
What Operating Policies Does a Nonprofit Need? (2026 Checklist)

Ian Wylie Hedrick · Governance

Bylaws Aren't Enough

Most nonprofits I work with treat bylaws as the finish line. The bylaws get drafted during formation, adopted at the first board meeting, filed with the 501(c)(3) application, and then everyone moves on.

Then a real situation comes up. A board member's company bids on a contract. An employee raises a concern about how reimbursements are being approved. A donor offers stock instead of cash. The organization loses a laptop with donor data on it. The bylaws don't address any of this — and they shouldn't, because bylaws govern the organization's structure, not its day-to-day operations.

That's what operating policies are for. They translate the legal duties of nonprofit leadership into actual procedures that people can follow when something happens. The IRS asks about five of them on every Form 990. State regulators expect some of them. Grant funders often require them. Most importantly, your board members need them in order to do their jobs without taking on personal liability they shouldn't be carrying.

Here's the working checklist I use when I review a nonprofit's governance — what every 501(c)(3) needs, what depends on your activities, and what you can skip.

The Five Policies the IRS Asks About

Form 990 Part VI, Section B is the governance section. It asks five direct questions about specific policies. Answering "no" to any of them isn't fatal, but it's a flag. The 990 is public, and "no" answers tell donors, watchdog sites like Candid, and state regulators that your governance isn't fully built out.

Conflict of interest policy (Line 12a–c). The IRS doesn't technically require one, but they ask three separate questions about it and provide a sample policy in the Form 1023 instructions. Your policy needs annual disclosures, transaction-specific disclosures, recusal procedures, and documentation in the minutes. Most organizations adopt a policy and never operationalize it — that's the problem the 990 is designed to surface. We have a full guide to the conflict of interest policy that walks through what each section needs to cover.

Whistleblower policy (Line 13). Required by the Sarbanes-Oxley Act for all organizations, including nonprofits. It must allow employees, volunteers, and board members to report suspected misconduct without retaliation, and it must specify how reports get investigated. The policy needs a designated recipient (usually the board chair or audit committee chair) and a backup if the primary recipient is the subject of the complaint.

Document retention and destruction policy (Line 14). Also required by Sarbanes-Oxley. The policy specifies how long the organization keeps different types of records — corporate documents permanently, tax returns at least seven years, employment records for the duration of employment plus a defined period afterward, and so on. The destruction part matters too: the policy must require that records be destroyed in the ordinary course of business, not selectively when something looks bad.

Executive compensation review (Line 15a–b). The policy needs to describe how the board (or compensation committee) reviews and approves the CEO's compensation, including the use of comparability data, deliberation by people without conflicts, and contemporaneous documentation. This is the procedure that creates the rebuttable presumption of reasonableness under IRC §4958 — the protection against intermediate sanctions excise taxes if the IRS later challenges the compensation.

Gift acceptance policy (Line 16a–b). Required only if the organization received non-cash gifts during the year, but most boards adopt one preemptively. The policy specifies what kinds of gifts the organization will accept (cash, securities, real estate, in-kind goods), what the approval process is for unusual gifts, and what the documentation requirements are. Without this policy, an organization can end up holding a donated property it can't sell, a vehicle that's worth less than the cost to dispose of it, or stock in a closely held company with no market.

These five are non-negotiable. Every 501(c)(3) needs them, regardless of size.

The Policies the IRS Doesn't Ask About — But You Still Need

The 990 is the floor, not the ceiling. A few more policies are essential for any organization that handles money, hires staff, or has assets — which is to say, all of them.

Financial controls and signing authority. This one isn't on the 990 but should exist in writing. It covers who can sign checks, what dollar threshold requires dual signatures or board approval, how bank accounts are reconciled, who has access to the credit card, and how expense reimbursements get approved. Most of the embezzlement cases I've seen in nonprofits trace back to a single person having unchecked control over the bank account.

Expense reimbursement policy. Closely related to financial controls but worth a standalone policy. It defines what expenses are reimbursable, what documentation is required (receipts, mileage logs, business purpose), what the timeline for submission is, and how reimbursements differ for board members, staff, and volunteers. The IRS requires an "accountable plan" for reimbursements to avoid them being treated as taxable income — your policy is the documentation that you have one.

