<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:media="http://search.yahoo.com/mrss/">
  <channel>
    <title>Perez-girona.com - Insights on Business Law, Governance, and Strategy</title>
    <link>https://perez-girona.com</link>
    <description>Stay informed with Perez-girona.com, your source for expert insights on Business Law, Governance, and Strategy. Explore the latest trends, legal updates, and strategic frameworks to enhance your knowledge and decision-making in the business landscape.</description>
    <language>pl</language>
    <pubDate>Sun, 21 Jun 2026 17:22:00 +0200</pubDate>
    <lastBuildDate>Sun, 21 Jun 2026 17:22:00 +0200</lastBuildDate>
    <item>
      <title>Nonprofit Investing - Balance Mission &amp; Growth Confidently</title>
      <link>https://perez-girona.com/nonprofit-investing-balance-mission-growth-confidently</link>
      <description>Optimize nonprofit investment management! Learn to balance mission, liquidity &amp; growth with smart policies. Discover 6 key steps for your board.</description>
      <content:encoded><![CDATA[<p>Managing charitable assets is not about maximizing return at any cost. It is about protecting mission delivery, preserving purchasing power, and making sure the board can explain every investment decision with confidence. The right approach to investment management for nonprofit organizations starts with liquidity, policy, and governance, then moves into asset allocation, spending rules, and oversight.</p>

<div class="short-summary">
  <h2 id="the-strongest-nonprofit-portfolios-are-built-around-cash-flow-not-ego">The strongest nonprofit portfolios are built around cash flow, not ego</h2>
  <ul>
    <li>
<strong>Separate money by purpose.</strong> Operating cash, reserves, donor-restricted funds, and endowment capital should not be managed the same way.</li>
    <li>
<strong>Write the rules first.</strong> An investment policy statement should define objectives, risk tolerance, benchmarks, delegation, and review cadence.</li>
    <li>
<strong>Match risk to time horizon.</strong> Short-term funds need liquidity; long-term funds can carry more growth exposure.</li>
    <li>
<strong>Set a spending rule you can defend.</strong> A stable distribution policy matters more than trying to guess this year’s market.</li>
    <li>
<strong>Review performance in context.</strong> Fees, cash needs, and restrictions matter as much as headline return.</li>
  </ul>
</div>

<h2 id="what-nonprofit-investing-really-has-to-balance">What nonprofit investing really has to balance</h2>
<p>I usually start by separating the problem into three questions: how much money has to be ready in 30 days, how much can stay invested for one to three years, and what capital can sit through a full market cycle. If those answers are not clear, the portfolio is usually doing two jobs badly instead of one job well.</p>
<h3 id="mission-and-market-risk-pull-in-different-directions">Mission and market risk pull in different directions</h3>
<p>A nonprofit can be financially healthy on paper and still be one market shock away from trouble. Too much caution quietly erodes purchasing power, especially when inflation outpaces cash yields. Too much risk creates the wrong kind of surprise when payroll, grants, or debt service come due during a drawdown. In practice, the board is not choosing between safety and growth so much as choosing where to place the tradeoff.</p>
<h3 id="different-pools-of-capital-need-different-rules">Different pools of capital need different rules</h3>
<p>Operating cash, board-designated reserves, donor-restricted gifts, and endowment principal should not share the same risk budget. Board-designated money can often be reclassified later; donor-restricted money usually cannot. When those buckets get mixed, a healthy-looking balance sheet can hide a liquidity problem, and that is how organizations end up selling assets at the wrong time just to keep the lights on.</p>
<p>That is why I would rather see a simple framework used consistently than a clever portfolio nobody can explain in a board meeting. Once the buckets are clear, the policy statement becomes the next logical step.</p>

<p><img src="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/post_image/3b63876d5d0f6005beba8e2c90ffa08f/nonprofit-investment-policy-statement-board-governance-asset-allocation.webp" class="image article-image" loading="lazy" alt="Team carrying a bar graph with an upward arrow, symbolizing successful investment management for nonprofit organizations."></p>

<h2 id="the-policy-statement-is-the-control-center">The policy statement is the control center</h2>
<p>I want an investment policy statement to answer the questions that will otherwise get argued over later. It should not read like a legal memo. It should read like a decision tool the board can actually use.</p>
<table>
  <tbody>
    <tr>
      <th>Policy element</th>
      <th>What it should answer</th>
      <th>Why it matters</th>
    </tr>
    <tr>
      <td><strong>Purpose</strong></td>
      <td>What the assets are meant to support</td>
      <td>Keeps the portfolio aligned with the mission instead of chasing generic market returns</td>
    </tr>
    <tr>
      <td><strong>Risk budget</strong></td>
      <td>How much volatility the organization can tolerate</td>
      <td>Prevents one bad year from dictating long-term decisions</td>
    </tr>
    <tr>
      <td><strong>Liquidity floor</strong></td>
      <td>How much cash or near-cash must stay available</td>
      <td>Protects payroll, grants, and operating continuity</td>
    </tr>
    <tr>
      <td><strong>Spending rule</strong></td>
      <td>How much can be distributed and how it is calculated</td>
      <td>Stops the budget from swinging with every market move</td>
    </tr>
    <tr>
      <td><strong>Delegation</strong></td>
      <td>Who can hire managers, trade, or approve exceptions</td>
      <td>Reduces confusion, conflict, and unauthorized decision-making</td>
    </tr>
    <tr>
      <td><strong>Benchmarks and review</strong></td>
      <td>How success will be measured and how often</td>
      <td>Makes performance review objective instead of emotional</td>
    </tr>
  </tbody>
</table>
<p>When I draft or review an IPS, I also look for language on conflicts of interest, permitted and prohibited assets, rebalancing bands, and mission-related screens if the board wants them. If the organization wants to exclude certain industries or favor impact-aligned exposure, that belongs in writing because it can change both diversification and return expectations. A policy that is vague on those points usually creates bigger problems later, not fewer.</p>
<p>Most states have adopted UPMIFA or a close variant, which is why many boards now think in terms of total return rather than income-only investing. That shift matters because it gives the nonprofit more flexibility, but only if the policy is disciplined enough to keep spending and risk from drifting. Once the policy exists, the harder question is how to translate it into a portfolio that can handle real cash needs.</p>

<h2 id="build-the-portfolio-in-liquidity-buckets">Build the portfolio in liquidity buckets</h2>
<p>I do not build one portfolio for a nonprofit. I build a set of liquidity layers. That approach is more practical because it respects the fact that some dollars are needed next month, some next year, and some only after a full market cycle.</p>
<table>
  <tbody>
    <tr>
      <th>Bucket</th>
      <th>Typical time horizon</th>
      <th>Examples of holdings</th>
      <th>Main risk to control</th>
    </tr>
    <tr>
      <td><strong>Operating cash</strong></td>
      <td>0 to 30 days</td>
      <td>FDIC-insured deposits, money market funds, Treasury bills</td>
      <td>Instant access and principal preservation</td>
    </tr>
    <tr>
      <td><strong>Operating reserve</strong></td>
      <td>3 to 6 months, sometimes longer</td>
      <td>Short-duration bond funds, Treasury ladders, high-quality cash alternatives</td>
      <td>Low volatility and reliable liquidity</td>
    </tr>
    <tr>
      <td><strong>Strategic reserve</strong></td>
      <td>1 to 3 years</td>
      <td>Intermediate fixed income, balanced allocations, modest growth exposure</td>
      <td>Moderate drawdown risk</td>
    </tr>
    <tr>
      <td><strong>Endowment or permanent capital</strong></td>
      <td>5 years or more</td>
      <td>Diversified equities, fixed income, real assets, and selective alternatives</td>
      <td>Long-term growth with patience through cycles</td>
    </tr>
  </tbody>
</table>
<p>As a working reserve target, many nonprofits hold 3 to 6 months of operating expenses in cash or near-cash if they can. That is not a universal rule, but it is a useful starting point because it forces the board to define how much flexibility the organization really needs. The National Council of Nonprofits has made a similar point: reserve levels should fit the organization, not the other way around.</p>
<p>I would be especially careful with illiquid alternatives such as private equity or private credit. Those can make sense for large, long-dated pools, but only if the board understands capital calls, valuation lag, and lockups. A capital call is simply a request for additional money from an existing investor, often on short notice, and it can be awkward for a nonprofit that also has payroll and grant dates to meet. If money may be needed within the next 12 months, I would not park it in anything the board cannot sell quickly at a known price.</p>
<p>This is also where total-return thinking earns its keep. The point is not to live off dividends or interest alone; the point is to combine income and growth in a way that supports current operations and protects future buying power. The spending rule is where that structure meets the annual budget.</p>

<h2 id="set-a-spending-rule-that-supports-programs-without-eroding-capital">Set a spending rule that supports programs without eroding capital</h2>
<p>A spending rule is not a guess at next year’s markets. It is a budgeting tool with guardrails. For many endowments and reserve pools, a 4% to 5% annual spending range is common, usually applied to a trailing average market value so that one strong year does not inflate spending and one weak year does not force panic cuts.</p>
<p>If the pool is $20 million and the spending rate is 4.5%, the baseline annual support is $900,000 before fees and other adjustments. That number only works if the board is comfortable with the liquidity behind it, which is why spending policy and asset allocation should be designed together rather than in separate meetings months apart.</p>
<p>For private foundations, the rule is more rigid. According to the IRS, the minimum investment return requirement is 5% of the relevant asset base, so the spending conversation starts with compliance and then moves to policy preference. Public charities usually have more flexibility, but they still need a rule that is stable enough to fund programs and honest enough to preserve principal over time.</p>
<ul>
  <li>
<strong>Use smoothing.</strong> A trailing average reduces the impact of market swings on the budget.</li>
  <li>
<strong>Define the floor and ceiling.</strong> A minimum and maximum distribution range keeps spending from becoming either too tight or too loose.</li>
  <li>
<strong>State how fees are treated.</strong> The board should know whether management costs are included above or below the spending line.</li>
  <li>
<strong>Address underwater periods.</strong> A policy should say whether prudent spending is allowed if the fund falls below historic gift value and under what conditions.</li>
</ul>
<p>The best spending rules are boring in the best possible way. They give the finance team a framework, keep the board from improvising under pressure, and make it easier to explain to donors why the organization is not spending recklessly just because markets had one good year. After that, oversight becomes the difference between discipline and drift.</p>

<h2 id="oversight-is-what-keeps-good-assumptions-honest">Oversight is what keeps good assumptions honest</h2>
<p>The portfolio does not manage itself, and neither does the policy. Someone has to review the facts, question the assumptions, and document why the current approach still makes sense. I prefer a small, financially literate investment committee with a clear report from staff and a written role for any outside advisor.</p>
<table>
  <tbody>
    <tr>
      <th>Review cycle</th>
      <th>What I expect to see</th>
      <th>Why it matters</th>
    </tr>
    <tr>
      <td><strong>Quarterly</strong></td>
      <td>Market value, return vs. benchmark, asset allocation drift, liquidity runway, fees, and policy exceptions</td>
      <td>Shows whether the portfolio still fits the board’s intent</td>
    </tr>
    <tr>
      <td><strong>Annually</strong></td>
      <td>IPS refresh, spending rate test, stress scenarios, manager due diligence, conflict disclosures, and custody review</td>
      <td>Catches slow drift before it becomes a governance problem</td>
    </tr>
  </tbody>
</table>
<p>I also want the board to understand fees in plain language. A fee difference of 50 basis points, or 0.50%, on a $10 million portfolio is $50,000 a year before compounding effects. That is real money in a nonprofit budget, and it should be visible. The same is true for trading discretion, valuation of illiquid assets, and who has authority to move money between accounts.</p>
<p>If the organization uses an external manager, I want to know how they define risk, what benchmark they are using, how they handle rebalancing, and whether the reporting package is actually readable. I would rather review a concise dashboard every quarter than receive a dense packet that nobody on the board has time to absorb. Clear reporting is not cosmetic; it is part of fiduciary control.</p>
<p>The easiest mistakes to prevent are the ones the board names early. Once those are surfaced, the remaining question is what to stop doing before it costs the organization money.</p>

<h2 id="the-mistakes-that-quietly-damage-nonprofit-portfolios">The mistakes that quietly damage nonprofit portfolios</h2>
<ul>
  <li>
<strong>Keeping too much in cash.</strong> Safety feels comforting, but excess idle cash can erode purchasing power and create opportunity cost.</li>
  <li>
<strong>Chasing yield when the budget is tight.</strong> Higher nominal return is not a win if it comes from illiquid assets that cannot support operations.</li>
  <li>
<strong>Blending restricted and unrestricted funds.</strong> That mistake makes reporting harder and can lead to accidental policy violations.</li>
  <li>
<strong>Measuring success only by return.</strong> A portfolio should be judged against spending needs, liquidity, inflation, and the policy benchmark, not just last year’s headline number.</li>
  <li>
<strong>Letting fees hide in the fine print.</strong> Management fee, trading cost, custody cost, and fund expense ratio all matter.</li>
  <li>
<strong>Using complexity before clarity.</strong> Alternatives, hedging, and mission screens can be useful, but they do not fix a weak governance process.</li>
  <li>
<strong>Skipping stress tests.</strong> If a 20% market decline would force program cuts, the portfolio is probably too aggressive for the institution.</li>
</ul>
<p>I see one recurring pattern more than any other: the board inherits a portfolio, tolerates ambiguity because the returns look acceptable, and only later discovers that the structure cannot support the mission under pressure. The fix is not usually a dramatic trade. It is a clearer process and a more honest allocation of risk. From there, the first 90 days are mostly execution.</p>

<h2 id="what-i-would-put-on-the-board-agenda-before-the-next-allocation-change">What I would put on the board agenda before the next allocation change</h2>
<ol>
  <li>Map every pool of capital and label it as operating cash, reserve, board-designated, donor-restricted, or endowment.</li>
  <li>Assign a time horizon to each bucket so the board can see which money must stay liquid and which money can compound longer.</li>
  <li>Refresh the investment policy statement and make sure it covers purpose, risk budget, liquidity floor, spending rule, delegation, benchmarks, and review cadence.</li>
  <li>Set a spending policy that can survive both a weak market year and a strong one without whipsawing the operating budget.</li>
  <li>Approve a reporting format that shows allocation drift, liquidity coverage, fees, exceptions, and benchmark results in plain English.</li>
  <li>Run a stress test that includes a market drawdown, delayed fundraising, and an operational cash squeeze so the board can see the real margin of safety.</li>
</ol>
<p>When those steps are in place, investment management stops being a side project and becomes part of governance. That is where it belongs. The portfolio then has a clear job: support the mission today, stay flexible enough for tomorrow, and preserve enough value for the organization that comes after this board’s term ends.</p>]]></content:encoded>
      <author>Cole Mitchell</author>
      <category>Nonprofit Operations</category>
      <media:thumbnail url="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/thumbnail/192d07731d5e407f4e8f0263fb28b0f9/nonprofit-investing-balance-mission-growth-confidently.webp"/>
      <pubDate>Sun, 21 Jun 2026 17:22:00 +0200</pubDate>
    </item>
    <item>
      <title>Board Conflict of Interest - Protect Your Board&apos;s Integrity</title>
      <link>https://perez-girona.com/board-conflict-of-interest-protect-your-boards-integrity</link>
      <description>Master board conflict of interest. Learn to identify, disclose, and manage conflicts effectively to protect your board&apos;s integrity. Get the policy guide!</description>
      <content:encoded><![CDATA[<body><p>Board decisions are only as strong as the judgment behind them. When a director, officer, or advisor has a personal, financial, family, or outside-business interest in the outcome, that judgment can bend in ways the board may not notice at first. Understanding what a <a href="https://perez-girona.com/nonprofit-board-conflict-of-interest-protect-your-mission">conflict of interest</a> is matters because the real damage is usually not the conflict itself, but the bad process it creates if the board ignores it.</p>
<p>In U.S. board governance, the standard response is straightforward: disclose the facts, step back from the decision when needed, and document the process clearly. The sections below explain how conflicts show up, how to manage them, and what a policy should require if you want the board to stay credible under pressure.</p>

<div class="short-summary">
  <h2 id="key-points-to-know-before-a-board-makes-a-decision">Key points to know before a board makes a decision</h2>
  <ul>
    <li>A conflict exists when a person’s private interest could influence, or appear to influence, board judgment.</li>
    <li>Disclosure is necessary, but <strong>disclosure alone is not always enough</strong>; recusal is often the safer next step.</li>
    <li>Common boardroom triggers include related-party contracts, compensation votes, family ties, vendor selection, and outside business roles.</li>
    <li>Good governance depends on a written process, not improvisation in the meeting room.</li>
    <li>The strongest boards record the facts, exclude conflicted directors from the vote, and use independent review when the issue is material.</li>
  </ul>
</div>

<h2 id="what-the-term-means-in-board-governance">What the term means in board governance</h2>
<p>At board level, a conflict of interest is not just about obvious corruption or someone “doing something wrong.” It is broader than that. A conflict exists when a director’s or officer’s personal interest could interfere with the duty to act for the organization, not for themselves. That personal interest might be financial, but it can also come from a family relationship, a second job, a consulting arrangement, equity ownership, or a future business opportunity.</p>
<p>I think the cleanest way to understand it is to separate three ideas. An <strong>actual conflict</strong> exists right now. A <strong>potential conflict</strong> could arise later if the facts change or the board moves forward. An <strong>apparent conflict</strong> may not prove wrongdoing, but it still creates a reasonable question about independence. In board governance, appearances matter because trust is part of the asset.</p>
<p>That distinction becomes important because boards are expected to exercise the duty of loyalty. In plain English, that means directors must be able to say, with a straight face, that the organization’s interests came first. When that is uncertain, the board needs a process, not a guess.</p>
<p>Once that definition is clear, the next question is where conflicts usually show up in real boardroom work.</p>

<h2 id="the-situations-that-usually-create-risk">The situations that usually create risk</h2>
<p>Most board conflicts do not arrive as dramatic scandals. They show up in ordinary decisions that suddenly become sensitive because someone has something to gain, protect, or influence. Here are the patterns I see most often.</p>

<table>
  <tbody>
    <tr>
      <th>Situation</th>
      <th>Why it is risky</th>
      <th>Best first response</th>
    </tr>
    <tr>
      <td>A director owns, works for, or advises a vendor being considered by the board</td>
      <td>The director may benefit directly from the contract or influence the selection process</td>
      <td>Disclose fully, step out of discussion, and let independent directors compare bids</td>
    </tr>
    <tr>
      <td>A family member stands to gain from the decision</td>
      <td>The benefit may be indirect, but it can still shape judgment and raise appearance concerns</td>
      <td>Disclose the relationship early and document whether recusal is required</td>
    </tr>
    <tr>
      <td>The board is voting on compensation, bonuses, or benefits</td>
      <td>Pay decisions are a classic self-interest trigger, especially when the person voting may receive similar treatment</td>
      <td>Use independent directors or a committee, and keep the conflicted person out of the vote</td>
    </tr>
    <tr>
      <td>A director has an outside board seat, consulting role, or competitor relationship</td>
      <td>Loyalty can become divided, and access to information may create a second set of obligations</td>
      <td>Assess whether the outside role is compatible and restrict participation where needed</td>
    </tr>
    <tr>
      <td>The board is selecting a major donor, investor, buyer, or partner with personal ties to a director</td>
      <td>The stakes are high enough that a small bias can distort a major decision</td>
      <td>Use independent review, competitive comparison, and careful minutes</td>
    </tr>
  </tbody>
</table>

<p>These cases matter because they are rarely about one giant ethical failure. They are usually about a board letting a familiar relationship sit too close to a decision. I would rather see a board over-disclose than under-disclose, because ambiguity is where governance tends to fail.</p>
<p>Once you can spot the common triggers, the practical issue becomes how to disclose and document them without creating confusion in the meeting itself.</p>

<p><img src="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/post_image/7d1080c64922ae53e3da42270a03b7e2/board-of-directors-discussing-conflict-of-interest-policy-meeting.webp" class="image article-image" loading="lazy" alt="A diverse team in a boardroom, with a woman in a black dress presenting. This scene highlights the importance of transparency and avoiding any conflict of interest in business decisions."></p>

<h2 id="how-boards-should-disclose-and-document-a-conflict">How boards should disclose and document a conflict</h2>
<p>Disclosure is not a formality. It is the point where the board gets enough information to decide whether the conflicted person can stay in the room, whether the matter needs independent review, or whether the transaction should be stopped. A vague statement like “I may have an interest here” is usually too weak to be useful.</p>
<p>Good disclosure should name the relationship, the type of benefit, and any facts that would matter to an independent director. If the issue involves money, say how much and when. If it involves a relationship, say who it is and how the connection works. If it involves an outside business role, explain whether the role could influence the decision.</p>

<ul>
  <li>State the conflict before the discussion begins, not after the board has already leaned in one direction.</li>
  <li>Describe the relevant facts clearly enough that the other directors can judge the risk for themselves.</li>
  <li>Tell the chair, governance committee, or general counsel if the issue is material or sensitive.</li>
  <li>Record the disclosure, the board’s response, and the recusal in the minutes.</li>
  <li>Update the disclosure if the facts change before the final vote.</li>
</ul>

<p><strong>Disclosure and recusal are not the same thing.</strong> Disclosure informs the board. Recusal removes the conflicted person from the part of the process where independence matters. In some situations, disclosure is enough to let independent directors proceed. In others, the person should leave the discussion entirely, not just abstain at the end.</p>
<p>The IRS encourages charities to use written procedures that require disclosure and excuse conflicted individuals from voting, and that logic holds up well beyond the nonprofit world. If the board gets the disclosure right, the next task is deciding what action the conflict requires.</p>

<h2 id="what-to-do-once-the-conflict-is-identified">What to do once the conflict is identified</h2>
<p>The right response depends on severity. Some conflicts can be managed cleanly. Others should stop the transaction before it goes any further. The mistake many boards make is assuming every conflict can be solved with a quick abstention. That is not always enough.</p>
<p>When the conflict is modest and the board can still make an independent decision, the response may be straightforward: recuse the interested person, collect independent bids or valuations, and let the disinterested directors decide. When the conflict is material, the board may need a committee of independent directors, outside counsel, or a third-party fairness review. And when the conflict cannot be separated from the decision, the clean answer is to reject or unwind the transaction.</p>

<ul>
  <li>Recuse the conflicted director from discussion, not just the vote.</li>
  <li>Move the decision to independent directors or a committee if the issue is sensitive.</li>
  <li>Use market checks, competitive bids, or outside valuation where money or control is involved.</li>
  <li>Have counsel review related-party transactions, executive pay, or major vendor decisions.</li>
  <li>Walk away if the conflict cannot be disclosed and mitigated in a way that preserves independence.</li>
</ul>

<p>The cleanest boardroom answer is often the least glamorous one: remove the pressure point, get independent review, and keep the record tight. If the conflicted person’s presence changes the conversation, the process is already compromised.</p>
<p>That is why weak conflict handling can damage more than the transaction itself.</p>

<h2 id="why-weak-conflict-handling-erodes-trust-fast">Why weak conflict handling erodes trust fast</h2>
<p>A board does not lose credibility only when a bad deal closes. It loses credibility when the process looks sloppy, defensive, or uneven. Once that happens, every later decision becomes harder to defend. Other directors start second-guessing one another. Executives start treating the board as political instead of independent. External stakeholders notice, and they rarely forget.</p>
<p>There is also real legal and operational risk. A conflicted decision can trigger challenges to the fairness of the process, problems with minutes, scrutiny from auditors, or claims that the board did not exercise proper oversight. In the U.S., public companies, nonprofits, and regulated firms all face different rules, but the underlying governance problem is the same: if the board cannot show a disciplined process, the decision becomes vulnerable.</p>
<p>That is why I treat conflict management as a board culture issue, not only a compliance issue. A board that normalizes disclosure, asks follow-up questions, and documents recusals is usually a board that takes its fiduciary role seriously. A board that shrugs off small conflicts usually has larger problems waiting underneath.</p>
<p>To keep that from happening, the board needs a policy that works in real life, not just on paper.</p>

<h2 id="what-a-strong-conflict-policy-should-actually-include">What a strong conflict policy should actually include</h2>
<p>A usable policy does more than define the term. It tells directors and officers what to do when the issue appears, who reviews it, how fast disclosure must happen, and what gets written into the record. That is the difference between a policy that protects the organization and one that only looks good in a binder.</p>
<p>I would expect a strong policy to cover these points:</p>

<ul>
  <li>A clear definition of actual, potential, and apparent conflicts.</li>
  <li>Examples tailored to the organization’s real risks, such as vendor relationships, family ties, equity interests, outside employment, gifts, and related-party transactions.</li>
  <li>A written disclosure process for directors, officers, and key employees.</li>
  <li>Rules for recusal, including whether the conflicted person may stay for discussion.</li>
  <li>Authority for independent directors, a governance committee, or counsel to review borderline cases.</li>
  <li>Documentation standards for minutes, approvals, and follow-up.</li>
  <li>Consequences for failing to disclose or trying to steer the outcome anyway.</li>
  <li>A regular review cycle so the policy stays aligned with the organization’s current risks.</li>
</ul>

<p>The SEC’s conflict guidance for regulated firms treats conflict management as an ongoing process, not a one-time checkbox exercise, and that is the right mindset for boards too. If your policy only comes out after a problem appears, it is already too late. It should be part of the board’s operating rhythm, not an emergency document.</p>
<p>The real test is whether directors can identify a conflict early, say it plainly, and step aside without drama when the situation calls for it.</p>

<h2 id="the-boardroom-test-i-use-before-any-vote">The boardroom test I use before any vote</h2>
<p>Before any sensitive vote, I ask three questions. Would this decision benefit the person involved, or someone close to them? Would an outside observer question the board’s independence if they saw the relationship? Could we defend the process in the minutes without sounding evasive? If the honest answer to either of the first two is yes, or the answer to the third is no, the board should slow down, disclose the issue, and redesign the decision process before money or trust is at risk.</p>
<p>That discipline is what turns a conflict policy into real governance. It keeps directors focused on the organization’s interests, which is the only position that holds up when scrutiny arrives.</p></body>]]></content:encoded>
      <author>Cole Mitchell</author>
      <category>Board Governance</category>
      <media:thumbnail url="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/thumbnail/875cd2a9801f329645a0e9cca0789852/board-conflict-of-interest-protect-your-boards-integrity.webp"/>
      <pubDate>Fri, 19 Jun 2026 16:20:00 +0200</pubDate>
    </item>
    <item>
      <title>Credit Card Processing - Compare Rates &amp; Cut Fees Now!</title>
      <link>https://perez-girona.com/credit-card-processing-compare-rates-cut-fees-now</link>
      <description>Decode credit card processing fees! Learn how to compare quotes, understand pricing models, and cut costs. Find out how to save now!</description>
      <content:encoded><![CDATA[<p>Credit card processing can quietly become one of the largest variable costs in a small business. The real issue is not just the headline percentage; it is how interchange, network fees, processor markup, and fixed per-transaction charges combine on your statement. This article breaks down what those charges mean, what typical US pricing looks like, and how I would compare quotes before signing anything.</p>

<div class="short-summary">
  <h2 id="the-fastest-way-to-read-a-processing-quote-is-to-separate-the-rate-from-the-structure">The fastest way to read a processing quote is to separate the rate from the structure</h2>
  <ul>
    <li>
<strong>Effective cost matters more than the advertised rate.</strong> The true number is total fees divided by card sales.</li>
    <li>
<strong>Card-present sales are usually cheaper than keyed or online payments.</strong> Lower fraud risk usually means lower fees.</li>
    <li>
<strong>Flat-rate pricing is simple, but not always the cheapest.</strong> It often works best for low volume or low-ticket sales.</li>
    <li>
<strong>Interchange-plus is usually the most transparent model.</strong> It makes the processor’s markup easier to see and negotiate.</li>
    <li>
<strong>Monthly fees and dispute costs can change the math fast.</strong> A quote that looks cheap can still be expensive once extras are added.</li>
  </ul>
</div>

<h2 id="what-those-charges-actually-cover">What those charges actually cover</h2>
<p>When I read a merchant statement, I treat it as three layers stacked together. Part of the money goes to the card issuer as interchange, part goes to the card network as an assessment, and part goes to the processor or merchant account provider as markup. If the sale is online, a payment gateway or platform fee may sit on top of that. In plain English, you are paying for risk, routing, fraud handling, and the infrastructure that moves the money from the customer to your bank.</p>
<ul>
  <li>
<strong>Interchange</strong> is the largest piece in most transactions and is usually set by the card networks and issuers rather than by your processor.</li>
  <li>
<strong>Network assessments</strong> are smaller charges tied to the brand that handles the card.</li>
  <li>
<strong>Processor markup</strong> is what your provider keeps for the service itself.</li>
  <li>
<strong>Gateway fees</strong> show up more often with online or invoiced payments because the processor also has to move the transaction through a secure checkout layer.</li>
  <li>
<strong>PCI compliance fees</strong> cover the security work of handling card data under PCI rules, and some processors charge extra for the program itself or for non-compliance.</li>
  <li>
<strong>Refund costs</strong> can linger too, because in many systems the original processing fee is not returned when you refund a customer.</li>
</ul>
<p>That separation matters because a low advertised rate can hide a heavy markup, and a high advertised rate may still be fair if it bundles more of the stack into one number. Once you know what is inside the total, the next decision is which pricing model fits your sales pattern.</p>

<p><img src="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/post_image/84515a6da9984b0a875ec89a0a9537a3/credit-card-processing-pricing-models-comparison-chart.webp" class="image article-image" loading="lazy" alt="Comparing Stripe and Toast credit card processing fees for small businesses. Toast offers lower in-person fees."></p>

