The basic nonprofit policies every small organization should have

If your nonprofit is small, busy, and trying to do meaningful work with limited time, policies can feel like the kind of thing you get to later.

But basic policies are not separate from the work. They are part of how you protect it.

For small nonprofits, the goal is not to build a giant policy manual that no one reads, but to have a short set of useful, written policies that help the organization make decisions consistently, handle risk responsibly, and show funders, board members, and partners that the operation is credible.

At the federal level, the IRS puts three written policies directly in view on Form 990: conflict of interest, whistleblower, and document retention and destruction. Those questions are there for a reason. They are not the entire governance picture, but they are a strong signal of whether an organization has basic guardrails in place.  

For a small nonprofit, we would start here.

1. Conflict of interest policy

This is the governance classic for a reason. A conflict-of-interest policy helps board members, officers, and key leaders disclose personal or financial interests, step back when appropriate, and document how decisions were made. It is not about assuming bad intent. It is about making clean decision making visible. The IRS specifically asks whether an organization has a written conflict-of-interest policy and whether it monitors compliance.  

2. Whistleblower policy

Healthy organizations need a way for people to raise concerns without fear of retaliation. A whistleblower policy gives staff, volunteers, and leaders a process for reporting suspected wrongdoing in good faith. The IRS asks about this policy, too, which tells you it is not just nice governance. It is basic governance.  

3. Document retention and destruction policy

Nonprofits need records, and not just in the vague sense of “we think it’s in Google Drive somewhere.” The IRS says exempt organizations must keep books and records needed to show compliance with tax rules and to document receipts and expenditures. A retention policy helps define what gets kept, for how long, who is responsible, and when document destruction must pause because of an audit, investigation, or legal issue.  

4. Basic financial controls

This may be one short policy or a small group of written procedures, but it should exist. Who approves expenses? Who authorizes payments? Who reconciles accounts? Who reviews financial reports? Who can approve reimbursements? A nonprofit does not need to be large to need financial controls. It just needs money, which is usually enough to make this relevant. The National Council of Nonprofits points to sound governance and financial management as core nonprofit practice.  

5. Gift acceptance policy

Gift acceptance is one of those topics that sounds overly formal until the first odd donation shows up. A written gift acceptance policy helps a nonprofit decide what kinds of gifts it will accept, who can approve unusual gifts, and when a gift creates more work or risk than value. The National Council of Nonprofits specifically recommends a written gift acceptance policy as a useful governance tool.  

6. Website privacy policy, including cookies and data use

This one often gets left off the traditional governance list, but it belongs in the modern baseline. If a nonprofit website collects names, emails, donation information, event registrations, newsletter signups, or analytics data, the organization should tell people what it collects, how it uses that information, whether it shares it, and how users can get in touch with questions. Separately, privacy disclosures should still be truthful and clear.  

For many small nonprofits, cookie disclosure can live inside the privacy policy rather than in a separate stand-alone cookie policy. If the site uses analytics, embedded video, event tools, donation platforms, or social integrations, the policy should say so clearly. This is less about legal theater and more about basic honesty.

Keep It Real

The good news is that these policies do not have to be long to be useful. They do have to be real. A plain-English policy that the board adopts and follows is more valuable than a 12-page document nobody has opened since the last redesign.

If your organization is trying to become more Funder Ready, this is one of the quiet places to start, not because policies are glamorous. They are not. But they signal something funders care about: this organization can handle responsibility with care.

Need help figuring out which policies you actually need — and which ones can wait? That kind of clarity work is exactly where we like to start.

Quick Indiana note

Many states have their own nonprofit policy requirements. For example, Indiana nonprofits should keep their entity filings current in INBiz, and any organization working with a paid professional solicitor or fundraising consultant should review Indiana Attorney General requirements. Those are compliance matters more than policies, but they belong in the same grown-up bucket.