By: Heather Willis, Senior Consultant
Heather Willis
The Epstein files will not just be a media story; they will be a stress test of your nonprofit’s risk tolerance, governance, and due diligence systems. Use this opportunity as an incentive to build—or finally formalize—how your organization evaluates and responds to risk.
Two things are converging: an unprecedented release of over 5 million pages of Epstein-related flight logs, financial records, and communications, and a sector already walking a fine line balancing between raising funds and protecting their reputation. Nonprofits should not ignore The Epstein files.
Nonprofits that have already defined their risk posture and decision-making processes will be able to move quickly when questions arise. Those that have not may find themselves scrambling. Are You Prepared? Some things to consider….
Clarify Your Risk Tolerance
- Have a candid conversation about overall risk tolerance taking into consideration your mission, values, and stakeholder expectations.
- Use your existing gift acceptance, donor privacy, and ethics policies as anchor documents, and revise if necessary.
Build or Refine a Risk Rubric
- Define levels such as low, moderate, and high risk, with specific criteria for each (e.g., allegations vs. charges vs. convictions; direct involvement vs. weak association; recency and pattern of behavior).
- Tie each level to an action, such as: monitor only; accept with conditions; pause engagement; decline gift and/or step back from relationship.
Design a Simple Tracking System
- Set up a basic spreadsheet to record the name, source, context, and any other important information.
- Decide what, if anything, should live in your CRM, balancing usefulness with donor privacy and data protection obligations.
- Cross-check names with your CRM and make note of the risk.
Department Coordination and Planning
- Coordinate now with communications/PR, legal, finance, advancement leadership, and HR to agree on roles.
- Clarify who must be notified, and when: CEO, board chair, advancement committee, major gift officers, and key institutional partners.
- Build a communication plan that covers internal and external talking points, and who will communicate them.
Decide Who Owns Risk Decisions
- When a name surfaces, who actually decides whether the donor or prospect is a risk?
- Identify the decision-making body. Some options to consider: the full board, a risk or gift acceptance committee, executive leadership, or a combination.
- Document their responsibilities: what information they review and whether they can decline gifts.
Set Aside Time to Actually Analyze
- Reviewing the files will not be a quick side project. Block dedicated time for staff to review, tag, and summarize findings.
- Communicate that some projects may need to be paused or deprioritized during the initial review period.
Use AI Thoughtfully and Safely to Save Time
- Use AI to extract and de-duplicate names from large document sets.
- It can also be used to summarize long news articles or legal documents for internal briefings.
- Always keep humans in the loop for verification, context, and final decisions, and ensure any tools you use comply with your data security and privacy policies.
Stay Ahead With News Monitoring
- Some individuals are already speaking publicly about potential Epstein connections.
- Set up news alerts pairing your organization’s name, senior leaders, and top donors with terms like “Epstein” to monitor potential risks.
If your organization does not yet have a due diligence system, this is the moment to advocate for one. Use the Epstein files release, or other examples of how some nonprofits have suffered reputational damage, to show the necessity of being able to act quickly with a good plan in place.
The Epstein files are a reminder that reputation isn’t built on luck—it’s built on preparation. By taking time now to determine your plan on how to handle the files, how you communicate, and where you draw the line, your putting your organization in a good spot for when the next challenge comes along.
For more information check out Apra’s webinar, Due Diligence Pulse Check: How are You Preparing Your Nonprofit for The Epstein File Release?
