Has your organization completed an enterprise risk management assessment? Your external auditors may ask this question, and you may wonder why.
Your financial statements are audited annually by an independent audit firm. You have insurance policies in place, including insurance that covers cyber-attacks. Your staff keeps current on the list of federal, state, and local regulations that apply to your particular industry and operations. Why should you perform an enterprise risk management assessment?
Following is some background on this topic, and why it is of increasing importance and emphasis for all entities, including your small not-for-profit (NFP).
What is Enterprise Risk Management?
Enterprise risk management (ERM) encompasses a wide scope of principles and concepts. This is because ERM is a framework that provides direction and guidance to organizations for designing and implementing effective processes to identify, mitigate, and monitor risks. If you think about the steps your organization currently takes to mitigate risks, they are reactions to risks that have been identified (or quite possibly, reactions to an adverse event that your organization was not prepared for). ERM is a comprehensive process that starts with identifying all kinds of potential risks, instead of waiting for a risk to pop up on the radar screen. It is proactive, not reactive.
The gold standard for establishing ERM, internal control, and fraud deterrence processes is the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This joint initiative was established in 1985 to provide thought leadership for private companies and not-for-profit organizations, specifically to reduce fraudulent financial reporting. COSO has since issued frameworks for ERM, with the most recent update in 2017. Risk management is one of the key elements of a robust internal control framework.
It’s tempting to think that ERM is only important for large or complex entities, not small not-for-profits. But not-for-profit organizations have risks that may not be addressed with a piecemeal approach to risk assessment. The goals of ERM are the same for any entity, it’s the risks that could be different. Some common categories of risk areas for organizations to assess include:
How to Begin the ERM Process
It can be daunting to figure out where to start with ERM, especially for smaller not-for-profits that don’t have a dedicated compliance officer to spearhead the project. The first step is to identify the risks. The brainstorming session around identifying risks needs to include different perspectives from both inside and outside the organization. Management and the board of directors should invite key stakeholders to share ideas, including program staff, volunteers, and clients. There are many resources available to not-for-profit organizations to get started, but it’s better to avoid the checklist mentality and encourage new ideas. An outside consultant can also be brought in to run the session and help foster discussions and out-of-the-box thinking.
Identifying potential risks is the first step. The next is rating them on a heat map, asking “How likely is the risk to occur (what’s the probability), and how severe would the impact be?”
It’s impossible to eliminate every possible risk out there and still run your organization. A “heat map” is like a cost-benefit analysis on steroids. Having more risks identified in step one means your organization has a more complete picture of where action needs to be taken, and where resources should be allocated to mitigate, share/transfer, or eliminate risks.
After mapping the risks, the organization can respond to each identified risk by sharing it (for example, through insurance or a joint venture), reducing it (by diversifying or limiting its involvement in risky activities), accepting it (typically if it is low probability and impact), or avoiding it altogether (by shutting down programs or choosing not to take on new programs with high-risk activities). Implementation will likely take a period of time to complete. Organizations should document their plan with completion dates for its responses.
Much like internal controls, ERM is not a one-and-done procedure. Rather, it’s a process that should include regular monitoring and reassessment when there are any changes within the organization or its environment.
Monitoring includes checking on a regular basis that the response to each risk is actively working as intended. A monitoring plan should be drafted along with the implementation calendar, with frequency of monitoring, the name of the person(s) responsible for performing the monitoring, and who they are reporting the results of the monitoring to. Building in accountability will help ensure that risks continue to be addressed into the future.
Reassessment of the risks and of the mitigation responses is necessary on a regular basis, and also when anything has changed in the organization or its environment. New legal requirements, a change in the internal reporting structure, or the launch of a new program would all warrant revisiting the potential risk population and how the entity will respond to each one.
Risks are everywhere, and it is impossible to eliminate all of them. ERM gives your organization the opportunity to get ahead of the game and avoid an uninformed reaction to an unforeseen emergency. It’s the 21st century’s version of “An ounce of prevention is worth a pound of cure.”
If you need help designing and implementing an enterprise risk management assessment, contact one of our professionals.
© Clark Nuber PS, 2019. All Rights Reserved