
From compliance to resilience: Building smarter nonprofit governance

December 16, 2025
1 min read

Hosted by:

Jill Holtz

Senior Content Strategy Manager

In this episode of the Leading with purpose podcast, Dale Waterman, Solution Designer and regulatory expert at Diligent, explains how today’s fast‑changing risk environment is reshaping regulation for nonprofits — from AI and cyber to operational resilience. He shares why boards need to shift from a narrow compliance mindset to a broader, risk‑based approach that aligns controls with their mission, size and exposure, and documents decisions so they can stand up to regulatory scrutiny.

We discuss how nonprofit boards can build real organizational resilience by identifying “grey rhino” risks, embedding continuous learning, and using tools like scenario planning and stress tests to prepare for crises before they hit. Dale also highlights how simulations and tabletop exercises can help boards test whether policies actually work in practice and turn challenging moments into opportunities to better serve their communities.

Tune in for practical, forward‑looking guidance on strengthening resilience and governance ahead of 2026.

If you enjoyed this episode, please rate and review the podcast to help others discover it too.

More about the podcast

Dale Waterman is a Solution Designer and regulatory expert at Diligent, with deep experience translating evolving mandates into practical governance requirements for organizations. In this episode, we look at how today’s shifting risk universe is reshaping the regulatory landscape for nonprofits and what boards need to do now to move from basic compliance to true resilience. We explore why diverging global regulations on issues like AI, cybersecurity and operational resilience make life more complex for mission‑driven organizations operating across multiple jurisdictions, and how boards can adapt to a “tsunami” of change without losing sight of their purpose. Dale explains the shift from rules‑based to risk‑based regulation, what “appropriate and proportionate” controls really mean in practice, and why documenting risk decisions is now just as important as the policies themselves. We discuss how boards can build a continuous‑learning mindset, ask better questions of management, and embed resilience into strategy rather than treating it as a standalone risk function. We explore operational resilience as a source of advantage, not just recovery: anticipating “grey rhino” risks, using scenario planning and stress tests, and turning crises into opportunities to better serve beneficiaries, donors and communities. Stick around to the end for Dale’s key recommendation for how to strengthen resilience and future‑proof nonprofit governance for 2026 and beyond.

Transcript for From compliance to resilience: Building smarter nonprofit governance

Jill Holtz: Welcome to the Leading with Purpose podcast, where we share practical advice for purpose-driven work and board leadership in mission-focused organizations. I'm your host, Jill Holtz from Diligent, and in this four-part series I talk to different leaders to explore regulations and compliance for nonprofit boards, what's coming in 2026, why oversight matters and how to prepare. We'll cover critical areas of regulation, but also how charity and nonprofit boards need to think about managing their oversight, compliance and policy.

I hope you enjoy the series. My guest today is Dale Waterman, a solution designer and regulatory expert at Diligent with deep experience in translating evolving mandates into practical governance requirements for organizations. Dale explains how the changing risk universe is driving nonprofit regulatory shifts and why operational resilience is essential to sustain programmes while meeting expectations from regulators, donors and beneficiaries.

We explore how and where boards should prioritise effort from training requirements to AI governance guardrails that stand up to scrutiny. Listen now as we talk about board oversight habits that work, how to align policies with programme realities and the minimum controls every nonprofit should adopt. Stick around to the end for Dale's great advice on how to strengthen resilience and compliance in 2026.

We've been looking at all the regulations and legislation that nonprofit boards and charities, foundations etc have to comply with and we have a new guide coming out on this for nonprofit organizations. So I really thought you were ideal to invite to talk to me a bit about this topic and to get your perspective. So welcome Dale.

Dale Waterman: Yeah, thank you for inviting me. Looking forward to the conversation.

Risk and regulation for 2026

Jill Holtz: Great. So I want to kick off with a question. How is the evolving risk universe, if we can call it that, impacting the regulatory landscape as we come out of 2025 and into 2026 and beyond? How is that impacting regulations?

