Nonprofit Risk Management & Insurance Audit
Catalog every policy, identify coverage gaps, build a risk register, draft a crisis plan, document incidents, and stand up board-level risk governance — all tailored to your nonprofit's size, programs, and risk profile.
1. About This Tool
Most small nonprofits know they have insurance. They could not tell you, off the top of their head, what their D&O limits are, what their cyber deductible is, whether their auto policy covers volunteers driving personal vehicles, or what their broker will say at next year's renewal. They have no written risk register. Their crisis plan, if it exists, is in the Executive Director's head. They have never had a board-level conversation about risk appetite. And then something happens.
The cost of professional risk management has always been the barrier: insurance brokers don't do enterprise risk consulting, risk consultants charge $200+ per hour, and most nonprofit boards do not include someone with formal risk management background. Meanwhile, the things that put nonprofits out of business are almost always risk-management failures — allegations of misconduct involving beneficiaries, embezzlement by a trusted insider, a ransomware attack that exposes donor data, a wrongful termination lawsuit, a vehicle accident with inadequate coverage.
The Nonprofit Risk Management & Insurance Audit tool walks your organization through a five-step onboarding profile, then produces seven generators covering enterprise risk management, insurance, and incident response — all tailored to your revenue, employee count, programs, and risk profile.
Risk management is not about predicting which bad thing will happen. It is about (1) knowing what risks you carry, (2) making informed decisions about which to insure, mitigate, transfer, or accept, and (3) being prepared to respond when something does happen. This tool produces the documents that operationalize all three.
2. Getting Started
Who this is for
- Executive Directors who own organizational risk by default and need to formalize what is currently in their head
- Board members on governance, audit, finance, or risk committees who need to fulfill fiduciary oversight
- Operations or compliance staff who maintain the insurance file and incident log
- Treasurers reviewing insurance budgets and renewal recommendations
- Anyone preparing for an audit, accreditation review, or major funder due diligence that touches risk management
What you will need to complete the org profile (5 minutes)
- Organization name, state, EIN, mission
- Approximate annual revenue
- Number of employees (full-time + part-time)
- Approximate number of active volunteers
- Whether you have a physical office or program location
- Whether your work uses vehicles (owned, leased, or staff/volunteer personal)
- Whether you serve vulnerable populations (children, elderly, persons with disabilities, persons in crisis)
- Whether your work handles cash or significant donor data
What you will need to fully complete the Insurance Coverage Inventory (varies)
You will need the declarations pages ("dec pages") from each active insurance policy. Your broker should be able to send these in a single email if you do not have a digital file.
- General Liability (GL) policy declarations
- Directors and Officers (D&O) policy declarations
- Cyber Liability policy declarations (if separate from GL/D&O)
- Crime / Fidelity bond declarations
- Workers Compensation declarations (if employees)
- Commercial Property declarations (if physical location)
- Commercial Auto declarations (if vehicles used)
- Any umbrella, professional liability, abuse/molestation, or other specialty policies
Email your insurance broker: "Please send me current declarations pages for every active policy you have placed for us." They will reply within a day or two. If they cannot, that is itself a finding worth surfacing in this audit.
3. Onboarding Wizard
The onboarding wizard runs once and saves to your browser. You can re-run or update the profile any time from the dashboard.
Step 1 — Organization Basics
Name, state, EIN, founding year, and a short mission statement. These are used as merge fields throughout the generated documents.
Step 2 — Size and Scale
Annual revenue, employees, and active volunteers. Revenue drives several recommendation thresholds (insurance coverage limits, recommendation of an Umbrella policy, recommendation of a formal Risk Committee versus integrating with Finance Committee). Employee count drives Workers Compensation requirements, EPLI recommendations, and whether HR-related risks should be elevated.
Step 3 — Operations Profile
Three questions that drive substantial changes in your generated documents:
- Physical location — activates Commercial Property recommendations and adds property-specific sections to Risk Register and Crisis Plan
- Vehicles — activates Commercial Auto and Non-Owned/Hired Auto recommendations (the latter is the coverage most often missing when staff drive personal vehicles for work)
- Vulnerable populations served — activates Abuse and Molestation coverage discussion, two-adult rule, background check protocols, and program-risk additions to the Risk Register
Step 4 — Data and Cash
Whether you handle donor financial data, whether you collect beneficiary data subject to HIPAA/COPPA/FERPA, and whether you handle cash or near-cash assets. These drive cyber coverage recommendations, crime/fidelity bond recommendations, and breach-notification considerations.
