Not-for-profits delve into risk management


Many not-for-profits lack the resources to implement a holistic approach to risk across the enterprise. So it’s no surprise that they often lag behind public companies in implementing enterprise risk management (ERM).

Just 13% of not-for-profits responding to a recent survey said they have complete formal enterprisewide risk management processes in place. By comparison, 52% of public companies participating in the Current State of Enterprise Risk Oversight survey performed by North Carolina State University’s ERM Initiative for the AICPA have formal enterprisewide risk management processes.

Meanwhile, 24% of not-for-profits have no enterprisewide risk management in place, compared with just 6% of public companies. But experts say not-for-profits are paying much more attention to risk.

“Some of them are doing that [risk management] kind of on the back of the envelope because they don’t want to pay a consultant $25,000 to come in and say, ‘I’ll take the inventory for you,’ ” said Mike Burns, CPA, who is based in Boston and heads the not-for-profit and education practice for CBIZ & Mayer Hoffman McCann.

Some not-for-profits are turning to ERM as a marketing tool to attract discerning donors who are concerned about good stewardship of their contributions, said Bob Cummings, CPA, consulting partner at WeiserMazars in New Jersey, who helps businesses implement ERM.

“The different online sources that people can go to and investigate where their money is going, they’re going to start asking for this,” he said. “Because if you look at the donors, they often come from successful public companies. So they want to see that their money is being well-spent.”

Six factors are critical for organizations in implementing and maintaining ERM, according to a presentation Cummings helped give at the AICPA Not-for-Profit Industry Conference in June. They are:

  1. Have a risk management governance structure. The structure should be aligned with organizational strategy and goals, with clear management roles and responsibilities. Organizations can define a risk appetite and maintain a risk policy statement to ensure clarity.
  2. Follow a risk management framework. The 2004 ERM Framework created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO, which includes the AICPA) is one such framework. The International Organization for Standardization’s ISO 31000 is another.
  3. Continuously identify risk and the risk event universe. Risk surveys, board-level and management interviews and brainstorming sessions, and comparison to similar organizations can help identify risks. Material and realistic risk events should be emphasized.
  4. Create and manage a risk profile. A risk register can be used to define risk tolerance, quantify potential risk events, and identify risk event triggers, consequences, and indicators.
  5. Establish risk responses. An organization can choose to accept, share, or avoid risks. Implementing procedures and responses to mitigate the impact of risks can help an organization minimize the damage when a risk event occurs. Communicating the plan for these situations is a critical element.
  6. Monitor and report. Key risk indicators and key performance indicators may be a part of these reports. Internal audit can participate in monitoring, and the board should be informed in the reporting.

“ERM, when it’s properly implemented, will further the achievement of your business objectives,” Cummings said. “And this is all about aligning your strategy to your day-to-day activities and making sure that everything going on in your organization is pursuing that strategic goal.”

Not-for-profits that are not formally implementing ERM are at least asking many of the right questions about risk, Burns said. He said risk-focused activities he is seeing with greater frequency from not-for-profit clients include:

  • Audit committee review with insurance brokers, every three years, of insurance coverage. In one case, the board at a private school with an expensive art collection raised the level of coverage to $250 million after management proposed $200 million.
  • Fearful of technology and cybersecurity risks, audit committees are hiring IT consultants to assess their risks and plug holes in this area.

The original version of this article, “Six Ways Not-for-Profits Can Get Value From Risk Management,” by Ken Tysiac, is available at

Jack Hagel, editorial director
CGMA Magazine

Also at

Organizations Cautious When It Comes to Corporate Cash

While more than one-third of companies continued to build cash reserves, those that disbursed cash did so more often for capital expenditures.

The latest annual liquidity survey by the Association for Financial Professionals (AFP) shows that 43% of companies that disbursed cash did so for capital expenses. That’s up from 32% in the survey from 2013, when about the same percentage of companies said their cash balances decreased.

The primary reason for growth in short-term holdings in the past year is improved operating cash flow. That’s also the top reason listed for companies that expect to increase cash over the next 12 months, according to the survey, which used the responses of 740 senior finance and treasury executives, mainly from large, U.S.-based multinational companies.

The full version of this article is available at

Inadequate Staffing Levels Are Primary Cause of Workplace Stress

High workplace stress can engender disengagement and absenteeism, which in turn results in reduced productivity.

Inadequate staffing levels were cited as the primary cause of stress by 53% of the employees who responded to the Towers Watson Global Benefits Attitudes survey, which polled more than 22,000 employees in 12 countries. Lack of work/life balance was the second most common cause of stress among employees, cited by 40% of respondents.

The research identified a lack of understanding among employers of the causes of stress in their organizations. For instance, just 15% of employers identified lack of staff as a contributing factor. The key concern among employers is the impact of technology enabling professionals to access work out of hours (34%). However, just 8% of employees agreed.

The full version of this article is available at


Get your clients ready for tax season

Upon its enactment in March, the American Rescue Plan Act (ARPA) introduced many new tax changes, some of which retroactively affected 2020 returns. Making the right moves now can help you mitigate any surprises heading into 2022.


Black CPA Centennial, 1921–2021

With 2021 marking the 100th anniversary of the first Black licensed CPA in the United States, a yearlong campaign kicked off to recognize the nation’s Black CPAs and encourage greater progress in diversity, inclusion, and equity in the CPA profession.