inventory: what personal data you collect, where it lives, who can see it, and when you delete it. Add a short privacy statement on your website and keep your mailing lists clean. And if you ever test an AI tool on real data – make sure it doesn’t “learn” from it unless you have permission.

3. Cybersecurity is no longer optional

Cyber-crime isn’t just a problem for banks. Nonprofits hold donor records, grant agreements, and payroll data – valuable information for hackers. The most common attack is Business Email Compromise (BEC) – when criminals imitate a real staff member and send fake payment instructions.

A real-world example:

In 2020, Philadelphia hunger-relief nonprofit Philabundance wired $923,533 to a fraudster after receiving a spoofed invoice that looked like it came from its construction vendor. The genuine vendor’s emails were quietly filtered out, so the transfer looked routine. The loss was discovered only weeks later, when the real vendor asked where the payment was.

What to do:

  • Use two-step verification (2FA/MFA) on all email and accounting systems.

  • Double-check every request to change bank details – by phone, not by replying.

  • Limit how many people can approve payments.

  • Ask your accountant or IT support to review your controls once a year.

These steps cost almost nothing and prevent the majority of losses.

4. Safeguarding – protecting the people you serve

“Safeguarding” means making sure no one is harmed through your programs – physically, emotionally, or financially. For example, if you work with children, seniors, refugees, or survivors of violence, you have a duty to keep them safe not only from outsiders but also from staff, volunteers, or partner groups.

Why it matters now:

Large foundations and international donors increasingly require written safeguarding policies before they fund a project. Even small community groups need at least a simple version – because one incident of neglect or misconduct can undo years of trust.

What to do:

  • Write a short code of conduct for staff and volunteers.

  • Appoint one person as a safeguarding contact (someone people can safely talk to).

  • Provide a short training or handout on how to recognize and report problems.

  • Add a safeguarding clause to your partner or subgrant agreements.

You don’t need a 40-page manual – a one-page policy and clear process already make a difference.

5. Internal fraud – the risk inside the office

It’s uncomfortable to think about, but many nonprofit losses happen inside the organization: falsified receipts, duplicated reimbursements, or someone quietly diverting funds. Most cases happen because people trust each other too much and there are no checks and balances – not because anyone planned to steal.

Why it matters:

According to the Association of Certified Fraud Examiners (ACFE), organizations without anti-fraud training lose twice as much to internal theft as those with basic controls. The typical case lasts a year before it’s discovered.

What to do:

  • Make sure no single person both authorizes and records a payment.

  • Review bank statements monthly.

  • Require two signatures (or approvals) for any transfer over a set amount.

  • Create a simple, anonymous way for staff or volunteers to report concerns – an email inbox works fine.

  • Mention ethics and integrity at least once a year in team meetings.

A culture of transparency is the best protection.

Why these “small” nonprofit risks matter

None of these five risks are dramatic. They won’t appear on TV news, and they don’t require a crisis consultant. But they are the quiet causes of many nonprofit losses – financial, reputational, and emotional. The good news is that each one can be reduced with a few hours of attention, not huge budgets. Think of this as routine maintenance for your mission – like checking the smoke detector before lighting a candle.