Dale Waterman: So I think it's a great question and I think what's quite useful for us is to sort of take a step back just for a second and look at what we might call sort of the big picture from a regulatory perspective. And I think we could probably all agree that we unfortunately live in a world that's increasingly sort of divisive. There's more polarisation and fragmentation.

And we've got some decades long international relationships that are being rapidly reshaped around the world. And from a regulatory perspective, I think if we look back at risks that we've tried to address in the last sort of 20 to 30 years, it's probably true to say that most of those risks that we've addressed fairly successfully have been done through collective efforts. And probably one of the things we should be a little concerned about, and it's actually pointed out by the World Economic Forum in their global risk report, which is definitely worth having a look at.

And this was for 2025. So we've got a bit of hindsight now as we reach the end of the year. But what they've predicted was that we would see, unfortunately, sort of new lows in terms of global cooperation across different things like geopolitics and humanitarian issues, economics, environmental, societal, technology.

And I think we could probably agree that that's definitely a trend that we've seen over the past sort of 10 months. And the challenge for us from a regulatory perspective, to try and bring it back to how this impacts our landscape, is we've got countries that are turning inward. And, you know, they're focused on internal economic or societal concerns.

But it does mean that arguably sort of our age of globalisation and this use of sort of multilateral efforts to tackle some of our big risks and problems in the world is maybe coming to an end. And the impact that that has on our eggs is that when you're not working collectively on problems, you tend to lack harmonisation. So what the collective action did from a global perspective is it drove at least a good ambition around harmonisation.

And when you're an entity that's trying to deal with laws and you're multinational and you're operating across borders, it obviously helps enormously when you start seeing things that you're familiar with and there's that harmonisation. And so, you know, looking forward at the world, unfortunately, the outlook is probably quite pessimistic, certainly from a World Economic Forum perspective. And you only have to look at some sort of policy approaches or regulatory approaches to some issues like, for example, the environment or climate change.

It's pretty clear that the countries are approaching these issues very, very differently. And another one is AI. I think it's a great example where you've got a divergence in the way that countries are looking to govern AI in future.

You've got those that are much more on the sort of principled human rights, you know, AI safety side of the equation. And those tend to be sort of hard laws. The EU would be a great example of that with plans around enforcement.

And then you've got countries that have decided to go a different route. On the opposite side of the spectrum, you've got someone who's thinking more about what they would position as innovation, but sort of anti-regulation.

Jill Holtz: Yeah, innovation.

Dale Waterman: They're more focused on voluntary guidelines and things like that. And so these different changes will impact the way in which organizations will see these new laws arrive across the world. And a great example for me is GDPR, which isn't that long ago.

If you think about GDPR, 2016, I think it went live in 2018, set up by Europe, was seen as sort of this global high-water mark. And then you had all these GDPR-inspired or GDPR-like laws that developed across the world. You know, whether you're in the Middle East or Africa, in the UK, LATAM, APAC, there was a lot of familiarity with that.

And when something like the AI Act came out, which is only 2024, August, really only this year from sort of some of the deadlines. But we thought, I think, that we would see sort of a GDPR-like effect where that would again be the high-water mark. There's been a lot of effort put into the AI Act, and we'd see something spread across the world.

And we haven't. We've actually seen a lot of divergence in approaches. And I think that's a great example of some of the geopolitical competitive themes that we're starting to see.

Jill Holtz: So what I'm really hearing from you, just to recap, I suppose, at this point, is that because of changes and geopolitical things going on, and that regulation is diverging and it depends. So if you're operating in more than one locale, you have to be aware of that divergence. You have to understand that what is in one place is potentially radically different from another place.

Dale Waterman: And it's difficult. Because not only have you got lots of laws developing, because everyone has these laws, whether it's AI or cybersecurity or operational resilience, but now they've all got little tweaks that are different, and that makes it more complex to implement. And from a sort of risk perspective, I think something to call out for folks, again, sort of looking at the big picture side of things, is I saw a Gartner report or study, I think it was not too long ago.

