Policies are the governance skeleton of a nonprofit. They codify how decisions get made, who's accountable for what, and how the organization responds to problems. Yet many nonprofits operate with minimal policies — treating them as bureaucratic overhead rather than essential infrastructure.

The reality: policies protect your organization and your board. They create consistency, establish procedures, demonstrate good governance to funders and regulators, and provide a paper trail if disputes arise. This lecture covers 15 essential policies every nonprofit should have, explains why each matters, and shows you what each should contain.

Why Policies Matter More Than Most Founders Realize

Many nonprofit founders treat policies as bureaucratic overhead — something you adopt to check boxes and satisfy auditors, then ignore in actual operations. This misunderstands their function. Policies are your governance infrastructure. They establish expectations, create consistency, document decision-making authority, and provide written evidence that your organization takes its mission seriously.

Policies also protect you personally. When conflicts arise, documented policies demonstrate that you've exercised reasonable care (fulfilling your duty of care obligation). When donors question fund use, policies show how decisions were made. When staff members raise concerns, policies establish the process for handling them.

The golden rule: Write policies that reflect how you actually operate. Then follow them consistently. A policy you don't enforce is worse than no policy — it demonstrates carelessness. A policy that doesn't match reality creates confusion and credibility problems.

Board responsibility: Major governance policies (conflict of interest, whistleblower protection, document retention, compensation) require formal board adoption. The board should review all policies at least annually. Minor operational policies can be delegated to the executive director or staff, but the board is ultimately accountable for all organizational policies.

Tier 1: Non-Negotiable Governance Policies

These five policies are foundational to responsible governance. Every nonprofit — even small ones — should have these.

1. Conflict of Interest Policy

This policy requires board members and staff to disclose financial interests, relationships, and business affiliations that could create conflicts. It establishes how the board handles disclosed conflicts (voting recusal, transaction approval process, etc.) and consequences for non-disclosure.

What to include: Definition of conflict, mandatory disclosure process, annual certification, specific scenarios (contracts with board members' businesses, nonprofit donations to related entities), recusal procedures, and documentation requirements.

Why it matters: IRS Form 990 Schedule O requires disclosure of conflict of interest policies. The policy protects the organization from self-dealing and demonstrates good governance to funders. See Lecture 1.2.3 for detailed template language.

2. Whistleblower Protection Policy

This policy encourages staff and board members to report legal violations, ethical breaches, and mismanagement without fear of retaliation. It establishes safe reporting channels and protects those who report in good faith.

What to include: Protected reporting channels, prohibition on retaliation, confidentiality protections, investigation procedures, and outcomes communication.

Why it matters: It's required for most federal grants and is best practice for all nonprofits. It protects whistleblowers legally and helps your organization catch problems early. Without it, staff may tolerate misconduct or leave the organization.

3. Document Retention and Destruction Policy

This policy establishes how long the organization keeps various types of documents and when they're destroyed. It protects the organization from disputes about "lost" records and ensures compliance with legal requirements.

What to include: Retention periods by document type (board minutes indefinitely, financial records 7+ years, employment records 3-4 years per labor law), procedures for storage, and destruction requirements.

Why it matters: IRS audits look at records retention practices. Funders want to know records are maintained securely. Destroying records on schedule demonstrates responsibility; indiscriminate deletion looks suspicious. Additionally, IRS regulations require that nonprofits retain specific records (particularly Form 990 and tax documentation) indefinitely.

4. Whistleblower Non-Retaliation Policy

This is separate from the whistleblower protection policy. It specifically prohibits retaliation against anyone who reports violations internally or to external authorities. It's legally required for many federal grants.

What to include: Examples of protected reporting, explicit prohibition on retaliation, confidentiality protections, investigation requirements, and remedies for retaliation.

Why it matters: Federal grant requirements (OMB Uniform Guidance) mandate whistleblower non-retaliation language. But more importantly, it protects your organization from losing good people because they reported problems.

5. Gift Acceptance Policy

This policy clarifies what donations the organization will accept and under what conditions. It prevents you from accepting gifts with strings attached or gifts that compromise the mission.

What to include: Types of gifts accepted (cash, property, securities, in-kind donations), gifts to decline (gifts from competing organizations, restricted gifts that limit program flexibility), donor naming expectations, and endowment requirements.