<h2 id="the-pricing-model-matters-more-than-the-headline-rate">The pricing model matters more than the headline rate</h2>
<p>I compare processing plans by predictability and scale, not by marketing language. The model tells you whether the provider is giving you a transparent pass-through structure or wrapping everything into one easy-to-read rate.</p>
<table>
  <thead>
    <tr>
      <th>Pricing model</th>
      <th>How it works</th>
      <th>Best fit</th>
      <th>Main trade-off</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Interchange-plus</td>
      <td>You pay interchange and network costs plus a disclosed markup.</td>
      <td>Businesses that want transparency, meaningful volume, or room to negotiate.</td>
      <td>Monthly bills can vary, so forecasting takes more work.</td>
    </tr>
    <tr>
      <td>Flat-rate</td>
      <td>One percentage plus one fixed fee per transaction.</td>
      <td>Low-volume sellers, startups, and teams that want simple math.</td>
      <td>The convenience premium can be expensive as ticket size and volume rise.</td>
    </tr>
    <tr>
      <td>Tiered</td>
      <td>Transactions are sorted into qualified, mid-qualified, or non-qualified buckets.</td>
      <td>Occasionally useful for sales teams that want a simple pitch.</td>
      <td>It is usually the least transparent option and the hardest to optimize.</td>
    </tr>
    <tr>
      <td>Membership or subscription</td>
      <td>You pay a monthly fee, then a lower markup on each transaction.</td>
      <td>Higher-volume merchants that can absorb the subscription cost.</td>
      <td>It only wins if your processing volume is high enough to justify the monthly fee.</td>
    </tr>
  </tbody>
</table>
<p>In practice, I see flat-rate pricing work well for businesses with modest volume and uneven sales, while interchange-plus tends to win once volume becomes stable enough to reward transparency. The same payment mix can produce very different bills under those two structures, so the next section is about anchoring expectations with current US pricing.</p>

<h2 id="what-small-businesses-are-paying-in-the-us-right-now">What small businesses are paying in the US right now</h2>
<p>A realistic planning range for card processing is roughly <strong>1.5% to 3.5%</strong> per transaction. The blended total is often called the <strong>merchant discount rate</strong>, and the effective rate can drift higher once you add fixed per-sale fees, monthly charges, and dispute costs. Current US examples make that easier to see: Square lists <strong>2.6% + 15¢</strong> for tap, dip, or swipe and <strong>3.3% + 30¢</strong> for online or invoiced card payments, while PayPal’s US fee table shows <strong>2.99% + $0.49</strong> for standard card payments and <strong>3.49% + $0.49</strong> for PayPal Checkout.</p>
<table>
  <thead>
    <tr>
      <th>Transaction pattern</th>
      <th>Why it usually costs what it costs</th>
      <th>What to watch</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Card-present retail</td>
      <td>Lower fraud risk and faster verification usually keep pricing closer to the bottom of the range.</td>
      <td>Look for hidden monthly fees, not just the swipe rate.</td>
    </tr>
    <tr>
      <td>Online or invoice payments</td>
      <td>Card-not-present transactions carry more fraud exposure, so the processor charges more.</td>
      <td>Gateway, platform, or verification fees can stack quickly.</td>
    </tr>
    <tr>
      <td>Keyed or manual entry</td>
      <td>Manual entry is riskier, so the fee is often noticeably higher.</td>
      <td>A business that keys cards often is usually leaving money on the table.</td>
    </tr>
    <tr>
      <td>International or cross-border cards</td>
      <td>Currency handling and risk controls add cost.</td>
      <td>Watch for percentage surcharges plus conversion fees.</td>
    </tr>
  </tbody>
</table>
<p>The big lesson is that the same processor can be cheap for one sales channel and expensive for another. That is why I never compare quotes without running the numbers against the business’s actual monthly mix.</p>

<h2 id="how-to-calculate-your-real-monthly-cost-before-you-sign">How to calculate your real monthly cost before you sign</h2>
<p>The simplest formula is this: <strong>total processing cost = percentage fee + fixed per-transaction fee + monthly fees + add-ons</strong>. Once you divide that total by card sales volume, you get the effective rate, which is the number that tells the truth.</p>
<table>
  <thead>
    <tr>
      <th>Monthly sales pattern</th>
      <th>Flat-rate quote: 2.6% + 15¢</th>
      <th>Lower-rate quote: 2.0% + 10¢ + $49 monthly fee</th>
      <th>Cheaper option</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>10 transactions at $50 each = $500</td>
      <td>$14.50 total</td>
      <td>$60.00 total</td>
      <td>Flat-rate</td>
    </tr>
    <tr>
      <td>300 transactions at $40 each = $12,000</td>
      <td>$357.00 total</td>
      <td>$319.00 total</td>
      <td>Lower-rate quote</td>
    </tr>
  </tbody>
</table>
<p>That example is the reason fixed fees matter so much. A plan with a monthly subscription can look worse on paper but still save money once volume is high enough, while a simple flat-rate plan can be the smarter choice when sales are light or inconsistent. If your average ticket is small, the per-transaction cents matter more; if your average ticket is large, the percentage matters more.</p>
<p>For me, the cleanest comparison comes from running the last 30 days of actual sales through two quotes and checking the effective rate side by side. That takes the guesswork out of the decision and makes the next step, cost reduction, much easier.</p>

<h2 id="how-i-would-cut-fees-without-slowing-down-checkout">How I would cut fees without slowing down checkout</h2>
<p>The lowest-friction savings usually come from changing behavior, not chasing a miracle provider. A few adjustments tend to move the needle faster than others.</p>
<ul>
  <li>
<strong>Push card-present payments whenever possible.</strong> Tap, chip, or wallet payments are usually cheaper than keyed entries because fraud risk is lower.</li>
  <li>
<strong>Use ACH for B2B invoices when the economics justify it.</strong> Bank transfer fees are often materially lower than card fees for larger invoices or recurring bills.</li>
  <li>
<strong>Keep your statement descriptor easy to recognize.</strong> Fewer confused customers means fewer disputes, and disputes are expensive even before the chargeback fee lands.</li>
  <li>
<strong>Fix operational causes of chargebacks.</strong> Clear shipping times, easy refund rules, and fast support reduce the kind of disputes that eat margin.</li>
  <li>
<strong>Review add-ons every month.</strong> A $15 PCI fee is $180 a year, and a $10 statement fee is another $120 before you process a single sale.</li>
  <li>
<strong>Match the pricing model to your ticket size.</strong> Small-ticket businesses usually care more about the fixed cents; high-ticket businesses care more about the percentage.</li>
</ul>
<p>If you are considering surcharging or cash discounting, I would check state rules and card-network terms first. The strategy can make sense, but compliance mistakes can be more expensive than the savings.</p>

<h2 id="the-contract-details-i-would-read-twice">The contract details I would read twice</h2>
<p>Most bad processing deals do not look bad in the headline rate. They become expensive in the fine print, where the provider quietly earns back the discount through extra fees, long commitments, or rate changes.</p>
<table>
  <thead>
    <tr>
      <th>Clause or fee</th>
      <th>Why it matters</th>
      <th>What I look for</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Early termination fee</td>
      <td>It makes switching expensive even if the new offer is better.</td>
      <td>No fee, or at least a short contract with a clear exit.</td>
    </tr>
    <tr>
      <td>PCI non-compliance fee</td>
      <td>A small monthly penalty can pile up if the business misses a checklist item.</td>
      <td>Simple compliance requirements and a realistic deadline.</td>
    </tr>
    <tr>
      <td>Monthly minimum</td>
      <td>You pay up to a floor even when sales are slow.</td>
      <td>A minimum that matches your seasonal pattern, or none at all.</td>
    </tr>
    <tr>
      <td>Gateway or platform fee</td>
      <td>Online sellers can pay this on top of the transaction rate.</td>
      <td>A clear explanation of what the fee unlocks and whether you actually need it.</td>
    </tr>
    <tr>
      <td>Chargeback fee</td>
      <td>A single dispute can cost more than the original profit on a sale.</td>
      <td>Know the amount before you sign; many merchants see fees in the $15 to $50 range.</td>
    </tr>
    <tr>
      <td>Equipment lease or rental</td>
      <td>Leasing hardware can cost far more than buying it outright.</td>
      <td>Prefer owned hardware unless the rental terms are genuinely flexible.</td>
    </tr>
    <tr>
      <td>Rate increase clause</td>
      <td>A low starting rate is not useful if it can change quickly.</td>
      <td>Written notice, caps, and a right to leave if pricing changes materially.</td>
    </tr>
  </tbody>
</table>
<p>When I review contracts, I look for the total cost of staying, not just the cost of signing. That lens is especially important for small businesses, because a few small fees can become a meaningful drain over a full year.</p>

<h2 id="the-quote-that-looks-cheapest-can-still-cost-more">The quote that looks cheapest can still cost more</h2>
<p>If I had to make the decision today, I would start with the business’s actual payment mix, then ask three questions: how many transactions do you run each month, what is the average ticket, and how often do you process cards online versus in person? Those three inputs decide whether a simple flat-rate plan, an interchange-plus quote, or a monthly subscription structure is the better fit.</p>
<ul>
  <li>
<strong>Low volume and low complexity</strong> usually favor flat-rate pricing because the savings from a lower markup may not beat the convenience.</li>
  <li>
<strong>Stable volume and higher ticket sizes</strong> often favor interchange-plus or subscription pricing because the processor’s markup becomes easier to optimize.</li>
  <li>
<strong>Online-heavy businesses</strong> should pay extra attention to gateway, fraud, and dispute costs, not just the card rate.</li>
  <li>
<strong>B2B businesses</strong> should compare card acceptance against ACH, because not every invoice needs to be paid with a credit card.</li>
  <li>
<strong>Cash flow-sensitive businesses</strong> should compare payout timing as well as rate, because faster settlement can be worth a slightly higher fee.</li>
</ul>
<p>The rule I use is simple: compare the effective rate on real sales data, not the prettiest marketing quote. If you do that, the right processor usually reveals itself quickly, and you will know whether the savings are worth the complexity. That is the number I would manage month after month, because it is the one that shows what you are truly giving up to accept card payments.</p>]]></content:encoded>
      <author>Jarret Bernier</author>
      <category>Business Finance</category>
      <media:thumbnail url="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/thumbnail/91dee6330e3de8175a20b6c15e21a4f8/credit-card-processing-compare-rates-cut-fees-now.webp"/>
      <pubDate>Fri, 19 Jun 2026 10:53:00 +0200</pubDate>
    </item>
    <item>
      <title>Accounting Internal Controls - Your Guide to Stronger Finance</title>
      <link>https://perez-girona.com/accounting-internal-controls-your-guide-to-stronger-finance</link>
      <description>Master accounting internal controls! Learn how they protect assets, ensure data accuracy, and prevent fraud. Discover key types &amp; real-world examples.</description>
      <content:encoded><![CDATA[<p>When I explain what internal controls are, I keep the answer simple: they are the rules, checks, and responsibilities that keep accounting data accurate, protect assets, and make fraud or error easier to catch. In practice, they show up in invoice approvals, cash handling, reconciliations, and user access reviews. This article breaks down how internal controls work in accounting, which ones matter most, and how they fit U.S. governance and reporting expectations.</p>

<div class="short-summary">
  <h2 id="the-practical-version-of-internal-controls-in-accounting">The practical version of internal controls in accounting</h2>
  <ul>
    <li>Internal controls are the procedures that help a business safeguard assets, keep records reliable, and run its accounting process with fewer mistakes.</li>
    <li>The strongest control systems combine preventive, detective, corrective, and compensating controls instead of depending on just one type.</li>
    <li>In U.S. accounting, COSO is the most common reference point, and its framework organizes control around five components and 17 principles.</li>
    <li>Controls matter most in the high-risk parts of the finance cycle: cash, vendor setup, payroll, journal entries, and month-end close.</li>
    <li>A policy on paper is not enough; what matters is whether the control actually runs, leaves evidence, and catches the right risk on time.</li>
  </ul>
</div>

<h2 id="what-internal-controls-actually-do-in-accounting">What internal controls actually do in accounting</h2>
<p>In an accounting setting, internal controls exist to do three jobs at once: protect assets, keep financial reporting reliable, and make operations more efficient. I usually think of them as the guardrails around money and data. A good control does not just stop theft or catch errors after the fact; it also reduces confusion, speeds up review, and makes month-end close less painful.</p>
<p>COSO’s framework is useful here because it reminds you that control is not only about compliance. It is built around five components: <strong>control environment</strong>, <strong>risk assessment</strong>, <strong>control activities</strong>, <strong>information and communication</strong>, and <strong>monitoring</strong>. Those pieces work together. If the tone at the top is weak, even well-written procedures tend to drift. If monitoring is weak, the same mistake can repeat for months before anyone notices.</p>
<p>There is one concept that matters more than most people expect: <strong>reasonable assurance</strong>. Internal controls reduce risk, but they do not eliminate it. That is important because accounting teams sometimes treat controls as if they should make every error impossible. That expectation is unrealistic and usually leads to frustration. The better goal is to make significant errors hard to commit, easier to detect, and more expensive to hide. Once that idea is clear, the next step is choosing the right kind of control for the risk you are trying to manage.</p>

<p><img src="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/post_image/0a144b1b64a8512f3ee904998a4a217b/accounting-internal-controls-diagram-segregation-of-duties-reconciliation.webp" class="image article-image" loading="lazy" alt="Diagram shows the components of internal controls: Control Environment, Risk Assessment, Continuous Monitoring, Information and Communication, Control Activities, Compliance with Regulations, Distribution of Responsibilities, and Physical Controls."></p>


<h2 id="the-control-types-i-would-use-first-in-a-finance-function">The control types I would use first in a finance function</h2>
<p>Good accounting control design is usually a mix of four types. The label matters less than the function, but the mix matters a lot. If a process relies only on detective controls, problems are found late. If it relies only on preventive controls, it can become slow and rigid. The point is balance.</p>
<table>
  <tbody>
    <tr>
      <th>Control type</th>
      <th>What it does</th>
      <th>Common accounting example</th>
      <th>Where it works best</th>
    </tr>
    <tr>
      <td>Preventive</td>
      <td>Stops an error or misuse before it happens</td>
      <td>Approval limits for payments, restricted system access, three-way match before invoice payment</td>
      <td>High-risk transactions and access-sensitive processes</td>
    </tr>
    <tr>
      <td>Detective</td>
      <td>Finds mistakes after the transaction has happened</td>
      <td>Bank reconciliations, variance reviews, exception reports</td>
      <td>Processes where review is cheaper than blocking every transaction upfront</td>
    </tr>
    <tr>
      <td>Corrective</td>
      <td>Fixes the issue and reduces the chance of repeat failure</td>
      <td>Adjusting entries, password resets after role changes, process remediation after a failed test</td>
      <td>Anywhere a control failure has already shown up and needs remediation</td>
    </tr>
    <tr>
      <td>Compensating</td>
      <td>Offsets a weakness when the ideal control is not possible</td>
      <td>Extra supervisory review when one person handles a small process alone</td>
      <td>Smaller teams and temporary staffing gaps</td>
    </tr>
  </tbody>
</table>
<p>In practice, preventive controls are strongest when the risk is severe, like unauthorized payments or incorrect bank access. Detective controls are often the workhorses of accounting because they are practical and scalable. Corrective and compensating controls matter because real finance teams rarely operate in perfect conditions. People leave, systems change, and the process still has to run. That reality becomes clearer when you look at the controls that protect the daily accounting cycle.</p>

<h2 id="day-to-day-examples-that-protect-cash-revenue-and-the-close">Day-to-day examples that protect cash, revenue, and the close</h2>
<p>The best way to understand accounting controls is to look at where money moves. That is where risk is concentrated, and that is where a control failure becomes visible fast.</p>

<h3 id="cash-and-banking">Cash and banking</h3>
<p>Cash should never be handled as if trust alone is enough. I want bank reconciliations prepared monthly, reviewed by someone independent of cash posting, and cleared items explained rather than waved through. If a company has meaningful volume, I also want positive pay or equivalent bank-side protection. These controls matter because cash is liquid, fast-moving, and hard to recover once it disappears.</p>

<h3 id="payables-and-vendor-setup">Payables and vendor setup</h3>
<p>Accounts payable is one of the easiest places for fraud and error to hide. A strong process separates vendor creation, invoice approval, and payment release. The <strong>three-way match</strong> between purchase order, receiving record, and invoice is still one of the most practical controls in accounting because it catches overbilling, duplicate invoicing, and orders that were never received. Vendor master changes deserve extra review because fake or altered vendor records are a classic weak point.</p>

<h3 id="revenue-receivables-and-credit">Revenue, receivables, and credit</h3>
<p>Revenue controls should make sure sales are recorded only when the underlying event has occurred and the supporting evidence exists. That means checking contract terms, shipment or service completion, and any returns or credits. On the receivables side, aging reports and collection reviews help spot accounts that are drifting out of range. The goal is not just accuracy; it is also early warning. If receivables are slipping, the control should show that before the close turns into a rescue mission.</p>

<h3 id="payroll-and-employee-changes">Payroll and employee changes</h3>
<p>Payroll is sensitive because it combines people data, payment processing, and timing pressure. I expect controls around new hires, terminations, rate changes, and overtime approval. A company should also review payroll master files for unusual changes and restrict who can edit employee records. Payroll fraud often begins with a simple access problem, not a complex scheme.</p>

<h3 id="month-end-close-and-journal-entries">Month-end close and journal entries</h3>
<p>Month-end close is where many accounting problems either get caught or quietly rolled forward. I like controls over journal entry approval, late adjustments, account reconciliations, and unusual manual postings. Manual journal entries deserve extra scrutiny because they can bypass normal process logic. If a team can explain every large or unusual entry in plain language, the close is usually in better shape than if it depends on vague review notes.</p>
<p>These controls sound basic, but in accounting, the basics are where losses and misstatements usually start. The real failure is rarely a missing policy; it is a process that looks controlled on paper and feels loose in practice.</p>

<h2 id="why-controls-fail-even-when-the-policy-looks-fine">Why controls fail even when the policy looks fine</h2>
<p>Most control failures come from a handful of predictable problems. The first is <strong>segregation of duties</strong> failure, where one person can initiate, approve, and record the same transaction. The second is stale review, where reconciliations or approvals happen too late to matter. The third is access creep, where employees keep permissions long after their role changed.</p>
<ul>
  <li>One person can create, approve, and pay a transaction.</li>
  <li>Reconciliations are done, but nobody clears the exceptions.</li>
  <li>System access is never reviewed after promotions, transfers, or terminations.</li>
  <li>Controls exist, but the team cannot produce evidence that they were performed.</li>
  <li>Exception reports are generated automatically and ignored automatically.</li>
  <li>People rely on spreadsheets without version control or review discipline.</li>
</ul>
<p>There is also a distinction that matters in audits and governance discussions: a control can be well designed and still fail in operation. That is the difference between <strong>design effectiveness</strong> and <strong>operating effectiveness</strong>. A control may look reasonable in a policy document, but if it is not performed consistently, it does not protect the company in the real world. The SEC also treats severe issues seriously enough that a combination of deficiencies can rise to a material weakness, which changes how management can describe the control environment.</p>
<p>Once you know how controls break, building them becomes a design problem rather than an abstract accounting debate.</p>

<h2 id="how-to-design-controls-that-hold-up-under-pressure">How to design controls that hold up under pressure</h2>
<p>When I help shape a control structure, I start with the process, not the policy. The best controls are tied to a specific risk, owned by a named person, performed on a defined schedule, and supported by evidence that someone else can review.</p>
<ol>
  <li>Map the process from start to finish so you can see where money, data, and approvals actually move.</li>
  <li>Identify the highest-risk points, especially where someone could misstate balances, move cash, or override a check.</li>
  <li>Choose the lightest control that still meaningfully reduces the risk, rather than piling on approvals that nobody reads.</li>
  <li>Assign one owner, one frequency, and one evidence standard for each key control.</li>
  <li>Build in review and exception handling so the control does something with the problems it finds.</li>
  <li>Test the control periodically and update it when systems, staffing, or transaction volume changes.</li>
</ol>
<p>Automation helps, but only when the underlying logic is sound. In 2026, many accounting processes run through cloud ERPs, payroll systems, and payment platforms, so IT access and change controls are part of the accounting control story whether teams label them that way or not. If a system lets the wrong person edit master data or post unsupported entries, the accounting process inherits that weakness immediately. That is why control design and technology design now belong in the same conversation.</p>
<p>That design work becomes especially important once U.S. reporting obligations enter the picture.</p>

<h2 id="what-us-reporting-rules-change-for-public-companies">What U.S. reporting rules change for public companies</h2>
<p>For U.S. public companies, internal controls are not just a management preference. They connect directly to SEC reporting expectations and, for many issuers, to Sarbanes-Oxley Section 404. Management must assess internal control over financial reporting, and if there is one or more material weakness, management cannot conclude that the system is effective.</p>
<p>That rule changes behavior in a useful way. It pushes companies to document the framework they use, test controls with some discipline, and disclose material weaknesses instead of pretending the issue is minor. COSO remains the common framework because it gives management and auditors a shared language for evaluation. That shared language matters when boards, auditors, and finance teams need to discuss not just whether a control exists, but whether it actually works.</p>
<ul>
  <li>Public companies generally need a formal ICFR assessment.</li>
  <li>Material weaknesses must be disclosed when identified.</li>
  <li>Auditor attestation is part of the reporting structure for many issuers.</li>
  <li>Private companies may not face the same disclosure burden, but lenders, investors, and boards still expect disciplined controls.</li>
</ul>
<p>Even where the law is less demanding, the business case remains the same. Reliable accounting supports financing, due diligence, tax work, and strategic decision-making. If the books are fragile, everything built on top of them becomes fragile too. That is why I usually finish with the question of where to begin if the company cannot fix everything at once.</p>

<h2 id="if-i-were-tightening-a-finance-function-this-quarter-i-would-start-here">If I were tightening a finance function this quarter, I would start here</h2>
<p>I would not start with software. I would start with the few controls that protect the most exposed parts of the ledger and cash flow. In most small and mid-sized companies, that means bank reconciliations, vendor master access, payment approvals, journal entries, and month-end review of unusual balances.</p>
<ul>
  <li>Require monthly bank reconciliations with documented review and exception follow-up.</li>
  <li>Separate vendor setup from invoice approval and payment release wherever staffing allows.</li>
  <li>Review who can post journal entries, edit master data, and approve payments.</li>
  <li>Use an approval matrix with clear dollar thresholds so decisions are not improvised.</li>
  <li>Track outstanding reconciling items, not just the reconciliations themselves.</li>
</ul>
<p>If a company gets those five areas right, most of the rest becomes easier to manage. The real goal is not control theater; it is a system that makes errors harder to miss, fraud harder to hide, and reporting easier to trust.</p>]]></content:encoded>
      <author>Cole Mitchell</author>
      <category>Accounting</category>
      <media:thumbnail url="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/thumbnail/cef464c46c3947bdfffaf459dbef3a55/accounting-internal-controls-your-guide-to-stronger-finance.webp"/>
      <pubDate>Tue, 16 Jun 2026 14:07:00 +0200</pubDate>
    </item>
    <item>
      <title>What is CLM? Your Guide to Contract Lifecycle Management</title>
      <link>https://perez-girona.com/what-is-clm-your-guide-to-contract-lifecycle-management</link>
      <description>Unlock contract control! Learn what CLM is, how it works, and its benefits for your business. Maximize efficiency and minimize risk.</description>
      <content:encoded><![CDATA[<p>Contract lifecycle management (CLM) is the system organizations use to create, review, approve, sign, store, and monitor contracts without losing control of the details. It matters because contracts are not static documents: they carry obligations, deadlines, risk, and revenue impact. This article breaks down how a CLM system works, where it adds value, and what to look for if you are deciding whether your business needs one.</p>

<div class="short-summary">
  <h2 id="clm-is-the-control-layer-behind-contract-work">CLM is the control layer behind contract work</h2>
  <ul>
    <li>CLM means managing contracts from request and drafting through approval, execution, performance, renewal, and close-out.</li>
    <li>A CLM system combines templates, workflows, storage, search, reporting, and often e-signature in one process.</li>
    <li>The real benefit is not simple document storage; it is visibility, consistency, and fewer missed obligations.</li>
    <li>Legal, sales, procurement, finance, and operations teams all benefit when contracts move through one governed workflow.</li>
    <li>By 2026, many CLM platforms include AI-assisted review and clause extraction, but clean templates and rules still matter more than the tool itself.</li>
  </ul>
</div>

<h2 id="what-a-clm-system-actually-is">What a CLM system actually is</h2>
<p>I think of a CLM system as the operating layer for contracts. It is more than a repository. A good platform gives a business one place to manage templates, clause libraries, approval rules, version history, execution, and post-signature obligations.</p>
<p>That distinction matters. A shared drive can store PDFs, but it cannot reliably tell you which version is current, who still needs to approve a redline, when a renewal notice is due, or which vendor terms create exposure for the business. A CLM platform is designed to answer those questions quickly and consistently.</p>
<p>In a U.S. business context, that usually means legal is not the only team touching the contract. Sales wants speed, procurement wants control over vendor terms, finance wants visibility into commercial commitments, and leadership wants clean reporting. CLM sits in the middle of those needs.</p>
<p>At its best, it turns contract work from a fragmented document chase into a repeatable business process. That process is easier to see once you map the lifecycle itself.</p>

<p><img src="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/post_image/4e58f74bf963efa862fb81923b884b3c/contract-lifecycle-management-workflow-diagram-stages.webp" class="image article-image" loading="lazy" alt="Diagram illustrating the contract lifecycle management (CLM) process, from initiation and review to renewal and storage."></p>

<h2 id="the-stages-a-clm-platform-should-cover">The stages a CLM platform should cover</h2>
<p>A useful CLM system covers the full contract lifecycle, not just signature day. The exact workflow changes by organization, but the core stages stay the same.</p>
<table>
  <tbody>
    <tr>
      <th>Stage</th>
      <th>What happens</th>
      <th>Why it matters</th>
    </tr>
    <tr>
      <td>Request</td>
      <td>A business user asks for a new agreement or amendment.</td>
      <td>Creates a tracked entry point instead of starting in email or chat.</td>
    </tr>
    <tr>
      <td>Drafting</td>
      <td>A template, playbook, or clause library generates the first draft.</td>
      <td>Reduces blank-page drafting and improves consistency.</td>
    </tr>
    <tr>
      <td>Review and negotiation</td>
      <td>Legal and counterparties redline terms, exceptions, and risk points.</td>
      <td>Keeps changes visible and version-controlled.</td>
    </tr>
    <tr>
      <td>Approval</td>
      <td>Internal stakeholders sign off based on value, risk, or policy.</td>
      <td>Prevents unauthorized commitments and slow manual routing.</td>
    </tr>
    <tr>
      <td>Execution</td>
      <td>The agreement is signed, usually with e-signature tools.</td>
      <td>Creates a clear record of assent and timing.</td>
    </tr>
    <tr>
      <td>Post-signature management</td>
      <td>Obligations, deliverables, renewals, and notices are tracked.</td>
      <td>This is where many businesses recover the most value and avoid missed deadlines.</td>
    </tr>
    <tr>
      <td>Close-out</td>
      <td>The contract expires, terminates, or is archived after completion.</td>
      <td>Preserves history and clears inactive obligations from active workflows.</td>
    </tr>
  </tbody>
</table>
<p>The stage many teams underestimate is post-signature management. Once the signature is done, the risk does not disappear. Delivery dates, reporting obligations, auto-renewals, and termination notices still need attention, and that is where a weak process gets expensive.</p>
<p>When you understand the lifecycle, the next question is simple: why not just manage all of this with folders, spreadsheets, and email?</p>

<h2 id="why-businesses-move-beyond-scattered-documents">Why businesses move beyond scattered documents</h2>
<p>For a small number of low-risk agreements, manual management can survive longer than people expect. But once volume rises, the cracks show fast. Version confusion, missed renewals, and unclear ownership are not rare edge cases; they are the normal failure modes of unmanaged contract work.</p>
<table>
  <tbody>
    <tr>
      <th>Issue</th>
      <th>Manual approach</th>
      <th>With CLM</th>
    </tr>
    <tr>
      <td>Version control</td>
      <td>Multiple drafts live in inboxes and shared folders.</td>
      <td>One tracked version with visible changes and history.</td>
    </tr>
    <tr>
      <td>Approvals</td>
      <td>Approvals happen through email threads and are hard to audit.</td>
      <td>Rules route the contract to the right people automatically.</td>
    </tr>
    <tr>
      <td>Renewals</td>
      <td>Notice periods are easy to miss.</td>
      <td>Renewal dates and reminders are centralized and visible.</td>
    </tr>
    <tr>
      <td>Reporting</td>
      <td>Finding obligations or contract status takes manual effort.</td>
      <td>Metadata and dashboards show what is active, pending, or at risk.</td>
    </tr>
    <tr>
      <td>Audit trail</td>
      <td>It is difficult to prove who changed what and when.</td>
      <td>Activity logs preserve a clean record for governance and review.</td>
    </tr>
  </tbody>
</table>
<p>The practical difference is speed with control. I see teams lose days not because contracts are legally complex, but because nobody can answer basic operational questions fast enough. A CLM system removes a lot of that friction without asking people to become process experts.</p>
<p>That value becomes more obvious in the teams that handle contracts all day, not once in a while.</p>

<h2 id="who-gets-the-most-value-from-clm">Who gets the most value from CLM</h2>
<p>CLM is not only for legal departments. In most U.S. organizations, the best results come when several teams use the same system for different reasons.</p>
<ul>
  <li>
<strong>Legal teams</strong> use CLM to standardize templates, control risk language, and reduce repetitive drafting.</li>
  <li>
<strong>Sales teams</strong> use it to move MSAs, order forms, and amendments faster without losing legal oversight.</li>
  <li>
<strong>Procurement teams</strong> use it to manage vendor agreements, approvals, and renewal leverage.</li>
  <li>
<strong>Finance teams</strong> use it to track commercial commitments, payment terms, and exposure.</li>
  <li>
<strong>Operations and governance teams</strong> use it to keep contract records auditable and searchable.</li>
</ul>
<p>CLM tends to pay off fastest in businesses with repeatable contract types, a steady approval chain, and real renewal risk. That includes SaaS companies, manufacturers, healthcare organizations, financial services firms, and any company that depends on vendor or customer agreements across multiple departments.</p>
<p>There is also a point where CLM is probably too much system for the job. If a business handles only a small number of simple contracts each month, disciplined templates, a shared calendar, and clear ownership may be enough. I would not push software where process discipline alone will do the job.</p>
<p>Once the workflow is clear, the next issue is selection: what should a CLM platform actually do well?</p>

