Protecting Your Nonprofit With Third-Party Risk Management
By: Venminder Experts on April 23 2024
Nonprofit organizations play a crucial role in society, focusing on important causes like environmental conservation, humanitarian aid, and community development. Nonprofits often collaborate with third parties, like vendors, service providers, and even other nonprofits, to streamline operations and make their mission-driven work more effective. However, it's important to recognize that working with third parties comes with its own set of risks. Third parties expand the risk landscape for nonprofit organizations, introducing potential liabilities that must be effectively managed.
Effective third-party risk management (TPRM) is crucial for ensuring compliance, minimizing harm, and protecting your reputation. This blog outlines key regulatory requirements for nonprofits and how third-party risk management helps nonprofits maintain third-party compliance. Implementing this practice will help you navigate challenges and achieve your goals effectively.
Essential Regulations for Nonprofit Organizations and Their Third Parties
Nonprofit organizations are bound by a wide range of laws and regulations, covering areas such as taxes, privacy, data protection, employment, intellectual property, anti-corruption, lobbying, and financial reporting. In the U.S., a nonprofit that holds tax-exempt status must continue to meet the requirements of Internal Revenue Code Section 501(c)(3). Nonprofits that bill federal programs are also subject to the False Claims Act, which prohibits fraudulent claims for payment, and those working with federal healthcare programs to the Anti-Kickback Statute, which prohibits paying or receiving anything of value in exchange for referrals.
Nonprofits must also comply with the Foreign Corrupt Practices Act to ensure ethical conduct in international business. Moreover, the Lobbying Disclosure Act mandates transparency in lobbying activities. Compliance with these regulations is paramount for nonprofit organizations and all their affiliated entities or third parties.
Here's a brief overview of the regulatory environment for nonprofits:
- Fundraising regulations: In the U.S., nonprofit organizations must comply with state-level charitable solicitation acts when soliciting funds; most states require registration before a nonprofit asks their residents for donations. The Unified Registration Statement, a multi-state registration form accepted by many of those states, reduces the paperwork for public fundraising efforts.
- Data privacy laws: The regulatory framework for privacy in the United States is complex and involves a combination of federal and state laws. Unlike many other countries, there is no single federal law that governs all aspects of privacy. Instead, privacy in the U.S. is addressed through laws and regulations that are specific to particular sectors. Some privacy laws, like many state privacy laws, exempt nonprofit organizations from compliance.
However, some types of data are regulated by sector-specific laws regardless of the organization's nonprofit status. For example, healthcare data is regulated by the Health Insurance Portability and Accountability Act (HIPAA), and financial information falls under the Gramm-Leach-Bliley Act (GLBA). A nonprofit clinic, or a vendor that processes protected health information on its behalf, is therefore bound by HIPAA even where a state privacy law exempts nonprofits.
- Employment laws: Equal Employment Opportunity (EEO) laws prohibit discrimination based on protected characteristics such as race, color, religion, sex, national origin, disability, and age. The main focus of EEO laws is to prevent discrimination in employment practices, including hiring, promotion, and termination. Separate from EEO laws, two wage-and-hour considerations deserve attention:
- Fair Labor Standards Act (FLSA): The FLSA is the primary federal labor law setting minimum wage, overtime, recordkeeping, and child labor standards. Nonprofits must adhere to FLSA requirements concerning employee compensation and working conditions.
- Volunteer work: While volunteer labor is an essential aspect of nonprofit organizations, it doesn’t automatically exempt them from labor laws. The FLSA outlines that individuals may volunteer their services to nonprofit organizations that are religious, charitable, civic, humanitarian, or similar in nature without being covered by the FLSA. However, there are limitations to this exemption.
For example, it’s generally not allowed for individuals to volunteer in commercial activities that are run by a nonprofit organization. If volunteers engage in regular commercial activities, such as providing veterinary services for a fee, which leads to sales or business being conducted, they may be subject to FLSA protections on an enterprise basis.
- Financial reporting and transparency: The Sarbanes-Oxley Act of 2002 was created in response to corporate scandals like Enron and Tyco. It mainly applies to publicly traded companies, but it also affects nonprofit organizations. Two SOX provisions apply to all entities, including nonprofits: Retaliation Against Whistleblowers and Document Destruction. Nonprofit leaders should examine SOX provisions and state laws and consider adopting governance best practices.
- Local state law requirements: Staying informed on local laws can be challenging because requirements often vary from state to state. When managing a nonprofit, ensuring your vendors adhere to the applicable laws and regulations is crucial, so seeking guidance from legal experts who specialize in nonprofit regulation can provide insight into compliance and let your organization focus on its mission while abiding by the law.
- Global nonprofit regulations: With data protection and privacy laws varying from country to country, nonprofits must navigate complex regulations. This is especially critical for nonprofits that operate in multiple countries, as keeping track of ever-changing regulations can be time-consuming. It’s important to have a comprehensive understanding of the relevant laws and regulations and stay up to date on changes.
10 Best Practices for Nonprofit Third-Party Risk Management
Failing to comply with U.S. and global regulations can result in legal, reputational, and financial consequences, even when a third-party vendor is at fault. Nonprofit organizations must ensure the security of their operations by implementing effective third-party risk management programs.
Effective third-party risk management involves identifying potential risks, assessing their likelihood and impact, and taking action to mitigate them. It also involves continuous monitoring and incident response planning, among other practices.
Here are 10 best practices for nonprofit third-party risk management:
- Follow the third-party risk management lifecycle: Nonprofits should cover the entire third-party lifecycle, from onboarding to offboarding. The third-party risk management lifecycle involves rigorous regular risk assessment, due diligence both during onboarding and periodically after that, continuous risk and performance monitoring, issue management, and, if necessary, termination of the third-party relationship.
- Identify and assess risks: Third-party risks span cybersecurity and information security, financial, reputational, and compliance domains. Assess the likelihood and impact of each risk for each vendor, combine them into an inherent risk rating, and prioritize the highest-rated vendors for the deepest due diligence and the most frequent reviews.
- Perform due diligence: When engaging in business relationships with external third-party entities, conduct thorough research to ensure all parties involved are trustworthy and reliable. This includes requesting and reviewing documentation from the third-party vendor. This process, known as due diligence, helps mitigate potential risks and safeguard against any negative outcomes that may arise from the partnership.
- Use subject matter experts (SMEs): Consult with skilled professional SMEs in various risk domains such as cybersecurity, legal, compliance, and financial to review third-party practices, controls, and documentation. SMEs should provide a qualified opinion on their sufficiency.
- Implement clear contracts: Contracts with third-party vendors and partners should include clear language about expectations and responsibilities, such as data security and privacy requirements, service level agreements (SLAs), and right to audit and breach notification clauses.
- Develop an incident response plan: Third-party vendors must have a plan for responding to incidents that may occur, such as natural disasters, cyberattacks, accidents, or employee misconduct, and those plans should be tested regularly to ensure they work as intended. Your own incident response plan should cover vendor incidents as well: who the vendor notifies, within what timeframe (matching the breach notification clause in the contract), and who at the nonprofit decides on containment steps such as revoking the vendor's access.
- Continuously monitor third-party vendors: Regularly monitor known, new, and emerging third-party risks and mitigate them through measures such as cybersecurity audits, financial control reviews, or background checks for staff and volunteers. This also includes periodic audits of third-party vendors to confirm their systems remain secure and up to date, since a control verified at onboarding can lapse before the next scheduled review.
- Establish performance metrics: Establish and track metrics to measure the effectiveness of your third-party risk management efforts, such as the number of incidents prevented, the rate of regulatory compliance, or even the amount of money saved with third-party risk management.
- Maintain documentation and records: Keep thorough records of all third-party risk management activities, such as incident reports, contracts, due diligence documentation, and compliance documents.
- Educate staff and engage stakeholders: It’s important to educate staff on third-party risk management policies and procedures, emphasizing the importance of third-party risk management, cybersecurity awareness, and data protection. Third-party risk management efforts can benefit from stakeholder involvement through measures such as risk committees, surveys, or townhall meetings.
Special Consideration: Nonprofit Budget Constraints for Third-Party Risk Management
Managing third-party risk management on a budget can be challenging for nonprofits with limited resources. However, it isn’t impossible. By identifying and prioritizing risks based on likelihood and impact, nonprofits can focus their resources on the highest risk third-party vendors. There are also free and low-cost resources from industry associations and online platforms to use as your nonprofit establishes its third-party risk management program. Consider partnering with other nonprofits to share third-party risk management resources and achieve cost savings.
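The risk prioritization described under "Identify and assess risks" and in this budget section can be made concrete with a small inherent-risk tiering model. The following is an added example and not code from the original article or from Venminder; the scoring weights, tier thresholds, review cadences, and the five-vendor inventory are all assumptions chosen for illustration, and a real program would tune them to its own risk appetite. It scores each vendor on impact (what data it handles and whether an outage halts the mission) and likelihood (exposure factors such as network access, subprocessors, and missing assurance evidence), assigns a tier, derives the evidence to request in due diligence, and then spends a limited number of full assessments on the riskiest vendors while the rest receive a lighter self-attestation. Vendors whose data has not yet been classified are deliberately scored up rather than down, because not knowing what a vendor holds is itself a risk.

```python
"""Vendor inherent-risk tiering for a resource-constrained TPRM program.

Added example, not from the original article. All weights, thresholds,
cadences and the sample vendor inventory are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum

# Impact weight of a data class a vendor handles (assumed 0..3 scale).
DATA_WEIGHTS = {"phi": 3, "payment_card": 3, "donor_pii": 2, "employee_pii": 2, "public": 0}


class Tier(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# Months between full due-diligence reviews per tier (assumed cadence).
REVIEW_CADENCE_MONTHS = {Tier.CRITICAL: 12, Tier.HIGH: 12, Tier.MEDIUM: 24, Tier.LOW: 36}


@dataclass(frozen=True)
class Vendor:
    name: str
    data_types: frozenset      # data classes shared; empty means "not yet classified"
    mission_critical: bool     # an outage stops programs or fundraising
    network_access: bool       # holds credentials or VPN access into your environment
    subprocessors: int         # fourth parties the vendor discloses
    assurance_report: bool     # current SOC 2 / ISO 27001 evidence on file


def impact_score(v: Vendor) -> int:
    """1..5: how bad a failure at this vendor would be for the nonprofit."""
    if not v.data_types:
        data = 2  # unclassified data is treated as moderately sensitive until classified
    else:
        data = max(DATA_WEIGHTS.get(d, 2) for d in v.data_types)  # unknown class -> 2
    return max(1, min(5, data + (2 if v.mission_critical else 0)))


def likelihood_score(v: Vendor) -> int:
    """1..5: exposure factors that make an incident at this vendor more probable."""
    score = 1
    score += 1 if v.network_access else 0
    score += 1 if v.subprocessors > 0 else 0
    score += 1 if not v.assurance_report else 0
    score += 1 if not v.data_types else 0  # unclassified: you do not know what is exposed
    return score


def risk_score(v: Vendor) -> int:
    """Inherent risk = impact x likelihood, range 1..25."""
    return impact_score(v) * likelihood_score(v)


def tier(v: Vendor) -> Tier:
    s = risk_score(v)
    if s >= 15:
        return Tier.CRITICAL
    if s >= 9:
        return Tier.HIGH
    if s >= 4:
        return Tier.MEDIUM
    return Tier.LOW


def required_evidence(v: Vendor) -> list:
    """Documents to request in due diligence, driven by the data and access involved."""
    docs = ["security questionnaire"]
    if "phi" in v.data_types:
        docs.append("HIPAA business associate agreement")
    if "payment_card" in v.data_types:
        docs.append("PCI DSS attestation of compliance")
    if v.network_access:
        docs.append("access control and MFA policy")
    if v.subprocessors > 0:
        docs.append("subprocessor list and flow-down terms")
    if not v.assurance_report:
        docs.append("SOC 2 Type II report or ISO 27001 certificate")
    if tier(v) >= Tier.HIGH:
        docs.append("incident response plan and most recent test results")
    return docs


def plan_reviews(vendors, full_reviews_budget: int):
    """Spend a limited number of full assessments on the riskiest vendors.

    Returns (full_review, light_review): the rest get a self-attestation only.
    """
    ranked = sorted(vendors, key=lambda v: (risk_score(v), impact_score(v)), reverse=True)
    return ranked[:full_reviews_budget], ranked[full_reviews_budget:]


# Constructed sample inventory (assumed, for illustration only).
SAMPLE_VENDORS = {
    "Clinic EHR host": Vendor("Clinic EHR host", frozenset({"phi"}), True, True, 1, False),
    "CloudDonor CRM": Vendor("CloudDonor CRM", frozenset({"donor_pii", "payment_card"}), True, False, 3, True),
    "Payroll provider": Vendor("Payroll provider", frozenset({"employee_pii"}), False, False, 2, True),
    "Volunteer scheduling app": Vendor("Volunteer scheduling app", frozenset(), False, False, 0, False),
    "Print shop": Vendor("Print shop", frozenset({"public"}), False, False, 0, False),
}

if __name__ == "__main__":
    full, light = plan_reviews(SAMPLE_VENDORS.values(), full_reviews_budget=2)
    for v in full + light:
        mode = "FULL" if v in full else "light"
        print(f"{v.name:26} score={risk_score(v):2} tier={tier(v).name:8} "
              f"review={mode:5} every {REVIEW_CADENCE_MONTHS[tier(v)]} months")
        print("   evidence:", ", ".join(required_evidence(v)))
```

With a budget of two full assessments, the clinic's EHR host (PHI, network access, no assurance report) and the donor CRM (card data plus mission-critical) are reviewed in full, while the payroll provider, the unclassified scheduling app, and the print shop receive a lighter questionnaire until budget allows more. The sort key breaks ties on impact so that, between two equally scored vendors, the one whose failure would hurt more is reviewed first.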
Third-party risk management goes beyond a mere checklist – it’s the cornerstone for ensuring compliance, safeguarding donors and employees, and preserving the nonprofit’s reputation and resources. Developing and improving third-party risk management is crucial to safeguarding the well-being of all parties involved.
Nonprofit organizations can take proactive measures by adopting third-party risk management best practices. By implementing effective third-party risk management, nonprofits can fulfill their mission and make a meaningful impact on the world.