Why it matters: Donors sometimes donate with hidden expectations or conditions. A gift acceptance policy prevents misunderstandings and ensures you honor donor restrictions appropriately. It also demonstrates to major donors that you're a sophisticated organization that takes gifts seriously.

Tier 2: Essential HR and Operations Policies

These policies become necessary once you have staff. If you're all-volunteer, you can defer some of these, but have them ready before your first hire.

6. Equal Opportunity Employment Policy

This policy affirms the organization's commitment to non-discrimination in hiring, compensation, promotion, and termination. It's required if you have employees and receive federal funding.

What to include: Protected classes (race, color, religion, sex, national origin, age, disability), non-discrimination affirmation, anti-harassment statement, complaint procedures, and investigation protocols.

Why it matters: It's legally required. It protects your organization from discrimination claims and sets clear expectations for respectful workplace behavior.

7. Sexual Harassment and Harassment Prevention Policy

This policy defines harassment, establishes reporting procedures, and outlines consequences for violators. Many states legally require it for organizations with 5+ employees.

What to include: Definition of sexual harassment and other forms of harassment, examples, reporting channels, investigation procedures, confidentiality protections, and prohibition on retaliation.

Why it matters: It's often legally required. More importantly, it creates a safer workplace and demonstrates to staff and donors that you take harassment seriously. Many funders now require harassment prevention policies as part of grant agreements.

8. Professional Conduct and Code of Ethics Policy

This policy establishes expectations for professional behavior, integrity, and ethical decision-making. It applies to board members, staff, and sometimes volunteers.

What to include: Ethical principles, expected professional behavior, confidentiality obligations, use of organizational assets, and consequences for violations.

Why it matters: It clarifies organizational values and expectations. It provides grounds for disciplinary action if someone violates standards. It demonstrates to stakeholders that you take ethics seriously.

9. Compensation Committee Charter and Process

This policy (or resolution) establishes how executive director compensation is set and reviewed. It ensures compensation is set by an independent board process, not by the executive director.

What to include: Committee composition (independent board members, no conflicts), process (market research, documentation, approval), frequency of review, and documentation requirements.

Why it matters: The IRS and state attorneys general scrutinize executive compensation. A documented independent process that sets reasonable, market-based compensation protects against accusations of self-dealing and demonstrates good governance.

10. Diversity, Equity, and Inclusion (DEI) Statement

This policy affirms the organization's commitment to diversity and inclusivity in hiring, programming, and board composition. It's increasingly expected by funders and staff.

What to include: Commitment to diverse hiring and board recruitment, inclusive programming, staff training on cultural competence, and accountability mechanisms.

Why it matters: Many foundations now require DEI statements in grant applications. More importantly, it attracts diverse talent and makes the organization more reflective of the communities you serve. It also protects you from claims of systemic discrimination.

Tier 3: Specialized Policies

These policies address specific situations. You may not need all of them, but review the list and adopt what's relevant to your organization.

11. Financial Management and Internal Controls Policy

This policy establishes procedures for approving expenditures, managing bank accounts, reconciling accounts, segregating duties, and audit procedures.

What to include: Approval authority by amount, segregation of duties (one person doesn't handle everything), bank account procedures, use of credit cards, investment policy (if applicable), and financial reporting requirements.

Why it matters: It prevents fraud and embezzlement by requiring multiple approvals and documented procedures. Auditors and funders review these controls. It protects the organization and ensures financial integrity.

12. Data Privacy and Information Security Policy

This policy establishes how the organization collects, stores, and protects sensitive information (donor information, client data, employee records). It's increasingly important as organizations move to cloud-based systems.

What to include: Types of data collected, storage procedures, access controls, breach notification protocols, vendor management (if using third-party software), and compliance with applicable privacy laws (HIPAA if health data, FERPA if education data, etc.).

Why it matters: Nonprofits hold sensitive information (donor contact info, client medical or social data, employee SSNs). Breaches damage trust and can have legal consequences. A documented data security policy shows stakeholders you take privacy seriously.

13. Technology Use and Social Media Policy

This policy governs how staff and board members use organizational technology and represent the organization on social media. It protects against liability from inappropriate posts and misuse of organization resources.

What to include: Acceptable use of computers and phones, personal vs. professional use, social media guidelines, consequences for violations, and content approval procedures.