<h2 id="what-to-look-for-in-a-clm-platform">What to look for in a CLM platform</h2>
<p>By 2026, many platforms advertise AI, automation, and analytics. Those features are useful only when they sit on top of a clean process. I usually look for a system that solves the basics first and adds intelligence second.</p>
<table>
  <tbody>
    <tr>
      <th>Capability</th>
      <th>Why it matters</th>
      <th>What to watch for</th>
    </tr>
    <tr>
      <td>Templates and clause library</td>
      <td>Standardizes the first draft and reduces risky improvisation.</td>
      <td>If every contract starts from scratch, the system is not helping enough.</td>
    </tr>
    <tr>
      <td>Workflow automation</td>
      <td>Routes approvals to the right people without manual chasing.</td>
      <td>Email-heavy approval chains usually become bottlenecks again.</td>
    </tr>
    <tr>
      <td>Search and metadata</td>
      <td>Makes it easy to find contracts by counterparty, term, value, or status.</td>
      <td>Full-text search alone is not enough if the metadata is weak.</td>
    </tr>
    <tr>
      <td>Obligation tracking</td>
      <td>Surfaces post-signature commitments and renewal dates.</td>
      <td>If obligations disappear after signature, the lifecycle is incomplete.</td>
    </tr>
    <tr>
      <td>Integrations</td>
      <td>Connects with CRM, ERP, e-signature, and document tools.</td>
      <td>Duplicate data entry undermines adoption fast.</td>
    </tr>
    <tr>
      <td>Audit trail and permissions</td>
      <td>Shows who changed what and controls access to sensitive terms.</td>
      <td>Weak permissions can create more risk than the old process.</td>
    </tr>
    <tr>
      <td>AI-assisted review</td>
      <td>Helps extract data, flag clauses, and speed up review.</td>
      <td>AI should follow your playbook, not replace it.</td>
    </tr>
  </tbody>
</table>
<p>If I had to reduce the selection test to one sentence, it would be this: the platform should make it easier to follow your contract policy than to bypass it. That is the standard that separates real CLM from software that only looks sophisticated in a demo.</p>
<p>Even then, systems fail when the rollout is careless. The tool matters, but implementation matters more.</p>

<h2 id="where-clm-projects-go-wrong">Where CLM projects go wrong</h2>
<p>Most CLM failures are not technology failures. They are scope, ownership, and governance failures. The same mistakes show up repeatedly.</p>
<ul>
  <li>
<strong>Buying software before defining the process</strong> leads to a tool that mirrors confusion instead of fixing it.</li>
  <li>
<strong>Trying to digitize every legacy contract</strong> creates a migration project that never ends.</li>
  <li>
<strong>Letting legal own everything alone</strong> limits adoption because the business teams stop seeing the system as theirs.</li>
  <li>
<strong>Automating bad templates</strong> makes bad language move faster, which is the opposite of control.</li>
  <li>
<strong>Ignoring training</strong> leaves people reverting to email and shared drives the moment they are busy.</li>
</ul>
<p>The cleanest rollout starts with a narrow contract set, a few well-defined approval paths, and clear ownership after go-live. I also prefer to clean up the highest-value templates before importing the rest of the archive. That gives the team a real working system instead of a giant digital storage bin.</p>
<p>Those mistakes are fixable, which brings us to the part that usually decides whether CLM actually earns its keep.</p>

<h2 id="the-real-payoff-is-control-after-signature">The real payoff is control after signature</h2>
<p>The best CLM programs do not just speed up signatures. They make contracts operational. That means the business can see obligations, enforce standards, manage renewals, and prove what happened without digging through inboxes.</p>
<ul>
  <li>Sales cycles move faster because approvals are routed instead of negotiated from scratch every time.</li>
  <li>Legal spends less time redoing routine work and more time on exceptions.</li>
  <li>Procurement keeps better leverage because renewal dates and vendor terms are visible.</li>
  <li>Finance and operations get cleaner data for forecasting and compliance.</li>
</ul>
<p>If a CLM system only stores documents, it is not yet doing the real job. The real job is to turn contracts into a governed, searchable, measurable business process. That is the difference between having agreements on file and having control over them.</p>]]></content:encoded>
      <author>Rocky Daniel</author>
      <category>Contracts</category>
      <media:thumbnail url="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/thumbnail/86743ba9d46fafe36eb711c84e7dad96/what-is-clm-your-guide-to-contract-lifecycle-management.webp"/>
      <pubDate>Sun, 14 Jun 2026 09:09:00 +0200</pubDate>
    </item>
    <item>
      <title>Nonprofit Cybersecurity - Essential Steps to Protect Your Mission</title>
      <link>https://perez-girona.com/nonprofit-cybersecurity-essential-steps-to-protect-your-mission</link>
      <description>Boost your nonprofit&apos;s cybersecurity! Learn practical steps to protect donor data, prevent phishing, and recover from ransomware. Get our guide now!</description>
      <content:encoded><![CDATA[<p>Nonprofit cybersecurity is really an operations issue: when donor records, case notes, payroll files, or volunteer accounts are exposed, the damage hits trust and service delivery at the same time. The practical question is not whether a small team can build perfect defense; it is which controls actually reduce risk fast, at a cost a nonprofit can sustain. I focus below on the threats that matter most in the United States in 2026, and on the steps I would put in place first.</p>

<div class="short-summary">
  <h2 id="the-fastest-wins-are-access-control-backups-and-clear-ownership">The fastest wins are access control, backups, and clear ownership</h2>
  <ul>
    <li>Most attacks against smaller organizations start with phishing, stolen credentials, or weak access control, so identity protection comes first.</li>
    <li>Offline or immutable backups matter because they turn ransomware from a catastrophe into a recovery problem.</li>
    <li>Data minimization is underrated: the less donor and client data you retain, the less you have to defend.</li>
    <li>Volunteers, contractors, and board members need simple rules and only the access their role truly requires.</li>
    <li>A written incident response plan should exist before an incident, not after one.</li>
  </ul>
</div>

<p><img src="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/post_image/3bc9d886e1a320afbaa7a15c24cf84f2/nonprofit-cybersecurity-phishing-ransomware-donor-data-backup-diagram.webp" class="image article-image" loading="lazy" alt="A scroll graphic and text promoting cybersecurity for nonprofits and a certificate to protect data missions."></p>

<h2 id="where-nonprofits-are-most-exposed">Where nonprofits are most exposed</h2>
<p>In my experience, the weakest point is rarely the whole network; it is one account, one device, or one third-party service that was easier to reach than it should have been. Donation platforms, CRM systems, shared inboxes, cloud storage, payroll tools, and board portals all sit in the attack surface, which means a nonprofit can be compromised without anyone touching the main office computer.</p>
<p>The most common entry points are still painfully ordinary. Phishing emails try to steal logins or push someone into opening a malicious attachment. Business email compromise tricks finance staff into changing payment instructions. Lost or stolen laptops expose files that were never encrypted. Vendor compromise is another quiet risk: if a provider holding donor or case data is weak, your organization inherits part of that weakness.</p>
<p>I would also flag a governance problem that comes up often in smaller organizations: access is created faster than it is removed. Staff leave, volunteers rotate, interns end, and old accounts linger. That creates unnecessary exposure and makes it harder to tell who actually has access to sensitive records. CISA notes that more than 90% of successful cyberattacks start with phishing, which is exactly why email, credential hygiene, and account control deserve so much attention.</p>
<p>Once those entry points are visible, the next step is to build a baseline that closes them without slowing the mission.</p>

<h2 id="the-baseline-controls-i-would-put-in-first">The baseline controls I would put in first</h2>
<p>If I had to build a small nonprofit security program from scratch, I would start with identity and recovery. MFA is the first control I want on email, finance, CRM, and admin accounts because it blocks a huge amount of opportunistic abuse. For a broader structure, I like NIST CSF 2.0 because it is built for organizations of any size, sector, or maturity, which makes it a practical framework for a charity with a tiny IT budget or a national foundation with a larger one.</p>
<table>
  <tbody>
    <tr>
      <th>Priority</th>
      <th>Control</th>
      <th>What I would do</th>
      <th>Typical effort</th>
    </tr>
    <tr>
      <td>Highest</td>
      <td>Multi-factor authentication</td>
      <td>Turn it on for email, finance, CRM, file storage, and every admin account</td>
      <td>Same day</td>
    </tr>
    <tr>
      <td>Highest</td>
      <td>Offline or immutable backups</td>
      <td>Keep one backup copy isolated from daily systems and test a restore</td>
      <td>1 to 2 days</td>
    </tr>
    <tr>
      <td>High</td>
      <td>Patch management</td>
      <td>Auto-update operating systems and apps, then set a weekly review window</td>
      <td>Ongoing</td>
    </tr>
    <tr>
      <td>High</td>
      <td>Least privilege</td>
      <td>Remove standing admin rights and give people only the access they need</td>
      <td>1 to 3 days</td>
    </tr>
    <tr>
      <td>High</td>
      <td>Device encryption</td>
      <td>Encrypt laptops and phones and require screen locks</td>
      <td>Same day</td>
    </tr>
    <tr>
      <td>Medium</td>
      <td>Email authentication</td>
      <td>Configure SPF, DKIM, and DMARC for your domain to reduce spoofing</td>
      <td>1 to 2 weeks</td>
    </tr>
    <tr>
      <td>Medium</td>
      <td>Endpoint protection</td>
      <td>Use managed antivirus or EDR on every owned device</td>
      <td>1 to 3 days</td>
    </tr>
  </tbody>
</table>
<p>I treat MFA as a first-day control because it changes the economics of account takeover. If an attacker still has to pass a second factor, the odds of easy compromise drop sharply. Backups, meanwhile, are only real protection if they are tested. A backup that has never been restored is a hope, not a control. Email authentication matters because spoofed messages are still one of the most efficient ways to impersonate executives, vendors, and donors.</p>
<p>Once the basics are in place, the harder work is deciding what data you keep, who can see it, and how long you keep it.</p>

<h2 id="how-to-protect-donor-client-and-volunteer-data">How to protect donor, client, and volunteer data</h2>
<p>I usually group nonprofit data into three buckets: public, internal, and restricted. Public content can live on the website. Internal operational data belongs in standard collaboration tools with strong access controls. Restricted data such as donor payment details, Social Security numbers, medical or counseling information, background checks, or abuse reports needs tighter permissioning, shorter retention, and better logging.</p>
<p>One of the most useful habits is data minimization. If you do not need a field in a form, do not collect it. If you do not need a file after a campaign ends, delete it. If you no longer need exported spreadsheets with donor information, remove them. That sounds simple, but a lot of risk lives in old exports, personal inboxes, and shadow copies that nobody remembers creating.</p>
<p>I also want to separate the system of record from the copies that spread across operations. A system of record is the primary application where the authoritative version of the data lives. Everything else should be treated as a working copy, not the source of truth. That distinction matters because it limits how many places sensitive data can drift into.</p>
<ul>
  <li>Use role-based access so finance, development, programs, and leadership each see only what they need.</li>
  <li>Encrypt restricted data at rest and in transit, especially on laptops, mobile devices, and file-sharing platforms.</li>
  <li>Set a retention schedule for donor records, applications, case notes, and board packets.</li>
  <li>Require secure disposal for paper records, exported files, and old devices.</li>
  <li>Review who can access the CRM, shared drives, and payment dashboards at least quarterly.</li>
</ul>
<p>The organizations that do this well tend to be boring in a good way: they keep fewer copies, grant fewer standing permissions, and can explain where sensitive data lives without scrambling. That discipline matters even more when people move in and out of the organization quickly, which is why training and offboarding need to be handled as one workflow.</p>

<h2 id="how-to-train-staff-and-volunteers-without-wasting-their-time">How to train staff and volunteers without wasting their time</h2>
<p>Security awareness training fails when it is long, generic, and disconnected from daily work. I would rather see a 10-minute onboarding session and a few short refreshers each quarter than one annual lecture nobody remembers. The goal is not to turn staff into analysts; it is to make the right response automatic when a message, link, request, or attachment looks off.</p>
<ol>
  <li>Teach the three most common warning signs: urgency, secrecy, and a change in payment or login behavior.</li>
  <li>Require a second-channel verification step for bank detail changes, wire transfers, gift card requests, and vendor payment updates.</li>
  <li>Ban shared passwords. Shared accounts make audit trails messy and offboarding risky.</li>
  <li>Give everyone one clear reporting path for suspicious email, lost devices, and accidental disclosures.</li>
  <li>Run short phishing simulations or tabletop scenarios that reflect the actual emails your staff receives.</li>
  <li>Use an offboarding checklist so access disappears the same day an employee or volunteer leaves.</li>
</ol>
<p>For volunteers, I would simplify even further. They should know how to log in, how to report a suspicious message, what data they are allowed to handle, and what to do if a device is lost. Anything more complicated tends to be forgotten. The point is to reduce the number of judgment calls people have to make under pressure.</p>
<p>Training reduces the odds of a mistake, but the real test comes when a mistake still slips through, which is why response planning matters.</p>

<h2 id="what-to-do-when-an-incident-happens-anyway">What to do when an incident happens anyway</h2>
<p>A good incident plan is short enough to use and specific enough to matter. I want it to answer five questions before the event: who can freeze a payment, who resets accounts, who talks to leadership, who calls outside counsel or the insurer, and who decides when to notify affected people. In a small nonprofit, unclear authority causes avoidable damage.</p>
<table>
  <tbody>
    <tr>
      <th>Incident</th>
      <th>First moves</th>
      <th>Why it matters</th>
    </tr>
    <tr>
      <td>Suspicious wire or ACH change</td>
      <td>Pause the transfer, call the bank, verify using a second channel</td>
      <td>Can prevent immediate fund loss</td>
    </tr>
    <tr>
      <td>Phishing click or account takeover</td>
      <td>Reset passwords, revoke active sessions, inspect mailbox rules</td>
      <td>Limits lateral movement and email fraud</td>
    </tr>
    <tr>
      <td>Ransomware on a laptop or server</td>
      <td>Isolate the device, disconnect affected systems, preserve backups</td>
      <td>Reduces spread and speeds recovery</td>
    </tr>
    <tr>
      <td>Lost or stolen device</td>
      <td>Remote wipe if possible, revoke tokens, review synced files</td>
      <td>Prevents a local loss from becoming a data incident</td>
    </tr>
    <tr>
      <td>Data exposure</td>
      <td>Determine scope, preserve logs, involve counsel early</td>
      <td>Breach notice duties vary by state</td>
    </tr>
  </tbody>
</table>
<p>Two rules matter here. First, if you cannot restore a system in a test, it is not a recovery plan. Second, if a transfer or login request feels unusual, the right answer is verification, not speed. I also tell boards to preselect outside help before an incident, because the first hour is the wrong time to be comparing law firms or forensics vendors.</p>
<p>With those decisions made in advance, governance becomes less abstract and much easier to run.</p>

<h2 id="governance-vendors-and-the-30-day-rollout-i-would-use">Governance, vendors, and the 30-day rollout I would use</h2>
<p>Nonprofit leaders often think of cybersecurity as an IT issue, but it belongs on the governance agenda. The board does not need technical detail on every control, but it does need visibility into risk, exceptions, and the status of the basics. I would ask for a simple monthly report: MFA coverage, backup success, patch status, open incidents, and outstanding vendor reviews.</p>
<h3 id="what-the-board-should-ask-for">What the board should ask for</h3>
<ul>
  <li>A one-page risk register that lists the top data, operational, and vendor risks.</li>
  <li>Named ownership for incident response, access reviews, and backup testing.</li>
  <li>A current inventory of systems that hold donor, client, payroll, and financial data.</li>
  <li>A vendor list that shows which providers can access sensitive information.</li>
  <li>An annual review of cyber insurance, policies, and training completion.</li>
</ul>
<p>Insurance can help absorb the cost of an incident, but it does not stop account takeover or ransomware. I treat it as a financial backstop, not a substitute for controls. The same is true for outsourced IT: external help is useful, but only if the nonprofit still understands what it owns and who can act when something goes wrong.</p>
<h3 id="a-30-day-rollout">A 30-day rollout</h3>
<ol>
  <li>Week 1: enforce MFA, inventory all active accounts, and separate admin logins from normal user logins.</li>
  <li>Week 2: verify backups, run one restore test, and turn on automatic patching wherever possible.</li>
  <li>Week 3: review access for staff, volunteers, and vendors, then remove anything unnecessary.</li>
  <li>Week 4: run a short incident tabletop, brief the board, and configure email authentication if it is still missing.</li>
</ol>
<p>If I had to choose only five controls for a resource-constrained organization, I would pick MFA, offline backups, patching, access review, and a written incident plan. That mix will not eliminate risk, but it will sharply reduce the chance that one bad click turns into a mission-threatening outage.</p>]]></content:encoded>
      <author>Rocky Daniel</author>
      <category>Nonprofit Operations</category>
      <media:thumbnail url="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/thumbnail/bc67ff5b9ffa06ba81d4214090e1627b/nonprofit-cybersecurity-essential-steps-to-protect-your-mission.webp"/>
      <pubDate>Wed, 10 Jun 2026 14:50:00 +0200</pubDate>
    </item>
    <item>
      <title>Nonprofit Indirect Cost Rate - What&apos;s the Real Average?</title>
      <link>https://perez-girona.com/nonprofit-indirect-cost-rate-whats-the-real-average</link>
      <description>Unlock nonprofit indirect cost rates! Learn the average, why rates vary, and how to calculate yours accurately. Get expert tips now!</description>
      <content:encoded><![CDATA[<p>Nonprofit budgeting gets messy quickly when overhead is treated as an afterthought. When people ask what the average indirect cost rate for nonprofits is, I usually split the answer into two numbers: the rate applied to direct costs and the share of total project cost that overhead actually represents. Those are not the same, and the difference is where a lot of grant conversations go off track.</p>

<div class="short-summary">
  <h2 id="the-main-numbers-to-keep-in-view">The main numbers to keep in view</h2>
  <ul>
    <li>For many US nonprofits, a practical planning range is <strong>20% to 35%</strong> of direct costs, but there is no single national average that fits every organization.</li>
    <li>NIH has said its reported indirect cost rate has averaged about <strong>27% to 28%</strong> over time, which is useful for federally funded research contexts but not for the entire sector.</li>
    <li>The federal <strong>15% de minimis rate</strong> applies to <strong>modified total direct costs</strong>, not to every dollar in the budget.</li>
    <li>A rate of <strong>27%</strong> on direct costs equals only about <strong>21.3%</strong> of total project cost, so the base you use changes the headline number.</li>
    <li>Indirect costs are not waste. They are the systems that keep the mission operating, including finance, HR, audit, IT, facilities, and governance support.</li>
  </ul>
</div>

<h2 id="what-indirect-costs-actually-cover">What indirect costs actually cover</h2>
<p>Indirect costs are the expenses that support the whole organization rather than one specific program. I think of them as the backbone costs: bookkeeping, payroll, HR, insurance, audit, rent, utilities, compliance systems, and the leadership time that keeps the operation stable.</p>
<p>That is why the label matters less than the function. Some funders call these costs overhead, some call them administrative costs, and federal rules often use the term facilities and administration. The accounting logic is the same: these are real costs, but they are not tied neatly to one line item in one grant.</p>

<table>
  <tbody>
    <tr>
      <th>Cost type</th>
      <th>What it usually includes</th>
      <th>Simple example</th>
    </tr>
    <tr>
      <td>Direct costs</td>
      <td>Program staff, supplies, travel, participant materials, contract work tied to one project</td>
      <td>A case manager's salary on a youth program grant</td>
    </tr>
    <tr>
      <td>Indirect costs</td>
      <td>Finance, HR, audit, IT, rent, utilities, executive oversight, depreciation, compliance systems</td>
      <td>The payroll system that supports every program</td>
    </tr>
  </tbody>
</table>

<p>The practical rule I use is simple: if the cost would still exist even if a single grant disappeared, it is probably indirect. Once you separate those buckets cleanly, the benchmark numbers start making sense instead of looking random.</p>

<h2 id="what-the-average-looks-like-in-practice">What the average looks like in practice</h2>
<p>There is no single US average that applies to every nonprofit. The sector is too broad, and the way rates are measured changes the answer. If I need a working benchmark for planning, I use a range instead of a single number.</p>
<p>A sensible planning band for many nonprofits is <strong>20% to 35% of direct costs</strong>. For some federally funded organizations, especially research-heavy ones, NIH has said the average indirect cost rate reported over time has been about <strong>27% to 28%</strong>. That is a helpful public benchmark, but it reflects NIH-related awards, not every nonprofit budget in America.</p>

<table>
  <tbody>
    <tr>
      <th>Benchmark</th>
      <th>How to read it</th>
      <th>What it is good for</th>
    </tr>
    <tr>
      <td>
<strong>15% de minimis</strong> on MTDC</td>
      <td>Federal fallback rate for eligible recipients without a negotiated indirect rate</td>
      <td>Minimum recovery point, not a universal ceiling</td>
    </tr>
    <tr>
      <td>
<strong>20% to 35%</strong> of direct costs</td>
      <td>Common planning range for many nonprofits</td>
      <td>Internal budgets, grant proposals, and board forecasts</td>
    </tr>
    <tr>
      <td>
<strong>27% to 28%</strong> of direct costs</td>
      <td>NIH-reported average over time for its awards</td>
      <td>Federal research and infrastructure-heavy funding conversations</td>
    </tr>
    <tr>
      <td>
<strong>40%+</strong> of direct costs</td>
      <td>Possible for complex, staff-heavy, or infrastructure-intensive organizations</td>
      <td>Large service delivery systems, research, or high-compliance operations</td>
    </tr>
  </tbody>
</table>

<p>The biggest mistake I see is treating the 15% de minimis rate as if it were the sector norm. It is not. It is an option that federal rules give to organizations that do not already have a negotiated rate, and it is calculated on modified total direct costs, not on the full budget. That distinction changes the answer more than most people expect.</p>
<p>If you only remember one thing from this section, remember that the average depends on the base. Fifteen percent of one base is not remotely the same as 15% of another, and that is exactly why the next question is why nonprofit rates vary so much.</p>

<h2 id="why-nonprofit-rates-vary-so-widely">Why nonprofit rates vary so widely</h2>
<p>Two organizations can do equally important work and still need very different indirect rates. A small local nonprofit with a volunteer-heavy model will not have the same overhead structure as a national advocacy group, a shelter with 24/7 staffing, or a research nonprofit that needs lab space and specialized compliance support.</p>
<p>The biggest drivers are usually predictable:</p>
<ul>
  <li>
<strong>Funding mix</strong> - Federal grants, foundation grants, earned revenue, and unrestricted donations all support overhead differently.</li>
  <li>
<strong>Program model</strong> - A case-management nonprofit has different infrastructure needs than a policy shop or research center.</li>
  <li>
<strong>Facility costs</strong> - Rent, utilities, and insurance can be modest in one city and punishing in another.</li>
  <li>
<strong>Compliance burden</strong> - Audit requirements, reporting systems, data security, and procurement controls all add cost.</li>
  <li>
<strong>Organizational scale</strong> - Smaller groups often have a higher overhead percentage because they do not get the efficiency of scale.</li>
</ul>
<p>That last point is easy to miss. A small nonprofit can be run well and still show a higher indirect rate than a larger peer, simply because fixed costs are spread across fewer programs. In governance terms, that is not a flaw; it is an operating reality.</p>
<p>For readers trying to compare organizations, I would be careful with simple overhead rankings. They often reward underinvestment and penalize organizations that are actually building the capacity to deliver responsibly. That is why the calculation method matters so much.</p>

<h2 id="how-to-calculate-your-own-rate-without-distorting-it">How to calculate your own rate without distorting it</h2>
<p>The basic formula is straightforward:</p>
<p><strong>Indirect cost rate = indirect costs divided by the chosen direct-cost base</strong></p>
<p>Most of the confusion comes from the base. If your organization uses direct costs as the base, the math is one thing. If it uses modified total direct costs, or MTDC, the math is different because federal rules exclude certain items from the base.</p>

<table>
  <tbody>
    <tr>
      <th>Example</th>
      <th>Amount</th>
      <th>Result</th>
    </tr>
    <tr>
      <td>Indirect costs</td>
      <td>$180,000</td>
      <td></td>
    </tr>
    <tr>
      <td>Direct cost base</td>
      <td>$600,000</td>
      <td></td>
    </tr>
    <tr>
      <td>Indirect cost rate</td>
      <td></td>
      <td><strong>30%</strong></td>
    </tr>
    <tr>
      <td>Total project cost</td>
      <td>$780,000</td>
      <td></td>
    </tr>
    <tr>
      <td>Indirect as share of total project cost</td>
      <td></td>
      <td><strong>23.1%</strong></td>
    </tr>
  </tbody>
</table>

<p>That gap between 30% and 23.1% is why people talk past each other. One person is quoting the rate on direct costs, while another is talking about overhead as a share of the full budget. Both can be right, but they are answering different questions.</p>
<p>Under federal rules, MTDC excludes items such as equipment, capital expenditures, patient care, tuition remission, scholarships and fellowships, participant support costs, and the portion of each subaward above the first $50,000. If you are using MTDC, I would document the exclusions carefully and keep the treatment consistent across grants.</p>
<p>Once the calculation is clean, the real issue becomes whether the funder will let you recover the amount you actually need.</p>

<h2 id="how-funders-change-what-you-can-recover">How funders change what you can recover</h2>
<p>This is where strategy and compliance meet. A nonprofit's true indirect cost rate is one thing; the rate it can recover is another. Federal grants, pass-through awards, and private foundation grants all have different expectations, and those differences can materially affect cash flow.</p>
<p>Under the Uniform Guidance, eligible recipients without a current negotiated indirect cost rate can elect to use a <strong>15% de minimis rate</strong> on MTDC. If a subrecipient already has a federally negotiated rate, pass-through entities must accept it. That protection matters because it keeps lower-tier funding from forcing organizations into artificial under-recovery.</p>
<p>Private foundations are more variable. Some reimburse a meaningful share of overhead, some use a flat cap, and some still underfund indirect costs in a way that pushes the burden back onto unrestricted donations. I would not assume that every grant opportunity is built on the same logic.</p>

<table>
  <tbody>
    <tr>
      <th>Funding source</th>
      <th>What to check</th>
      <th>Why it matters</th>
    </tr>
    <tr>
      <td>Federal grant</td>
      <td>Negotiated rate, de minimis eligibility, MTDC exclusions</td>
      <td>Determines whether you can recover real infrastructure costs</td>
    </tr>
    <tr>
      <td>Pass-through grant</td>
      <td>Whether your federally negotiated rate must be accepted</td>
      <td>Protects subrecipients from being forced into a lower rate</td>
    </tr>
    <tr>
      <td>Private foundation</td>
      <td>Overhead cap, flat admin allowance, or full-cost policy</td>
      <td>Changes how much unrestricted support you still need</td>
    </tr>
  </tbody>
</table>

<p>Before I submit a budget, I always want four answers: what base is allowed, what costs are excluded, whether the rate is capped, and whether the policy changes for subawards or multi-year awards. Those details often decide whether a grant is actually sustainable.</p>
<p>If you know the rule set before you write the budget, you avoid the next problem, which is the set of bookkeeping mistakes that make a good rate look sloppy.</p>

<h2 id="the-mistakes-that-distort-the-number">The mistakes that distort the number</h2>
<p>I have seen well-run organizations make themselves look weaker than they are simply because the rate was calculated badly. The most common errors are not dramatic, but they are expensive.</p>
<ul>
  <li>
<strong>Mixing direct and indirect costs</strong> - A cost should not be counted in both buckets.</li>
  <li>
<strong>Using the wrong base</strong> - A rate on total budget and a rate on direct costs are not interchangeable.</li>
  <li>
<strong>Leaving out real overhead</strong> - Rent, audit, insurance, IT support, and compliance staffing disappear far too often.</li>
  <li>
<strong>Loading program costs into overhead just to raise recovery</strong> - That may look clever, but it weakens credibility and can create audit risk.</li>
  <li>
<strong>Treating low overhead as a badge of honor</strong> - That often means the organization is subsidizing grants with reserves or underpaying for infrastructure.</li>
  <li>
<strong>Failing to refresh allocations</strong> - A rate that made sense three years ago may be stale after growth, inflation, or a funding shift.</li>
</ul>
<p>These mistakes usually push the number down, not up. That is why many nonprofit leaders think they are being efficient when they are actually underpricing the infrastructure that makes the programs possible.</p>
<p>Clean bookkeeping is not just an accounting preference here. It is part of the organization's governance discipline, because a defensible indirect rate gives the board a realistic view of what it costs to operate the mission.</p>