Investment or reserves policy. Once an organization has more than a few months of operating reserves in the bank, it needs a written approach to managing them. The policy specifies what kinds of investments are appropriate (operating cash, short-term reserves, long-term investments), who has authority to make investment decisions, and what reporting goes back to the board. Foundations have stricter requirements here — see our private foundation jeopardizing investments rules for the foundation-specific version — but every public charity with reserves needs a basic version.

Public disclosure policy. Federal law requires every 501(c)(3) to make its three most recent Form 990s and its application for exemption (Form 1023 or 1023-EZ) publicly available. A short written policy specifies who handles disclosure requests, what format the documents are provided in, and what fees (if any) the organization charges for paper copies. This is one of the hidden compliance obligations most new nonprofits miss.

Policies You Need If You Do Specific Things

The next layer depends on what your organization actually does. You don't need all of these — only the ones that match your activities.

Fundraising and donor privacy policy if you accept donations from the public, do online fundraising, or work with professional fundraisers. State charitable solicitation rules (the registration requirement that catches most nonprofits) often require disclosure language and donor privacy commitments.

Grant administration policy if you make grants to other organizations or individuals. Foundations are required to have these by IRS rules; public charities that regrant should adopt one too. The policy covers eligibility, application process, due diligence, agreement terms, and reporting expectations.

Joint venture policy if you partner with for-profit entities on programs or services. The IRS wants to see that the nonprofit's tax-exempt purpose isn't being subordinated to the for-profit's business interests.

Equal employment opportunity and anti-harassment policies if you have employees. Required by federal law for any employer with 15+ employees, but every nonprofit with even one employee should adopt them. Pair them with a complaint procedure that connects to the whistleblower policy.

Data privacy and IT security policy if you collect personal information from donors, clients, members, or beneficiaries. The level of detail scales with the sensitivity of the data — a food pantry tracking client names needs a different version than a behavioral health nonprofit handling protected health information.

Lobbying policy if you engage in any legislative advocacy. Public charities can lobby within IRS limits, but the limits are based on a calculation that requires tracking expenses by category. The policy creates the tracking system.

How to Actually Adopt and Use Them

A binder full of policies that nobody reads or follows is worse than no policies at all. The 990 asks specifically whether the conflict of interest policy is "regularly and consistently monitored and enforced" — and that question applies in spirit to every other policy the organization adopts.

Three habits separate functional policies from filing-cabinet policies:

Adopt them by formal board resolution. Each policy gets a vote, the vote gets recorded in the minutes, and the policy itself gets dated and signed by the board chair. This creates the legal record that the board exercised its fiduciary duty.

Build the procedures around them. A conflict of interest policy needs annual disclosure forms. A whistleblower policy needs a designated recipient and a documented investigation process. A document retention policy needs a destruction schedule that actually runs. The policy is the rule; the procedure is what you do.

Review them on a schedule. Every three years at minimum. I usually recommend boards put one or two policies on each board meeting agenda for review — that way the entire set gets refreshed over a board cycle without overwhelming any single meeting. Board orientation for new members is also a good moment to flag any policies that haven't been touched in years.

Where Most Boards Get Stuck

The pattern I see most often: a nonprofit adopted a few policies during formation, copied them from a template, and hasn't looked at them since. The whistleblower policy names a board chair who left the organization in 2019. The document retention policy references a paper filing system that hasn't existed since the office moved. The conflict of interest policy has annual disclosure forms that nobody has filled out in three years.

Fixing this isn't complicated, but it does take a methodical pass through what exists, what's missing, and what needs to change. That's exactly what our Governance Remediation service handles — we go through the policy set on an à la carte basis, fix what's broken, write what's missing, and walk the board through the adoption resolutions. If you're looking at your 990 and seeing "no" answers in Part VI Section B, or you've just been stress-tested by a real conflict that the existing policy didn't handle cleanly, that's the moment to bring someone in.

Operating policies don't make your organization run. Your people do. But the right set of policies, adopted properly and used the way they're meant to be used, is what lets your people do their work without exposing themselves or the organization to risks they shouldn't be taking. That's the whole point.


Ian Wylie Hedrick, Founder, Wylie Advisory

Ian has spent over a decade in the nonprofit sector — from serving as an AmeriCorps member to founding a fiscally sponsored urban farming program through the Public Health Institute of Metropolitan Chicago to consulting a private foundation with eight-figure assets on new program creation. He started Wylie Advisory to make nonprofit formation and operations expertise accessible to every founder.