Step 5 — Current Risk Maturity
A short self-assessment: Do you have a written risk register? A current crisis plan? An annual broker review? A board-level risk discussion? This does not gate any features — it adjusts emphasis in generated documents (e.g., if you have no crisis plan, the Crisis Plan generator opens with a more foundational tip).
You can skip any field and come back later. Generators will use placeholders for unset fields. The Dashboard banner reminds you to complete the profile until all five steps are filled in.
4. Using the Generators
Seven generators across three categories. Each follows the same pattern: read the tip, fill in fields on the left, watch the live preview on the right, mark complete when satisfied, export when ready.
| Category | Generator | Typical Time | When to Use |
|---|---|---|---|
| Core ERM | Risk Register & Assessment | 30-45 min | Foundation document. Build first or second. |
| Core ERM | Risk Committee Charter | 20 min | When elevating risk oversight to board level. |
| Insurance | Coverage Inventory | 30-60 min | Build first — many other tools reference it. |
| Insurance | Gap Analysis | 15 min | Best run after Coverage Inventory. |
| Insurance | Annual Insurance Review | 20 min | 60-90 days before primary policy renewal. |
| Incident | Crisis Management Plan | 45-60 min | Once per organization; review every 2 years. |
| Incident | Incident Report Template | Used per incident | Every incident, including near-misses. |
Recommended order for a first-time user
- Coverage Inventory first — you will spot what you do not actually know about your own insurance, and the Gap Analysis depends on it
- Gap Analysis second — run while the inventory is fresh; surfaces critical gaps to take to your broker
- Risk Register third — with insurance in context, you can score risks knowing what is and is not covered
- Crisis Plan fourth — can borrow material from the Risk Register
- Annual Insurance Review — whenever you are 60-90 days from primary policy renewal
- Risk Committee Charter — when ready to formalize board-level risk oversight
- Incident Report Template — not built proactively; opened and customized when an incident occurs
The Gap Analysis reads from your Coverage Inventory entries. The Annual Insurance Review references both. The Risk Committee Charter references the Crisis Plan, Risk Register, and Annual Review. Build them in order and they reinforce each other — build them out of order and you will end up revising.
5. Exporting Documents
Three export options on every generator:
- Download as Word (.docx) — formatted with headings, bullets, and the BYC document style. The default for documents going to the board.
- Download as HTML — for posting on a private intranet or sending as an email attachment that everyone can open.
- Copy to Clipboard — plain text formatted with Markdown-style emphasis. Useful when pasting into Google Docs, an existing template, or a board portal.
All document generation happens locally in your browser. Your data never leaves your device unless you choose to share the resulting document. The first DOCX export per session takes 2-3 seconds longer while the DOCX library loads from the CDN.
Every document this tool generates is intended as a high-quality starting draft. For documents going to the board for adoption — particularly the Risk Committee Charter and Crisis Plan — have legal counsel and your insurance broker review before formal adoption. For Incident Reports involving serious injury, death, abuse allegations, or potential D&O exposure, contact legal counsel and your broker BEFORE extensive internal investigation.
6. Insurance Fundamentals for Nonprofits
Before diving into specific coverage lines, a few concepts make the rest of this guide make sense.
The five things insurance does (in order)
- Pays the defense — the carrier appoints lawyers and pays them, whether or not the claim has merit. This is often more valuable than the indemnity payment because legal defense of even a meritless claim can run $100k+.
- Pays the indemnity — if a judgment or settlement is reached, the carrier pays up to the policy limit.
- Provides risk management resources — most carriers offer free training, sample policies, hotlines, and risk consulting. This is the most under-used benefit of having insurance.
- Forces a discipline — the renewal questionnaire alone surfaces issues most organizations would not otherwise document.
- Transfers risk you cannot afford to absorb — the right limits convert a catastrophic loss into an affordable annual premium.
