Not-for-profit organizations face a host of risks related to funding and budgeting, operations, technology, and resources. With increased scrutiny from regulatory agencies, donors, and those impacted by the organization’s mission, not-for-profit leaders should conduct a regular review of their risk management practices. As risks and complexities continue to change and grow, not-for-profit organizations can embrace enterprise risk management (ERM) as a strategic advantage.
Understanding your risks and risk profile
ERM enables not-for-profit leaders to clearly identify risk across the organization, understand potential impacts, monitor and mitigate risks with effective internal controls, stay compliant with complex regulations, and integrate risk considerations in critical decision-making processes. It can be used as a management tool as well as a communication vehicle for helping boards and senior leaders align around organizational risks. ERM also assists not-for-profits in identifying and managing risks within their risk appetite, while addressing risks to organizational objectives in order to assist in meeting strategic goals.
Some form or element of ERM is being utilized in not-for-profit organizations of all sizes and complexities. ERM is a principles-based approach to managing risk, and deals with risks and opportunities affecting value creation or preservation. Defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)1, ERM is a process effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
The current COSO ERM Framework2 outlines a set of principles and concepts that apply to organizations across multiple industries. While the framework will soon be revised (and we will provide updates once the proposed new framework is final), the components of the current framework remain relevant to understanding ERM as a concept. The current framework includes eight components layered with four objectives – Strategic | Operations | Reporting | Compliance:
- Internal Environment – refers to the tone of the organization, its risk appetite and elements such as board oversight.
- Objective Setting – refers to setting objectives at a strategic level, establishing a basis for operations, reporting and compliance objectives.
- Event Identification – senior leadership identifies potential events, arising from internal or external sources, that could affect the entity adversely or present an opportunity.
- Risk Assessment – consideration of the extent to which potential events have an impact on the achievement of the organization’s objectives.
- Risk Response – after the determination of relevant risk, senior leadership determines how it will respond.
- Control Activities – the policies and procedures that help ensure that senior leadership’s risk responses are carried out.
- Information & Communication – refers to the proper information being identified, captured and communicated in an adequate format and timeframe to the appropriate individuals.
- Monitoring – assessing the functions and components of risk management over time and making adjustments as necessary.
The four objectives are:
- Strategic – high-level goals, aligned with and supporting the organization's mission
- Operations – effective and efficient use of resources
- Reporting – reliability of operational and financial reporting
- Compliance – compliance with applicable laws and regulations
Asking the right questions
Before implementing ERM, a not-for-profit organization should consider the obstacles that could stand in its way. Start with the organization's culture and tolerance for risk: if the organization is risk averse, that should be factored into the ERM program. Also consider how the organization handles crises. Whether its approach to risk is fragmented and inconsistent or clearly articulated and managed matters deeply to an ERM program's effectiveness. Does the not-for-profit tend toward proactive risk management or a more reactive approach? Risk monitoring and reporting tools can support a move toward proactive risk management.
Once your organization has considered potential obstacles or cultural impacts that could influence the organization’s risk environment, incorporate the following leading practices to mitigate such obstacles:
- Strong visible support from senior leadership
- Dedicated team of cross-functional staff to operationalize ERM
- Defined owners and risk tolerance
- Clear communication to the audit committee and board
- Adequate training and supporting tools
Taking steps to manage enterprise risk
At its core, a sustainable not-for-profit ERM program should include the following:
- Initiation and Planning - Define key roles and responsibilities of the program
- Risk Analysis/Assessment - Agree upon and understand key risks
- Risk Response - Prioritize and focus on the most significant risks
- Sustaining ERM - Confirm the organization is kept abreast of changes to its risk profile and mitigation efforts
To implement a full ERM program or to refine a program already in place, the following fundamental steps are critical to an effective not-for-profit ERM program:
- Obtain buy-in and feedback from senior leadership
- Determine the organization’s risk appetite
- Identify risks through a risk assessment
- Prioritize risks based on their potential likelihood and impact
- Develop a plan for risk mitigation or acceptance
- Create a process for routine monitoring and review
- Communicate across the organization
Leadership commitment matters
Successful implementation of ERM requires not-for-profit leaders across the organization to coordinate their efforts: to develop comprehensive processes that gather, organize, measure, and report information on business risk, and to focus on the business activities that represent the most significant risks to the organization. ERM gives not-for-profits a dynamic assessment of relevant economic and business issues and provides management with timely, relevant information, enabling the organization to prioritize action on the most pressing issues.
For more information on this topic, or to learn how Baker Tilly risk management specialists can help, contact our team.
1 The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of the five private sector organizations (American Accounting Association, American Institute of CPAs, Financial Executives International, The Association of Accountants and Financial Professionals in Business, and The Institute of Internal Auditors), and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.
2 Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management – Integrated Framework (2004), the framework in effect at the time of writing and the source of the eight components and four objectives described above.