And when they're looking at the risks that we're having, and this was for the GRC audience, what they found was that over 75% of GRC professionals feel like there are more risks today than there were two years ago. And again, over 70% of them felt that the time to impact of those risks was reducing quite quickly. So we had quite a significant finding.

And what that means is, as we're thinking about this macroeconomic, geopolitical kind of environment, but as a risk team or as an organization, or as a boardroom who's responsible, people are feeling way less comfortable and confident that they're actually identifying all these risks. And secondly, that they're prioritizing the right ones and deciding which ones they should monitor, which ones they should manage. What was quite an eye-opener for me, actually, in that WEF study, was that when we looked at what we thought would be the key risks this year, so for 2025, and it's a big study, it's 900 people, a global study of subject matter experts, also from different roles and regions.

And what they found was that the top one was to do around conflict. So you had sort of state-based armed conflict and geoeconomic risk. Makes complete sense to us as we sit here in October.

But when you look ahead two years, the key number one risk that they identified as subject matter experts is actually misinformation and disinformation. I mean, we know about the democratic impact, you know, democracy and things, but we hadn't actually thought about the impact that disinformation will have on the way countries are perceived. And therefore, you know, their ability to trade and tourism.

So that's going to be a big one. And then polarization is coming. And then when you look even further ahead out to about 10 years, what surprised me is the top four risks that have been identified are all environmental.

So extreme weather, changing weather patterns, a lack of resources. And so it's becoming difficult to be comfortable about what risks you should be addressing. And that obviously impacts the regulatory landscape, because we know that things are happening like cybersecurity and cyber espionage and AI governance.

So we're all maybe not happy about the fact that we're having enhanced laws or new laws, but we understand why we need them. But that doesn't mean that organizations aren't feeling completely overwhelmed, because it's like this tsunami of new regulations coming in response to all these new risks that are slowly being identified.

Jill Holtz: I think that's a really great summary and really interesting about the misinformation one. I mean, we're not surprised by the environmental ones and we know misinformation is there. But even to think about that in terms of, you know, misinformation about your own organization and what's out there and what's being communicated is a risk.

How should nonprofits adapt to regulatory change

How do you see then the role of a nonprofit board, if we can take that, because that's what I'm talking to you about today. How do they need to adapt in response to that tsunami that you described? Not just a current wave of regulatory transformation, but a tsunami. What do they need to think about doing to adapt to that change?

Dale Waterman: It's quite a difficult question in some senses, but I think we know that corporate boards are more focused on shareholder value and we know that our nonprofits are more sort of mission driven. And, you know, they're thinking about the community impact. But I think that many of the challenges that we're facing today, which revolve around sort of things like digital transformation and cyber security and data privacy adoption, those actually crossover between them.

And so I think we can learn quite a bit from what's probably happened in the corporate space, because they are more mature. They've been driven more by regulation. So we've got a lot that I think we can learn there.

What I thought would be useful to share is maybe thinking about some of the trends that we've seen amongst these laws. So it's not all of them. And I don't profess to be an expert of all sort of MDO nonprofit laws.

But there's some interesting trends that we're seeing in areas like AI governance and cyber security, operational resilience. And I think those trends will shape the way that boards begin to adapt to this new world. So the first one that I would highlight is that a lot of these laws are risk based.

So, you know, historically, probably, particularly in the US, you had more rules based legislation, which meant, you know, these are the things you had to do. There was compliance orientated, you know, I wouldn't call it tick the box. But, you know, there's clarity on the 10 things you had to do.

Risk-based legislation is quite different because it means that you need to identify the risks, which is the conversation we've just been talking about. And then you need to assess what those risks are and what these laws ask you to do. The AI Act, the NIS2 Directive, which is cyber resilience in the EU, DORA, which is for banks around operational resilience.

All these laws ask you to implement what the kind of language they use is things like, you need to have appropriate and proportionate technical measures or organizational measures, or you're meant to look at your organization and implement measures in accordance with your size or your profile or your risk or the complexity of your services or your offerings. Now, that sounds quite tricky. The nice thing is it's not a one size fits all.

