The 12 Policies Every Nonprofit Board Should Have (And Probably Doesn't)

Best practice calls for at least twelve policies. Most boards have two or three. That gap is where organizational risk lives.

Jeff Kiers | GetBoardWise | 10 min read

Most nonprofit boards have two or three policies. Maybe a conflict of interest statement that nobody has signed since 2019. Maybe a set of bylaws that haven't been reviewed since the founding board wrote them over coffee. Maybe nothing at all.

Best practice calls for at least twelve. That gap isn't just a paperwork problem — it's where organizational risk lives.

Policies aren't bureaucracy. They're the operating manual for how a board makes decisions, manages risk, and protects itself legally. Without them, your board is improvising. And improvising works fine — right up until the moment it doesn't.

Here's what every nonprofit board should have in place, what each policy actually does, and what you're exposed to without it.

1. Conflict of Interest Policy

What it does: Requires board members to declare any personal, financial, or professional interest that could influence a board decision. Establishes a process for recusal from discussion and voting on conflicted matters.

Without it: A board member votes on a contract awarded to their spouse's company. Nobody says anything because there's no process for raising it. The organization's credibility — and potentially its charitable status — is at risk.

2. Code of Conduct

What it does: Sets behavioural expectations for board members, including respectful communication, confidentiality, and commitment to the organization's mission. Creates a shared standard everyone agrees to uphold.

Without it: One board member dominates meetings, dismisses others, or acts in ways that erode trust. There's no agreed-upon standard to hold them accountable, so the behaviour continues until people resign or disengage.

3. Whistleblower and Complaints Policy

What it does: Provides a safe, confidential channel for staff, volunteers, or stakeholders to report misconduct, fraud, or policy violations without fear of retaliation.

Without it: An employee notices financial irregularities but has no way to report them except to the person responsible. They stay silent, and the problem grows.

4. Signing Authority Policy

What it does: Defines who can sign contracts, cheques, and financial commitments on behalf of the organization, and at what dollar thresholds dual signatures are required.

Without it: The executive director commits the organization to a five-year lease without board approval. Or a board member writes cheques with no oversight. Either scenario puts the organization at serious financial risk.

5. Financial Controls Policy

What it does: Establishes internal controls over financial management — including approval thresholds, separation of duties, bank reconciliation processes, and annual audit or review requirements.

Without it: One person handles all the money with no oversight. This isn't a comment on their integrity — it's a structural vulnerability. Fraud happens most often when opportunity meets zero accountability.

6. Executive Director Accountability Policy

What it does: Clarifies the reporting relationship between the ED/CEO and the board. Defines the ED's authority, decision-making boundaries, and performance evaluation process.

Without it: The board either micromanages every operational decision or rubber-stamps everything the ED brings forward. Neither is governance. Both damage the organization.

7. Board Member Expectations Policy

What it does: Outlines what's expected of each board member — attendance, preparation, committee participation, financial contribution (if applicable), and confidentiality. Often includes a commitment letter that members sign annually.

Without it: Half the board shows up unprepared. Two members haven't attended in three months. Nobody knows whether that's a problem or just how it works. There's no standard to point to.

8. Confidentiality Policy

What it does: Establishes that board discussions, particularly in-camera sessions and personnel matters, are confidential. Defines what can be shared publicly and what cannot.

Without it: A board member casually shares details of an HR investigation at a community event. The organization faces a privacy complaint and a damaged reputation.

9. Risk Management Policy

What it does: Requires the board to identify, assess, and mitigate key organizational risks — financial, operational, reputational, and legal — on a regular basis.

Without it: Nobody is thinking about what could go wrong until it does. The building's insurance lapsed three months ago. The organization has no succession plan for the ED. A data breach exposes donor information. All preventable — if someone had been looking.

10. Privacy Policy

What it does: Governs how the organization collects, stores, uses, and protects personal information of donors, clients, staff, and stakeholders. Required by law in most Canadian jurisdictions.

Without it: The organization stores donor credit card information in a shared spreadsheet. A volunteer emails a client list to their personal account. These aren't hypothetical — they happen regularly in organizations without privacy protocols.

11. Social Media and Communications Policy

What it does: Defines who speaks on behalf of the organization, what channels are used, and what guidelines apply to official and personal social media use by board members and staff.

Without it: A board member posts a strong personal opinion on a political issue and tags the organization. The public assumes it's an official position. The ED spends the next week doing damage control.

12. Document Retention Policy

What it does: Specifies how long the organization keeps financial records, board minutes, contracts, HR files, and other documents. Establishes a process for secure disposal when retention periods expire.

Without it: The office has seventeen banker's boxes of unlabelled paper from the last decade. Nobody knows what's legally required to keep. Tax records from 2014 were accidentally shredded. HR files from a wrongful dismissal claim were lost because nobody tracked them.

Where to Start

You don't need to write twelve policies this month. That's a recipe for burnout and bad documents. Start with the three that carry the most legal exposure:

First: Conflict of Interest — because it's the most common governance failure and the easiest to fix.

Second: Whistleblower and Complaints — because without a reporting mechanism, you have no early warning system.

Third: Financial Controls — because money without oversight is the single biggest risk a nonprofit faces.

From there, work through two policies per quarter. Within eighteen months, you'll have a complete policy library — and a board that actually knows how it's supposed to operate.

Not Sure Which Policies You're Missing?

Download the Policy Gap Analysis Checklist — a one-page self-assessment that maps your board's current policies against the 12 essentials. Score yourself, identify the gaps, and know exactly where to start.

Or, if you want a professional evaluation, the Board Health Assessment maps your full governance infrastructure against best practice across 12 key areas — and gives you a prioritized action plan to close the gaps.

This article is general governance guidance and does not constitute legal advice. For questions about specific legal requirements, consult a lawyer familiar with nonprofit law in your jurisdiction.