Defense inside vs. outside the limit
This is one of the most important coverage details, and one most boards never ask about. With defense outside the limit, the carrier pays defense costs in addition to the policy limit — meaning your $1M of D&O coverage is fully available to pay a judgment. With defense inside the limit, defense costs erode the policy limit — meaning a long defense can leave you with little or nothing for indemnity. For nonprofit D&O, defense outside the limit is the better structure.
Claims-made vs. occurrence
General Liability is usually occurrence-based — the policy that was in force when the incident happened pays, regardless of when the claim is made. D&O, Cyber, and Professional Liability are usually claims-made — the policy in force when the claim is made pays. Claims-made policies require continuous coverage; if you let a claims-made policy lapse, you lose coverage for incidents that occurred while it was in force unless you buy extended reporting ("tail") coverage.
Limits, sublimits, and aggregates
A policy will typically have a per-occurrence limit (max payout per claim) and an aggregate limit (max payout across all claims in the policy year). Sublimits cap specific coverage areas within the broader policy — for example, a $1M Cyber policy might have a $250k sublimit for regulatory fines. Always ask: what is the sublimit on the specific exposure I care most about?
Deductibles, retentions, and SIRs
The amount you pay before insurance kicks in. Deductibles are typically paid by the carrier and billed back to you. Self-Insured Retentions (SIRs) are paid directly by you and must be exhausted before the carrier participates. SIRs often come with the right to control defense within the SIR — useful or dangerous depending on perspective.
What "A.M. Best" means and why it matters
A.M. Best is the rating agency that scores insurance carrier financial strength. A or better is the typical board-policy minimum. Carriers below A- may be cheaper but introduce the risk that the carrier itself becomes insolvent during a long-tail claim. Your broker can confirm any carrier's current rating.
7. The Seven Key Coverage Lines
Most nonprofits need most of these. The right combination depends on size, programs, and operations — which the Gap Analysis tool surfaces using your org profile.
General Liability (GL)
Covers bodily injury and property damage claims arising from your operations — the classic "slip and fall" coverage but much broader. Required by most landlords, most funders, and most contracts. Standard limits: $1M per occurrence / $2M aggregate for orgs under $500k revenue; $2M / $4M for $500k-$2M; $5M / $10M or more for larger. Almost always occurrence-based.
Directors and Officers (D&O)
Covers your board, officers, and the organization itself against claims arising from decisions made in their governance/management capacity. The most important coverage for the board, period. Recruiting quality board members without D&O coverage is increasingly difficult and arguably a governance failure. See Section 8 for a full deep dive.
Cyber Liability
Covers data breaches, ransomware, regulatory fines, breach-notification costs, business interruption from cyber events, and (often) social engineering / wire fraud. No longer optional for any nonprofit holding donor financial data, beneficiary records, or significant personally identifiable information. See Section 9.
Crime / Fidelity Bond
Covers employee dishonesty — embezzlement, forgery, computer fraud, funds transfer fraud, theft of money or securities. Often required by funders and accreditors. Critical for any org that handles cash, processes donations, or has multiple staff with financial access. Often confused with cyber coverage; they are different and you typically need both. Standard limit floor: $250k.
Workers Compensation
Required by state law in nearly every state for organizations with employees (thresholds vary; some states require it at the first employee, others at 3-5). Pays medical costs and lost wages for work-related injuries. Volunteers are typically not covered by WC — volunteer injuries are covered (or not) by GL.
Commercial Property
Covers physical assets — building (if owned), contents, equipment, and often business interruption. Triggered by your org profile if you have a physical location. Common gap: under-insuring contents (computers, AV, program supplies, donated items in inventory). Conduct a contents inventory at least every 3 years.
Commercial Auto / Non-Owned and Hired Auto
If your org owns vehicles, Commercial Auto is straightforward. The often-missed coverage is Non-Owned and Hired Auto — covers your org's liability when staff or volunteers drive their personal vehicles for org business. Without it, your only protection is the driver's personal auto policy, which may exclude commercial use. Standard limit: $1M minimum.