Why it matters: Staff posts that go viral for the wrong reasons can damage reputation. A documented policy clarifies expectations and provides grounds for discipline if violations occur. It also protects the organization from claims of privacy violations.

14. Donor Communications and Stewardship Policy

This policy establishes how the organization communicates with donors, honors donor restrictions, and reports on impact. It's especially important for organizations with major donors or restricted grants.

What to include: Communication frequency, reporting requirements by gift size, donor naming and recognition standards, and tracking of restricted use compliance.

Why it matters: It ensures donors feel valued and that their restrictions are honored. It reduces disputes about what was promised and what was delivered. It demonstrates to donors that you manage funds responsibly.

15. Board Member Recruitment and Orientation Policy

This policy establishes expectations for board service, recruitment standards, and orientation procedures. It clarifies what board service entails before someone joins.

What to include: Expectations (meeting attendance, committee service, fundraising participation), term limits, conflicts of interest disclosure, orientation requirements, and evaluation/renewal process.

Why it matters: Clear expectations reduce misalignment and improve board effectiveness. Orientation helps new board members understand fiduciary duties and organizational context. Evaluation and term limits create natural renewal points.

Policy Priority Table: Build Your Library Strategically

| Phase | Essential Policies | Timeline |
| --- | --- | --- |
| Phase 1: Launch (0-6 months) | Bylaws, Conflict of Interest, Whistleblower Protection, Document Retention, Gift Acceptance | Before first board meeting |
| Phase 2: Growth (6-18 months) | Add: Equal Opportunity, Harassment Prevention, Professional Conduct, Compensation Committee, Financial Controls | Before first hire or major grant |
| Phase 3: Maturity (18+ months) | Add: DEI Statement, Data Privacy, Technology Use, Donor Communications, Board Recruitment | As organization scales |

How to Actually Implement Policies

Writing policies is step one. Actually using them is step two, and that's where most nonprofits fail. Here's how to make policies stick:

1. Board adoption and communication. The board should formally adopt policies through resolution, not just email approval. Communicate adopted policies to all staff and board members.

2. Make them accessible. Keep a current policy library in a shared location (shared drive, wiki, intranet). Staff can't follow policies they can't find.

3. Require acknowledgment. Have new staff and board members sign a form acknowledging they've read and understood key policies (conflict of interest, harassment, professional conduct). Keep these signatures on file.

4. Enforce consistently. If someone violates a policy, address it. Inconsistent enforcement teaches people the policies don't matter.

5. Review annually. The board should review policies annually to ensure they're current and relevant. Update them as needed. Track when each policy was last reviewed.

6. Highlight in onboarding. New staff should receive policy training, not just a link to read. Cover the policies that affect them (harassment prevention, professional conduct, technology use) explicitly.

What to Do Next

If you're uncertain about conflict of interest specifics, move to Lecture 1.2.3: Conflict of Interest Policies That Actually Get Used for template language and implementation guidance. For meeting procedures and board operations, Lecture 1.2.4: Robert's Rules of Order for Nonprofits clarifies governance mechanics. For compliance and record-keeping deadlines, Lecture 1.2.5: Annual Filing Requirements maps out the calendar.

Frequently Asked Questions

Do I really need all 15 policies? We're a small nonprofit.

Start with Tier 1 (the five non-negotiable policies) at minimum. As you grow, add Tier 2 policies before your first hire. Tier 3 policies can come later as relevant to your specific situation. But don't skip the foundational five — they're essential for any nonprofit, regardless of size.

Can I adapt policies from another nonprofit?

Yes, learning from other organizations is smart. But don't just copy-paste. Adapt policies to your context (board size, staff structure, funding sources). Have your board review adapted policies to ensure they fit your organization. If you can afford it, have legal counsel review before adoption.

What happens if we don't have policies?

You're at risk on multiple fronts: IRS scrutiny (the 990 asks about conflict of interest and whistleblower policies), funding loss (many grants require specific policies), employee disputes (without clear procedures, claims of discrimination or harassment are harder to defend), and fraud (without financial controls, theft is easier). Additionally, board members are less protected from liability without documented policies and procedures.

How often should we update policies?

The board should review all policies at least annually, looking for changes in law, organizational context, or effectiveness. Major updates to policies should be formally adopted by the board. Minor clarifications can be made without full re-adoption. Keep a log of when each policy was last reviewed and updated.