<h2 id="what-to-do-before-your-next-grant-cycle">What to do before your next grant cycle</h2>
<p>If I were reviewing a nonprofit budget this week, I would not chase a perfect industry average. I would make sure the organization has a defensible rate, a clear cost-allocation method, and a funding strategy that does not force the staff to hide overhead in unrelated lines.</p>
<ul>
  <li>Rebuild the rate from actual costs at least once a year.</li>
  <li>Separate program costs from shared infrastructure costs in a documented way.</li>
  <li>Compare the budgeted rate to what the funder actually allows before the proposal goes out.</li>
  <li>Explain the rate in plain language to the board so governance and finance stay aligned.</li>
  <li>Track the gap between recovered overhead and real overhead, then adjust strategy when the gap widens.</li>
</ul>
<p>The healthiest benchmark is the one your budget can defend and your mission can live with. If the rate is too low, the organization quietly subsidizes grants with reserves, staff burnout, or deferred maintenance. If it is realistic, indirect costs become what they are supposed to be: the operating capacity that lets the program exist in the first place.</p>]]></content:encoded>
      <author>Cole Mitchell</author>
      <category>Nonprofit Operations</category>
      <media:thumbnail url="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/thumbnail/9f0c7ca4453f0d21c3cb12cb452d304b/nonprofit-indirect-cost-rate-whats-the-real-average.webp"/>
      <pubDate>Mon, 08 Jun 2026 12:57:00 +0200</pubDate>
    </item>
    <item>
      <title>Cash Flow vs. Profit: Why Profitable Businesses Fail</title>
      <link>https://perez-girona.com/cash-flow-vs-profit-why-profitable-businesses-fail</link>
      <description>Cash flow vs. profit: Understand the crucial difference for business survival. Learn why profitable businesses run out of cash. Read our guide!</description>
      <content:encoded><![CDATA[<p>The real debate around cash flow vs profit is not academic; it decides whether a business can pay its bills on time, fund growth, and survive a slow month. Profit shows whether the business earned more than it spent over a period, while cash flow shows whether money actually moved in and out when it was needed. In this article, I break down the accounting difference, the U.S. tax angle, the lender perspective, and the practical numbers I would watch each month.</p>

<div class="short-summary">
  <h2 id="the-two-numbers-answer-different-questions">The two numbers answer different questions</h2>
  <ul>
    <li>
<strong>Profit</strong> measures earnings after expenses on the income statement.</li>
    <li>
<strong>Cash flow</strong> measures real money moving through the business, which is what pays payroll, rent, taxes, and suppliers.</li>
    <li>A business can be profitable and still run short on cash because invoices, inventory, loan payments, and payroll do not move on the same schedule.</li>
    <li>In U.S. accounting, the cash method and accrual method recognize revenue and expenses at different times, so timing matters.</li>
    <li>For planning and funding, I rely on monthly cash flow tracking, not just year-end profit figures.</li>
  </ul>
</div>

<h2 id="cash-flow-and-profit-answer-different-questions">Cash flow and profit answer different questions</h2>
<p>I usually explain it this way: <strong>profit is a performance measure</strong>, while <strong>cash flow is a liquidity measure</strong>. Profit comes from the income statement and tells you whether revenue exceeded expenses over a period; cash flow comes from the cash flow statement and shows what actually happened to the money in the bank.</p>
<p>That distinction matters because accounting does not always line up with reality on the calendar. A sale booked today may be paid 45 days later, and an expense can hit profit before cash leaves the account, especially under accrual accounting. If you only look at profit, you can miss a cash squeeze that is already building.</p>
<p>There is also a second layer of confusion: people often say “cash flow” when they really mean <strong>operating cash flow</strong>, but sometimes they mean <strong>free cash flow</strong>, which is operating cash flow after capital spending. Once you separate those terms, the rest of the analysis becomes much clearer. That difference becomes obvious when you compare the numbers side by side.</p>

<h2 id="why-a-profitable-business-can-still-run-short-on-cash">Why a profitable business can still run short on cash</h2>
<p>This is the part that trips up even experienced owners. A business can show healthy profit and still struggle to make payroll if the timing of receipts and payments is off. The reason is simple: profit is recorded when earned, but cash arrives when customers actually pay.</p>
<p>Here are the most common causes I see:</p>
<ul>
  <li>
<strong>Slow collections</strong> - If you invoice on 30-day terms but customers pay in 60 days, your income statement can look fine while your bank balance falls.</li>
  <li>
<strong>Inventory buildup</strong> - Retailers and product businesses often pay for stock weeks before they sell it, which ties up cash.</li>
  <li>
<strong>Payroll and rent timing</strong> - These bills are not negotiable for most businesses and usually arrive before customer cash does.</li>
  <li>
<strong>Equipment purchases</strong> - Buying a $25,000 machine hurts cash immediately, even though the hit to accounting profit is spread over time through depreciation.</li>
  <li>
<strong>Debt principal</strong> - Loan repayments reduce cash but do not always reduce profit in the same way, because only interest hits the income statement.</li>
</ul>
<p>A simple example makes the issue concrete. Suppose a consulting firm books $100,000 of revenue in March and records $70,000 of expenses, so it shows $30,000 of profit. If $60,000 of those invoices are not collected until May, while payroll, software, rent, and taxes still come due in April, the business can feel cash-poor despite a strong profit number. That is not a bookkeeping error; it is a timing problem, and timing problems are often what sink otherwise viable companies.</p>
<p>Once you see the timing gap, the next question is how that gap shows up in formal accounting reports.</p>

<p><img src="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/post_image/494a8fcdb1ef380d9e860c5503d2e552/business-accounting-comparison-chart-for-cash-flow-and-earnings.webp" class="image article-image" loading="lazy" alt="Mind map on a chalkboard illustrating the relationship between cash flow, business, finance, income, profit, and operation."></p>

<h2 id="cash-flow-vs-profit-at-a-glance">Cash flow vs profit at a glance</h2>
<table>
  <tbody>
    <tr>
      <th>Measure</th>
      <th>Where it appears</th>
      <th>What it tells you</th>
      <th>Main blind spot</th>
    </tr>
    <tr>
      <td><strong>Net profit</strong></td>
      <td>Income statement</td>
      <td>Revenue minus expenses after accrual accounting adjustments</td>
      <td>Does not show when the cash was actually collected or paid</td>
    </tr>
    <tr>
      <td><strong>Operating cash flow</strong></td>
      <td>Cash flow statement</td>
      <td>Cash generated by core business operations</td>
      <td>Can look better temporarily if payables are stretched or receivables are delayed</td>
    </tr>
    <tr>
      <td><strong>Free cash flow</strong></td>
      <td>Derived measure</td>
      <td>Cash left after operating needs and capital spending</td>
      <td>Can be negative during growth even when the business is healthy</td>
    </tr>
  </tbody>
</table>
<p>If I had to compress the whole comparison into one sentence, I would say this: <strong>profit tells you whether the business is earning money, and cash flow tells you whether the business can survive its obligations</strong>. That is why lenders, owners, and investors read the same story through different lenses. The U.S. accounting and tax rules make that separation even more important.</p>

<h2 id="how-us-accounting-and-taxes-treat-them-differently">How U.S. accounting and taxes treat them differently</h2>
<p>For federal tax purposes, the IRS distinguishes between cash and accrual accounting. Under the cash method, income is generally recognized when received and expenses when paid; under the accrual method, income is recognized when earned and expenses when incurred. That means the same business can show a different tax picture depending on its accounting method, even though the underlying operations have not changed.</p>
<p>The practical takeaway is straightforward: a reported profit does not always equal spendable cash, and cash in the bank does not always mean the business is highly profitable. A company can collect a large customer prepayment, for example, and look cash-rich before the revenue is fully earned. Another company can ship product, record revenue, and still wait weeks for payment.</p>
<p>The cash flow statement also gives you a cleaner operational view because it separates cash into <strong>operating</strong>, <strong>investing</strong>, and <strong>financing</strong> activities. Operating cash flow covers day-to-day business activity. Investing cash flow captures equipment, property, and acquisitions. Financing cash flow captures loans, repayments, equity injections, and owner distributions. Once you separate those buckets, the business story becomes much easier to read.</p>
<p>This is also why the SBA asks for income statements, balance sheets, and cash flow statements in business planning and financing discussions. A lender does not only want to know that a company is profitable on paper; it wants to know whether the company can actually service debt and survive month to month. That leads directly to the metrics I would track in practice.</p>

<h2 id="what-i-would-track-every-month-in-a-us-business">What I would track every month in a U.S. business</h2>
<p>If I were reviewing a small or mid-sized business, I would not stop at net income. I would build a monthly dashboard that shows both earnings quality and liquidity pressure. The goal is to catch the problem before it turns into a missed payroll or a loan covenant issue.</p>
<ul>
  <li>
<strong>Operating cash flow</strong> - This shows whether core operations are generating cash without relying on one-off financing or asset sales.</li>
  <li>
<strong>Gross margin</strong> - Gross margin tells you how much is left after direct costs, which is often the first sign of pricing pressure or rising input costs.</li>
  <li>
<strong>Net margin</strong> - Net margin shows the bottom-line profit after all expenses, which is useful for judging overall efficiency.</li>
  <li>
<strong>Accounts receivable days</strong> - This measures how long customers take to pay; a jump from 32 days to 58 days can strain cash quickly.</li>
  <li>
<strong>Cash runway</strong> - This is how many months of operating expenses the business can cover with existing cash; it matters most in seasonal or growth-heavy businesses.</li>
  <li>
<strong>Debt service coverage ratio</strong> - This compares operating cash flow to principal and interest payments and is one of the numbers lenders watch closely.</li>
  <li>
<strong>13-week cash forecast</strong> - I consider this the most useful short-term planning tool because it exposes timing gaps that a monthly P&amp;L can hide.</li>
</ul>
<p>Those numbers work best together, not in isolation. A strong gross margin with weak collections still creates cash pressure, and strong cash today can hide a profit problem if the business is relying on one-time receipts. Once the dashboard is in place, the real value comes from avoiding the mistakes that distort both views.</p>

<h2 id="the-mistakes-that-create-bad-decisions">The mistakes that create bad decisions</h2>
<p>Most cash problems are not mysterious; they come from a few recurring errors that are easy to miss when you only skim the P&amp;L. I see the same mistakes repeated because people trust the wrong report for the wrong decision.</p>
<ul>
  <li>
<strong>Assuming profit equals available cash</strong> - It does not, especially when receivables, inventory, or capital spending are large.</li>
  <li>
<strong>Ignoring owner draws, taxes, and debt principal</strong> - These items can drain cash without showing up as ordinary operating expenses.</li>
  <li>
<strong>Counting loan proceeds as earnings</strong> - Borrowed money improves cash temporarily, but it is not revenue and it does not improve profit.</li>
  <li>
<strong>Using only annual reports</strong> - Annual reporting is too slow for a business with weekly payroll and monthly vendor obligations.</li>
  <li>
<strong>Letting receivables age silently</strong> - A few late customers can create a much larger liquidity problem than the margin percentage suggests.</li>
  <li>
<strong>Mixing growth spending with day-to-day operations</strong> - A new vehicle, machine, or office build-out should be planned as investing cash flow, not treated like routine overhead.</li>
</ul>
<p>These mistakes matter because they distort decision-making. If you mistake borrowed cash for profit, you may spend like a business that is stronger than it is. If you mistake accounting profit for liquidity, you may delay financing or collection efforts until the bank account has already become the bottleneck. The safer approach is to decide which number matters first for the specific choice in front of you.</p>

<h2 id="the-rule-i-use-when-the-numbers-disagree">The rule I use when the numbers disagree</h2>
<p>When cash and profit point in different directions, I start with the time horizon. If the question is whether the business can make payroll, pay rent, cover taxes, or meet loan payments in the next 90 days, I trust cash flow first. If the question is whether pricing, margins, and operations are healthy over the next 12 months, I trust profit analysis first.</p>
<p>That rule keeps me from overreacting to temporary timing noise and also prevents me from ignoring real liquidity risk. For a funded, established business, I want both views side by side: a monthly profit and loss statement, a 13-week cash forecast, and a balance sheet that shows working capital pressure. Working capital is simply the money tied up in current assets and current liabilities, and it often explains why the bank balance feels tighter than the income statement suggests.</p>
<p>The final test is practical: if the business cannot convert earnings into cash quickly enough to support its obligations, the profit number is incomplete. If the business has cash today but weak margins or recurring losses, the cash number is only buying time. The healthiest businesses keep both metrics visible, because each one protects a different part of the decision-making process.</p>]]></content:encoded>
      <author>Rocky Daniel</author>
      <category>Accounting</category>
      <media:thumbnail url="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/thumbnail/4f3628acd9df242eb1480ac41053f5ff/cash-flow-vs-profit-why-profitable-businesses-fail.webp"/>
      <pubDate>Fri, 05 Jun 2026 13:40:00 +0200</pubDate>
    </item>
    <item>
      <title>Foundation Endowment: Build Lasting Support &amp; Avoid Pitfalls</title>
      <link>https://perez-girona.com/foundation-endowment-build-lasting-support-avoid-pitfalls</link>
      <description>Unlock the power of a foundation endowment. Learn how to create durable long-term support with expert governance, spending rules, and legal insights.</description>
      <content:encoded><![CDATA[<p>A foundation endowment is not just a pool of invested assets; it is the engine that lets a nonprofit plan beyond the next grant cycle. The real work is in preserving capital, setting a defensible spending rule, and keeping the board aligned when markets move or cash needs change. This article breaks down the legal guardrails, governance choices, and operating habits that make long-term support durable.</p>

<div class="short-summary">
  <h2 id="what-matters-most-before-the-board-commits-capital">What matters most before the board commits capital</h2>
  <ul>
    <li>An endowment is meant to support mission work over many years, not to function as day-to-day cash.</li>
    <li>Boards need a written spending policy, an investment policy, and a clear rule for who approves exceptions.</li>
    <li>Private foundations face a different federal framework than public charities, including payout and excise-tax rules.</li>
    <li>A strong policy balances three pressures at once: mission spending, inflation protection, and liquidity.</li>
    <li>The biggest failures usually come from weak governance, not from a single bad market year.</li>
  </ul>
</div>

<h2 id="what-an-endowment-actually-does-for-a-foundation">What an endowment actually does for a foundation</h2>
<p>I think the cleanest way to understand an endowment is to treat it as <strong>permanent or long-horizon capital</strong> with a rule for how much can be used each year. The principal is invested, a portion of the return is spent, and the rest stays in place so the fund can keep supporting the mission over time. That is very different from simply parking surplus cash in an account and hoping it lasts.</p>

<p>For a foundation, the practical question is not whether money is set aside. It is whether the money is governed well enough to survive downturns, inflation, and shifting program demand. I usually separate four buckets in conversations with boards:</p>

<table>
  <thead>
    <tr>
      <th>Bucket</th>
      <th>Main purpose</th>
      <th>Liquidity</th>
      <th>Who typically controls it</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Permanent endowment</td>
      <td>Long-term mission support with principal preservation expectations</td>
      <td>Low to medium</td>
      <td>Donor restrictions and board policy</td>
    </tr>
    <tr>
      <td>Quasi-endowment</td>
      <td>Board-designated long-term support</td>
      <td>Medium</td>
      <td>Board, because it can redesignate funds</td>
    </tr>
    <tr>
      <td>Operating reserve</td>
      <td>Rainy-day buffer for disruptions or timing gaps</td>
      <td>High</td>
      <td>Board and management, under reserve policy</td>
    </tr>
    <tr>
      <td>Working cash</td>
      <td>Payroll, bills, and routine operations</td>
      <td>Very high</td>
      <td>Management, with board oversight</td>
    </tr>
  </tbody>
</table>

<p>That distinction matters because too many organizations call every surplus dollar “endowment” and then wonder why the balance sheet feels tight. An endowment should create <strong>discipline and continuity</strong>, not confusion. Once that distinction is clear, the next issue is the legal framework that decides how much can be spent and how the board must account for it.</p>

<h2 id="how-us-rules-shape-spending-and-oversight">How U.S. rules shape spending and oversight</h2>
<p>In the United States, the rules depend on the type of organization. For private foundations, the IRS generally requires a minimum investment return of 5 percent of the relevant asset base, and the foundation must file Form 990-PF each year. Those organizations also live with excise-tax rules on net investment income and prohibited transactions, so governance is not optional paperwork; it is part of the asset strategy.</p>

<p>That is why I tell boards to think in terms of <strong>compliance plus stewardship</strong>. A private foundation cannot treat its investment pool as a personal portfolio with charitable branding. Self-dealing, excess business holdings, jeopardizing investments, and taxable expenditures all sit in the background as real risks, not theoretical ones. If the fund is structured as a private operating foundation, the spending mechanics can differ again, because the foundation must actively carry out its exempt work and satisfy separate operating tests.</p>

<p>Public charities and many donor-restricted charitable funds operate under a different legal lane. In many states, UPMIFA gives boards a prudence framework for investing and spending endowed funds. The board is expected to weigh the purpose of the fund, economic conditions, the duration of the fund, expected total return, and the organization’s other resources before appropriating money for spending.</p>

<p>That legal split creates a very different operational posture. A private foundation often starts with a federal payout requirement. A public charity usually starts with donor intent, state law, and board judgment. Both can support long-term mission work, but they are not governed the same way, and conflating them is where many organizations get sloppy. The next step is translating those rules into written controls the board can actually live with.</p>

<p><img src="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/post_image/f24bd69e95aeae9d58853a221e0c633a/nonprofit-board-reviewing-endowment-investment-policy-and-spending-report.webp" class="image article-image" loading="lazy" alt="Steps to start an endowment: assess readiness, discuss with board, draft policies, choose provider, create fund, and fund with donations."></p>

<h2 id="what-the-board-should-put-in-writing-before-the-first-dollar-is-invested">What the board should put in writing before the first dollar is invested</h2>
<p>If I were building a new fund from scratch, I would not begin with asset selection. I would begin with the documents that define behavior when conditions get messy. A strong investment policy statement and a matching spending policy do more to protect an endowment than almost any “smart” market call.</p>

<ul>
  <li>
<strong>Investment objective</strong> - Is the priority capital preservation, real growth, mission spending, or a blend of the three?</li>
  <li>
<strong>Spending formula</strong> - Will distributions be based on a rolling average, a fixed percentage, or board discretion?</li>
  <li>
<strong>Risk tolerance</strong> - How much volatility can the organization accept without threatening operations?</li>
  <li>
<strong>Asset allocation bands</strong> - What mix of equities, fixed income, and alternatives is allowed?</li>
  <li>
<strong>Liquidity rules</strong> - How much must stay accessible for grants, operating needs, or downturns?</li>
  <li>
<strong>Delegation and oversight</strong> - Who monitors performance, rebalances, and reports to the board?</li>
  <li>
<strong>Exception authority</strong> - When can the board override the normal spending rule, and how is that documented?</li>
</ul>

<p>I also recommend written language for donor restrictions, because vague intent becomes expensive later. If a contribution is meant for a named purpose, a specific time horizon, or a program that may change over time, that should be captured up front. A well-drafted policy does not eliminate judgment; it makes judgment auditable. From there, the real challenge is deciding how much to spend without eroding the fund’s future purchasing power.</p>

<h2 id="how-to-set-a-spending-rule-that-still-protects-purchasing-power">How to set a spending rule that still protects purchasing power</h2>
<p>A spending rule should answer one basic question: <strong>how much can be used this year without forcing the next board to start over?</strong> That sounds simple until market values swing, inflation rises, and program demand increases at the same time. A sensible rule has to be boring in good years and resilient in bad ones.</p>

<p>As a practical benchmark, I see boards start around a 4 percent to 5 percent spending range, usually applied to a smoothed market value rather than a single year-end snapshot. NACUBO’s endowment example uses a 4 percent spending rate, which is a useful anchor because it forces the board to connect spending to long-term return expectations instead of short-term optimism.</p>

<ol>
  <li>Estimate the annual mission commitment the fund is expected to support.</li>
  <li>Choose a smoothing method, such as a multi-quarter or multi-year average.</li>
  <li>Test the rule against a down market, not just a normal year.</li>
  <li>Build in an underwater policy so the board knows what happens if value falls below prior levels.</li>
  <li>Revisit the rule at least annually, even if you do not change it.</li>
</ol>

<p>The most common mistake here is spending based on paper gains that have not been stress-tested. Another is pretending inflation is someone else’s problem. If the fund spends 5 percent but the portfolio only earns 3 percent after fees over time, the organization is slowly liquidating itself. The spending policy has to be tied to a realistic return assumption, not a hopeful one. That is also why the operational mistakes matter so much.</p>

<h2 id="the-mistakes-that-quietly-damage-long-term-support">The mistakes that quietly damage long-term support</h2>
<p>When an endowment underperforms, the cause is often less dramatic than people expect. I usually find one of five issues underneath the surface:</p>

<ul>
  <li>
<strong>Confusing endowment with reserve money</strong> - This creates bad liquidity decisions and weak board discipline.</li>
  <li>
<strong>Overloading the portfolio with illiquid assets</strong> - Private equity, private credit, or real estate can work, but only if the board can tolerate slower access to cash.</li>
  <li>
<strong>Skipping rebalancing</strong> - A portfolio that drifts too far from policy can take on more risk than the board intended.</li>
  <li>
<strong>Using the fund to patch recurring operating deficits</strong> - That may solve one year and weaken the next five.</li>
  <li>
<strong>Failing to document donor intent and board action</strong> - This becomes a reporting and governance problem fast.</li>
</ul>

<p>I also watch for a subtler problem: boards that celebrate asset growth but ignore distribution quality. A fund can look healthy on paper while still producing erratic support for programs. If grantmaking or program delivery depends on predictable annual draws, the board needs to measure stability, not just return. Once those errors are visible, the final question is what to put in place if the fund is still being built.</p>

<h2 id="what-i-would-build-first-if-the-fund-is-starting-now">What I would build first if the fund is starting now</h2>
<p>If an organization is early in the process, I would build the operating system before I scale the assets. The first version does not need to be fancy. It needs to be clear, repeatable, and defensible under board scrutiny.</p>

<ul>
  <li>A one-page purpose statement that says exactly what the fund is meant to support.</li>
  <li>A board resolution that authorizes the fund and names the decision makers.</li>
  <li>An investment policy statement with target ranges, benchmarks, and review dates.</li>
  <li>A spending policy that explains the formula, the smoothing period, and the exception process.</li>
  <li>A quarterly dashboard that shows market value, spending, fees, liquidity, and variance from policy.</li>
</ul>

<p>The organizations that do this well usually have one thing in common: they treat the endowment as a governed asset, not a symbol of maturity. That mindset keeps the fund useful when markets wobble and keeps the board from improvising under pressure. If you want long-term support to stay credible, the policy architecture has to be as strong as the portfolio itself.</p>]]></content:encoded>
      <author>Jarret Bernier</author>
      <category>Nonprofit Operations</category>
      <media:thumbnail url="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/thumbnail/b97465dd7201e402fc9609e276fa3d5b/foundation-endowment-build-lasting-support-avoid-pitfalls.webp"/>
      <pubDate>Thu, 04 Jun 2026 15:04:00 +0200</pubDate>
    </item>
    <item>
      <title>Business vs. Personal Credit Card - Which Is Right for You?</title>
      <link>https://perez-girona.com/business-vs-personal-credit-card-which-is-right-for-you</link>
      <description>Business credit card vs personal: Uncover which card best suits your business needs for tax, liability, and spending control. Find out now!</description>
      <content:encoded><![CDATA[<head></head><body><p>The <strong>business credit card vs personal</strong> decision is really about control: who is liable, how cleanly you can separate expenses, and whether the account helps or complicates your bookkeeping. I focus on this choice because it affects tax prep, cash flow, and governance discipline more than it affects day-to-day convenience. In 2026, the smartest answer depends less on the logo on the card and more on how your business spends, who spends it, and how much separation you want between company money and your own.</p>

<div class="short-summary">
  <h2 id="the-right-card-depends-on-liability-bookkeeping-and-how-you-spend">The right card depends on liability, bookkeeping, and how you spend</h2>
  <ul>
    <li>Business cards are built for company spending and often add employee cards, spending limits, and accounting tools.</li>
    <li>Many issuers still review the owner’s personal credit and may require a personal guarantee.</li>
    <li>Personal cards can work for tiny or early-stage businesses, but the records are usually messier.</li>
    <li>Tax treatment depends on the expense and documentation, not on which card you used.</li>
    <li>If business credit matters, check whether the issuer reports to commercial bureaus.</li>
  </ul>
</div>

<h2 id="why-this-choice-affects-more-than-rewards">Why this choice affects more than rewards</h2>
<p>I see owners get distracted by points, but the real issue is boundary-setting. A separate <a href="https://perez-girona.com/business-account-requirements-avoid-delays-fees">business account</a> makes it easier to track deductible expenses, reimburse owners, and show which charges belong to the company. The IRS says keeping business and personal accounts separate makes records easier, and it expects supporting documents such as statements and receipts.</p>
<p>That separation matters even more if you operate through an LLC or corporation. Good governance is not just about entity paperwork; it also shows up in how consistently you handle company spending. A business card can support that discipline, while a personal card for company use can blur it quickly. Once that baseline is clear, the practical differences become much easier to judge.</p>

<p><img src="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/post_image/ea9eb171c8a86d4d05abbf4d9f6f45d4/business-credit-card-vs-personal-card-comparison-chart.webp" class="image article-image" loading="lazy" alt="Comparison of business credit card vs personal credit card features, highlighting higher limits and employee cards for business."></p>

<h2 id="how-business-and-personal-cards-differ-in-practice">How business and personal cards differ in practice</h2>
<table>
  <tbody>
    <tr>
      <th>Factor</th>
      <th>Business card</th>
      <th>Personal card</th>
      <th>Why it matters</th>
    </tr>
    <tr>
      <td>Intended use</td>
      <td>Company expenses such as software, ads, travel, shipping, and inventory</td>
      <td>Household and consumer spending</td>
      <td>Using the right tool makes it easier to keep records clean</td>
    </tr>
    <tr>
      <td>Approval</td>
      <td>Often asks for business details and still checks the owner’s personal credit</td>
      <td>Usually based on consumer credit and personal income</td>
      <td>Many business cards still lean on the owner’s credit profile</td>
    </tr>
    <tr>
      <td>Liability</td>
      <td>Often includes a personal guarantee, even though the card is for the business</td>
      <td>Personally liable by default because it is your consumer account</td>
      <td>Neither card automatically takes the owner off the hook</td>
    </tr>
    <tr>
      <td>Credit reporting</td>
      <td>May report to commercial bureaus; some issuers also report certain activity to consumer bureaus</td>
      <td>Reports to consumer bureaus</td>
      <td>This affects whether the account helps your business file, your personal file, or both</td>
    </tr>
    <tr>
      <td>Expense controls</td>
      <td>Often includes employee cards, limits, receipt capture, and accounting integrations</td>
      <td>Usually fewer business controls</td>
      <td>These tools matter once more than one person spends on behalf of the company</td>
    </tr>
    <tr>
      <td>Rewards</td>
      <td>Often tuned to business categories such as shipping, ads, office spend, or travel</td>
      <td>Often tuned to personal categories such as dining, groceries, and travel</td>
      <td>The best earn rate is the one that matches your actual spend pattern</td>
    </tr>
    <tr>
      <td>Tax admin</td>
      <td>Usually easier to isolate business charges and support substantiation</td>
      <td>Usable, but can be harder to separate from personal spending</td>
      <td>Clean substantiation matters more than the card label itself</td>
    </tr>
    <tr>
      <td>Cost structure</td>
      <td>Can have annual fees, but may justify them with controls and business features</td>
      <td>Can also have fees, but benefits are usually consumer-focused</td>
      <td>Price should be measured against the features you will actually use</td>
    </tr>
  </tbody>
</table>
<p>The important point is not that one is always cheaper or safer. It is that business cards are designed to keep company spend observable, while personal cards are designed around consumer use. That design choice drives most of the trade-offs. From there, the next question is when the business version is actually worth it.</p>

<h2 id="when-a-business-card-is-the-stronger-move">When a business card is the stronger move</h2>
<p>I usually recommend a business card when the company has enough moving parts that manual tracking starts to break. In those cases, the card is not just a payment method; it becomes part of the finance system.</p>
<ul>
  <li>
<strong>You have recurring business categories.</strong> If the same types of charges appear every month, a business card makes reconciliation much cleaner.</li>
  <li>
<strong>You need more than one cardholder.</strong> Employee cards and custom spending limits matter as soon as someone besides the owner starts buying on behalf of the business.</li>
  <li>
<strong>You want cleaner month-end close.</strong> Receipt capture, export tools, and accounting integrations reduce the time spent sorting charges later.</li>
  <li>
<strong>You want to build business credit.</strong> That can be useful for future financing, but I would choose a card for this reason only if I knew how the issuer reports.</li>
  <li>
<strong>You want better governance discipline.</strong> Separate business spending helps owners, managers, and accountants see what the company is actually doing.</li>
</ul>
<p>There is also a practical tax advantage in the background: when company purchases stay in one place, you are less likely to miss deductions or mix in personal charges by accident. That is why business cards make the most sense once the company has enough volume or enough people involved to justify a more structured setup. The opposite case is where a personal card can still be rational.</p>

<h2 id="when-a-personal-card-can-still-make-sense">When a personal card can still make sense</h2>
<p>A personal card is not automatically wrong for business spending. It can be the practical choice when the company is tiny, the volume is low, or you do not yet qualify for a strong business card. I see this most often with freelancers, solo consultants, and side businesses that are still proving their revenue pattern.</p>
<ul>
  <li>
<strong>Your business is still small.</strong> If you make only a handful of purchases each month, a personal card can be workable.</li>
  <li>
<strong>You already have a strong consumer card.</strong> If the rewards, protections, and credit line are excellent, that may outweigh the inconvenience for limited business use.</li>
  <li>
<strong>You need a simple short-term bridge.</strong> Some owners use a personal card while they wait for stronger business cash flow or better eligibility.</li>
  <li>
<strong>You are very disciplined about records.</strong> If you tag every charge and reconcile every month, the setup can stay manageable.</li>
</ul>
<p>Even then, I would keep a separate ledger and save every receipt. The IRS expects business expenses to be supported by records, and the card type does not turn a personal expense into a deductible one. If you take this route, the next section matters even more, because the fine print is where the real surprises live.</p>

<h2 id="the-fine-print-that-changes-the-outcome">The fine print that changes the outcome</h2>
<p>Most bad decisions here come from assumptions, not from the card itself. I usually watch for four mistakes.</p>
<ul>
  <li>
<strong>Assuming business cards remove personal responsibility.</strong> Many small-business cards still include a personal guarantee, so the owner remains liable if the account goes unpaid.</li>
  <li>
<strong>Assuming every business card builds business credit.</strong> Reporting is issuer-specific. Some cards help your business file, some affect both files, and some do less than owners expect.</li>
  <li>
<strong>Chasing rewards before structure.</strong> A rich points bonus is not much help if the card has poor controls, weak reporting, or a fee structure that does not match your spend.</li>
  <li>
<strong>Mixing personal and company charges.</strong> Once that starts, month-end close gets slower and the paper trail gets weaker.</li>
</ul>
<p>I treat those checks as non-negotiable because they affect liability and reporting, not just points. Once they are clear, the choice becomes much easier to make. That is why I reduce the decision to a simple rule set.</p>