Specialty: Abuse and Molestation
Critical for any org that serves children, elderly, persons with disabilities, or other vulnerable populations — including youth programs, mentoring, after-school, summer camps, religious programs, eldercare, foster care, and similar. Sometimes available as an endorsement to GL or D&O; sometimes a standalone policy. The Gap Analysis tool flags this as a critical gap for any org that selects "serves vulnerable populations" in the profile.
Specialty: Umbrella / Excess Liability
Sits above your primary GL and Auto policies, paying claims that exceed those underlying limits. Recommended for orgs with $1M+ revenue or higher-risk programs. Cost-effective way to add capacity — $1M-$5M of umbrella often costs less than doubling primary limits.
Specialty: Professional Liability / Errors and Omissions
Covers claims arising from professional services your org provides — counseling, social services, technical assistance, training, advisory services. Often confused with D&O; they cover different exposures. If your org provides professional services to the public or to other organizations, ask your broker whether E&O is appropriate.
8. Directors and Officers (D&O) Insurance Deep Dive
D&O is the most important and most misunderstood coverage in the nonprofit insurance portfolio.
What D&O actually covers
- Side A — personal asset protection for directors and officers when the organization cannot or does not indemnify them (e.g., insolvency, indemnification prohibited by statute)
- Side B — reimburses the organization when it indemnifies directors and officers
- Side C — covers the organization itself for claims naming the entity ("entity coverage")
The Employment Practices Liability Insurance (EPLI) question
Many D&O policies include an EPLI rider that covers employment-related claims (wrongful termination, discrimination, harassment, retaliation, failure to accommodate, wage-and-hour violations). For any org with employees, this is essential. Three ways to structure it:
- Included in D&O — convenient, often cost-effective for small orgs; check sublimits
- Separate EPLI policy — typically broader coverage, higher limits, costs more
- Not carried — significant exposure; the Gap Analysis flags this as a critical gap for any org with employees
Why nonprofits get D&O claims
- Employment claims — #1 source of nonprofit D&O claims (which is why the EPLI rider matters)
- Donor or funder disputes — restricted gift misuse, donor-imposed condition disputes, grant compliance
- Breach of fiduciary duty — financial mismanagement, conflicts of interest, self-dealing
- Whistleblower retaliation — firing or marginalizing employees who report concerns
- Regulatory investigations — state AG, IRS, state charity regulators
- Beneficiary claims — allegations of inadequate services or harm
Common D&O pitfalls to avoid
- Coverage limits frozen for 10 years — while the org's revenue, budget, and risk profile have all grown. Revisit limits in every Annual Insurance Review.
- Defense inside the limit — for nonprofit D&O, defense outside the limit is better.
- Insured-vs-insured exclusion taken too broadly — some policies exclude claims one director brings against another. Ensure carve-backs for whistleblowers and former directors.
- Prior-acts exclusion when switching carriers — the new carrier may exclude acts that occurred before the switch. Buy tail coverage when changing carriers.
- Failure to notify the carrier of changes — new programs, new locations, M&A activity, major personnel changes can affect coverage if not reported.
Many qualified board candidates will ask for proof of current D&O coverage before accepting an appointment. Some employer policies (for executives serving on outside boards) require the outside board to carry D&O. Adopting and maintaining D&O is a baseline expectation of board recruitment in the 2020s.
9. Cyber Liability Deep Dive
Five years ago, cyber liability was optional for many small nonprofits. Today, it is essential for any org handling donor financial data, beneficiary records, or significant employee data. Ransomware actors specifically target small nonprofits because they pay (operations cannot stop) and they often have weak controls.
