Accountants can definitely help the board understand the top risks for the organization. And, really, that starts with the board, that conversation. Having a risk appetite statement. Really understanding from the board’s governance standpoint what risks they’re willing to take, and within those risks, what the risk tolerance is. And I think the accounting team and the leadership team in general can really play a key part in that, and really—once you have that risk appetite statement, having an enterprise risk management system that really addresses those key risks and really puts the mitigation controls in place, in line with the risk appetite and those tolerance levels.
I’ve seen very varying types of risk appetite statements, and they can be very complicated, or they could be more high-level. And basically what it is, is just for the management of the organization to have direction and a conversation from the board as to what the board is willing to take risks on. So, for example, in a nonprofit organization, in my experience, you’d want to have very, very low risk on anything that’s going to jeopardize your tax-exempt status. You want to have low risk on anything that’s going to jeopardize your reputation. But you might want to take higher risks as you’re innovating and thinking about new programs to help the people that you serve.
So, CFOs play an important role in an organization’s enterprise risk management system, and oftentimes the CFO is the lead person on point for developing and overseeing the risk management system. But again, like the budgeting process, it’s a team sport. Again, you can’t just have the CFO in the corner going through the risk management system and reporting up to the board. … The CFO leads it, but you really have to take a look at, what are the risks at the organization level, at the department level, and even as low as the business unit or the program level. Because the risks will vary.
And the key thing for the CFO in managing the risk management system is really making sure that we’re identifying the potential risks that are out there, and what other controls that we can have in place to mitigate those risks. Because we’re never going to eliminate the risk, but the key is to mitigate the risk so that if a risk is triggered, we have a plan in place. Now, each event will be different, but at least we’ll have the minimum of a plan in place so we’re not coming up with our response plan in the midst of a crisis. That we’ve already thought it through and we can adapt as the situation allows.