Not-for-profit organizations face a host of risks related to funding and budgeting, operations, technology, and resources. With increased scrutiny from regulatory agencies, donors, and those impacted by the organization’s mission, not-for-profit leaders should conduct a regular review of their risk management practices. As risks and complexities continue to change and grow, not-for-profit organizations can embrace enterprise risk management (ERM) as a strategic advantage.
ERM enables not-for-profit leaders to clearly identify risk across the organization, understand potential impacts, monitor and mitigate risks with effective internal controls, stay compliant with complex regulations, and integrate risk considerations in critical decision-making processes. It can be used as a management tool as well as a communication vehicle for helping boards and senior leaders align around organizational risks. ERM also assists not-for-profits in identifying and managing risks within their risk appetite, while addressing risks to organizational objectives in order to assist in meeting strategic goals.
Some form or element of ERM is being utilized in not-for-profit organizations of all sizes and complexities. ERM is a principles-based approach to managing risk, and deals with risks and opportunities affecting value creation or preservation. Defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)1, ERM is a process effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
The current COSO ERM Framework1 outlines a set of principles and concepts that apply to organizations across multiple industries. While the framework will soon be revised (we will provide updates once the proposed new framework is final), the components of the current framework remain relevant to understanding ERM as a concept. The current framework includes eight components layered with four objectives – Strategic | Operations | Reporting | Compliance:
The four objectives are:
To ensure a not-for-profit organization is prepared for ERM, there are obstacles to consider prior to implementation. A not-for-profit needs to consider its culture and tolerance for risk. Is the organization risk averse? That should be factored into the ERM program. Also, consider the culture of crisis management in the organization. An organization’s approach to risk – whether fragmented and inconsistent or clearly articulated and managed – matters deeply to an ERM program’s effectiveness. Does the not-for-profit tend toward proactive risk management or more of a reactive approach? Not-for-profits can apply risk monitoring and reporting tools to support effective risk management.
Once your organization has considered potential obstacles or cultural impacts that could influence the organization’s risk environment, incorporate the following leading practices to mitigate such obstacles:
At its core, a sustainable not-for-profit ERM program should include the following:
To implement a full ERM program or to refine a program already in place, the following fundamental steps are critical to an effective not-for-profit ERM program:
Successful implementation of ERM requires not-for-profit leaders across the organization to coordinate their efforts: developing comprehensive processes to gather, organize, measure, and report information on business risk, and focusing on the business activities that represent the most significant risks to the organization. ERM provides not-for-profits with a dynamic assessment of relevant economic and business issues and gives management timely, relevant information, enabling the organization to prioritize action on the most pressing issues.
For more information on this topic, or to learn how Baker Tilly risk management specialists can help, contact our team.
1 The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of the five private sector organizations (American Accounting Association, American Institute of CPAs, Financial Executives International, The Association of Accountants and Financial Professionals in Business, and The Institute of Internal Auditors), and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.