What cyber liability covers (typical structure)
First-party coverages (your org's own losses)
- Breach response costs — forensic investigation, legal counsel, notification, credit monitoring offers, call center
- Business interruption — lost revenue and extra expense during a cyber-related outage
- Cyber extortion / ransomware — ransom payments (subject to OFAC sanctions screening) and associated costs
- Data restoration — cost to restore data that has been corrupted or destroyed
- Social engineering / wire fraud — often sublimited; covers fraudulent wire transfers induced by spoofed emails
Third-party coverages (claims against your org)
- Privacy liability — claims arising from unauthorized access to or disclosure of confidential information
- Network security liability — claims arising from your network being used to harm a third party
- Regulatory defense and fines — defense of regulatory investigations; payment of fines where legally insurable (varies by jurisdiction)
- Media liability — libel, slander, copyright infringement arising from your content
- PCI fines and assessments — if your org accepts credit cards
What cyber liability does NOT cover (most policies)
- Property damage to your physical equipment (covered by Commercial Property)
- Bodily injury arising from cyber events (covered by GL in some cases)
- Intentional acts by an insider (covered by Crime/Fidelity)
- Patent infringement
- Failure to maintain disclosed security standards (a common exclusion if you misrepresent your controls)
Cyber underwriting today
The cyber insurance market hardened dramatically in 2020-2023. Carriers now require evidence of basic controls before binding or renewing coverage:
- Multi-factor authentication (MFA) on email, remote access, and privileged accounts
- Endpoint detection and response (EDR) on all endpoints
- Backup with offline or immutable copies tested at least annually
- Email security gateway with anti-phishing and spoofing protection
- Documented incident response plan
- Security awareness training for all staff at least annually
- Vulnerability and patch management program
If you do not have these in place, your premium will be higher, your limits lower, and your sublimits more restrictive — or you may not be able to obtain coverage at all. The Build Your Club Document Retention & Security Policy Generator helps document several of these controls.
The DR&S Generator builds five policies that cyber underwriters increasingly ask to see: Data Breach Response Plan, Acceptable Use Policy, Email Use Policy, Privacy Notice, and Document Retention. Together with this Risk Management tool, you cover both the controls (DR&S) and the insurance program (Risk Management) sides.
10. Enterprise Risk Management for Nonprofits
Enterprise Risk Management (ERM) is the discipline of identifying, evaluating, and managing risks across the whole organization — not just by category (insurance, HR, finance) but as a portfolio. Done well, it lets the board see the whole risk picture and make informed trade-offs.
The five-step ERM cycle
- Identify — what could go wrong? Use the categories below as prompts.
- Assess — how likely is each risk, and how big would the impact be? Score on a consistent scale (the Risk Register generator uses 1-5 by default).
- Decide — for each risk, choose: avoid (stop doing the activity), reduce (mitigate), transfer (insure or contract), or accept (acknowledge and monitor).
- Implement — execute the chosen response. Assign an owner and a target date.
- Monitor and report — review the register at the cadence chosen in the generator. Report to the board at the cadence chosen in the Risk Committee Charter.
Risk categories to think through
| Category | Example Risks | Primary Mitigation |
|---|---|---|
| Financial | Loss of largest funder; embezzlement; cash flow shortfall; investment loss | Diversify funding; operating reserve; Crime/Fidelity bond; finance policy |
| Operational | ED departure; key staff loss; IT outage; facility loss | Succession plan; cross-training; backups; business continuity plan |
| Compliance / Legal | Worker misclassification; lobbying violation; private benefit; donor restriction violation | Use BYC HR tool; document policies; legal review of unusual transactions |
| Reputational | Social media crisis; board member statement; mission drift; founder exit | Social media policy; designated spokesperson; Crisis Plan |
| Technology / Cyber | Ransomware; data breach; wire fraud; account takeover | MFA, EDR, backups, training; Cyber Liability; DR&S policies |
| Program / Beneficiary | Allegation of misconduct; beneficiary harm; failure to deliver promised services | Background checks; two-adult rule; Abuse and Molestation coverage; quality systems |
| Governance | Board capture; conflict of interest; loss of quorum; founder syndrome | Strong bylaws; COI policy; succession; board independence |
| External / Environmental | Recession; pandemic; natural disaster; regulatory change | Scenario planning; reserves; flexible programs; advocacy engagement |
Risk appetite and risk tolerance
Risk appetite is how much risk the organization is willing to take to pursue its mission. Risk tolerance is how much variance from expected outcomes the organization can absorb. These are board-level conversations the Risk Committee should facilitate at least once every three years. A nonprofit serving vulnerable youth has a near-zero risk appetite for misconduct and a higher appetite for innovation in service delivery. Knowing the difference shapes hundreds of operational decisions.
