Enterprise Risk Management for Not-for-Profits
More and more not-for-profit directors are asking questions about enterprise risk management (ERM) and methods to monitor and control risks within their organizations. Balancing risk and reward has never been more challenging than it is today. Directors and executives are turning to creative methods to combine vision and execution to achieve their organizations’ strategic goals. Managing enterprise risks often determines success or failure, or at least the timing and degree of each. Directors and executives typically view enterprise risks through the lens of operational and legal risks, as well as financial risks such as uncertain donor or endowment commitments, but the reward of achieving the mission is what drives their vision of a successful ERM process forward.
Directors are now more educated about risk management and are asking for more information about ERM programs within their organizations. They are requesting that managers have a plan to manage, monitor and report risks on an ongoing basis.
The key opportunities and value that an ERM process can bring to not-for-profit organizations include:
- Embedding ERM into the overall culture;
- Setting the tone and structure at the board and management levels (i.e., ERM Working Group and Risk Committee);
- Identifying, evaluating, and responding to key risks (by area) including key action plans to further mitigate risks;
- Ensuring accountability and ownership of key risks (i.e., roles and responsibilities, ERM governance policy); and
- Establishing a continuous process or road map to reap the future value of ERM (managing risk = better performance).
An ERM program typically comprises four key steps:
- Step 1: Establishing a context: This requires educating all employees of the organization so that they are aware of the risks facing their departments as well as the entire organization.
- Step 2: Risk Identification, Analysis and Prioritization: As its name suggests, this is the step that provides the true value moments: risks from across the organization are collected and analyzed to determine whether they are specific to an individual department or threaten the entire organization (the “E” in ERM). The result is a list of the top 12-20 risks (a “Risk Register”) that should be monitored closely.
- Step 3: Validate Risk Assessment and Risk Responses: Next, the likelihood and impact of each risk are assessed and appropriate mitigation steps are put in place.
- Step 4: Risk Monitoring and Reporting: Finally, processes to monitor risks, including changes in likelihood and impact, are developed. Over time, risks may move up or down the risk register or even fall off altogether.
Ideally, the end result of implementing an ERM program will give senior management a holistic view of the risks their organizations face and create a risk-aware culture throughout the organization.