2025 promises to be a busy year as nonprofit leaders grapple with risks ranging from cybersecurity and adoption of new technologies to concerns regarding internal fraud, financial reporting, and fundraising. Here are some risks to watch for in 2025.
Nonprofits are no strangers to challenges, but 2025 is shaping up to be a year of transformation and heightened risks. From the rapid evolution of artificial intelligence (AI) to increasing cybersecurity threats and evolving financial scrutiny, nonprofit leaders are navigating complex terrain. Staying ahead of potential risks is essential to safeguarding your mission and resources. Below, we explore five critical risk areas to focus on in 2025 and offer actionable steps to address them effectively.
1. Artificial intelligence: Harnessing AI for business innovation and efficiency
As nonprofits continue to navigate complex compliance requirements, they face new challenges associated with emerging technologies. AI is a current technology that continues to disrupt business and settled practices within organizations. Balancing the features of AI with security should be at the forefront of your technology and cybersecurity planning.
The critical starting point is understanding where AI is used in your technology platforms, how it’s being leveraged, and the security risks presented. Use your existing processes to evaluate AI technologies, and, if necessary, bring in experienced consultants to help strengthen your governance over AI.
Your evaluation should consider the following areas:
Data privacy. Protect individual privacy by ensuring sensitive data is handled in compliance with applicable laws and regulations.
Data confidentiality. Confirm that sensitive data — especially client data — is never used in AI queries.
Data management/minimization. Staff should understand the importance of limiting the amount of organizational data submitted into AI models.
Governance and oversight. Establish a committee that’s responsible for overseeing the development and deployment of AI technologies, including policies and procedures.
Training and education. Provide training and education to staff on AI governance principles and best practices.
Validation and accuracy of results. Develop processes to verify AI results before they are used internally or released for public consumption. Your assessment criteria should include checking the accuracy of the sources relied upon by the AI model and checking for plagiarism and potential bias.
2. Cybersecurity: Mitigating cyber risk in nonprofit operations
There are several ongoing cybersecurity risks nonprofits should address to ensure data confidentiality and information system availability. To understand and develop strategies to mitigate cyberthreats, a comprehensive risk assessment is necessary. It should include the following:
Social engineering. Evaluate your staff’s ability to protect against external threats from:
Phishing (the use of bogus emails to direct users to a fake website in an attempt to steal sensitive information).
Vishing (voice phishing via phone calls or voice messages).
Impersonation attacks (deepfake).
Multifactor authentication compromise.
Security vulnerabilities. Mitigate vulnerabilities in your network by periodically conducting simulations of external and internal attacks by threat actors.
Vendor and supply chain management. Monitor critical vendors’ adherence to established business security standards to ensure the protection of entrusted information.
Immature security environment. Monitor your organization’s adherence to security controls in line with common frameworks to avoid introducing risks among your people, processes, or technologies.
3. Form 990: Addressing risks related to public perception and IRS focus areas
When reviewing a nonprofit’s annual Form 990, board members often ask what they should be concerned about in this tax filing. While the focus is often on whether the organization’s tax exemption is at risk, this is usually a minor concern. The bigger challenge lies in managing public perception. Why? Your Form 990 is posted online for anyone to see. It reveals a lot about your organization, including how efficiently it uses donor and constituent money, whether funds are advancing the mission, executive compensation, the process for determining that compensation, and details of transactions with interested parties such as board members or their families, to name a few.
Beyond issues of public perception, the IRS may use the information on your Form 990 to trigger an audit. While the IRS doesn’t disclose what indicators it uses to initiate an audit, practitioners have some idea based on experience. For example, unusually high and low compensation can raise red flags, as can issues with independent contractors and payroll tax compliance. A lack of fundraising expenses when there are large amounts of fundraising income can also cause concern. There are many areas that can raise red flags, so be meticulous about what your organization reports on its Form 990, and be ready for scrutiny from donors, staff, news outlets, and the IRS.
4. Fraud detection: Finding out what you don’t know
The purpose of your annual audit is to ensure your nonprofit’s financial statements materially represent the financial position at a specific point in time. The emphasis on “materially represent” is crucial, as it’s cost-prohibitive to examine every single transaction. Instead, auditors assess risks and test for material issues. While still troubling, many frauds are immaterial to the financial statements as a whole and may go undetected by auditors. Management should not rely on audits to detect fraud; the unfortunate reality for those who do is that misconduct can often go undetected and unaddressed for an extended period, leading to a culture of impunity and increased losses, as fraud typically escalates over time.
Further, if issues aren’t reported and addressed internally, they may eventually become public, which could lead to negative publicity and a loss of donor support. To detect and address fraud in your nonprofit, it’s essential to:
Foster a culture that encourages your staff to speak up when they notice something suspicious.
Ensure your organization has an accessible way to report concerns.
Train all staff on how to use the available reporting options.
Have established policies and procedures for how to respond to reported concerns.
Studies have shown that tips are the most common method by which organizations detect fraud. Additionally, hotline reports can provide valuable insights into operational areas where your organization can improve its practices and policies.
Finally, understand who your organization’s vendors are and verify their legitimacy. We’ve seen several instances where nonprofit employees and leaders have created fraudulent vendors or service providers to divert funds from the organization.
5. Accounting and financial reporting reminders
In the current economic climate — showing inflation at relatively high levels, new and potential policy changes coming from the new presidential administration, and ongoing international conflicts — some nonprofits are feeling uncertain about the U.S. economy and future impacts. Viewed through this lens, several accounting areas may be impacted.
Revenue and fundraising sources: Emerging government policies have already proven to impact not-for-profits that operate in certain parts of the world or have particular missions more severely than others. Overall fundraising and giving by donors may be negatively impacted by inflationary pressures and economic uncertainty. If economic uncertainty is a factor for your nonprofit, be sure to keep a close eye on the collectability of pledges and other accounts receivable and your future cash flow projections, and update your budgets accordingly.
Credit losses: FASB ASU No. 2016-13, Financial Instruments—Credit Losses (Topic 326): Measurement of Credit Losses on Financial Instruments, includes a requirement to estimate credit losses expected over the contractual life of a financial asset. Factors to consider include historical experience, current conditions, and reasonable/supportable forecasts. This requirement makes it imperative to monitor the overall economy and the impacts of continued inflation, policy changes, and other economic factors that will impact the credit losses recorded on your receivables.
Investment managers: As more nonprofits rely on investment managers and advisors (or have transitioned entirely to an outsourced chief investment officer to manage the investment portfolio), it’s critical to properly monitor your third-party service providers, understand their controls and processes, and ensure investment information is properly reported. Be informed: ask questions during presentations, understand how investments are being selected and evaluated, and independently assess benchmarking or performance data provided by the third party. If the third party receives attestation reporting (for example, a SOC-1 report), obtain the reports and evaluate any findings.
Stay vigilant and cautious on the road ahead
2025 presents a complex array of risks for nonprofit organizations. Leaders must be prepared to safely leverage new technologies, stay on top of emerging cybersecurity threats, and keep a strong eye on funding and finances. By implementing comprehensive risk management practices, your nonprofit can safeguard its operations and reputation, sustain its impact, and continue to fulfill its mission in the year ahead.