11. Crisis Management Framework
A crisis is any event that threatens the organization's ability to operate, fulfill its mission, or maintain public trust. Crises are not the same as incidents (which are usually contained and routine). Crises require leadership-level activation, often involve outside counsel and PR support, and almost always have media or stakeholder visibility.
Common nonprofit crisis triggers
- Leadership crisis — sudden departure of ED or board chair under contentious circumstances
- Financial crisis — embezzlement discovery, audit qualification, cash insolvency, loss of largest funder
- Reputational crisis — social media controversy, journalist investigation, board member statement
- Beneficiary harm — allegation or finding of harm to someone in your care
- Cyber crisis — ransomware lockout, large data breach, wire fraud loss
- Facility crisis — fire, flood, prolonged loss of physical location
- Public health crisis — communicable disease outbreak, contamination
- Regulatory crisis — state AG investigation, IRS examination, accreditation loss
The four phases of crisis response
- Prepare — before crisis happens: written plan, trained team, vendor relationships in place, simulation exercises
- Activate — declare the crisis, convene the team, notify insurance/legal, begin documentation
- Manage — communicate with stakeholders, address the underlying issue, document decisions, support affected people
- Recover and learn — after-action review, update plans, support staff resilience, restore operations
Five decisions that should be pre-made (in the plan, not in the crisis)
- Who declares a crisis — and who can declare in their absence
- Who is the spokesperson — usually the ED; never freelance media comments
- Who has spending authority — and at what dollar thresholds
- When to notify insurance and legal — usually immediately for any matter that could become a claim
- How decisions get documented — contemporaneous notes are essential; memory will not be reliable later
Most nonprofits do not write a crisis plan until they have just survived a crisis. Writing one now is one of the highest-leverage governance investments a board can make — an afternoon's work that meaningfully reduces the cost and chaos of the next crisis.
12. Incident Documentation Best Practices
The Incident Report Template generator provides the structure. The practices below explain why each section matters and how to use the resulting reports.
Why document everything, including near-misses
- Insurance preservation — late notice is grounds for denial on many policies; documented contemporaneous reports preserve coverage
- Pattern detection — one slip-and-fall is an event; five slip-and-falls on the same staircase is a finding
- Legal defense — juries and regulators expect organizations to document and learn from incidents; the absence of documentation is itself evidence
- Insurance pricing — underwriters reward organizations with mature incident management; absence of reports is sometimes treated as "you do not have any controls" rather than "you do not have any incidents"
- Continuous improvement — you cannot fix what you cannot see
The 24-48 hour rule
Most insurance policies require notice "as soon as practicable." Industry practice is that anything that could plausibly become a claim should be reported to the carrier within 24-48 hours. Reporting an event is not the same as filing a claim. When in doubt, report — carriers prefer notice of events that do not develop over late notice of events that did.
Facts vs. opinions vs. legal conclusions
In the initial report, document facts: who, what, when, where, what was observed. Do not document opinions about cause, legal conclusions about fault, or speculation about motives. These are reserved for follow-up investigation, often conducted with or under direction of legal counsel.
When to bring in legal counsel before extensive documentation
- Any allegation of staff or volunteer misconduct involving beneficiaries
- Any potential D&O matter (executive misconduct, governance failure, fiduciary breach)
- Any allegation of harassment or discrimination by a board member, executive, or supervisor
- Any suspected criminal activity
- Any matter likely to involve law enforcement
- Any matter likely to result in regulatory action
- Any matter likely to attract media attention
In these situations, the initial report should be brief and factual; the investigation should be directed by counsel, often under attorney-client privilege.
Retention
Incident reports involving any potential injury or claim should be retained for the longer of (a) 7 years, (b) any period required by funder, regulator, or accreditor, or (c) until the statute of limitations runs on any potential claim. Reports involving minors should typically be retained until the minor reaches age of majority plus the applicable statute of limitations — which can be 25+ years.
13. Risk Committee Governance
A board-level Risk Committee is governance best practice for nonprofits with $1M+ revenue, vulnerable populations served, significant regulatory exposure, or major insurance programs. Smaller organizations typically embed these functions in the Finance or Audit Committee.