You can treat industries differently. And it actually means you have to assess. That's why I think that talk about the different evolving risks is so important.

You have to identify that risk and then think about how that risk impacts you with your mission, your organization, your objectives. And then you have the right to choose sort of whether to go for silver or platinum or gold, what controls to implement. But the regulatory change that will impact boards is you need to demonstrate how you made that decision.

So there's a lot more documentation around how did we make that diligent and thoughtful decision? And then how did we demonstrate that we implemented those controls in accordance with our risk based decision making? And that's going to be a big change.

And I think it's a trend that we'll continue to see across regulations.

Jill Holtz: Just to recap that, you've talked about changing away from a compliance mindset to more of a risk mindset, assessment of those risks. How are they going to impact your organization? How are they going to impact your organization's resilience?

And then what do we need to put in place to mitigate that and also document all that decision making so that you can show from a regulatory point of view that you have considered these risks and you've put these things in place. And provided you do that, at least you've met what some of those legislations and regulations are now asking you to do.

Dale Waterman: Correct. But it's quite a big change in the way in which, because it's not that one size fits all, which has pros and cons. Which is good.

Jill Holtz: It has its merits.

Dale Waterman: Yes. The second one that I think is super important for boardrooms is this sort of trend around governance and accountability. So looking at it particularly from a management body perspective.

I mean, if you think about it historically, you always had fiduciary responsibility and you have oversight and that's what boards do. But I think what's changed now is they're actually making it a legal obligation. So if you take acts like sort of some of the operational resilience laws, and we're seeing them everywhere across the world.

But NIS2 would be a cyber version. And as I mentioned earlier, DORA would be for financial entities. And those are European based.

But what they all ask you to do is they ask the management body to actually take responsibility for some of the decision making. So if it's a cyber resilience, for example, you need to understand what is a cyber risk as a board member. Because you're now accountable.

So that's different from someone presenting to you what their cyber plan is and telling you what cool things they're going to do and what controls. And then assuring you that everything's okay. You now have a duty to one, understand what the risks are.

You have a duty to actually approve the measures that will be recommended when they have to be appropriate and proportionate. And then you have a role of actually ensuring that they're implemented from a control perspective. So, you know, I think what board members are going to have is a lot more skin in the game.

And, you know, in certain instances with some of these laws, and it varies across Europe, you will start seeing elements of personal liability where you can be demoted from your role or you could lose your responsibility, maybe temporarily, maybe permanently. And they can actually be personal or civil. And in extreme cases, criminal liability, we're starting to see, which is really new.

It's not something that I want to sound too scary about, because it's generally for people who have been deceitful or extremely negligent. But, you know, that's a trend around sort of the accountability of boards, let's say, which means you've got to learn a lot more about it. It's no different from corporate governance, if you think back to the days of Sarbanes-Oxley, where as a CFO you're signing financial statements and you're on the hook for making sure that they're accurate and that you're being transparent.

Jill Holtz: So it's really important then that board members realise that, again, there's been a shift away from turning up at the board meeting, approving it, kind of listening to a presentation, going, yeah, yeah, that all sounds good, that they know it's incumbent on them to make sure that is getting implemented because they could be held personally liable. And, you know, there's a lot of risks with that. Again, I do think, to paraphrase our CEO, Brian Stafford, he says now that, you know, governance is an exercise in risk management and it really is, isn't it?

That you as a governing body have to be on top of those risks, but it can have an even personal impact as you on that liability beyond a sort of a duty of care, as you said, or fiduciary duty.

Organizational and operational resilience for nonprofit organizations

Dale, you mentioned, you know, you've been talking a lot about operational resilience. Obviously, that's going to really resonate with nonprofits at the moment.

They've had a lot of change in terms of their funding, where their money's coming from. I mean, obviously, operational resilience is beyond the cash and the donations or the revenue, but that's obviously a kind of global theme that you're seeing across the new regulations. How is this concept of organizational resilience evolving?

Obviously, it's important, but why is it important? And what can boards do ultimately to try and build that organizational resilience in this kind of constant change in regulations?