<h2 id="a-simple-decision-framework-for-2026">A simple decision framework for 2026</h2>
<ol>
  <li>
<strong>Choose a business card</strong> if you need separation, employee controls, recurring company spend, or a path toward business credit.</li>
  <li>
<strong>Choose a personal card</strong> only if business spending is limited, simple, and easy to document.</li>
  <li>
<strong>Check reporting before applying</strong> if building business credit matters to you.</li>
  <li>
<strong>Compare real costs, not headline perks</strong> by weighing annual fees, rewards categories, and the time saved on bookkeeping.</li>
  <li>
<strong>Match the card to your operating model</strong> rather than forcing one account to cover both household and company spending.</li>
</ol>
<p>In practice, I think the best card is usually the one that matches your administrative reality. If your business is still lean, a personal card can be a temporary bridge. If your operation is growing, the business card usually pays for itself in control and clarity.</p>

<h2 id="the-habits-that-make-either-card-work-better">The habits that make either card work better</h2>
<p>The card itself matters less than the system around it. I have seen good cards fail because the owner never built a repeatable process, and I have seen ordinary cards work well because the books were disciplined.</p>
<ul>
  <li>Reconcile charges every month instead of waiting until tax season.</li>
  <li>Keep digital copies of receipts for travel, meals, supplies, and equipment.</li>
  <li>Set spending rules for anyone who has access to the card.</li>
  <li>Review the annual fee and rewards mix once a year to see whether the card still fits.</li>
  <li>Move business spending off a personal card as soon as the business has enough volume to justify separation.</li>
</ul>
<p>A clean card setup does not just make accounting easier. It helps you make better decisions about cash flow, deductibility, and financial control, which is exactly where a business owner should spend attention.</p></body>]]></content:encoded>
      <author>Rocky Daniel</author>
      <category>Business Finance</category>
      <media:thumbnail url="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/thumbnail/db45430105822c3c0aeb2e05fb96d913/business-vs-personal-credit-card-which-is-right-for-you.webp"/>
      <pubDate>Tue, 02 Jun 2026 13:07:00 +0200</pubDate>
    </item>
    <item>
      <title>CCPA Compliance - Practical Steps for Your Business</title>
      <link>https://perez-girona.com/ccpa-compliance-practical-steps-for-your-business</link>
      <description>Master CCPA compliance! Learn practical steps, avoid common pitfalls, and build a defensible privacy program. Discover how.</description>
      <content:encoded><![CDATA[<head></head><body><p>The California privacy law is less about a slogan than about an operating model. It tells businesses what data they can collect, how they must disclose it, and how they have to respond when a consumer asks to see, delete, correct, or stop the use of that data. For risk <a href="https://perez-girona.com/us-privacy-compliance-your-90-day-plan-to-reduce-risk">and compliance</a> teams, the practical question is not what the acronym stands for, but how it changes daily decisions across marketing, product, legal, and vendor management.</p>

<div class="short-summary">
  <h2 id="the-short-version-is-that-ccpa-turns-personal-data-into-a-governed-business-process">The short version is that CCPA turns personal data into a governed business process</h2>
  <ul>
    <li>It gives California residents rights to know, delete, opt out, correct, and limit certain uses of sensitive personal information.</li>
    <li>The law is now commonly treated as CCPA as amended by the CPRA, so the modern framework is broader than the original statute.</li>
    <li>Covered businesses are defined by California nexus plus revenue, volume, or monetization thresholds.</li>
    <li>Compliance is operational: notices, request intake, identity checks, opt-outs, vendor controls, and records.</li>
    <li>Risk shows up in enforcement, consumer trust, and exposure after a privacy or security failure.</li>
  </ul>
</div>

<h2 id="what-ccpa-means-in-practice">What CCPA means in practice</h2>
<p>I usually separate the meaning of CCPA into two parts. The first is consumer control: a Californian can ask a business what personal information it holds, request deletion, opt out of sale or sharing, correct inaccuracies, and limit certain uses of sensitive personal information. The second is business accountability: if you collect the data, you need a process that can receive, verify, log, and answer those requests without improvisation. That is why I treat the law as more than a privacy notice requirement; it is a workflow requirement.</p>

<table>
  <tbody>
    <tr>
      <th>Consumer right</th>
      <th>What it means in practice</th>
    </tr>
    <tr>
      <td>Right to know</td>
      <td>Explain what you collected, why you collected it, where it came from, and who received it. Requests to know are generally free up to twice a year.</td>
    </tr>
    <tr>
      <td>Right to delete</td>
      <td>Remove personal information, subject to legal and operational exceptions such as records you must keep.</td>
    </tr>
    <tr>
      <td>Right to opt out</td>
      <td>Stop selling or sharing personal information and honor preference signals such as the Global Privacy Control.</td>
    </tr>
    <tr>
      <td>Right to correct</td>
      <td>Fix inaccurate personal information instead of leaving bad data in place and hoping it does not matter.</td>
    </tr>
    <tr>
      <td>Right to limit sensitive personal information</td>
      <td>Use sensitive data only for limited, defined purposes, not for broad secondary uses.</td>
    </tr>
    <tr>
      <td>Right to non-discrimination</td>
      <td>Do not punish consumers for exercising their rights with worse pricing, service, or access.</td>
    </tr>
  </tbody>
</table>

<p>The definition of personal information is broad enough to catch far more than names and email addresses. Browsing history, geolocation, identifiers, and inferences can all matter. Once you accept that scope, the next question is whether your business actually falls inside the law's reach.</p>

<p><img src="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/post_image/7a946da777130d67dc5cc011328d4be9/california-consumer-privacy-act-compliance-checklist-for-businesses.webp" class="image article-image" loading="lazy" alt="A CCPA checklist for full compliance is displayed on a computer screen with a smaller window showing completed tasks. This visual explains the meaning."></p>

<h2 id="who-has-to-comply-and-where-the-line-is-drawn">Who has to comply and where the line is drawn</h2>
<p>The scope question is where many teams lose time. CCPA applies to for-profit businesses that do business in California and meet at least one of the current thresholds. Location alone is not the test, and a company does not have to be headquartered in California to be caught by the law. In practice, if you serve California residents at scale, collect meaningful personal data, or monetize personal information, you need to take the statute seriously.</p>

<table>
  <tbody>
    <tr>
      <th>Trigger</th>
      <th>What it means</th>
    </tr>
    <tr>
      <td>Annual gross revenue of $26.625 million or more</td>
      <td>This inflation-adjusted threshold brings larger businesses into scope even if their data use is not obviously aggressive.</td>
    </tr>
    <tr>
      <td>Buying, selling, or sharing personal information of 100,000 or more California residents or households</td>
      <td>Volume alone can make you a covered business, even if revenue is below the revenue threshold.</td>
    </tr>
    <tr>
      <td>Deriving 50% or more of annual revenue from selling or sharing personal information</td>
      <td>Businesses built around monetizing data face the strongest compliance expectations.</td>
    </tr>
  </tbody>
</table>

<p>The law also reaches some controlled entities, certain joint ventures, service providers, and contractors through separate obligations. Nonprofits and government agencies are generally outside the core business definition, which is one reason a careful scope review matters before anyone assumes they are exempt. Once scope is clear, the real work begins with request handling and disclosures.</p>

<h2 id="what-a-defensible-compliance-program-actually-looks-like">What a defensible compliance program actually looks like</h2>
<p>If I were reviewing a CCPA program in 2026, I would not start with the privacy policy. I would start with the controls underneath it. The strongest programs are the ones where legal language, data maps, <a href="https://perez-girona.com/gdpr-compliance-risks-avoid-fines-protect-your-business">customer support</a> scripts, vendor contracts, and engineering workflows all agree with each other.</p>

<ol>
  <li>
<strong>Map the data.</strong> Know what personal information you collect, where it comes from, what systems store it, who can access it, and where it leaves the business.</li>
  <li>
<strong>Align your notices.</strong> Your notice at collection and privacy policy should describe actual practices, not a generic template from another business.</li>
  <li>
<strong>Build request channels.</strong> Businesses must designate at least two ways for consumers to submit requests, and one must be a toll-free phone number. If the business has a website, one method must be online. If it operates exclusively online, email may be enough for some request types.</li>
  <li>
<strong>Set the clock correctly.</strong> Requests are generally due within 45 calendar days, with one 45-day extension if the consumer is informed. If you cannot track the deadline, you do not have a compliant workflow.</li>
  <li>
<strong>Verify proportionately.</strong> Identity checks should be strong enough to prevent fraud but not so heavy that they become a barrier or force unnecessary collection of more data.</li>
  <li>
<strong>Operationalize opt-outs.</strong> The opt-out link is not enough if adtech, analytics, or sharing arrangements still leak data after the consumer has opted out.</li>
  <li>
<strong>Update vendor agreements.</strong> Service providers and contractors need instructions that match your compliance obligations, not informal promises in an email thread.</li>
  <li>
<strong>Keep records.</strong> A log of requests, responses, exceptions, and remediation is what turns compliance from a claim into evidence.</li>
</ol>

<p>That is the layer that actually reduces risk. A company can have a polished policy and still fail the law if it cannot carry a request through to completion. The next question is where those failures usually happen.</p>

<h2 id="where-companies-most-often-create-avoidable-risk">Where companies most often create avoidable risk</h2>
<p>In my experience, the common failures are rarely dramatic. They are usually boring, repetitive, and expensive because nobody fixed them early. A lot of CCPA exposure comes from a gap between what the business says it does and what its systems actually do.</p>

<table>
  <tbody>
    <tr>
      <th>Common mistake</th>
      <th>Why it creates risk</th>
      <th>What to do instead</th>
    </tr>
    <tr>
      <td>Assuming a privacy policy is enough</td>
      <td>Policies do not process requests or stop data flows.</td>
      <td>Link the policy to workflows, tickets, owners, and deadlines.</td>
    </tr>
    <tr>
      <td>Ignoring preference signals</td>
      <td>Opt-outs can be incomplete if the site ignores browser-level signals.</td>
      <td>Test the Global Privacy Control and confirm downstream systems honor it.</td>
    </tr>
    <tr>
      <td>Over-verifying identity</td>
      <td>Excessive verification can delay or block valid requests.</td>
      <td>Ask only for the minimum data needed to verify the consumer.</td>
    </tr>
    <tr>
      <td>Leaving vendors out of scope</td>
      <td>Many failures happen in processor or contractor relationships, not just on the company’s own site.</td>
      <td>Review contracts, instructions, and data sharing paths.</td>
    </tr>
    <tr>
      <td>Keeping data indefinitely</td>
      <td>More retained data means more deletion burden, more breach exposure, and more governance drag.</td>
      <td>Use retention schedules and delete what you no longer need.</td>
    </tr>
  </tbody>
</table>

<p>When I look at enforcement risk, these are the patterns that stand out. They also explain why CCPA matters to companies that think of themselves as national, not Californian. The law has become a baseline for privacy governance, and that affects strategy well beyond one state.</p>

<h2 id="why-this-law-matters-beyond-california">Why this law matters beyond California</h2>
<p>For multistate businesses, CCPA often becomes the privacy floor. It is simpler to build one disciplined data program than to maintain a patchwork of fragile exceptions. That is especially true for companies with marketing-heavy models, data brokerage activity, or complex vendor ecosystems, where the real risk is not just a consumer request but the way data moves across systems.</p>

<p>I also see the law shaping board-level questions. Who owns privacy operations? Who approves retention? How do we document exceptions? How do we know a deletion request actually reached every downstream system? Those are governance questions, not just legal questions, which is why privacy is now part of enterprise risk management. The same discipline also helps with newer rules around cybersecurity audits and automated decision-making, because all of them depend on the same basic habits: data inventory, control, and documentation.</p>

<h2 id="the-compliance-standard-i-would-use-in-2026">The compliance standard I would use in 2026</h2>
<p>If I had to reduce CCPA to one working principle, it would be this: know what personal data you hold, explain why you hold it, and be able to act on a consumer's request within a documented process. Everything else is implementation detail.</p>

<ol>
  <li>Confirm whether the business is inside scope and document why.</li>
  <li>Inventory the data, the vendors, and the sharing pathways.</li>
  <li>Rewrite notices so they match the actual operating model.</li>
  <li>Test request intake, verification, deletion, correction, and opt-out handling end to end.</li>
  <li>Review retention, security, and training on a fixed cadence instead of waiting for a complaint.</li>
</ol>

<p>That is the difference between a fragile privacy posture and a defensible one. When the law is treated as a managed process rather than a static policy, CCPA becomes less of a compliance burden and more of a practical framework for reducing risk.</p></body>]]></content:encoded>
      <author>Jarret Bernier</author>
      <category>Risk &amp; Compliance</category>
      <media:thumbnail url="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/thumbnail/66e796e2a453fb420895b0153290cb53/ccpa-compliance-practical-steps-for-your-business.webp"/>
      <pubDate>Fri, 29 May 2026 16:55:00 +0200</pubDate>
    </item>
    <item>
      <title>Board Meeting Software - Essential for Better Governance?</title>
      <link>https://perez-girona.com/board-meeting-software-essential-for-better-governance</link>
      <description>Boost board meeting efficiency and governance. Discover how meeting management software streamlines agendas, minutes, and approvals. Read our guide!</description>
      <content:encoded><![CDATA[<p>Board meetings carry more weight than ordinary team meetings. They involve sensitive materials, formal approvals, careful recordkeeping, and decisions that can affect strategy, risk, and accountability long after the meeting ends. That is where the benefits of meeting management software become visible: it reduces administrative friction while making the governance process cleaner, faster, and easier to defend.</p>
<div class="short-summary">
  <h2 id="what-board-teams-should-expect-from-modern-meeting-software">What board teams should expect from modern meeting software</h2>
  <ul>
    <li>One controlled place for agendas, board packs, minutes, and approvals.</li>
    <li>Less confusion from email threads, file versions, and last-minute document swaps.</li>
    <li>Better preparation before the meeting and clearer follow-through afterward.</li>
    <li>Stronger governance through permissions, audit trails, and disciplined records.</li>
    <li>Real value comes from matching the software to board procedures, not replacing them blindly.</li>
  </ul>
</div>

<h2 id="why-board-governance-needs-a-different-meeting-workflow">Why board governance needs a different meeting workflow</h2>
<p>Board work is not just about getting people in a room or on a video call. It is about making sure directors see the right information at the right time, deliberate on a stable set of materials, and leave behind a record that reflects what was actually decided. In U.S. organizations, that record matters because minutes, approvals, and document history are part of how governance is tested later.</p>
<p>That is why board teams should not treat meeting software as a scheduling convenience. The real job is to support the entire governance chain: agenda planning, secure distribution, discussion, decision capture, and post-meeting accountability. Once you view the meeting as a governance process instead of an event, the technology requirements become much clearer. From there, the operational gains are easier to see.</p>

<p><img src="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/post_image/483c694d8941585d724b86ef3ba91a57/board-meeting-management-software-secure-agenda-minutes-audit-trail.webp" class="image article-image" loading="lazy" alt="Diverse team in a modern boardroom, showcasing the benefits of meeting management software for efficient collaboration and productivity."></p>

<h2 id="where-the-biggest-operational-gains-show-up">Where the biggest operational gains show up</h2>
<p>The benefits of meeting management software are clearest when it replaces scattered PDFs, email approvals, and inconsistent minute-taking with one controlled workflow. I look for three things first: a single source of truth, traceable access, and a faster path from draft to approved record.</p>
<table>
  <tbody>
    <tr>
      <th>Common boardroom problem</th>
      <th>What software changes</th>
      <th>Governance impact</th>
    </tr>
    <tr>
      <td>Board packs sent by email in multiple versions</td>
      <td>One secure workspace with version control</td>
      <td>Directors work from the same materials</td>
    </tr>
    <tr>
      <td>Manual reminders and scattered follow-ups</td>
      <td>Automated notifications and task assignment</td>
      <td>Fewer missed deadlines and cleaner accountability</td>
    </tr>
    <tr>
      <td>Approval chains buried in inboxes</td>
      <td>Tracked review and approval workflows</td>
      <td>Better evidence of who reviewed what and when</td>
    </tr>
    <tr>
      <td>Minutes assembled after the fact from rough notes</td>
      <td>Structured minute drafting and approval tools</td>
      <td>A more reliable corporate record</td>
    </tr>
  </tbody>
</table>
<p>For board governance, this matters because the platform is not just saving time. It is reducing the chance that directors operate from outdated information or that the organization struggles to reconstruct what happened later. That control becomes even more valuable when the board is preparing difficult decisions or sensitive committee materials.</p>

<h2 id="better-preparation-leads-to-sharper-decisions">Better preparation leads to sharper decisions</h2>
<p>Board members rarely make better decisions because they had more meetings. They make better decisions because they had time to prepare with complete, well-organized materials. Meeting software improves that preparation by making board packs easier to review, annotate, search, and revisit without hunting through email attachments.</p>
<p>In practice, this usually means:</p>
<ul>
  <li>Directors can review agendas and supporting documents in one place.</li>
  <li>Committee chairs can push out updates without restarting the distribution process.</li>
  <li>Annotations, highlights, and bookmarks stay attached to the material instead of living in separate notes.</li>
  <li>Searchable documents reduce the time spent finding prior resolutions, committee references, or background reports.</li>
</ul>
<p>That preparation layer is easy to underestimate. A board member who arrives with context, not confusion, asks better questions and spends less time catching up. The meeting itself then becomes easier to manage because the room starts with a shared factual baseline.</p>

<h2 id="the-meeting-itself-becomes-easier-to-run">The meeting itself becomes easier to run</h2>
<p>Once the meeting begins, the software should help the chair keep the agenda on track rather than become another distraction. Good board meeting tools support structured agendas, time management, attendance tracking, voting, and live access to the documents being discussed. In hybrid or remote meetings, that matters even more because the software often becomes the operational glue for the entire session.</p>
<p>In 2026, some platforms also offer AI-assisted minute drafts or action item extraction. That can be useful, but I would treat it as a drafting aid, not as an authority layer. Human review still matters because board minutes are not casual notes; they are part of the organization’s governance memory.</p>
<p>What helps most during the meeting is simple: fewer interruptions, fewer document hunts, and fewer ambiguities about what was approved. When the mechanics are clean, the board can focus on judgment instead of logistics. After that, the next question is what happens once the meeting ends.</p>

<h2 id="follow-through-is-where-governance-improves-or-slips">Follow-through is where governance improves or slips</h2>
<p>Many boards do a respectable job during the meeting and then lose momentum afterward. Action items drift into inboxes, minute approval takes too long, and nobody can quickly confirm what was assigned to whom. Meeting software helps close that gap by turning decisions into trackable follow-up instead of informal memory.</p>
<p>The strongest post-meeting benefits usually come from:</p>
<ul>
  <li>Clear action logs tied to named owners and due dates.</li>
  <li>Structured minute review and approval workflows.</li>
  <li>Secure storage for approved records, resolutions, and attachments.</li>
  <li>Audit trails that show when documents were viewed, edited, or signed off.</li>
</ul>
<p>This is also where a lot of compliance anxiety fades. A board does not need perfection; it needs a process that is consistent, documented, and easy to verify. The software supports that discipline, but it only works if the board actually uses the follow-up features instead of reverting to email once the meeting is over.</p>

<h2 id="what-software-cannot-fix-on-its-own">What software cannot fix on its own</h2>
<p>Technology can improve a weak process, but it cannot rescue a board from unclear leadership or bad meeting habits. If agendas are bloated, decision rights are fuzzy, or papers are sent out late every month, the software will not magically solve the problem. It will just make the dysfunction more visible.</p>
<p>The main limitations I see are predictable:</p>
<ul>
  <li>A poor agenda still produces a poor meeting, even in a polished platform.</li>
  <li>If directors do not read the material, better access alone will not improve the conversation.</li>
  <li>If permissions are misconfigured, a secure system can still be used carelessly.</li>
  <li>If the organization does not standardize minutes and approvals, the record remains inconsistent.</li>
</ul>
<p>That is why implementation matters as much as features. The best results come when the board agrees on a simple operating model first, then uses software to reinforce it. Once that is clear, choosing the right platform becomes much more practical.</p>

<h2 id="how-i-would-choose-a-platform-for-a-board">How I would choose a platform for a board</h2>
<p>When I evaluate board meeting tools, I compare them less like consumer software and more like governance infrastructure. The question is not which app has the flashiest interface. The question is which one can handle confidential materials, preserve the record, and stay usable for directors who do not want to learn a complicated system.</p>
<table>
  <tbody>
    <tr>
      <th>Selection criterion</th>
      <th>What to look for</th>
      <th>Why it matters</th>
    </tr>
    <tr>
      <td>Security</td>
      <td>Role-based access, encryption, and audit logs</td>
      <td>Protects sensitive board materials</td>
    </tr>
    <tr>
      <td>Agenda and minutes workflow</td>
      <td>Drafting, review, approval, and revision tracking</td>
      <td>Keeps the governance record orderly</td>
    </tr>
    <tr>
      <td>Document handling</td>
      <td>Version control, annotations, and searchable board packs</td>
      <td>Prevents confusion and speeds preparation</td>
    </tr>
    <tr>
      <td>Adoption</td>
      <td>Simple navigation on desktop and mobile</td>
      <td>Directors actually use what they are given</td>
    </tr>
    <tr>
      <td>Board-specific fit</td>
      <td>Committee support, approvals, and retention controls</td>
      <td>Generic meeting apps often stop short here</td>
    </tr>
  </tbody>
</table>
<p>For most formal boards, I would lean toward a dedicated board portal or board management platform rather than a general-purpose meeting app. Generic tools can be fine for internal team meetings, but they often fall short once confidentiality, retention, and approval discipline become non-negotiable. If the board’s work is sensitive enough to require careful recordkeeping, the platform should be built for that reality.</p>

<h2 id="why-the-right-setup-matters-more-than-the-feature-list">Why the right setup matters more than the feature list</h2>
<p>The strongest return comes from using the software to enforce a better board rhythm: cleaner agendas, earlier distribution, sharper preparation, faster minutes, and disciplined follow-through. That is the practical core of the value proposition, and it is easy to miss if the discussion stays focused only on convenience.</p>
<p>If I were advising a board in the United States, I would start with the process before the product. Define how materials move, who approves what, and how the record is preserved. Then choose software that makes those steps easier to follow consistently. When the process is sound, the technology stops being a novelty and starts acting like governance infrastructure.</p>]]></content:encoded>
      <author>Cole Mitchell</author>
      <category>Board Governance</category>
      <media:thumbnail url="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/thumbnail/0fdb98c44362b3800a8d1765a9a7923e/board-meeting-software-essential-for-better-governance.webp"/>
      <pubDate>Wed, 27 May 2026 19:12:00 +0200</pubDate>
    </item>
    <item>
      <title>Whistleblower Policy - Build Trust &amp; Protect Your Company</title>
      <link>https://perez-girona.com/whistleblower-policy-build-trust-protect-your-company</link>
      <description>Craft an effective whistleblower policy that protects employees &amp; your company. Discover key elements, reporting channels, &amp; U.S. compliance rules.</description>
      <content:encoded><![CDATA[<p>A whistleblower policy is only useful when it helps people report illegal or unethical conduct quickly, safely, and without guesswork. In a U.S. compliance program, that means more than a hotline on paper: it means clear channels, real anti-retaliation safeguards, a disciplined investigation process, and managers who know how to respond. I am focusing here on the parts that matter most in risk and compliance, because that is where companies either build trust or lose it.</p>

<div class="short-summary">
  <h2 id="what-this-policy-has-to-do-well-to-protect-people-and-the-company">What this policy has to do well to protect people and the company</h2>
  <ul>
    <li>Give employees and contractors a clear path to raise concerns without hunting for the right contact.</li>
    <li>Separate <strong>confidentiality</strong> from <strong>anonymity</strong>, because they are not the same control.</li>
    <li>Make anti-retaliation language practical, not decorative.</li>
    <li>Use more than one reporting channel so the system works for remote, hourly, and desk-based workers.</li>
    <li>Define how reports are triaged, investigated, escalated, and documented.</li>
    <li>Keep the policy aligned with U.S. enforcement realities, especially around securities, workplace safety, and retaliation.</li>
  </ul>
</div>

<h2 id="what-the-policy-is-meant-to-solve">What the policy is meant to solve</h2>
<p>At its core, the policy gives people a path to raise concerns about fraud, bribery, accounting issues, safety hazards, harassment, conflicts of interest, or other misconduct without having to decide whether the issue is "serious enough." That sounds simple, but it solves a hard problem: most employees do not report because they fear being ignored, exposed, or punished. I treat the policy as an early-warning control, not a legal document meant to sit in a handbook.</p>
<p>The best versions do two things at once. They protect the reporter and they protect the company by surfacing problems before they turn into enforcement actions, lawsuits, or cultural damage. A weak version usually fails in one of two ways: it is too vague to use, or it is so legalistic that nobody trusts it. Once that purpose is clear, the next step is to build the policy around the controls that make it credible.</p>

<h2 id="what-a-strong-policy-needs-to-include">What a strong policy needs to include</h2>
<p>When I review a reporting policy, I usually look for a small set of controls that do the real work. If those controls are missing, the document may be polished, but it will not hold up when a complaint arrives.</p>
<table>
  <tbody>
    <tr>
      <th>Policy element</th>
      <th>Why it matters</th>
      <th>What I would check</th>
    </tr>
    <tr>
      <td>Scope</td>
      <td>Shows who can report and what types of issues are covered</td>
      <td>Employees, contractors, temporary workers, and third parties are included where appropriate</td>
    </tr>
    <tr>
      <td>Reporting categories</td>
      <td>Helps people recognize that misconduct is reportable</td>
      <td>Fraud, bribery, retaliation, safety, records issues, conflicts, and harassment are named clearly</td>
    </tr>
    <tr>
      <td>Multiple channels</td>
      <td>Reduces the chance that one blocked route stops reporting altogether</td>
      <td>Hotline, web form, direct contact, and an alternative escalation path exist</td>
    </tr>
    <tr>
      <td>Confidentiality and anonymity</td>
      <td>Builds trust and reduces fear</td>
      <td>The policy explains what can be kept confidential and when anonymity is possible</td>
    </tr>
    <tr>
      <td>Anti-retaliation rule</td>
      <td>Protects the reporter and the integrity of the process</td>
      <td>The ban on retaliation is broad, practical, and tied to manager accountability</td>
    </tr>
    <tr>
      <td>Investigation process</td>
      <td>Shows the company will respond, not just collect complaints</td>
      <td>Triage, ownership, evidence handling, and closure steps are defined</td>
    </tr>
    <tr>
      <td>Recordkeeping and escalation</td>
      <td>Creates an audit trail and helps leadership see patterns</td>
      <td>Cases are logged, tracked, and escalated to compliance, legal, or the board when needed</td>
    </tr>
    <tr>
      <td>Good-faith reporting standard</td>
      <td>Prevents chilling effect</td>
      <td>Good-faith mistakes are not treated like malicious false reports</td>
    </tr>
  </tbody>
</table>
<p>The distinction between anonymity and confidentiality is especially important. Confidentiality means the company knows who the reporter is but limits disclosure. Anonymity means the reporter can stay unknown, at least initially. I would not blur those terms, because people will notice the difference the first time a manager mishandles a complaint. From there, the next design choice is the reporting route itself.</p>

<p><img src="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/post_image/a3baf6e0656a80b6aa5d8a8d901c9dc9/anonymous-whistleblower-reporting-channels-compliance-hotline-flowchart.webp" class="image article-image" loading="lazy" alt="Man on phone, text about protecting your company with effective whistleblowing and a whistleblower policy."></p>

<h2 id="how-to-design-reporting-channels-people-will-actually-use">How to design reporting channels people will actually use</h2>
<p>If the only option is "tell your manager," the system is already weak. Employees need more than one way to report, because not every concern can safely go to a direct supervisor. A strong design usually mixes internal and third-party options, and it works across office, remote, shift-based, and field environments.</p>
<table>
  <tbody>
    <tr>
      <th>Channel</th>
      <th>Best for</th>
      <th>Main strength</th>
      <th>Common limitation</th>
    </tr>
    <tr>
      <td>Manager</td>
      <td>Low-friction concerns and culture issues</td>
      <td>Fast and familiar</td>
      <td>Unsafe if the manager is involved or defensive</td>
    </tr>
    <tr>
      <td>Compliance or ethics email</td>
      <td>Non-urgent written reports</td>
      <td>Easy to document</td>
      <td>Not ideal for anonymity or time-sensitive issues</td>
    </tr>
    <tr>
      <td>Hotline</td>
      <td>Anonymous or sensitive reports</td>
      <td>Can be available 24/7 and multilingual</td>
      <td>Only works if people trust the follow-up</td>
    </tr>
    <tr>
      <td>Web form</td>
      <td>Detailed reports with files or screenshots</td>
      <td>Good for evidence capture</td>
      <td>Can feel impersonal if nobody responds quickly</td>
    </tr>
    <tr>
      <td>Independent ombudsperson or outside counsel</td>
      <td>High-risk or leadership-related allegations</td>
      <td>Improves independence</td>
      <td>Costs more and needs clear triage rules</td>
    </tr>
  </tbody>
</table>
<p>The practical details matter more than people expect. A hotline that is not 24/7, not mobile-friendly, or not available in the languages your workforce actually uses will underperform. The same is true for contractors and frontline workers, who often need a simpler path than a corporate email chain. If people cannot report in under two minutes, the design is probably too clever. Once the report comes in, the quality of the investigation decides whether the policy has any credibility at all.</p>

