Evaluating your fundraising campaign risks
Fundraising campaigns require a considerable amount of activity, and harmful risks can emerge in several areas, including external parties, people, processes, technology and relationships. The potential consequences of these risks can be significant, from derailing the progress of your institution’s campaign, to more severe results such as reputational damage, financial losses, falling stakeholder consequence and even sustainability questions.
Potential risks that are common to fundraising campaigns include:
- Lack of transparency and manipulation of financials
- Segregation of duties and proper recording of gifts
- Fraud risks and safeguarding of cash receipts
- Cybersecurity and security and privacy of donor information
- Compliance with charitable registration laws
- Social media and media responsibilities
In addition, third-party risks are often overlooked during capital campaigns. Your board of directors should discuss and develop organizational policies and processes for third-party fundraising initiatives to capitalize on the benefits while reducing risks. Potential controls to protect against third-party risks include not loaning, selling or transferring your charitable registration number, clearly defining the duration of agreements, restricting further transfers of third-party responsibilities, reviewing any materials with your logo and ensuring third parties abide by your policies and procedures.
During your organization’s fundraising campaign, you likely collect personally identifiable information (PII) from donors, defined as first and last names in conjunction with social security numbers, date of birth, driver’s license numbers, or financial account or credit card numbers. PII is the focus of new U.S. data privacy laws due to the growth in identity theft and the potential to locate an individual with that information. Your institution must implement effective controls to manage, protect and store donor PII collected during a campaign.
Cybersecurity must also be top of mind during your campaign, as emerging threats can bypass the preventative controls institutions typically focus on such as vulnerability, patch and configuration management, and access and authentication controls. Instead, your institution should implement a more effective security framework that includes detective and corrective controls. Detective controls leverage active monitoring and alerts, while corrective controls utilize incident response, forensics and quarantine capabilities.