Many not-for-profits lack the resources to implement a holistic approach to risk across the enterprise. So it’s no surprise that they often lag behind public companies in implementing enterprise risk management (ERM).
Indeed, just 13% of not-for-profits responding to a recently released survey said they have complete formal enterprise-wide risk management processes in place. By comparison, 52% of public companies and 43% of financial services companies participating in the Current State of Enterprise Risk Oversight survey performed by North Carolina State University’s ERM Initiative for the AICPA have formal enterprise-wide risk management processes. Almost all of the organizations surveyed are based in the U.S.
Meanwhile, 24% of not-for-profits have no enterprise-wide risk management in place, compared with just 6% of public companies.
But experts say not-for-profits are paying a lot more attention to risk.
“Some of them are doing that [risk management] kind of on the back of the envelope because they don’t want to pay a consultant $25,000 to come in and say, ‘I’ll take the inventory for you,’ ” said Mike Burns, CPA, who is based in Boston and heads the not-for-profit and education practice for CBIZ & Mayer Hoffman McCann.
Some not-for-profits are turning to ERM as a marketing tool to attract discerning donors who are concerned about good stewardship of their contributions, said Bob Cummings, CPA, consulting partner at WeiserMazars in New Jersey, who helps businesses implement ERM.
“The different online sources that people can go to and investigate where their money is going, they’re going to start asking for this,” Cummings said. “Because if you look at the donors, they often come from successful public companies. So they want to see that their money is being well spent.”
Six factors are critical for organizations in implementing and maintaining ERM, according to a presentation Cummings helped give at the AICPA Not-for-Profit Industry Conference in Washington last month. They are:
- Have a risk management governance structure. The structure should be aligned with organizational strategy and goals, with clear management roles and responsibilities, Cummings said. Organizations can define a risk appetite and maintain a risk policy statement to ensure clarity.
- Follow a risk management framework. The 2004 ERM Framework created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO, which includes the AICPA), is one such framework. The International Organization for Standardization’s ISO 31000 is another.
- Continuously identify risk and the risk event universe. Risk surveys, board-level and management interviews and brainstorming sessions, and comparison to similar organizations can help identify risks. Material and realistic risk events should be emphasized, Cummings said.
- Create and manage a risk profile. A risk register can be used to define risk tolerance, quantify potential risk events, and identify risk event triggers, consequences, and indicators, according to Cummings.
- Establish risk responses. An organization can choose to accept, share, or avoid risks. Implementing procedures and responses to mitigate the impact of risks can help an organization minimize the damage when a risk event occurs. Communicating the plan for these situations is a critical element.
- Monitor and report. Key risk indicators and key performance indicators may be a part of these reports. Internal audit can participate in monitoring, and the board should be informed in the reporting, according to Cummings.
“ERM, when it’s properly implemented, will further the achievement of your business objectives,” Cummings said, “and this is all about aligning your strategy to your day-to-day activities and making sure that everything going on in your organization is pursuing that strategic goal.”
Not-for-profits that are not formally implementing ERM are at least asking many of the right questions about risk, Burns said. He said risk-focused activities he is seeing with greater frequency from not-for-profit clients include:
- Audit committee review with insurance brokers, every three years, of insurance coverage. In one case, the board at a private school with an expensive art collection raised the level of coverage to $250 million after management proposed $200 million.
- Fearful of technology and cybersecurity risks, audit committees are hiring IT consultants to assess their risks and plug holes in this area.
— Ken Tysiac ( firstname.lastname@example.org ) is a JofA editorial director.