<h2 id="how-to-investigate-without-creating-retaliation-risk">How to investigate without creating retaliation risk</h2>
<p>An investigation should be prompt, independent, and documented, but not theatrical. I have seen companies damage otherwise solid programs by overpromising, oversharing, or letting the accused control the pace. A good process starts with triage: what is the allegation, how urgent is it, who needs to know, and what evidence should be preserved immediately?</p>
<ol>
  <li>Acknowledge receipt when you can do so safely, even if you cannot share full details.</li>
  <li>Classify the issue by risk level, legal exposure, and potential for ongoing harm.</li>
  <li>Assign the matter to someone independent enough to avoid a conflict of interest.</li>
  <li>Preserve documents, messages, access logs, and other evidence before it disappears.</li>
  <li>Limit access to information on a need-to-know basis.</li>
  <li>Track remedial action and watch for retaliation after the case closes.</li>
</ol>
<p>Not every report needs a full forensic exercise, but every report needs a response. That response can be a quick fact check, a limited interview, or a formal investigation, depending on the risk. The mistake I see most often is silence. Silence tells the reporter that the company cares more about exposure than resolution. It also increases the chance that the matter will go outside the company. The U.S. legal backdrop makes that even more important.</p>

<h2 id="the-us-rules-that-shape-the-policy-in-practice">The U.S. rules that shape the policy in practice</h2>
<p>In the United States, this is not just a corporate governance topic. It sits at the intersection of workplace safety, securities regulation, retaliation risk, and broader compliance expectations. OSHA's whistleblower framework spans dozens of federal statutes, and under the Occupational Safety and Health Act, retaliation complaints generally have a 30-day filing window. The SEC program also matters because eligible whistleblowers can receive awards of 10% to 30% of monetary sanctions collected in covered actions. Those facts change how a company should write the policy, because they remind management that internal reporting is not the only legal route.</p>
<table>
  <tbody>
    <tr>
      <th>Regime</th>
      <th>Why it matters</th>
      <th>Policy implication</th>
    </tr>
    <tr>
      <td>OSHA and related whistleblower laws</td>
      <td>Protects workers who raise safety and other covered concerns</td>
      <td>Managers need training on retaliation, documentation, and prompt escalation</td>
    </tr>
    <tr>
      <td>SEC whistleblower framework</td>
      <td>Protects certain securities-related reports and may create award incentives</td>
      <td>Confidentiality language cannot be written in a way that chills external reporting</td>
    </tr>
    <tr>
      <td>Corporate compliance expectations</td>
      <td>Looks at whether the program actually works in practice</td>
      <td>Hotlines, investigations, metrics, and board oversight need to function as a system</td>
    </tr>
  </tbody>
</table>
<p>I would also be careful with separation agreements, confidentiality clauses, and settlement language. Anything that can be read as a waiver of the right to report to regulators, cooperate with an investigation, or seek an award is a problem. The broader lesson is simple: internal controls should encourage reporting, not attempt to box it in. From there, the failures are usually operational rather than legal.</p>

<h2 id="where-companies-weaken-the-policy-without-noticing">Where companies weaken the policy without noticing</h2>
<p>Most bad programs do not collapse because of one giant mistake. They erode through small habits that make people stop trusting the system. These are the ones I see most often:</p>
<ul>
  <li>
<strong>One reporting door only.</strong> If the process assumes every concern should go to a line manager, it will miss the very cases that need protection most.</li>
  <li>
<strong>Anonymous in name only.</strong> Some systems collect more identifying data than necessary, which defeats the point.</li>
  <li>
<strong>Soft retaliation.</strong> No one gets fired, but hours shrink, shifts change, promotions stall, or assignments disappear.</li>
  <li>
<strong>Slow follow-up.</strong> A fast intake with a slow investigation creates the impression that compliance is performing, not responding.</li>
  <li>
<strong>Manager improvisation.</strong> If supervisors are left to "handle it quietly," the company loses consistency and evidence.</li>
  <li>
<strong>Policy without training.</strong> Written rules that never reach managers and frontline staff are usually ineffective in practice.</li>
  <li>
<strong>No trend review.</strong> A single case may be solved, but repeated themes reveal a control failure that leadership should see.</li>
</ul>
<p>The pattern behind all of these is the same: the company treats the policy as communications instead of control. That is a costly mistake, because employees measure the system by how the first complaint is handled, not by how polished the handbook looks. The final step is to keep the program alive after launch, not just compliant on paper.</p>

<h2 id="what-makes-the-policy-work-after-launch">What makes the policy work after launch</h2>
<p>The strongest programs are reviewed, tested, and adjusted. I like to see annual policy reviews, hotline testing from mobile devices, manager refreshers after real cases, and dashboard reporting to compliance leadership or the board. It also helps to ask a simple question after every significant complaint: what did the company learn about tone, process, or access that it did not know before?</p>
<ul>
  <li>Review the policy after major investigations, leadership changes, or regulatory updates.</li>
  <li>Test whether an employee can report in under two minutes from a phone or laptop.</li>
  <li>Track case volume, closure time, retaliation concerns, and repeat issues by business unit.</li>
  <li>Train managers on what not to say in the first 24 hours after a report is made.</li>
</ul>
<p>If I were stress-testing a program today, I would ask three questions: can an employee find the reporting route fast, can a manager explain the process without a script, and can the company prove it handled a serious complaint fairly? If the whistleblower policy cannot survive those tests, it is not really a control yet. It is just text.</p>]]></content:encoded>
      <author>Rocky Daniel</author>
      <category>Risk &amp; Compliance</category>
      <media:thumbnail url="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/thumbnail/ba616e826f8b3a2fa2d42cf23d16ee26/whistleblower-policy-build-trust-protect-your-company.webp"/>
      <pubDate>Wed, 27 May 2026 10:54:00 +0200</pubDate>
    </item>
    <item>
      <title>Nonprofit Advisory Board: Roles, Responsibilities &amp; Impact</title>
      <link>https://perez-girona.com/nonprofit-advisory-board-roles-responsibilities-impact</link>
      <description>Unlock the power of your nonprofit advisory board! Learn clear roles, responsibilities, and how to maximize their impact. Read more to build a high-performing board.</description>
      <content:encoded><![CDATA[<p>A nonprofit advisory board works best when the role is narrow enough to be useful and clear enough to avoid confusion with governance. In practice, the strongest groups sharpen strategy, open doors, and pressure-test ideas without taking over decisions that belong to the governing board. This article breaks down nonprofit advisory board roles and responsibilities, the limits of the role, and the operating habits that make the group worth the time.</p>

<div class="short-summary">
  <h2 id="the-role-works-when-advice-is-specific-bounded-and-tied-to-follow-through">The role works when advice is specific, bounded, and tied to follow-through</h2>
  <ul>
    <li>An advisory board advises; the governing board governs and carries fiduciary duties.</li>
    <li>Members are most valuable as subject-matter experts, connectors, and external sounding boards.</li>
    <li>Written expectations, conflict rules, and a simple charter prevent role drift.</li>
    <li>Quarterly meetings are a practical baseline for many nonprofits, with 60- to 90-minute sessions often enough.</li>
    <li>Action items matter more than polite opinions, so every meeting should end with clear owners and next steps.</li>
    <li>If the group cannot influence a real decision, the structure probably needs to be redesigned.</li>
  </ul>
</div>

<h2 id="what-an-advisory-board-is-and-where-it-fits-in-nonprofit-governance">What an advisory board is and where it fits in nonprofit governance</h2>
<p>In a U.S. nonprofit, an advisory board is there to inform decisions, not make binding ones. Candid puts it simply: an advisory board makes non-binding recommendations, while the governing board carries legal oversight. That distinction matters because it keeps the organization from creating a shadow board that looks important but is unclear in practice.</p>
<table>
  <tbody>
    <tr>
      <th>Area</th>
      <th>Advisory board</th>
      <th>Governing board</th>
    </tr>
    <tr>
      <td>Authority</td>
      <td>Advises and recommends</td>
      <td>Makes binding decisions</td>
    </tr>
    <tr>
      <td>Legal responsibility</td>
      <td>Usually no fiduciary duty</td>
      <td>Fiduciary duty of care, loyalty, and obedience</td>
    </tr>
    <tr>
      <td>Main value</td>
      <td>Expertise, perspective, connections, credibility</td>
      <td>Oversight, accountability, mission stewardship</td>
    </tr>
    <tr>
      <td>Typical output</td>
      <td>Insights, introductions, feedback, counsel</td>
      <td>Budget approval, policy approval, executive oversight</td>
    </tr>
  </tbody>
</table>
<p>I usually frame the advisory board as a support layer for specific gaps: technical knowledge, community access, donor relationships, or program insight. It should make the nonprofit smarter and faster, not add another layer of ceremony. Once that boundary is clear, the next question is what members should actually do.</p>

<h2 id="the-core-responsibilities-advisory-members-are-usually-expected-to-carry">The core responsibilities advisory members are usually expected to carry</h2>
<p>The best advisory boards do a handful of things well. I like to think of them as force multipliers: they extend the reach of the staff and the governing board without replacing either one.</p>
<h3 id="strategic-advice-and-scenario-testing">Strategic advice and scenario testing</h3>
<p>Advisors should help leaders test assumptions before a decision becomes expensive. That can mean pressure-testing a new program, flagging weak market assumptions, or identifying a policy risk that the internal team is too close to see clearly.</p>
<h3 id="external-credibility-and-connections">External credibility and connections</h3>
<p>Many nonprofits use advisors as trusted connectors into donor circles, local institutions, industry partners, or community networks. A strong advisor can open a conversation that staff could not easily create on their own, which is especially useful when the organization is entering a new market or trying to reach a new constituency.</p>
<h3 id="fundraising-and-partnership-support">Fundraising and partnership support</h3>
<p>BoardSource notes that well-run advisory councils can contribute to fundraising, advocacy, program evaluation, and future board recruitment. That matches what I see in practice: the most useful advisors do not just “support fundraising” in the abstract, they make specific introductions, help refine the pitch, and give honest feedback on which requests are realistic.</p>
<h3 id="program-and-mission-feedback">Program and mission feedback</h3>
<p>Advisors should also help the nonprofit evaluate whether programs are actually working. Sometimes that means reviewing beneficiary feedback, sometimes it means comparing the organization’s work with what similar groups are doing, and sometimes it means saying plainly that a concept is not ready for scale.</p>
<h3 id="mentoring-and-succession-support">Mentoring and succession support</h3>
<p>In stronger organizations, advisory members also help develop future board talent. They can mentor emerging leaders, identify people with the right skills for governance service later, and reduce the “we need somebody qualified, but we have no pipeline” problem that slows many nonprofits down. Once those duties are defined, the next step is drawing a firm line around what advisory members should not do.</p>

<p><img src="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/post_image/327b2549798fe05d25c6e8edd8f97f05/nonprofit-advisory-board-structure-chart.webp" class="image article-image" loading="lazy" alt="Infographic detailing nonprofit advisory board roles and responsibilities, including President, Vice President, Secretary, Treasurer, and Member duties."></p>

<h2 id="how-to-define-the-boundaries-that-protect-both-the-nonprofit-and-the-advisor">How to define the boundaries that protect both the nonprofit and the advisor</h2>
<p>The fastest way to weaken an advisory board is to let it drift into governance. Advisory members can be highly capable, but they should not be asked to act like directors unless the organization has formally structured them that way and accepted the legal consequences that come with it.</p>
<table>
  <tbody>
    <tr>
      <th>Area</th>
      <th>Keep it on the advisory side</th>
      <th>Reserve for the governing board or staff</th>
    </tr>
    <tr>
      <td>Budgets</td>
      <td>Review assumptions, risks, and trade-offs</td>
      <td>Approve the budget and authorize spending</td>
    </tr>
    <tr>
      <td>People decisions</td>
      <td>Share perspective on leadership needs</td>
      <td>Hire, fire, evaluate, or supervise staff</td>
    </tr>
    <tr>
      <td>Compliance</td>
      <td>Flag concerns or missing controls</td>
      <td>Own legal compliance and policy enforcement</td>
    </tr>
    <tr>
      <td>Public commitments</td>
      <td>Help shape messaging and introductions</td>
      <td>Promise resources or commitments on the nonprofit’s behalf</td>
    </tr>
    <tr>
      <td>Decision-making</td>
      <td>Recommend and challenge</td>
      <td>Vote, bind the organization, or set organizational policy</td>
    </tr>
  </tbody>
</table>
<p>Even without fiduciary duties, I still want a written advisory agreement. It should cover confidentiality, conflicts of interest, term length, attendance expectations, and removal language. That is not bureaucracy for its own sake; it is how you keep everyone aligned and prevent awkward misunderstandings later. With the boundary in place, the next question is how to design the role so strong people actually want to serve.</p>

<h2 id="how-to-design-a-role-people-will-actually-accept">How to design a role people will actually accept</h2>
<p>Good advisory service starts with a role that is specific enough to be meaningful and limited enough to be realistic. Vague invitations attract polite spectators. Clear invitations attract useful people.</p>
<ul>
  <li>
<strong>Write a one-paragraph purpose.</strong> State exactly what the board advises on and why it exists.</li>
  <li>
<strong>Define the scope.</strong> Say whether the board is focused on fundraising, community engagement, program quality, technical expertise, or something else.</li>
  <li>
<strong>Assign a liaison.</strong> One staff leader or governing-board contact should own communication and follow-up.</li>
  <li>
<strong>Set attendance and preparation expectations.</strong> Members should know whether pre-read review is mandatory and how missed meetings are handled.</li>
  <li>
<strong>Choose a practical term.</strong> For many nonprofits, one-year or two-year terms with one renewal keep the group fresh without constant turnover.</li>
  <li>
<strong>Keep the group small enough to work.</strong> In my experience, 6 to 9 active advisors is often easier to manage than a larger honorary crowd.</li>
  <li>
<strong>Address donations honestly.</strong> If you expect financial support, say so early and make the expectation proportionate to the role.</li>
  <li>
<strong>State how members exit.</strong> No one should be trapped in a role that no longer fits the mission or the person’s availability.</li>
</ul>
<p>The key here is discipline. If the charter says the group exists to advise on program expansion, then every meeting, document, and request should reinforce that purpose. Otherwise the board will slowly become decorative, which is usually a sign that the design was too broad from the start. Once the role is defined, the real test is whether meetings produce actionable advice.</p>

<h2 id="how-to-run-meetings-so-advice-turns-into-decisions">How to run meetings so advice turns into decisions</h2>
<p>Diligent’s current guidance says advisory boards typically meet two to six times per year, with quarterly meetings being the most common cadence. That is a useful baseline, but I care more about consistency than raw frequency. A board that meets four times a year and does real work is far better than one that meets monthly and produces no usable insight.</p>
<table>
  <tbody>
    <tr>
      <th>Meeting habit</th>
      <th>What I recommend</th>
      <th>Why it works</th>
    </tr>
    <tr>
      <td>Pre-read</td>
      <td>Send materials 3 to 5 days before the meeting</td>
      <td>Members arrive ready to discuss, not catch up</td>
    </tr>
    <tr>
      <td>Agenda shape</td>
      <td>Focus on 1 or 2 concrete questions</td>
      <td>Advisors give better input on a real decision than on a broad status update</td>
    </tr>
    <tr>
      <td>Meeting length</td>
      <td>60 to 90 minutes for most groups</td>
      <td>Long enough for discussion, short enough to stay sharp</td>
    </tr>
    <tr>
      <td>Meeting outcome</td>
      <td>Assign owners, deadlines, and next steps</td>
      <td>Keeps recommendations from disappearing after the meeting ends</td>
    </tr>
    <tr>
      <td>Follow-up</td>
      <td>Send a recap within 48 hours</td>
      <td>Preserves momentum and shows the board that its advice matters</td>
    </tr>
  </tbody>
</table>
<p>I also prefer meetings that are framed around decisions, not monologues. If the nonprofit wants input on a new partnership, say that. If it wants advice on donor segmentation, say that. The more precise the question, the more useful the answer. Good process is what converts expertise into value, and without it the board starts to drift into the kinds of mistakes that quietly waste everyone’s time.</p>

<h2 id="the-mistakes-that-make-advisory-boards-expensive-noise">The mistakes that make advisory boards expensive noise</h2>
<p>Most advisory boards fail for ordinary reasons, not dramatic ones. The pattern is usually the same: unclear purpose, weak follow-through, and too much deference to whoever invited the members in the first place.</p>
<ul>
  <li>
<strong>Honorary appointments with no real work.</strong> Prestige is not a strategy.</li>
  <li>
<strong>Too many members.</strong> Large groups often create applause instead of advice.</li>
  <li>
<strong>Asking for input after the decision is already made.</strong> People notice when their role is performative.</li>
  <li>
<strong>Letting the loudest person dominate.</strong> A good chair protects the quality of the discussion.</li>
  <li>
<strong>Confusing networking with accountability.</strong> Introductions matter, but they do not replace thoughtful counsel.</li>
  <li>
<strong>Never closing the loop.</strong> If members never hear what happened to their advice, engagement drops fast.</li>
  <li>
<strong>Skipping annual review.</strong> A useful advisory board should be evaluated like any other strategic tool.</li>
</ul>
<p>One of the hardest truths I share with nonprofits is that an advisory board can fail even when everyone involved is well intentioned. If it does not have a decision space, a rhythm, and a reason to exist, the group becomes polite background noise. Once you see those failure modes clearly, it is much easier to define what strong service actually looks like.</p>

<h2 id="what-strong-advisory-service-looks-like-in-practice">What strong advisory service looks like in practice</h2>
<p>When nonprofit advisory board roles and responsibilities are written clearly, the group stops being decorative and starts creating strategic leverage. The nonprofit gets sharper advice, the advisors get meaningful work, and the governing board stays firmly in control of the organization’s direction.</p>
<ul>
  <li>The charter names one clear purpose and a limited scope.</li>
  <li>Members know exactly what kind of advice is expected.</li>
  <li>Meetings are scheduled regularly and built around real questions.</li>
  <li>Conflicts, confidentiality, and term limits are documented.</li>
  <li>Recommendations are tracked, reviewed, and either acted on or explained.</li>
  <li>The board is refreshed when the mission changes or the work is no longer useful.</li>
</ul>
<p>If I were reducing the whole topic to one rule, it would be this: give advisors a real problem to solve, then show them that their input changed something. That is what makes the role credible, keeps governance clean, and turns an advisory board into an asset rather than a label.</p>]]></content:encoded>
      <author>Jarret Bernier</author>
      <category>Board Governance</category>
      <media:thumbnail url="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/thumbnail/73eed185ec20c807a7e1b52e15901b69/nonprofit-advisory-board-roles-responsibilities-impact.webp"/>
      <pubDate>Tue, 26 May 2026 19:53:00 +0200</pubDate>
    </item>
    <item>
      <title>How Do Nonprofits Make Money? Beyond Donations</title>
      <link>https://perez-girona.com/how-do-nonprofits-make-money-beyond-donations</link>
      <description>Discover how nonprofits make money beyond donations. Learn about diverse revenue streams, IRS rules, and building a resilient funding mix.</description>
      <content:encoded><![CDATA[<p>Nonprofits do not survive on donations alone. In the U.S., most of them blend service fees, government contracts, philanthropic gifts, sponsorships, and sometimes investment income, then reinvest any surplus into the mission. The real answer to how do nonprofits make money is that they build a revenue mix that covers payroll, programs, overhead, and reserves while still staying inside IRS rules. The organizations that last treat revenue as an operating system, not as a once-a-year fundraising event.</p>

<div class="short-summary">
  <h2 id="most-nonprofits-rely-on-a-blended-revenue-model">Most nonprofits rely on a blended revenue model</h2>
  <ul>
    <li>Most U.S. nonprofits earn money from more than one source, not just donations.</li>
    <li>Service fees and government contracts make up a large share of sector revenue.</li>
    <li>501(c)(3) organizations can run a surplus, but they cannot distribute earnings to private owners.</li>
    <li>Earned income can be valuable when it is mission-aligned and compliant with tax rules.</li>
    <li>A durable funding plan balances unrestricted cash, recurring support, and enough reserve to absorb delays.</li>
  </ul>
</div>

<h2 id="what-nonprofits-are-actually-trying-to-fund">What nonprofits are actually trying to fund</h2>
<p>I like to separate the mission from the accounting. A nonprofit can absolutely bring in more revenue than it spends in a given year; that surplus is what lets it build reserves, replace equipment, hire staff, and survive delayed grants. What it cannot do, for a 501(c)(3), is distribute those earnings to owners or insiders.</p>
<p>That distinction matters because many people assume “nonprofit” means “no money.” In practice, the organization needs cash flow, margin, and a cushion. Without those, even a strong program can stall when a reimbursement arrives late or a fundraiser underperforms. Once you understand that, the next question is where the money usually comes from.</p>

<p><img src="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/post_image/de59ca6dbd57cc7f8fad354abbd1ea09/nonprofit-revenue-streams-infographic.webp" class="image article-image" loading="lazy" alt="Diagram showing 8 top nonprofit revenue streams: individual donations, volunteer grants, member dues, grants, matching gifts, corporate sponsorships, in-kind contributions, and product sales."></p>

<h2 id="the-money-mix-behind-most-nonprofits">The money mix behind most nonprofits</h2>
<p>The sector is less donor-funded than many people think. The National Council of Nonprofits’ 2025 overview says nonprofits earn more than 80% of their revenue through fees for services and government grants or contracts, with charitable giving making up about 14% of financial resources. That is a useful reality check: philanthropy matters, but it is only one piece of the model.</p>
<table>
  <tbody>
    <tr>
      <th>Revenue source</th>
      <th>How it works</th>
      <th>Strength</th>
      <th>Watch-out</th>
    </tr>
    <tr>
      <td>Individual donations and major gifts</td>
      <td>One-time gifts, monthly giving, major donors, and planned gifts from individuals.</td>
      <td>Flexible and often unrestricted, especially when donors trust the mission.</td>
      <td>Can be seasonal and relationship-dependent; retention matters more than one strong campaign.</td>
    </tr>
    <tr>
      <td>Foundation grants</td>
      <td>Private foundations fund programs, pilots, capacity building, or specific outcomes.</td>
      <td>Good for launching or scaling a defined project.</td>
      <td>Often restricted, competitive, and time-limited.</td>
    </tr>
    <tr>
      <td>Government grants and contracts</td>
      <td>Public agencies pay nonprofits to deliver services, often under written agreements.</td>
      <td>Can be large and recurring when the organization performs well.</td>
      <td>Administrative burden is high, and cash may arrive after expenses are already due.</td>
    </tr>
    <tr>
      <td>Program fees and earned income</td>
      <td>Tuition, ticket sales, training fees, merchandise, memberships, facility rentals, or service charges.</td>
      <td>Creates revenue that can scale with demand and reduce dependence on fundraising.</td>
      <td>Must be priced correctly and monitored for tax issues if it is not mission-related.</td>
    </tr>
    <tr>
      <td>Sponsorships and events</td>
      <td>Corporate sponsors, gala revenue, sponsorship packages, and fundraising events.</td>
      <td>Useful for visibility and donor engagement.</td>
      <td>Events often consume more staff time than leaders expect, so margin can be thin.</td>
    </tr>
    <tr>
      <td>Investment and endowment income</td>
      <td>Interest, dividends, and spending from invested reserves or an endowment.</td>
      <td>Can stabilize operations if the organization has built real reserves.</td>
      <td>Requires disciplined governance and a long-term mindset.</td>
    </tr>
  </tbody>
</table>
<p>The practical rule is simple: the most valuable dollars are usually the ones that are predictable, unrestricted, and aligned with the delivery model. A nonprofit can raise impressive gross revenue and still be fragile if that money is delayed, restricted, or expensive to earn. That is where tax rules and compliance start to matter.</p>

<h2 id="what-the-irs-allows-and-what-can-create-tax-risk">What the IRS allows and what can create tax risk</h2>
<p>Tax-exempt does not mean rule-free. The IRS is clear that a 501(c)(3) must be organized and operated exclusively for exempt purposes, and none of its earnings may benefit a private shareholder or individual. It can earn revenue, but the money has to support the mission rather than enrich insiders.</p>
<ul>
  <li>
<strong>Mission-related revenue is generally safer.</strong> Fees for training, tickets, programs, or services that advance the exempt purpose are usually cleaner than side businesses with no real connection to the mission.</li>
  <li>
<strong>Unrelated business income can be taxable.</strong> If a nonprofit regularly runs a trade or business that is not substantially related to its exempt purpose, the IRS may treat that income as unrelated business income.</li>
  <li>
<strong>The filing threshold is low.</strong> If gross unrelated business income reaches $1,000 or more, the organization generally must file Form 990-T.</li>
  <li>
<strong>Some activities need close review.</strong> Advertising, gaming, merchandise sales, and certain rental income can be taxable depending on the facts.</li>
  <li>
<strong>Political activity is restricted.</strong> Advocacy and lobbying have limits, and campaign intervention is not allowed for charitable organizations.</li>
</ul>
<p>I see this line crossed most often when a nonprofit starts treating a side activity like a commercial venture without checking the structure. A gift shop, a paid newsletter, or a conference can be perfectly legitimate, but only if leadership understands whether the revenue is mission-related, how it will be reported, and whether the activity still fits the exemption. Once compliance is handled, the real work is building a mix that can survive a bad quarter.</p>

<h2 id="how-to-build-a-funding-mix-that-survives-a-bad-quarter">How to build a funding mix that survives a bad quarter</h2>
<p>The strongest nonprofit budgets are boring in the best way. They do not depend on one gala, one grant, or one donor who can disappear overnight. They usually combine recurring support, earned income, and enough unrestricted cash to absorb delays.</p>
<ol>
  <li>
<strong>Start with predictable revenue.</strong> Monthly donors, renewals, contracts with known payment schedules, and stable program fees are easier to plan around than occasional windfalls.</li>
  <li>
<strong>Price earned income on full cost.</strong> If a program, class, or service fee does not cover staff time, direct costs, and a share of overhead, it is not really revenue; it is a hidden subsidy.</li>
  <li>
<strong>Protect unrestricted dollars.</strong> Restricted grants are useful, but unrestricted revenue pays rent, payroll, and the inevitable costs that do not fit neatly inside a grant budget.</li>
  <li>
<strong>Build reserves on purpose.</strong> A practical target for many organizations is three to six months of operating expenses, even if it takes time to reach it.</li>
  <li>
<strong>Watch concentration risk.</strong> If one funder or one contract represents too much of the budget, a single decision can destabilize the whole organization.</li>
  <li>
<strong>Match the revenue stream to the work.</strong> Advocacy, direct services, cultural programming, and education each support different funding models, so one template rarely fits everything.</li>
</ol>
<p>When I review nonprofit revenue plans, I usually ask a simple question: if the top source disappears for ninety days, what still pays the bills? If the answer is “not much,” the strategy is too narrow. That problem shows up quickly in the mistakes organizations make.</p>

<h2 id="common-mistakes-that-weaken-nonprofit-revenue">Common mistakes that weaken nonprofit revenue</h2>
<p>Most funding problems are not mystery problems. They come from a handful of predictable habits that look harmless until cash gets tight.</p>
<ul>
  <li>
<strong>Using events as the core business model.</strong> A gala may build visibility and donor relationships, but after venue costs, staff hours, catering, and processing fees, the net margin is often thinner than leaders expect.</li>
  <li>
<strong>Ignoring indirect costs.</strong> If grants and contracts do not cover administration, technology, finance, and leadership, the organization slowly starves its own operating capacity.</li>
  <li>
<strong>Relying on one funder or one channel.</strong> A budget built around a single foundation, one government contract, or one annual campaign is too exposed.</li>
  <li>
<strong>Counting pledges as cash.</strong> Revenue on paper does not pay invoices. Cash timing matters as much as total revenue.</li>
  <li>
<strong>Launching earned income without a real business plan.</strong> Selling a product or service sounds attractive, but if pricing, staffing, and demand are not tested, the project can drain more resources than it brings in.</li>
  <li>
<strong>Confusing mission alignment with profitability.</strong> A program can be important and still be underpriced. Importance does not replace a margin.</li>
</ul>
<p>The pattern changes by organization type, which is why the right answer is always more specific than “raise more money.” Different nonprofits need different mixes, and the best ones choose revenue sources that fit how they actually operate.</p>

<h2 id="what-revenue-looks-like-by-nonprofit-type">What revenue looks like by nonprofit type</h2>
<p>Here is the part that usually makes the strategy click. A nonprofit’s best revenue mix depends on the service it delivers, the audience it serves, and the level of trust it needs to maintain.</p>
<table>
  <tbody>
    <tr>
      <th>Nonprofit type</th>
      <th>Common revenue sources</th>
      <th>Why this mix works</th>
    </tr>
    <tr>
      <td>Human services organization</td>
      <td>Government contracts, grants, individual donations, and occasional corporate support</td>
      <td>Service delivery is measurable, so contracts can fund ongoing operations while gifts cover gaps and innovation.</td>
    </tr>
    <tr>
      <td>Museum or arts nonprofit</td>
      <td>Tickets, memberships, sponsorships, donations, and foundation grants</td>
      <td>Audience-based revenue and philanthropy both support public access and programming.</td>
    </tr>
    <tr>
      <td>School, training provider, or educational nonprofit</td>
      <td>Tuition, course fees, grants, donations, and endowment income</td>
      <td>Education naturally supports earned income, but scholarships and mission expansion often need contributed support.</td>
    </tr>
    <tr>
      <td>Membership association</td>
      <td>Dues, conferences, certifications, sponsorships, and advertising or publishing income</td>
      <td>Members pay for access, information, and professional value, which creates a built-in recurring base.</td>
    </tr>
    <tr>
      <td>Advocacy or policy nonprofit</td>
      <td>Individual donors, foundation grants, events, and limited earned revenue from trainings or publications</td>
      <td>The organization’s value is influence and trust, so support usually comes more from philanthropy than contracts.</td>
    </tr>
    <tr>
      <td>Health or research nonprofit</td>
      <td>Grants, contracts, gifts, sponsorships, and sometimes fee-for-service work</td>
      <td>Research and care delivery often combine project funding with institutional support.</td>
    </tr>
  </tbody>
</table>
<p>This is where strategy beats generic advice. A food bank can often support a large share of its operations through public funding because it delivers measurable services. A policy group usually cannot. A museum can use memberships and admissions in a way a shelter cannot. The revenue model has to match the work, or the organization ends up forcing the mission to fit the money instead of the other way around.</p>