Three viable structures
- Standalone Risk Committee — reports to full board; best for larger or higher-risk organizations
- Audit and Risk Committee — combined; common in midsize organizations; leverages overlap between audit and risk oversight
- Finance Committee with risk responsibilities — appropriate for small organizations; risk functions appear as standing agenda items
What the committee should actually do (and not do)
Should
- Oversee the risk management framework, not write it
- Review the Risk Register annually; receive updates on material changes
- Receive the Annual Insurance Review before primary renewal
- Receive incident summaries at every meeting
- Receive immediate notice of any Critical-severity incident
- Review the Crisis Plan every 2 years
- Recommend material risk decisions to the full board
Should not
- Manage day-to-day operations
- Investigate specific incidents (that is staff and counsel work)
- Negotiate specific insurance terms with brokers (staff role, with committee approval of strategy)
- Replace the full board's fiduciary responsibility — the committee elevates and informs; the full board still decides
Sizing the committee
Most effective nonprofit risk committees have 3-5 voting members plus the ED as ex officio non-voting. At least one member should bring relevant expertise — risk management, insurance, legal, audit, or IT security. Larger committees become unwieldy and meeting attendance suffers.
Meeting cadence
Quarterly is the most common cadence. Monthly is overkill for most nonprofits and tends to push the committee into operational territory. Semi-annual is typically too infrequent — renewal cycles, incident reviews, and risk register updates need more frequent touch.
Adopt a written Charter (use the generator) before recruiting committee members; recruit members aligned to the Charter; then run the first meeting from the Charter. Starting with members and meetings without a Charter is how committees drift from oversight into operations.
Administrator Access
This app supports a separate Administrator role with elevated permissions. The administrator can view all user accounts, reset application data, and perform setup tasks.
First-Time Setup
From the sign-in screen, click Administrator Access in the side links below the Sign In button. On first use, you will be asked to set a password (enter once, confirm once). This password is stored as a hash in your browser's local storage — the actual password is never stored in cleartext.
Subsequent Sign-In
After setup, the Administrator Access link prompts only for the password. Successful sign-in lands you on the dashboard with administrative privileges enabled (synthetic user admin@local, isSuperAdmin: true).
Forgot the Admin Password?
The password is stored locally in your browser and cannot be recovered. To reset, sign in as any regular user, open the Admin Settings page if you have admin privileges, and use Reset All Data. This clears all application data including the admin password hash, allowing you to set a new one. Be aware that this also clears all generated documents and user accounts — export anything you want to keep first.
Because the app runs entirely in your browser with no server-side accounts, the administrator role is browser-specific. If you sign in from a different browser or device, you will need to complete first-time setup again on that device. For shared administrative access across a team, consider whether a hosted solution would better fit your needs — or document access procedures clearly.
Contact & Support
This Risk Management & Insurance Audit tool is part of Build Your Club Academy — a growing library of self-service apps and learning content for small nonprofit organizations. We are nonprofit board members ourselves, building the tools we wished existed when we started.
Other Build Your Club tools you may find useful
- Document Retention & Security Policy Generator — five core policies including Data Breach Response, Acceptable Use, and Privacy Notice. Pairs naturally with the Cyber Liability section above.
- Nonprofit Employment & HR Policy Generator — ten HR policies plus worker classification, compensation, and onboarding tools. Pairs with the EPLI / D&O sections.
- All Build Your Club apps — the full app library including board management, donor management, fundraising, grants, marketing, and more.
Questions, suggestions, bug reports
We read every message and incorporate feedback into the tools. Reach us through the contact form on buildyourclubacademy.org or via the support links on the main BYC site.
Important disclaimers
This tool generates document drafts based on widely accepted nonprofit risk management practice and general principles of insurance. It is not legal advice, is not insurance advice, and does not establish an attorney-client or broker-client relationship. State laws, regulatory requirements, accreditation standards, and insurance market conditions vary and change. Before adopting any generated document — particularly the Risk Committee Charter and Crisis Plan — have it reviewed by qualified legal counsel and your insurance broker. For incidents involving serious injury, death, abuse allegations, suspected criminal activity, or potential D&O exposure, consult legal counsel and your broker immediately, before extensive internal investigation.