Three Risk Management Priorities Nonprofits Should Tackle in 2026
Nonprofits don’t always think of themselves as risk-bearing institutions—but every organization, no matter its size or mission, manages risk every single day. From weather disruptions, to workplace safety, to digital vulnerabilities in volunteer programs, smart risk management is simply another form of mission stewardship.
In my recent “Risk Management Tips for Nonprofits in 2026” post, I highlighted three areas that every nonprofit should revisit this year: winterizing your policies, preparing for OSHA’s proposed heat-safety rules, and reviewing volunteer digital policies. Below is a deeper dive into each tip, with real-world examples across different types of nonprofit organizations.
1. Winterize Your Policies: Preparing for Cold-Weather Disruptions
Winter weather is more than a logistical hiccup—it's an HR, safety, and program-continuity issue.
Know Your Wage Obligations (and Avoid Accidental Violations)
Many nonprofits don’t realize that exempt employees generally must be paid their full weekly salary if they perform any work that week—even if a snowstorm closes the office for several days. If your nonprofit moves services online, a single email from an exempt employee triggers this requirement.
Examples across nonprofits:
Arts organizations: If rehearsals are canceled for a blizzard but your Artistic Director spends Monday reviewing a grant report, you must pay the full week.
Environmental nonprofits: Field-based staff who move to remote work for part of the week due to icy roads still count as having worked.
Administrative offices: A development director who logs into email during a campus closure day is still considered active for payroll purposes.
This is why policies matter: clarity now prevents compliance headaches (or back pay issues) later.
Treat Winter as a Workplace Hazard—Not an Inconvenience
For organizations serving unhoused or vulnerable communities, winter introduces immediate safety risks. Your winter hazard assessment should identify risks like icy walkways, inadequate heating in client areas, and outdoor work that exposes staff to cold-related illnesses.
Examples:
Shelters: Frequent doorway traffic melts snow, creating icy re-freeze areas. Assign a staff rotation for de-icing or contract with a service provider.
Mobile outreach teams: Provide high-visibility gear, gloves, and traction devices, and require teams of two for overnight outreach.
Food distribution sites: Parking-lot events need windbreaks, heaters, and clear pathways for carts and volunteers.
Small operational changes can dramatically reduce preventable injuries and interruptions to service.
2. Stay Warm on OSHA’s Proposed Heat-Safety Rule
It may feel odd to plan for heat in December, but nonprofits should treat heat exposure the same way we treat winter hazards: as predictable and preventable.
OSHA is still signaling it will pursue some form of heat-illness protections, even if the final rule is scaled back. Now is the time to integrate heat-safety considerations into your 2026 policy updates and training plans. You can use OSHA’s Employer Checklist for Outdoor and Indoor Heat-Related Injury and Illness Prevention to guide you as you do your assessment.
Heat Exposure Affects Far More Nonprofits Than We Think
Heat isn’t just an “outdoor construction worker” issue. Nonprofits across sectors face distinct heat-related risks:
Human services: Outreach teams on foot, or staff doing wellness checks in un-air-conditioned homes, often lack consistent access to water or shade.
Food banks & meal programs: Staff or volunteers moving between refrigerated rooms and warm loading docks experience “temperature yo-yoing,” which strains the body and increases illness risk.
Youth programs: Children often miss early signs of heat exhaustion and don’t know how to prevent it—your staff must not miss those signs.
Arts & culture orgs: Outdoor performances, festivals, and community events are increasingly affected by heat waves, especially in July and August.
Build a Heat Hazard Assessment Into Your Annual Risk Plan
A heat-hazard assessment highlights operational vulnerabilities before they become emergencies.
Questions to guide your 2026 planning:
What happens if temperatures reach levels that affect power systems or equipment? (re: the Pacific Northwest Heat Dome of 2020)
Do staff know how to identify heat stroke or heat exhaustion?
What internal thresholds trigger modified programming (e.g., canceling outdoor activities or shifting to shaded areas)?
Are staff trained to respond to heat-related illness in children?
Examples across nonprofits:
Environmental orgs running summer youth camps: Create a “heat index protocol” that automatically adjusts activities based on CDC guidance.
Community events & festivals: Add cooling stations, medical roaming teams, shade tents, and hydration points for staff, vendors, and volunteers.
Animal shelters: Redesign outdoor kennel schedules, add misting fans, and train volunteers to recognize overheating in animals and themselves.
Check out OSHA’s Heat Hazard tips for even more inspiration as you plan your risk assessment. As climate change continues to cause record-breaking extreme weather patterns, heat planning isn’t theoretical anymore—it’s a business continuity strategy.
3. Review (and Strengthen) Your Volunteer Digital Policies
Volunteers often access more systems than we realize—email lists, shared drives, event software, donor platforms, digital intake forms, and sometimes even sensitive client information. Yet volunteer policies are often less developed than staff policies.
A strong digital policy protects your organization, your clients, and your volunteers.
What a Solid Volunteer Digital Policy Should Include
Good policy isn’t just about guarding data. It’s about preventing confusion, inconsistency, and unnecessary risk.
Every nonprofit—regardless of mission—should clearly outline:
What platforms volunteers can access (and what they cannot)
How accounts are created and disabled (and when)
How and when information should be stored or deleted (e.g., client numbers after outreach shifts)
Confidentiality expectations
Rules for personal device use
2FA or password requirements for any device accessing organizational data
Examples of Risks Across Nonprofits
Animal rescues: A volunteer uses their personal phone to schedule foster appointments, but doesn’t delete client numbers afterward.
Arts organizations: Event volunteers download spreadsheets of vendor contact info to their personal laptops.
Food banks: A volunteer logs into a shared email account without two-factor authentication on their device.
Human services: Volunteers accessing intake tools may unintentionally store client data in personal text threads or notes apps.
If volunteers touch technology, they touch risk. The solution isn’t less access—it’s better policy, training, and safeguards.
Risk management is not about eliminating risk
It’s about anticipating it and making thoughtful, mission-centered decisions. Whether it’s preparing for winter storms, extreme heat, or tightening your digital protocols for volunteers, these actions protect your nonprofit’s people, programs, and long-term sustainability.
If reading this sparked ideas—or uncertainty—about your organization’s risk posture, I’d love to help. I offer policy reviews, risk assessments, and practical, actionable updates tailored specifically to nonprofit realities.