<h2 id="the-revenue-model-that-ages-best">The revenue model that ages best</h2>
<p>If I had to reduce the whole topic to one rule, it would be this: the strongest nonprofits combine <strong>mission-aligned earned revenue</strong>, <strong>unrestricted contributions</strong>, and <strong>disciplined compliance</strong>. They do not chase every dollar. They choose the dollars that support the work, cover the true cost, and keep the organization flexible when conditions change.</p>
<p>That is the practical answer behind nonprofit revenue. It is not about finding a magic income stream. It is about building a mix that can absorb delays, survive policy shifts, and still pay for the people and systems that make the mission possible.</p>
<p>When those pieces are in place, fundraising becomes less frantic and operations become easier to manage. The organization stops asking whether it can survive on one stream and starts asking how each stream can strengthen the whole.</p>]]></content:encoded>
      <author>Jarret Bernier</author>
      <category>Nonprofit Operations</category>
      <media:thumbnail url="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/thumbnail/dc5b5360fb5ee241d3d770185ffeed2a/how-do-nonprofits-make-money-beyond-donations.webp"/>
      <pubDate>Tue, 26 May 2026 12:14:00 +0200</pubDate>
    </item>
    <item>
      <title>WIP Accounting Explained - Avoid Costly Mistakes</title>
      <link>https://perez-girona.com/wip-accounting-explained-avoid-costly-mistakes</link>
      <description>Master work in progress (WIP) accounting! Learn what WIP measures, how it&apos;s built, where it lands, and common mistakes. Get practical tips to improve your financial reporting.</description>
      <content:encoded><![CDATA[<p>WIP accounting looks simple until a project crosses month-end or a production run is still unfinished when the books close. At that point, the real question is not whether work exists, but how much cost has already been built into unfinished goods or services without distorting margin, cash flow, or revenue timing. I focus here on the practical version: what belongs in WIP, how the balance is built, where it appears, and which mistakes create the biggest errors.</p>

<div class="short-summary">
  <h2 id="the-essentials-behind-wip-in-plain-english">The essentials behind WIP in plain English</h2>
  <ul>
    <li>WIP is the accumulated cost of partially completed goods or services, not finished inventory.</li>
    <li>The usual building blocks are direct materials, direct labor, and applied overhead.</li>
    <li>In project work, percent complete and billing status matter as much as the cost total.</li>
    <li>Underbilling can create a contract asset; overbilling can create a contract liability.</li>
    <li>Stale estimates, weak overhead allocation, and cutoff errors are the fastest ways to distort the number.</li>
  </ul>
</div>

<h2 id="what-work-in-progress-really-measures">What work in progress really measures</h2>
<p>I think of WIP as the bridge between raw input and finished output. It captures the cost of work that has started but has not yet become a saleable product, a completed job, or a billable service, which is why it sits at the center of both inventory accounting and project accounting.</p>
<p>In manufacturing, the balance usually lives inside inventory. In construction, engineering, and professional services, it often sits beside revenue recognition because the bigger question is how much of the contract has actually been earned. That distinction matters: a project can look profitable on paper only if the estimate behind it is current and the costs are coded correctly.</p>
<p>For leaders, the number matters for more than bookkeeping. It affects gross margin, working capital, lender confidence, board reporting, and whether management sees problems early enough to fix them before a job turns into a loss.</p>
<p>Once that distinction is clear, the next step is turning the concept into a number that can survive a close.</p>

<p><img src="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/post_image/7bc27555c2e3dbc2cc5041df1583cd5a/work-in-progress-accounting-workflow-example.webp" class="image article-image" loading="lazy" alt="Illustration shows a factory with a W.I.P. sign, a forklift and ship, explaining work-in-progress accounting."></p>

<h2 id="how-the-balance-is-built-step-by-step">How the balance is built step by step</h2>
<p>The cleanest way to build WIP is to start with direct costs, add the overhead that belongs to the job, and then test whether the result still makes sense against progress and realizable value. In practice, I usually separate the calculation into cost accumulation and progress measurement, because those are related but not identical.</p>
<table>
  <thead>
    <tr>
      <th>Cost element</th>
      <th>Example amount</th>
      <th>Why it belongs in WIP</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Direct materials</td>
      <td>$120,000</td>
      <td>Physical inputs consumed in the job or batch</td>
    </tr>
    <tr>
      <td>Direct labor</td>
      <td>$80,000</td>
      <td>Payroll that can be traced straight to the work</td>
    </tr>
    <tr>
      <td>Applied overhead</td>
      <td>$50,000</td>
      <td>Shared production or project costs allocated by a rational base</td>
    </tr>
    <tr>
      <td><strong>Total WIP</strong></td>
      <td><strong>$250,000</strong></td>
      <td><strong>The amount carried until completion or billing logic moves it forward</strong></td>
    </tr>
  </tbody>
</table>
<p>If a manufacturer uses standard costing, I would expect the WIP balance to carry standard material, labor, and overhead rates until variances are reviewed and closed. That is normal, but it also means a stale rate can quietly push the balance out of line with reality.</p>
<p>For project work, the logic often shifts to a cost-to-cost measure of progress: <strong>percent complete = costs incurred to date ÷ estimated total costs</strong>. That works well when cost tracks progress closely. It works less well when materials are bought early, subcontractors are front-loaded, or a contract has unusual milestone payments.</p>
<p>For example, if a contractor has a $1,000,000 contract, expects $800,000 in total cost, and has incurred $480,000 so far, the job is 60 percent complete. Earned revenue is then $600,000, even if only $540,000 has been billed. In that case, the difference is a $60,000 underbilling, which is the kind of gap management needs to see early.</p>
<p>That estimate is only half the story; the report still has to land in the right place on the books.</p>

<h2 id="where-it-lands-on-the-financial-statements">Where it lands on the financial statements</h2>
<p>On the balance sheet, inventory-style WIP is usually a <strong>current asset</strong>. On long-term contracts, the same underlying work may show up as a contract asset or a contract liability depending on whether billings are behind or ahead of performance. That is why the balance sheet can look healthy while the underlying project is already drifting.</p>
<table>
  <thead>
    <tr>
      <th>Status</th>
      <th>Balance sheet effect</th>
      <th>What it means in practice</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Work earned exceeds billings</td>
      <td>Contract asset or underbilling</td>
      <td>The company has performed work it has not yet invoiced enough for</td>
    </tr>
    <tr>
      <td>Billings exceed work earned</td>
      <td>Contract liability or overbilling</td>
      <td>The company has billed ahead of the work delivered</td>
    </tr>
    <tr>
      <td>Goods are still being manufactured</td>
      <td>Inventory on the asset side</td>
      <td>The cost sits in WIP until the units are finished and transferred</td>
    </tr>
  </tbody>
</table>
<p>I also like to look at the report columns rather than only the ending balance. A useful WIP schedule normally includes contract value, cost to date, estimated cost to complete, earned revenue, billings to date, and forecast gross margin. Those lines tell you whether the estimate is still believable or whether the job is starting to tell a different story.</p>
<p>When you move from the balance sheet to the operating model, the industry context starts to matter much more.</p>

<h2 id="why-industry-context-changes-the-treatment">Why industry context changes the treatment</h2>
<p>Manufacturing, construction, and service firms all talk about unfinished work, but they do not always mean the same accounting object. A factory is tracking goods moving through stages of completion; a contractor is tracking earned revenue against costs; a services firm is often tracking unbilled time and contract progress.</p>
<table>
  <thead>
    <tr>
      <th>Industry</th>
      <th>Typical WIP focus</th>
      <th>Main risk</th>
      <th>Best control</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Manufacturing</td>
      <td>Materials, labor, and factory overhead embedded in unfinished units</td>
      <td>Scrap, yield loss, and outdated standard costs</td>
      <td>Physical counts and variance review</td>
    </tr>
    <tr>
      <td>Construction</td>
      <td>Cost to date versus estimate to complete on active jobs</td>
      <td>Scope changes, claims, and billing lag</td>
      <td>Monthly job cost review and change-order discipline</td>
    </tr>
    <tr>
      <td>Professional services</td>
      <td>Unbilled time, milestone progress, and accrued revenue</td>
      <td>Write-offs, utilization drift, and weak timesheet coding</td>
      <td>Time entry controls and billing reconciliation</td>
    </tr>
  </tbody>
</table>
<p>For services, I would be especially careful not to treat every unbilled hour as equal. Some hours are fully recoverable, some are partly billable, and some should never have been capitalized into project progress in the first place. That is why the same label can hide very different economics across firms.</p>
<p>That difference is also where most reporting mistakes begin.</p>

<h2 id="the-mistakes-that-distort-margins-and-cash-flow">The mistakes that distort margins and cash flow</h2>
<p>When I review a weak WIP schedule, the problem is usually not one big error but a stack of small ones. A stale estimate here, a miscoded labor bucket there, and suddenly the report is telling a story the project team no longer believes.</p>
<ul>
  <li>
<strong>Treating purchased materials as earned progress too early</strong> - buying steel, equipment, or software licenses does not automatically mean the work is equally complete.</li>
  <li>
<strong>Letting estimates to complete go stale</strong> - if scope changed last month and the forecast did not, the margin is probably fiction.</li>
  <li>
<strong>Misallocating overhead</strong> - overhead rates that no longer reflect labor mix, machine time, or project structure can push WIP too high or too low.</li>
  <li>
<strong>Confusing billings with revenue</strong> - cash collected or invoices sent are not the same thing as earned value.</li>
  <li>
<strong>Ignoring rework, scrap, and idle time</strong> - those costs may need separate treatment instead of being buried in normal progress.</li>
  <li>
<strong>Skipping lower-of-cost-or-NRV testing</strong> - inventory-style WIP still has to be recoverable, not just recorded.</li>
  <li>
<strong>Failing to reconcile the subledger to the general ledger</strong> - if the job system and the books disagree, the close is already compromised.</li>
</ul>
<p>In 2026, the biggest mistake is still the oldest one: letting assumptions age while the work keeps moving. The companies that avoid trouble are usually not the ones with the fanciest software; they are the ones that update estimates quickly and challenge anomalies before the close.</p>
<p>A disciplined monthly close is the fastest way to catch those problems before they become a margin surprise.</p>

<h2 id="the-monthly-controls-that-keep-wip-useful">The monthly controls that keep WIP useful</h2>
<p>The best close is not the most detailed one; it is the one that forces the right conversations. I would check three things every month: whether the estimate to complete is current, whether the billing position matches progress, and whether the general ledger agrees with the project or manufacturing subledger.</p>
<ul>
  <li>Reconcile job-cost or production reports to the general ledger before numbers go out to management.</li>
  <li>Refresh the estimate to complete on every material job, not just the ones already in trouble.</li>
  <li>Review underbillings and overbillings together so cash flow and performance are seen in the same frame.</li>
  <li>Compare actual margin to original bid margin and the latest forecast margin.</li>
  <li>Escalate any job with major scope change, rework, claims, or negative margin drift.</li>
  <li>Check whether any inventory WIP needs a write-down because market value or net realizable value has moved.</li>
</ul>
<p>Automation helps here, but it does not replace judgment. I would trust software to move the data and flag exceptions; I would still rely on a human review to decide whether the assumptions behind the number are actually defensible. That is where WIP stops being bookkeeping and becomes a governance tool.</p>
<p>The practical test is simple: if the WIP schedule can explain where profit is coming from, where cash is tied up, and what changed since the last close, it is doing its job. If it cannot, the fix is not more spreadsheet detail; it is better cost coding, fresher estimates, and tighter billing discipline. That is why control over unfinished work belongs in the same conversation as margin management, credit risk, and operational governance.</p>]]></content:encoded>
      <author>Rocky Daniel</author>
      <category>Accounting</category>
      <media:thumbnail url="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/thumbnail/4b8762adf17c947eecb0dd1944ecbb25/wip-accounting-explained-avoid-costly-mistakes.webp"/>
      <pubDate>Sat, 23 May 2026 15:03:00 +0200</pubDate>
    </item>
    <item>
      <title>Effective Board Meetings - Make Every Minute Count</title>
      <link>https://perez-girona.com/effective-board-meetings-make-every-minute-count</link>
      <description>Transform your board meetings into decision engines! Learn how to optimize agendas, prepare directors, and run effective meetings. Read now!</description>
      <content:encoded><![CDATA[<head></head><body><p><a href="https://perez-girona.com/strong-board-governance-best-practices-for-us-boards">Strong board governance</a> depends on meetings that do three things well: prepare directors, focus discussion on real decisions, and leave the room with clear accountability. In practice, effective board meetings are less about speaking well and more about making the board’s limited time do real governance work. This article breaks down how I would shape the agenda, prepare the board book, run the meeting, document decisions, and avoid the mistakes that quietly waste hours.</p>

<div class="short-summary">
  <h2 id="the-fastest-way-to-make-board-time-count">The fastest way to make board time count</h2>
  <ul>
    <li>Separate information, discussion, and decision items before the meeting starts.</li>
    <li>Send the board pack 5 to 10 days in advance so directors can read, compare, and question.</li>
    <li>Use a consent agenda for routine approvals and save live time for judgment calls.</li>
    <li>Keep the chair, CEO, secretary, and committee leads aligned on roles and timing.</li>
    <li>Record motions, votes, recusals, and action owners clearly so the next step is obvious.</li>
  </ul>
</div>

<h2 id="what-a-productive-board-meeting-is-really-supposed-to-do">What a productive board meeting is really supposed to do</h2>
<p>A board meeting is not a management update with a formal vote attached. Its job is to help directors exercise oversight, test strategic assumptions, monitor risk, and make decisions that management cannot or should not make alone. In a U.S. governance context, that matters because board duties are tied to fiduciary oversight, and the exact rules still depend on the entity type, bylaws, and state law.</p>
<p>That is why I think the best boards are picky about what earns live time. If an item only needs awareness, it should be read in advance. If it needs debate, the board should have the facts and the framing before anyone walks into the room. If it needs a decision, the meeting should make the decision clear enough that everyone understands who owns what next.</p>
<p>When a board treats the meeting as a decision engine, not a reporting ritual, the quality of governance usually improves fast. The agenda gets sharper, the discussion gets shorter but deeper, and the minutes become easier to trust. That leads directly to the part most boards get wrong first: what they put on the agenda.</p>

<p><img src="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/post_image/c8c2d9eee47b0aa62f0cac434e48798d/board-meeting-agenda-template-directors-reviewing-pre-read-materials.webp" class="image article-image" loading="lazy" alt="A diverse group of professionals engage in effective board meetings, with a presenter leading the discussion in a modern conference room."></p>

<h2 id="build-the-agenda-around-decisions-not-updates">Build the agenda around decisions, not updates</h2>
<p>The single biggest improvement I make to board meetings is to force every agenda item to answer one question: what kind of conversation is this? An update, a discussion, or a decision? Once that is clear, the meeting stops blurring everything into a long, flat conversation where nobody knows what matters most.</p>
<p>I also prefer a concise agenda that fits on one page, with detail pushed into the board book. That does not mean the meeting is shallow. It means the board can see the structure at a glance and spend its energy where judgment is actually needed.</p>

<table>
  <tbody>
    <tr>
      <th>Agenda block</th>
      <th>What belongs there</th>
      <th>What should move out</th>
    </tr>
    <tr>
      <td>Consent agenda</td>
      <td>Routine approvals, prior minutes, standard reports, recurring appointments</td>
      <td>Anything contested, strategic, sensitive, or likely to require debate</td>
    </tr>
    <tr>
      <td>Main agenda</td>
      <td>Decisions, strategic issues, major risks, committee recommendations</td>
      <td>Pure status updates that can be read in advance</td>
    </tr>
    <tr>
      <td>Executive session</td>
      <td>Confidential topics such as personnel, legal exposure, CEO matters, or sensitive finance issues</td>
      <td>Any item that should remain in open discussion for transparency or recordkeeping</td>
    </tr>
  </tbody>
</table>

<p>That structure is useful because it prevents one board member’s favorite reporting format from hijacking the whole meeting. It also gives the chair a simple tool for pacing. If the agenda is overloaded, I would rather cut live discussion than let routine material squeeze out strategy.</p>
<p>Once the agenda is this clear, the next win comes from preparation, because directors can only make good decisions if they arrive ready to engage.</p>

<h2 id="prepare-directors-before-they-walk-in">Prepare directors before they walk in</h2>
<p>The best board rooms are often decided before the meeting starts. I want directors to arrive with a working understanding of the numbers, the risks, the unresolved questions, and the decisions that are coming. That is why I push hard for a board book that is sent early, preferably 5 to 10 days ahead of time.</p>
<p>That timing is not cosmetic. If materials arrive too late, the meeting becomes a reading session. If they arrive in a messy bundle of PDFs and slide decks, directors spend their energy hunting for context instead of forming judgments.</p>
<p>My standard for the pre-read package is simple: less clutter, more signal. The board does not need every internal report in full. It needs the versions that help directors compare trends, spot exceptions, and understand what has changed since the last meeting.</p>

<ul>
  <li>
<strong>Chair</strong>: confirm the decision points, trim low-value items, and protect time for the hardest issues.</li>
  <li>
<strong>CEO</strong>: frame the strategic problem clearly and avoid turning the meeting into a progress recap.</li>
  <li>
<strong>Secretary or governance lead</strong>: assemble the board book, coordinate distribution, and track resolutions and action items.</li>
  <li>
<strong>Committee chairs</strong>: bring only the questions that the full board actually needs to resolve.</li>
</ul>

<p>In the United States, public boards may also have statutory notice obligations under open meeting laws, but that is a legal floor, not a best-practice target for director preparation. Private company and nonprofit boards still need enough lead time to read, compare, and think. Without that, the live meeting becomes reactive instead of deliberate. Next comes the part where preparation either pays off or falls apart: how the chair runs the room.</p>

<h2 id="run-the-room-with-chair-discipline">Run the room with chair discipline</h2>
<p>A good chair does more than open and close the meeting. The chair sets tone, controls tempo, and keeps discussion from drifting into management territory. I look for three habits in particular: naming the purpose of each agenda item, asking for a decision at the right moment, and summarizing the outcome before moving on.</p>
<p>If your board follows Robert’s Rules of Order, the process should be consistent enough that directors know how to make motions, offer amendments, debate, and vote without confusion. I do not think every board needs a theatrical parliamentary performance. I do think every board needs a predictable process, because uncertainty about process wastes time and creates avoidable friction.</p>
<p>Here is the kind of discipline that keeps a meeting moving:</p>
<ul>
  <li>Start each item by saying whether the board is being asked to inform, discuss, or decide.</li>
  <li>Cut off repeat commentary once the point has already been made.</li>
  <li>Summarize the recommendation in plain language before the vote.</li>
  <li>Separate board-level oversight from operational detail so management does not get pulled into the weeds.</li>
  <li>Use time boxes when the agenda is crowded and protect the items that matter most.</li>
</ul>
<p>The other thing I watch closely is how directors speak to one another. The best boards challenge ideas without turning the room into a debate club. That means asking pointed questions, not delivering speeches. It also means being willing to pause an item when the facts are not ready rather than forcing a bad decision for the sake of staying on schedule. Once the chair has that under control, the board can use its special tools, especially the consent agenda and executive session, without abusing either one.</p>

<h2 id="use-consent-agendas-and-executive-sessions-without-abusing-either-one">Use consent agendas and executive sessions without abusing either one</h2>
<p>A consent agenda is one of the simplest efficiency tools in governance, and it is often underused. It is meant for routine items the board has already seen or expects to approve without debate. Typical examples include prior minutes, recurring financial reports, committee updates, and administrative approvals that do not need live discussion.</p>
<p>The point is not to hide anything. The point is to stop spending valuable board time on items that are already settled. If one director wants to pull an item for discussion, that should be easy to do. A consent agenda only works when the board trusts that nothing material is being buried inside it.</p>

<h3 id="what-belongs-in-a-consent-agenda">What belongs in a consent agenda</h3>
<ul>
  <li>Noncontroversial approvals with a clear history.</li>
  <li>Reports that directors need to note, not debate.</li>
  <li>Items with prior consensus and no new risk signal.</li>
</ul>

<h3 id="when-to-move-into-executive-session">When to move into executive session</h3>
<p>An executive session is the private portion of a board meeting used for sensitive matters. I expect boards to use it carefully for topics such as CEO performance, legal exposure, personnel issues, or other confidential matters that should not remain in open discussion. That private space is useful, but only when the board is disciplined enough to keep it narrow.</p>
<p>My rule is simple: if the topic is sensitive, but not actually confidential, keep it in the open meeting. Overusing executive session can make the board look evasive and can weaken trust with management. Underusing it can expose the organization to unnecessary risk. The balance matters, and it leads naturally to the part that determines whether the meeting will be usable later: the minutes and follow-up.</p>

<h2 id="write-minutes-that-support-governance-instead-of-creating-risk">Write minutes that support governance instead of creating risk</h2>
<p>Minutes are not a transcript. They are the governance record of what the board considered, decided, and delegated. That distinction matters because good minutes should help the organization prove process, preserve memory, and track accountability without turning into a wall of unnecessary detail.</p>
<p>I want minutes to capture four things clearly: the motion or issue, the decision, the vote or level of support, and the assigned next step. If someone recused themselves because of a <a href="https://perez-girona.com/board-conflict-of-interest-protect-your-boards-integrity">conflict of interest</a>, that should be noted. If the board moved into executive session, that should be recorded cleanly as well.</p>
<p>In practical terms, the strongest minutes usually include:</p>
<ul>
  <li>Attendance and quorum status.</li>
  <li>Key motions, amendments, approvals, and dissent where relevant.</li>
  <li>Conflicts, recusals, and abstentions.</li>
  <li>Action items with owners and deadlines.</li>
  <li>Any decisions that need to be revisited at the next meeting.</li>
</ul>
<p>I prefer to draft minutes while the discussion is still fresh and circulate them promptly through the board’s normal approval process. Exact timing can vary, but the longer the lag, the more memory fades and the more likely follow-through gets sloppy. Once that follow-up discipline exists, the board can start looking at the mistakes that quietly erode quality from one meeting to the next.</p>

<h2 id="the-mistakes-that-quietly-drain-board-value">The mistakes that quietly drain board value</h2>
<p>Most weak board meetings do not fail because of one dramatic error. They fail because of a dozen small ones that keep repeating. If I were auditing a board’s calendar, these are the patterns I would look for first:</p>
<ul>
  <li>Too many presentations, not enough decisions.</li>
  <li>Materials sent too late for serious preparation.</li>
  <li>Committee reports that repeat the same information the board already received.</li>
  <li>No clear owner for follow-up items.</li>
  <li>Minutes that record words but not outcomes.</li>
  <li>Strategic items pushed to the end of the agenda, when everyone is already tired.</li>
  <li>Operational topics crowding out governance questions.</li>
</ul>
<p>One especially common mistake is mistaking activity for value. A long meeting can feel serious while producing very little. A short meeting can feel brisk while still covering the right risks, choices, and oversight points. The real test is simple: did the board improve the organization’s position, or just talk about it? That question is what makes the final operating rhythm worth keeping in view.</p>

<h2 id="the-boardroom-rhythm-i-would-keep-in-2026">The boardroom rhythm I would keep in 2026</h2>
<p>If I were building a board process from scratch, I would keep it boring in the best possible way. A stable annual calendar, a clean pre-read process, a clear division between consent items and live debate, and a disciplined follow-up loop will outperform a flashy meeting format almost every time.</p>
<p>I would also review the meeting itself at least once a year. Not the content of one agenda, but the quality of the process: Were the right issues discussed? Did directors have enough time to prepare? Did the chair keep the room focused? Did decisions turn into action quickly enough?</p>
<p>That is how I think about board governance in 2026: not as a status update, but as a decision system. Done well, these habits make board meetings effective and move strategy, oversight, and accountability forward.</p></body>]]></content:encoded>
      <author>Cole Mitchell</author>
      <category>Board Governance</category>
      <media:thumbnail url="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/thumbnail/b5725d1f3408cf3abca05a01f1d03bc4/effective-board-meetings-make-every-minute-count.webp"/>
      <pubDate>Sat, 23 May 2026 14:53:00 +0200</pubDate>
    </item>
    <item>
      <title>Bookkeeping Automation - Clean Books, Faster Close</title>
      <link>https://perez-girona.com/bookkeeping-automation-clean-books-faster-close</link>
      <description>Unlock cleaner, faster books with bookkeeping automation. Discover what to automate first, choose the right system, and ensure a smooth rollout.</description>
      <content:encoded><![CDATA[<p>Cleaner books rarely come from working harder; they come from removing the repetitive steps that slow the close and invite errors. <strong>Bookkeeping automation</strong> is the practical use of software to capture transactions, route approvals, match records, and surface exceptions so people can focus on review instead of data entry. In this article, I break down what to automate first, how to choose a system, where the real risks sit, and what a sensible rollout looks like for a U.S. business.</p>

<div class="short-summary">
  <h2 id="what-matters-most-before-you-automate-the-books">What matters most before you automate the books</h2>
  <ul>
    <li>Automate the repetitive, rules-based work first: bank feeds, receipts, invoicing, reminders, and reconciliation.</li>
    <li>The main payoff is not just speed; it is fewer manual touches, cleaner records, and a tighter month-end close.</li>
    <li>Human review still matters for exceptions, unusual journals, new vendors, payroll items, and tax-sensitive decisions.</li>
    <li>Software choice should follow workflow design, not the other way around.</li>
    <li>ROI is usually decided by setup quality, data cleanliness, and how many exceptions the system creates.</li>
  </ul>
</div>

<h2 id="what-automation-changes-in-everyday-bookkeeping">What automation changes in everyday bookkeeping</h2>
<p>Automation does not magically make accounting strategic. It removes repetitive work so the person reviewing the books can spend time on exceptions, not transcription. In practice, that means bank feeds, receipt capture, invoice routing, recurring entries, and rule-based matching do the heavy lifting while the human role shifts to approval, explanation, and correction.</p>
<p>That shift matters because clean financials are usually built by reducing the number of touches between the transaction and the ledger. The software can catch the obvious items, but it should not be trusted to decide how to treat a split charge, a messy reimbursement, or a new vendor with no history. Once that shift is clear, the next question is which tasks deserve automation first.</p>

<h2 id="the-tasks-i-would-automate-first">The tasks I would automate first</h2>
<p>When I map a bookkeeping workflow, I start with the tasks that are frequent, rule-based, and painful to do by hand. Those are the places where automation usually creates the fastest win and the least drama.</p>
<table>
  <tbody>
    <tr>
      <th>Task</th>
      <th>Why it automates well</th>
      <th>What still needs review</th>
    </tr>
    <tr>
      <td>Bank transaction import and categorization</td>
      <td>Transactions arrive in a consistent format, and vendor patterns are repeatable.</td>
      <td>New vendors, split charges, unusual amounts, and account changes.</td>
    </tr>
    <tr>
      <td>Receipt capture</td>
      <td>
<strong>OCR</strong>, or optical character recognition, can read key details from invoices and receipts automatically.</td>
      <td>Missing receipts, personal purchases, and mixed-use expenses.</td>
    </tr>
    <tr>
      <td>Recurring invoicing and payment reminders</td>
      <td>Billing cycles, due dates, and reminder sequences are easy to standardize.</td>
      <td>Custom terms, disputed invoices, and client-specific exceptions.</td>
    </tr>
    <tr>
      <td>Bank reconciliation</td>
      <td>Matching ledger entries to bank activity follows predictable rules in most cases.</td>
      <td>Timing differences, reversals, duplicates, and stale items.</td>
    </tr>
    <tr>
      <td>Bill approval and payment routing</td>
      <td>Approval thresholds can be defined in advance and enforced consistently.</td>
      <td>New vendors, high-value payments, and nonstandard bills.</td>
    </tr>
    <tr>
      <td>Monthly reporting</td>
      <td>Standard reports can be generated on a schedule with the same structure each time.</td>
      <td>Narrative commentary, unusual variances, and final review.</td>
    </tr>
  </tbody>
</table>
<p>If a workflow is high-volume, rule-based, and fed by consistent source data, it is usually a good candidate. If it depends on judgment, exceptions, or a one-off approval path, I keep a human in the loop until the rules are stable. After those priorities are set, implementation is less about buying software and more about designing the process around it.</p>

<p><img src="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/post_image/419fc3fdbcdfaa530439534af2ad9a5c/bookkeeping-workflow-automation-bank-feeds-receipt-capture-reconciliation.webp" class="image article-image" loading="lazy" alt="Diagram shows how bookkeeping automation integrates with various systems like CRM, Procurement, HR, and Financial Planning for streamlined operations."></p>

<h2 id="how-to-build-a-workflow-that-survives-month-end-close">How to build a workflow that survives month-end close</h2>
<p>A good workflow starts with structure, not with features. I usually map the current process on paper first: where the transaction starts, which system touches it, who approves it, and where exceptions go. Then I automate only the repeatable part and leave a visible path for anything unusual.</p>
<ol>
  <li>Clean the chart of accounts, vendor names, and item labels before you automate anything. Bad labels create bad rules.</li>
  <li>Connect bank and card feeds so transactions arrive daily instead of in a monthly pile.</li>
  <li>Set rules by vendor, amount, location, and account type, then keep the rule set simple enough to explain.</li>
  <li>Create an exception queue for split payments, new vendors, and transactions that do not match historical behavior.</li>
  <li>Use approvals for payments and journal entries that affect cash, payroll, sales tax, or tax filings.</li>
  <li>Pilot one month before scaling, because a workflow that looks good in a demo can still fail under real volume.</li>
</ol>
<p>When AI is part of the stack, I prefer systems that learn from prior coding decisions but still show why a match was suggested. That matters because a black box may be fast, but it is hard to trust when a lender, auditor, or controller asks for support. That kind of design keeps the close predictable, which is what finance teams actually need before they compare platforms.</p>

