Due Diligence: What Grantees Need to Know

NGOsource, a project of TechSoup and the Council on Foundations, has published its first article in a three-part series on due diligence in grantmaking. The series explores the purpose and function of a grantmaker's due diligence program, along with specific tools and resources. This companion piece is intended to look at what due diligence means for nonprofit grantees.

What Is Due Diligence?

In its broadest sense, due diligence refers to the level of attention that must be paid to a particular circumstance before taking action. As many of us are aware, organizations and individuals are generally advised to conduct due diligence before entering into any material transaction, like a large investment, purchase, or donation. Companies regularly conduct due diligence before a merger or acquisition, ensuring that there will be no surprises down the road once the transaction is complete and there is no going back.

In the nonprofit sector, due diligence is just as relevant for things like investments and mergers. However, the term is most commonly used with respect to an organization's funding of, collaboration with, or partnership with another nonprofit. For grantmakers, conducting due diligence on a grantee is a key component of any grantmaking program. For potential grant recipients and other nonprofits, understanding how to prepare for and successfully undergo a due diligence exercise increases their chance of receiving a grant or formalizing other kinds of successful partnerships.

When and Why Is Due Diligence Necessary?

Due diligence is an exercise most commonly undertaken by one party on another. However, when an organization undertakes an internal audit on its own practices, it is in essence conducting due diligence on its own operations.

This "internal" due diligence is useful in a number of circumstances. For example, following a change in leadership, or in preparation for a public-facing campaign or grant appeal, it behooves an organization to review its standard policies and processes to ensure that it can respond to or mitigate potential areas of exposure.

In other words, there are many good reasons to conduct inward-facing due diligence without it being imposed on an organization by an external party. This post, however, primarily focuses on responding to an externally imposed due diligence exercise.

The kind of due diligence appropriate in any given situation varies according to the individual circumstances, relevant laws, political climate, and risk appetite of the parties involved. In the nonprofit sector, due diligence is primarily used to address one of four risks:

  • Legal
  • Mission alignment and impact
  • Financial
  • Reputational

Addressing legal risk is generally the most comprehensive and burdensome aspect of any due diligence exercise. Failure to appropriately mitigate legal risks can carry serious financial and criminal penalties. For this reason, legal risk is also closely linked to financial and reputational risk.

How to Prepare for a Due Diligence Exercise

We cannot possibly address every potential risk here. Our goal is instead to provide a high-level blueprint for ways your organization might think about and prepare for a due diligence exercise. This will be helpful if your organization is being considered for a grant, is being reviewed for an equivalency determination or expenditure responsibility, is under audit by a regulator, or is simply preparing for the possibility of such a review. In any of these scenarios, it's necessary to take stock of your organization's current processes around recordkeeping, security, and communications, as these will be key to any due diligence exercise.

Accessible Recordkeeping

No matter the circumstance, you will be asked to produce some kind of documentation, digital or otherwise, related to the formation, regulation, and operation of the organization. Oftentimes organizations are so focused on achieving their programmatic missions that they forgo fundamental document management and recordkeeping that could save them significant time and money in the long run. Every nonprofit organization should permanently retain the following in an accessible location, either on paper or digitally (ideally both):

  • Incorporation, registration, and current governing documents (certificate or articles of incorporation, memorandum of association, bylaws, statutes, trust deed, and the like)
  • Any pertinent certificates of registration or tax exemption
  • At least three years of audited or unaudited financial statements
  • Any current organization-wide policies (conflict of interest policy, human resources manual, code of ethics, whistleblower policy, document retention policy, and the like)

Locating and producing these kinds of documents is often the most painstaking part of any due diligence exercise. Once you have a system down, it should be easy to produce and replicate such documents on demand.

Note that, for 501(c)(3) organizations in the U.S., some of these documents are required to be maintained and available to the public upon request. In some other countries, like the U.K., many of these documents are publicly accessible online via regulators like the Charity Commission, but this is not the case in most countries.

Maintaining digital copies of key organizational documents is especially important when access to physical locations may be limited, such as during conflict, disaster, or pandemic.

Data Security

Data security is critical for your organization's operations, including the maintenance of its own records, and for the safety of its staff and beneficiaries whose personal data you maintain. But data security is also key to retaining the trust of your funders. Funders are increasingly concerned about their grantees' understanding of, and implementation of, effective data security measures. At a minimum, your organization should require password protection on all devices, as well as automatic backups.


Failure to follow this basic tenet of good communications regularly costs organizations grants. Funders are often operating under tight deadlines to disburse funds, and a prospective grantee's failure to respond and produce requested documents in a timely manner can actually lead to their loss of a valuable grant opportunity. Even if a grant is not lost due to a grantee's lack of responsiveness, it may bear on the organization's reputation and likelihood of securing future grants from that funder and others. An organization's ability and willingness to respond in a timely fashion in this way has critical short- and long-term consequences.

Proactive Acknowledgment and Correction of Past Failures

It is not unusual for nonprofits to have experienced at some point loss of data, litigation, fraud, or other circumstances that may give rise to a red flag under a due diligence review. The best possible way to address such situations is by promptly acknowledging them and, if applicable, demonstrating that corrective action was taken to mitigate the possibility of recurrence.

Demonstrated initiative with respect to a typical negative event can actually shed a positive light on an organization's ability to quickly address the unanticipated. Grantees are often under the impression that their funders only want to encounter spotless track records. To the contrary, funders are looking for transparency and clear communication. An organization's demonstration of its ability to learn and grow from mistakes is a sign of resilience and an important assurance of its ability to mitigate risk.

Know Your Audience

It is not possible to prepare in advance for every request that may come from a funder, a regulator, or a potential partner. Instead, focus on what is important to those stakeholders with whom your organization is most likely to interact. While the Internal Revenue Service may home in on your conflict of interest policy, a humanitarian funder may be much more interested in your safeguarding policy.

If your funders are government agencies, then review the state or federal requirements that apply to government grants and contracts. If you work with children, then be prepared to demonstrate compliance with local and international laws, as well as best practices, around child protection. If you are a non-U.S. nonprofit seeking funds from U.S. foundations, then familiarize yourself with equivalency determination and expenditure responsibility, since one of these two due diligence mechanisms will likely be undertaken before you are issued a grant.

Never assume that one review will look anything like the last. Unfortunately, because risks and willingness to take on risk vary so greatly between funders and regulators, there is no one-size-fits-all approach to due diligence. The best you can do as an organization to prepare for such an exercise is to maintain organized and secure records, timely communications, and attention to the specific needs of your reviewer.

TechSoup Resources

A number of tools are available to nonprofit organizations struggling to manage financial, technical, legal, and administrative aspects of their operations. We've listed a few such key resources below.