Dale Waterman: It's a pet love of mine in some ways. And I think that if it wasn't for the talk about AI, which I completely understand, I think this would probably be almost a global number one trend for probably 2024, 25, 26. But I guess what's important is how the notion or the concept of operational resilience is evolving a little.

I think originally when you spoke about operational resilience, we would think about a crisis happens. How quickly can you respond to that and get back to where you were?

Jill Holtz: Bounce back as it were.

Dale Waterman: Exactly. So it was like that idea of how quickly can we recover? And that was really what we thought about from a crisis perspective.

Whereas a sort of, I don't know, it's more modern, but I guess the sort of updated version of this is not just about how you deal with a crisis, but in a sense almost how you can turn it to your advantage and what that opportunity can be. And so it's not just sort of the negative, but the positive in a sense. And there's the famous Churchill quote about never letting a good crisis go to waste.

And it's something along those lines. I saw a Boston Consulting Group study a little while ago, which was super interesting. And what it talked about is it looked at top performing companies and what made them top performing.

And resilience was a key common denominator. And what it found was that when you're a top performer and the world's going well, like everyone kind of performs okay. So you sort of move in parallel.

You know, everyone's doing okay. But where you start seeing the difference between top and bottom or like where you separate maybe the wheat from the chaff is how you operate during a crisis. And that's when you really differentiate yourselves.

In fact, what the BCG study found was that 30% of long-term shareholder value came through how you dealt with a crisis and crisis periods. And of course, we're not talking about shareholders here, but that's still about, it's about value. Like, you know, the value that you offer your community.

It'll come through how you manage periods of crisis, which makes actually complete sense from an MDO perspective. And so the trend that we're sort of seeing is the benefit, I guess, of operational resilience. And the way that they talk about it is the different advantages that you would have as an organization.

One, if you're anticipating an issue, i.e. you've looked at all the risks we've talked about and you've identified which ones to prioritize. When the shock happens, the impact, you know, the crisis, the impact on you as an organization is less because you've anticipated it coming and you've kind of cushioned that effect. You've thought about maybe it's supply chain.

Exactly. You've got alternative plans. So your initial impact, firstly, is lower, which is good.

Secondly, your speed to recovery is way quicker because, again, you've anticipated what's coming and you're able to adapt to the new circumstances more quickly than your peers. So that becomes a competitive advantage or an advantage to your constituents that you're supporting. And then thirdly, and it's probably the point I was trying to make at the start, your recovery extent is greater.

So in other words, when you come back, you actually start to thrive in those new circumstances, which is really interesting. And that's when you start getting that competitive advantage. And in a sense, this is where winners stay winners or winners become losers.

What they also found, this is also an opportunity for people who maybe weren't at the top table through their resilience, through some period of crisis, they become winners. To rise above that. Exactly.

And so you can leapfrog because of your strong operational resilience program.

Jill Holtz: So I was thinking when you were talking about all of that, of that very, very simple tool that's used in many organizations over and over again. But your SWOT table, your strengths, weaknesses, opportunities and threats. And even a simple framework like that can start to make you think about what are the threats.

And doing that risk assessment that you talked about earlier. So once you know what your key risks are, you're maybe using things like scenario planning as well. How are we going to deal with if this thing happens? What is the impact going to be? What is our kind of plan of action? Means that if it does come to pass, you are in a better position, as you said, and you have that resilience and you have that bounce back then.

But also looking at the opportunities of risks. So for example, you know, we're in higher education as a nonprofit. Student demographics are changing.

That's a risk because our traditional revenue came from this type of student. But what does that mean in terms of opportunities as well? A new cohort of students that we've never served traditionally, that we can now because of changes.

And that could be an opportunity. And how do we plan for that? So I'm hearing understanding, assessing, planning are key things to build that resilience.

Dale Waterman: Yeah, the sort of lingo that they use in the risk space is that you have the black swan, which is the unpredictable event. It's really rare.

But then they talk about grey rhinos and the grey rhino is something where there's signals that come and we might choose to ignore them. We even do this in our personal lives. It's kind of human nature.