<h2 id="choosing-the-right-system-for-a-us-business">Choosing the right system for a U.S. business</h2>
<p>The best tool is the one that fits your workflow, not the one with the longest feature list. In the U.S. market, I usually think in three buckets: all-in-one accounting suites, point tools for specific tasks, and workflow automation tools that move data between apps.</p>
<table>
  <tbody>
    <tr>
      <th>Approach</th>
      <th>Best for</th>
      <th>Strengths</th>
      <th>Limits</th>
      <th>Typical spend</th>
    </tr>
    <tr>
      <td>All-in-one cloud accounting suite</td>
      <td>Small and midsize businesses that want one place for invoicing, bank feeds, reconciliation, and reporting.</td>
      <td>Simple administration, strong core bookkeeping, fewer vendors to manage.</td>
      <td>Can feel rigid as complexity grows, especially with custom workflows.</td>
      <td>Often starts around $19 to $137.50+ per month, depending on plan depth.</td>
    </tr>
    <tr>
      <td>Point tools for AP, expense, or receipt capture</td>
      <td>Teams with a lot of bills, reimbursements, or document intake.</td>
      <td>Better capture, faster approvals, and cleaner matching for one specific problem.</td>
      <td>More integrations to maintain and more places for process drift.</td>
      <td>Frequently priced per user or bundled into a broader finance stack.</td>
    </tr>
    <tr>
      <td>Workflow automation or RPA</td>
      <td>Firms stitching together older systems or repeating the same handoffs across apps.</td>
      <td>Flexible across tools, useful for repeatable back-office handoffs.</td>
      <td>
<strong>RPA</strong>, or robotic process automation, still needs maintenance and careful rule design.</td>
      <td>Can be low-cost for basic no-code tools, but enterprise setups are usually quote-based.</td>
    </tr>
  </tbody>
</table>
<p>QuickBooks and Xero are the clearest examples of the all-in-one category, and they make sense when the goal is to streamline bookkeeping without building a custom finance stack. The point is not to pick a famous platform; it is to match the tool to the volume, complexity, and approval structure of the business. The next layer is governance, because speed without controls creates hidden risk.</p>

<h2 id="controls-that-keep-speed-from-becoming-a-liability">Controls that keep speed from becoming a liability</h2>
<p>The governance question is simple: can you show who changed what, when, and why? If the answer is no, the system may be fast, but it is not reliable enough for serious financial work. In a U.S. setting, that matters for payroll, sales tax, 1099 work, and anything that will later be reviewed by management, a lender, a tax preparer, or an auditor.</p>
<p>The AICPA’s automation guidance is consistent on one point: start with repeatable workflows, but keep approval logic visible. I would add a few practical controls that tend to matter more than people expect:</p>
<ul>
  <li>Separate data entry, approval, and payment authority wherever possible.</li>
  <li>Keep an audit trail of rule changes, overrides, and exception handling.</li>
  <li>Limit who can edit vendor master data, bank rules, and payment settings.</li>
  <li>Require human review for new vendors, manual journals, and any override of a matching rule.</li>
  <li>Store source documents in one place so every posting can be traced back to support.</li>
  <li>Review duplicates, stale reconciling items, and unusual reversals on a fixed schedule.</li>
</ul>
<p>Those controls are not bureaucratic overhead. They are what keep automation from turning into invisible error propagation. Once those guardrails exist, ROI becomes much easier to measure.</p>

<h2 id="what-the-numbers-usually-look-like">What the numbers usually look like</h2>
<p>I like to model payback in plain language: monthly hours saved, loaded labor cost, software spend, and any one-time cleanup or setup work. If automation saves time on paper but creates rework in practice, the math falls apart quickly.</p>
<table>
  <tbody>
    <tr>
      <th>Example input</th>
      <td>8 hours saved per month</td>
    </tr>
    <tr>
      <th>Loaded hourly cost</th>
      <td>$35 to $50</td>
    </tr>
    <tr>
      <th>Monthly labor value</th>
      <td>$280 to $400</td>
    </tr>
    <tr>
      <th>Software spend</th>
      <td>$19 to $137.50+ per month</td>
    </tr>
    <tr>
      <th>One-time setup or cleanup</th>
      <td>$500 to $2,500 is a realistic planning range when data and workflows need cleanup</td>
    </tr>
    <tr>
      <th>Payback</th>
      <td>Often a few months if the process is stable and the team actually uses the workflow</td>
    </tr>
  </tbody>
</table>
<p>That is why I do not judge a system by subscription price alone. I watch three operating metrics instead: uncategorized transactions, unreconciled items, and days to close. If those move in the right direction for two or three cycles, the system is doing real work. With the economics visible, the rollout can stay deliberate instead of chaotic.</p>

<h2 id="a-90-day-rollout-that-avoids-rework">A 90-day rollout that avoids rework</h2>
<ol>
  <li>Days 1 to 30: map the current workflow, pick one repetitive process, clean the data behind it, and measure the baseline.</li>
  <li>Days 31 to 60: automate that single process, keep human review on the exception queue, and compare results against the baseline.</li>
  <li>Days 61 to 90: add one adjacent workflow, document the controls, tighten permissions, and check whether the close is actually faster and cleaner.</li>
</ol>
<p>The safest strategy is usually the boring one: automate the repeatable 80 percent, keep the exception path explicit, and review the controls every month. That gives you faster books without losing the audit trail, and it tends to hold up better when tax season, diligence, or lender questions show up.</p>]]></content:encoded>
      <author>Jarret Bernier</author>
      <category>Accounting</category>
      <media:thumbnail url="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/thumbnail/f614db6d543a22acc7d970b3c4a0634c/bookkeeping-automation-clean-books-faster-close.webp"/>
      <pubDate>Wed, 20 May 2026 16:45:00 +0200</pubDate>
    </item>
    <item>
      <title>GDPR Compliance Risks - Avoid Fines &amp; Protect Your Business</title>
      <link>https://perez-girona.com/gdpr-compliance-risks-avoid-fines-protect-your-business</link>
      <description>Uncover top GDPR compliance risks for U.S. businesses. Learn practical controls to avoid fines and protect your reputation. Get the guide!</description>
      <content:encoded><![CDATA[<body><p>GDPR failures rarely begin with one dramatic mistake. They usually start with small gaps: a stale data map, a vendor contract nobody reviewed, a rights request that sits too long, or a transfer to a U.S. tool without the right safeguards. The real issue behind <strong>GDPR compliance risks</strong> is the gap between policy and everyday operations, and that gap is what exposes companies to fines, stop-processing orders, and avoidable reputational damage. In this article I break down the main risk areas, where U.S. businesses usually slip, and the <a href="https://perez-girona.com/fraud-prevention-controls-that-actually-work">controls that actually</a> reduce exposure.</p>

<div class="short-summary">
  <h2 id="what-matters-most-at-a-glance">What matters most at a glance</h2>
  <ul>
    <li>
<strong>GDPR exposure is operational first.</strong> If teams cannot explain what data they collect, why they collect it, and who can touch it, the program is already fragile.</li>
    <li>
<strong>The highest-risk failures are predictable.</strong> Weak security, poor retention, vendor mistakes, broken transfer safeguards, and slow rights handling cause most of the trouble.</li>
    <li>
<strong>U.S. companies are not exempt.</strong> If you sell to, monitor, or employ people in the EU, GDPR can apply to your business even if you are based in the United States.</li>
    <li>
<strong>Fines are only part of the problem.</strong> Authorities can also issue warnings, reprimands, temporary or definitive bans on processing, and other corrective measures.</li>
    <li>
<strong>High-risk processing needs a DPIA.</strong> A Data Protection Impact Assessment is the best point to catch issues before they become incidents or launch delays.</li>
    <li>
<strong>Good compliance is measurable.</strong> Current records, tested incident playbooks, and visible ownership matter more than a long policy nobody uses.</li>
  </ul>
</div>

<h2 id="why-gdpr-exposure-is-really-an-operating-risk">Why GDPR exposure is really an operating risk</h2>
<p>I usually separate GDPR risk into three layers: <strong>legal basis</strong>, <strong>operational control</strong>, and <strong>proof</strong>. A company can have a decent privacy notice and still fail if it cannot show why it collects data, how long it keeps it, who can access it, and what happens when something goes wrong. That is why privacy problems so often show up in day-to-day workflows rather than in formal legal reviews.</p>
<p>For a U.S. business, the trigger is often simple: you sell into the EU, track EU users, hire EU staff, or move personal data through a global SaaS stack. The European Commission says sanctions can include warnings, reprimands, temporary or definitive bans on processing, and fines of up to <strong>€20 million or 4% of annual worldwide turnover</strong>. That is a governance problem, not just a legal one.</p>
<p>Before you try to “fix GDPR,” it helps to look at the specific failure modes that create the biggest losses.</p>

<h2 id="the-risk-areas-that-drive-the-most-enforcement">The risk areas that drive the most enforcement</h2>
<p>The most expensive problems are rarely exotic. They are usually ordinary, repeated mistakes that affect large volumes of personal data. I find it useful to group them by business impact, because that makes it easier to decide where to spend time and budget.</p>
<table>
  <tbody>
    <tr>
      <th>Risk area</th>
      <th>What usually goes wrong</th>
      <th>Why it hurts</th>
      <th>Best control</th>
    </tr>
    <tr>
      <td>Lawful basis and notice</td>
      <td>Data is collected before the business has a clear purpose, basis, or disclosure</td>
      <td>Processing can become hard to defend, and complaints are harder to rebut</td>
      <td>Map purpose, legal basis, and notice language before launch</td>
    </tr>
    <tr>
      <td>Security and access</td>
      <td>Weak permissions, exposed exports, missing encryption, or overly broad admin rights</td>
      <td>Breach exposure grows fast, and incident response gets messy</td>
      <td>Least privilege, MFA, logging, encryption, and periodic access review</td>
    </tr>
    <tr>
      <td>Retention and minimization</td>
      <td>The company keeps too much data for too long</td>
      <td>More data is exposed in any breach, and deletion requests become harder</td>
      <td>Retention schedules, automatic deletion, and smaller default data sets</td>
    </tr>
    <tr>
      <td>Vendor and transfer risk</td>
      <td>Processors, cloud tools, or foreign transfers are not documented or vetted properly</td>
      <td>Cross-border transfers can fail, and contracts may not protect you</td>
      <td>Due diligence, processor terms, SCCs or adequacy where applicable, and transfer reviews</td>
    </tr>
    <tr>
      <td>Data subject rights</td>
      <td>Requests for access, deletion, or portability sit in inboxes too long</td>
      <td>Deadline misses lead to complaints and show poor governance</td>
      <td>Workflow tracking, templates, and a named owner for every request</td>
    </tr>
    <tr>
      <td>High-risk processing</td>
      <td>Profiling, monitoring, or sensitive data use starts without a DPIA</td>
      <td>You may need to redesign the project after it is already underway</td>
      <td>Gate high-risk projects with a DPIA before launch</td>
    </tr>
  </tbody>
</table>
<p>What this table shows, in practice, is that privacy failures tend to live in the seams between teams. Legal may approve the policy, but product, marketing, operations, and IT are the places where the risk becomes real.</p>
<p>That leads naturally to the question most teams ask next: where, exactly, do these gaps appear first?</p>

<p><img src="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/post_image/da41fc021e3566c81de5e3fff52dc120/gdpr-data-flow-risk-management-infographic.webp" class="image article-image" loading="lazy" alt="Data Protection Impact Assessment steps: Identify high-risk processing, conduct risk assessment, and implement mitigation. This process helps manage GDPR compliance risks."></p>

<h2 id="where-organizations-usually-slip-in-practice">Where organizations usually slip in practice</h2>
<p>The weak spots are usually boring. That is the uncomfortable part. I see the same patterns again and again, especially in companies that are growing quickly or using a lot of third-party tools.</p>
<ul>
  <li>
<strong>Marketing stacks</strong> collect pixels, audiences, newsletter data, and tracking tags faster than anyone updates the legal basis or the cookie logic.</li>
  <li>
<strong>People operations</strong> keep resumes, background checks, payroll records, and employee-monitoring data longer than the retention policy allows.</li>
  <li>
<strong>Customer support</strong> threads spread personal data across tickets, attachments, call notes, and screenshots that were never meant to live forever.</li>
  <li>
<strong>Product and engineering</strong> teams log too much, test with real user data, or give staging environments access they should never have.</li>
  <li>
<strong>Vendor sprawl</strong> creates hidden transfers, duplicate processors, and “temporary” tools that become permanent parts of the stack.</li>
</ul>
<p>In a U.S. company, one of the most common failure patterns is simple: the business assumes the privacy review ended when the legal team signed off. It did not. If a marketing vendor, HR platform, or cloud service changes how data is handled later, the risk changes with it.</p>
<p>I also see a lot of confusion around consent. Consent is useful in some contexts, but it is not a shortcut for sloppy collection practices, and it is not a substitute for data minimization. If you collect more than you need, you still own the risk.</p>
<p>The practical answer is not more policy language. It is a system that changes how data is handled before the problem spreads.</p>

<h2 id="how-to-lower-the-risk-without-turning-compliance-into-theatre">How to lower the risk without turning compliance into theatre</h2>
<p>This is the part that actually changes outcomes. I do not look for a perfect privacy program; I look for one that is current, testable, and visible to the people who touch data every day. If the controls do not survive a real workflow, they are not controls yet.</p>

<h3 id="build-a-live-map-of-data-and-lawful-basis">Build a live map of data and lawful basis</h3>
<p>Start with a record of processing activities that is actually kept up to date. I want to see the data category, source, purpose, recipient, retention period, and lawful basis in one place. That gives you a working map, not a compliance ornament. If you cannot explain why a dataset exists, that dataset is usually the first place risk accumulates.</p>

<h3 id="make-third-party-and-transfer-risk-visible">Make third-party and transfer risk visible</h3>
<p>Every processor should have a clear contract, a named owner, and a review cycle. If data leaves the EU, check the transfer mechanism instead of assuming it is fine. In some cases that means an adequacy decision; in others it means standard contractual clauses, plus supplementary safeguards if needed. For U.S. businesses, this is one of the biggest places where risk hides in plain sight, especially when teams buy tools without involving privacy or legal early enough.</p>

<h3 id="design-security-and-retention-into-the-default-workflow">Design security and retention into the default workflow</h3>
<p>Privacy by design and by default means the system should collect the minimum data necessary, restrict access, and keep data only as long as the business truly needs it. I would rather see a narrow system that is updated than a sprawling one that nobody can defend. Encryption, MFA, logging, role-based access, and deletion automation do more <a href="https://perez-girona.com/compliance-management-tools-strategy-for-risk-reduction">for risk reduction</a> than any slogan ever will.</p>

<h3 id="use-dpias-for-high-risk-projects-before-launch">Use DPIAs for high-risk projects before launch</h3>
<p>A DPIA is not paperwork for the sake of paperwork. It is a written check on whether the processing is necessary, proportionate, and likely to create high risk for individuals. If the answer is yes, you need safeguards before the project goes live, not after complaints arrive. This is especially relevant for employee monitoring, profiling, large-scale analytics, and sensitive data use.</p>

<h3 id="test-rights-handling-and-breach-response-like-real-operations">Test rights handling and breach response like real operations</h3>
<p>Run access, deletion, and portability requests through a tracked workflow with deadlines. Then test your breach process with a realistic scenario. I want teams to know who contains the incident, who assesses risk, who notifies the controller or authority, and who writes the final record. If you only discover those answers during a live event, the response will be slower and sloppier than you expect.</p>
<p>The point is not to eliminate risk completely. The point is to make the risk visible early enough that the business can change course without improvising.</p>

<h2 id="what-to-do-when-a-breach-or-regulator-inquiry-hits">What to do when a breach or regulator inquiry hits</h2>
<p>When something goes wrong, speed matters, but accuracy matters just as much. The EDPB guidance treats the 72-hour clock as starting when you become aware of a personal data breach, not when the internal debate finally ends. If you do not yet have all the facts, send an initial notice and supplement it later rather than waiting for perfect information that may never arrive.</p>
<ol>
  <li>
<strong>Contain the issue immediately.</strong> Shut down the exposed access, isolate affected systems, and preserve logs before anyone “cleans up” the evidence.</li>
  <li>
<strong>Confirm whether personal data is involved.</strong> A technical incident is not always a GDPR breach, but if confidentiality, integrity, or availability is affected, treat it seriously.</li>
  <li>
<strong>Assess the risk to individuals.</strong> Not every breach needs notification, but every breach needs a documented assessment.</li>
  <li>
<strong>Notify the right parties on time.</strong> If notification is required, the controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours. Processors should notify controllers promptly.</li>
  <li>
<strong>Record the decision trail.</strong> Keep the facts, the reasoning, the timing, and the remediation steps together. If regulators review the case later, that record matters.</li>
</ol>
<p>For a U.S. company, the harder part is usually not the notification form. It is the internal coordination: legal, security, product, support, and leadership all need the same facts fast enough to make a clean decision. That is why I push companies to rehearse one breach scenario before they ever need it.</p>
<p>Once you have a response path, the final question is how to keep the program from decaying after the first round of fixes.</p>

<h2 id="what-durable-compliance-looks-like-in-2026">What durable compliance looks like in 2026</h2>
<p>In 2026, the businesses that stay out of trouble are not the ones with the longest policies. They are the ones that keep a small set of controls alive: quarterly data reviews, vendor checks before procurement, access reviews, breach drills, and a clear owner for privacy decisions. I also like to see leadership reporting on a few metrics that actually matter: open rights requests, overdue deletions, high-risk processors, active DPIAs, and unresolved incidents.</p>
<ul>
  <li>Review the data inventory before every major product, marketing, or vendor change.</li>
  <li>Use DPIAs as a launch gate for high-risk processing, not as a cleanup task after rollout.</li>
  <li>Keep retention and deletion rules connected to systems, not just policy documents.</li>
  <li>Re-check transfer mechanisms whenever the vendor, purpose, or geography changes.</li>
</ul>
<p>If I had to reduce the whole topic to one rule, it would be this: GDPR risk falls when the business can explain its data handling in plain English, prove it with records, and change it quickly when the facts change. That is the standard worth aiming for.</p></body>]]></content:encoded>
      <author>Jarret Bernier</author>
      <category>Risk &amp; Compliance</category>
      <media:thumbnail url="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/thumbnail/e5dc871c9779de4ef18aeb45aa21fd11/gdpr-compliance-risks-avoid-fines-protect-your-business.webp"/>
      <pubDate>Tue, 19 May 2026 11:23:00 +0200</pubDate>
    </item>
    <item>
      <title>Strong Board Governance - Best Practices for US Boards</title>
      <link>https://perez-girona.com/strong-board-governance-best-practices-for-us-boards</link>
      <description>Unlock strong U.S. board governance. Discover best practices for independence, committees, risk, and effective meetings. Read our guide!</description>
      <content:encoded><![CDATA[<p>Strong board governance is not about filling seats and checking compliance boxes. It is about building a board that can challenge management, protect the organization from avoidable risk, and keep strategy anchored in reality. In this article, I break down governance best practices for U.S. boards, with practical guidance on independence, committees, meeting discipline, risk oversight, and the routines that keep directors effective over time.</p>

<div class="short-summary">
  <h2 id="the-board-habits-that-matter-most">The board habits that matter most</h2>
  <ul>
    <li>For many U.S. public companies, the baseline is a majority-independent board with fully independent key committees.</li>
    <li>Audit, compensation, and nominating/governance committees need clear charters, real authority, and annual review.</li>
    <li>The best board meetings spend less time on presentation and more time on debate, escalation, and decision quality.</li>
    <li>Cybersecurity and AI belong in board-level oversight, not in a side conversation buried inside operations.</li>
    <li>Annual evaluations and ongoing succession planning keep the board aligned with the company’s changing needs.</li>
    <li>Compliance is the floor; the board should build a stronger system on top of it.</li>
  </ul>
</div>

<h2 id="what-strong-board-governance-actually-does">What strong board governance actually does</h2>
<p>I think the easiest way to define strong board governance is this: <strong>it improves decisions before, during, and after management brings them to the table</strong>. Before the meeting, the board sets the right composition, committee structure, and information flow. During the meeting, directors test assumptions, surface tradeoffs, and force clarity. After the meeting, they hold leaders accountable for follow-through.</p>
<p>That is a different job from management. A board that only receives updates is not governing; it is listening. A board that only approves what it is handed is not directing; it is ratifying. The real value shows up when the board helps the organization make fewer bad decisions and recover faster from the ones it cannot avoid.</p>
<table>
  <tbody>
    <tr>
      <th>Board layer</th>
      <th>What it should do</th>
      <th>Common failure mode</th>
    </tr>
    <tr>
      <td>Composition</td>
      <td>Bring the right mix of independence, expertise, and judgment into the room</td>
      <td>Friends of the CEO replacing strategic directors</td>
    </tr>
    <tr>
      <td>Committees</td>
      <td>Own specific oversight domains and report back with conclusions</td>
      <td>Committees that only review packets and never decide anything</td>
    </tr>
    <tr>
      <td>Meeting rhythm</td>
      <td>Push the board toward issues that deserve debate, not status theater</td>
      <td>Long presentations that leave no time for discussion</td>
    </tr>
    <tr>
      <td>Risk oversight</td>
      <td>Define escalation thresholds and watch for early warning signals</td>
      <td>Risk reports with no action triggers</td>
    </tr>
    <tr>
      <td>Evaluation</td>
      <td>Measure whether the board still fits the strategy</td>
      <td>Annual reviews that produce no change</td>
    </tr>
  </tbody>
</table>
<p>That framework only works if the right people are in the room, which is why composition and independence come first.</p>

<p><img src="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/post_image/b9be1d5f56a44bbf96d9a6d4fafc79ec/us-board-governance-meeting-independent-directors-committee-structure-skills-matrix.webp" class="image article-image" loading="lazy" alt="A diverse team discusses business strategy, showcasing effective governance best practices in a modern boardroom."></p>

<h2 id="build-independence-without-starving-the-board-of-expertise">Build independence without starving the board of expertise</h2>
<p>For many U.S. public companies, the starting point is clear: a majority of the board should be independent, and the audit committee should have at least three independent directors. The compensation and nominating/governance committees are also expected to be independent in practice. Controlled companies and some foreign private issuers can have different rules, but that does not change the underlying logic: the board needs enough distance to challenge management and enough expertise to understand the business.</p>
<p>Independence alone is not enough. A board can be technically independent and still be strategically weak if it lacks financial depth, industry fluency, regulatory judgment, or digital risk experience. That is why I prefer a skills matrix that goes beyond titles and resumes. The board should know, in plain language, where it has strength and where it is thin.</p>
<ul>
  <li>Financial reporting and audit literacy</li>
  <li>Industry and regulatory experience</li>
  <li>Capital allocation and M&amp;A judgment</li>
  <li>Cybersecurity, data, and technology oversight</li>
  <li>Human capital, succession, and culture</li>
  <li>Risk management and crisis response</li>
</ul>
<p>I also like a living matrix, not a document that gets updated once a year and forgotten. A quarterly review is a practical cadence because strategy, regulation, and director experience do not stay still. If the board recruited a director for financial expertise or operational transformation, that director should keep those skills current and visible to the rest of the group.</p>
<p>The point is not to build a board full of specialists. It is to build a board whose collective judgment is broad enough to match the company’s next few years, not just its last few quarters. Once that foundation is in place, the committee structure has to turn it into real oversight.</p>

<h2 id="turn-committees-into-real-accountability-centers">Turn committees into real accountability centers</h2>
<p>Committees work only when each one owns a distinct part of the governance load. If the audit committee, compensation committee, and nominating/governance committee are all doing the same loose review work, the board is wasting time and blurring accountability. The best committees are disciplined about scope, documentation, and reporting.</p>
<table>
  <tbody>
    <tr>
      <th>Committee</th>
      <th>Core job</th>
      <th>What strong practice looks like</th>
      <th>Watch-out</th>
    </tr>
    <tr>
      <td>Audit</td>
      <td>Financial reporting, internal controls, auditor oversight, and related-party transactions</td>
      <td>Three or more independent members, financial literacy, at least one member with accounting or financial management expertise</td>
      <td>Letting finance management dominate the agenda</td>
    </tr>
    <tr>
      <td>Compensation</td>
      <td>Executive pay, incentive design, and pay-for-performance alignment</td>
      <td>Independent members who connect compensation to long-term value, not just yearly targets</td>
      <td>Over-focusing on pay levels instead of pay design</td>
    </tr>
    <tr>
      <td>Nominating/governance</td>
      <td>Director nominations, governance principles, board evaluations, and succession planning</td>
      <td>A charter that explicitly covers board refreshment and director selection</td>
      <td>Treating the committee as an admin shop for vacancies</td>
    </tr>
  </tbody>
</table>
<p>Just as important, each committee should have a charter that says what it owns, what authority it has, and how it reports back to the full board. If a committee cannot explain why it exists in one sentence, the charter is probably too vague.</p>
<p>Independent oversight matters even more when conflicts appear. Related-party transactions, for example, should be reviewed by the audit committee or another independent body, not left to informal conversation. When the conflict is material, I would rather see a temporary independent committee than a board trying to manage the issue through goodwill alone.</p>
<p>Once committees are structured properly, the meeting rhythm has to support them. Otherwise, even the best charter turns into paperwork.</p>

<h2 id="design-the-meeting-rhythm-so-hard-issues-cannot-hide">Design the meeting rhythm so hard issues cannot hide</h2>
<p>The board agenda is a governance tool, not a calendar placeholder. I like agendas that start with the highest-risk, highest-judgment items and push routine approvals into a consent package. Reusing last quarter’s agenda without rethinking it is one of the easiest ways for a board to drift into irrelevance.</p>
<p>A useful rule of thumb is to spend roughly one-third of the allotted time on presentations and two-thirds on discussion. That ratio forces management to be concise and gives directors room to ask better questions. Pre-read materials should do the heavy lifting before the meeting begins, so the meeting itself is about judgment, not narration.</p>
<p>Executive sessions matter here. Non-management directors need regular time without management in the room, and audit committees in particular benefit from candid sessions with management, internal audit, and the external auditor. In practice, I want those sessions to happen routinely, not only when something goes wrong. They are where the board surfaces friction, clarifies priorities, and tests whether the discussion in the main meeting is complete.</p>
<p>The chair or lead independent director also matters more than many boards admit. That person sets tone, protects time, and makes sure the board hears the uncomfortable version of the story when needed. If that role is passive, the board becomes passive with it. From there, the next step is to make sure the board is asking the right risk questions, not just the usual operating questions.</p>

<h2 id="treat-risk-cyber-and-ai-as-board-matters-not-side-topics">Treat risk, cyber, and AI as board matters, not side topics</h2>
<p>Boards do not manage day-to-day risk. They do, however, set the risk appetite, define escalation thresholds, and make sure the right information rises fast enough. I think of that as oversight with teeth: not running the business, but insisting that management explain how major risks are being watched and measured.</p>
<p>Good oversight usually starts with a simple framework. What are the top enterprise risks? What signals tell the board that a risk is moving from theoretical to real? Which metrics are reported every meeting, and which ones trigger immediate escalation? If the board cannot answer those questions, it probably has a reporting problem before it has a risk problem.</p>
<p>Cybersecurity deserves special treatment because the disclosure timeline is short and the business impact can escalate quickly. Under current SEC rules, material cyber incidents generally require disclosure within four business days after the company determines the incident is material. That means the board needs a clear incident-response chain, a fast materiality review process, and a tested understanding of who tells whom, and when.</p>
<p>AI adds another layer. Boards do not need to approve every use case, but they do need governance around model risk, data quality, bias, vendor controls, and human review. If AI affects customer decisions, credit decisions, hiring, pricing, or regulated processes, I expect the board to know where the guardrails sit. Stakeholder trust now depends on more than performance; it depends on whether the organization can explain how its systems make decisions.</p>
<p>This is where board-level governance can get sloppy if topics are split across too many committees. Risk, strategy, technology, and culture should connect at the full-board level. If they stay in separate silos, the board will see fragments instead of the operating reality. That leads naturally to the final question: how do you keep the board itself from becoming stale?</p>

<h2 id="refresh-the-board-before-continuity-turns-into-drift">Refresh the board before continuity turns into drift</h2>
<p>One of the most useful habits a board can build is an annual evaluation cycle that is actually used. That means reviewing the full board, the committees, and individual director contribution, then discussing the results privately and turning them into an action plan. A board assessment should not be a polite exercise in scoring everyone “meets expectations.” It should identify where the board is losing momentum, where expertise is thin, and where leadership succession is becoming a risk.</p>
<p>Succession planning for directors should run alongside succession planning for executives. The board should know which skills it needs now, which it will need in two to three years, and which members are nearing the point where rotation makes more sense than continuity. Tenure limits and retirement ages can help, but they are blunt tools. I would rather see a board that uses them as guides, not as the only mechanism for refreshment.</p>
<p>Director onboarding and continuing education also matter more than many boards budget for. New directors need a fast path into the company’s strategy, risk profile, and committee workload. Existing directors need periodic updates on finance, cyber, regulation, and industry shifts. A board that stops learning eventually starts guessing.</p>
<p>If I had to upgrade a board in the next quarter, I would start with five moves: tighten the charters, update the skills matrix, improve the agenda, clarify risk escalation, and turn evaluations into a real succession discussion. That is the practical core of strong board governance: clear authority, current expertise, disciplined meetings, and a habit of refreshment. When those pieces work together, the board stops performing governance and starts delivering it.</p>]]></content:encoded>
      <author>Jarret Bernier</author>
      <category>Board Governance</category>
      <media:thumbnail url="https://frce8xp4ye4n.compat.objectstorage.eu-frankfurt-1.oraclecloud.com/blog-assets/thumbnail/d7cc4da7ccbb0972ef2eeb747ef7e972/strong-board-governance-best-practices-for-us-boards.webp"/>
      <pubDate>Mon, 18 May 2026 13:23:00 +0200</pubDate>
    </item>
  </channel>
</rss>