You know, I don't want to go for that checkup. You know, I know I should go for the checkup, but I don't. And it's something similar where how do you identify these grey rhinos in your industry or in the in the community that you serve?

And then think about how you could prepare for them. And the key change that I think's happened is that previously we saw operational resilience or we could call it organizational resilience or financial resilience. But we saw these as sort of risk team things.

And I think what boardrooms can do is they can embed that into your corporate strategy. So our corporate strategy is to become operationally resilient. And these are the benefits we can achieve.

And that could be driven through a boardroom. You have good governance. You'll deal well with a crisis because you've prepared adequately.

You've talked a little bit about those dress rehearsals for a bad day and, you know, and leaning in like that. I also think that one of the key takeaways should be we've all got to and, you know, I'm from a certain vintage myself. But we've got to build a sort of a continuous learning mentality.

So what board members had to know and what they need to know today and in the future is changing. And so it's changing that learning culture where you're continuing learning. I think it's super important.

And then finally, communication. I don't want to think about, you know, we talked a little bit about, for example, accountability of boards. I don't actually want that to be a negative.

I mean, it'll drive behavior. But I actually think there's an opportunity there so that what the boardroom needs to do is learn more about these issues rather than just having oversight. Actually understand how the risk process happens, why the controls are being implemented, and then they can learn how to ask the right questions.

Jill Holtz: Asking the right questions and be informed.

Dale Waterman: And it should be almost like a safe space where, whether you're in a senior leadership team or whether you're a GRC professional, you're not offended by these questions. This is a boardroom who comes with a different perspective to yours and can ask questions that should be helpful in making the organization more resilient. And then probably the other takeaway, which is what the GRC pros and the leadership team would want to hear, is that you're going to make those decisions more quickly.

So, you know, the idea of good communication and agility is super important. We have less excuses today than maybe in the past. We don't need to get together for boardrooms.

We can meet remotely. We've got amazing technology that can give us the latest signals, near term information to help us make informed decisions, sift through huge amounts of information and give us summaries so that we can be informed and useful in those conversations. And I think that's something that board members should embrace.

Advice to nonprofits about future proofing against regulatory change

Jill Holtz: So as we wrap up, Dale, I'm going to ask you one final question. I'm going to ask you to pin your colours to your mast. What one piece of advice would you give board chairs, governance professionals about future-proofing their organizations against regulatory uncertainty?

Dale Waterman: I think the one thing that we possibly haven't mentioned is that you want to identify the right risks and then you want to prioritize the right risks that will have an impact on your goals and ambitions. And then you will implement, you know, a lot of what we've talked about. But I think one thing that we need to do more, and you can drive this good behavior as a boardroom member, is we need more of those simulations.

So it's no longer just about the compliance tick box and saying, yes, I've got the policies. Here's my folder. Our outside counsel have produced it.

It looks good. I can share it with a regulator. It's like to actually reduce and mitigate those risks and prepare for that bad day and make sure that you manage it as well as you can.

You need to practice. And so I think that's where a boardroom can make sure there are simulations. And in a positive way, make sure that the controls that we, essentially our vision around our policies is actually being brought to life through operationalization of that program.

And you do that by making sure and learning through those simulations. And that would be a key takeaway and a great learning opportunity for the boardroom, too.

Jill Holtz: I love that, Dale. I think that's excellent advice when it comes to the whole area of organizational resilience that you've talked so much today. So I want to thank you very much for coming to talk to me today.

I know you have a very busy schedule, so I really appreciate you taking the time to share the benefit of your wisdom and experience. Thank you, Dale.

Dale Waterman: Thank you.

Jill Holtz: Thanks for tuning into Leading with Purpose today. I really hope you found today's discussion useful, interesting and insightful. This series supports our nonprofit 2026 Regulations Outlook, a concise guide to the mandates and trends shaping the year ahead with practical steps boards can act on now.

To learn more and download the guide and other resources visit www.boardeffect.com/leadingwithpurpose.