Not-for-profit (NFP) organizations face many of the same challenges as their for-profit counterparts. Calls for greater transparency, an increasing level of regulatory scrutiny and higher expectations of board engagement have driven an increased focus on enterprise risk management (ERM). Some NFP organizations are now embracing ERM to identify strategies to monitor and manage risks that may affect the accomplishment of their goals and objectives. Since many NFPs already have effective risk management programs, a legitimate question NFP executives commonly ask is, “If we already manage risks, what’s the value proposition of ERM?”
What Is ERM?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its updated ERM framework, Enterprise Risk Management—Integrating with Strategy and Performance, on September 6, 2017. Take a look at BKD’s framework summary “Five Takeaways from COSO’s Updated ERM Framework,” which also covers what you need to know about the release.
The updated framework defines ERM as “the culture, capabilities, and practices, integrated with strategy and execution, that organizations rely on to manage risk in creating, preserving, and realizing value.”
This is a broad definition, but there are two crucial concepts embedded in the definition that are important for NFPs to understand: the focus on integrating risk management processes with strategy and the focus on value. The framework strongly encourages the organization to integrate risk decisions in a way that aligns with the organization’s strategy. It also suggests properly executed ERM can help the organization create, preserve and realize value. The updated framework highlights five components and 20 principles necessary for an effective ERM program. While the framework does an excellent job of describing what should be done, it’s not clear about the benefits of implementing ERM in an NFP.
How Is NFP Risk Management Different?
Every NFP is unique and has its own challenges. While traditional risks such as strategic and financial risks are still important, NFPs must consider some risks that aren’t as common in for-profit organizations. The table below provides an overview of some of those risks.
Unique Aspects of NFP Risk Management
BKD’s ERM Implementation Approach for NFPs
BKD helps organizations understand how an effective ERM program can be implemented. Our approach for NFPs is very similar to our approach to ERM at for-profit organizations. We’ve found that any effective ERM program contains four important structural components. First, every NFP should have a good understanding of its risks, and those risks should be documented in an easy-to-understand format. Second, those risks should be periodically analyzed and prioritized in a way that allows the organization to compare risks across multiple departments and disciplines as well as year-over-year. Third, the NFP needs a dynamic ongoing process to identify changes and emerging risks. Finally, there needs to be some governance, oversight and open communication regarding the ERM process. These four components can help position an NFP to strengthen risk management across its entire enterprise. For a more detailed explanation of these four ERM components, take a look at our article, “A Practical Approach to ERM”.
BKD surveys each organization’s board, executive team, line management team and specific subject matter experts to gain an understanding of perspectives from different parts of the organization. By stratifying the survey results into these groups, important information can be gleaned from the survey. Many senior executives find it useful to understand how their views align with those of the board or their line managers. Of course, it’s also very informative to know how the subject matter expert in an area feels about the risk environment. By comparing results from different stakeholder groups, it’s easy to identify risks where the various parties aren’t aligned.
The Value Proposition of ERM for NFPs
Effective ERM can enable an organization to formalize the oversight of risk management and provide a structure and framework to help the organization better understand its risks. By comparing and contrasting risks, management and the board can prioritize the most significant risks and focus more attention on the risks that could meaningfully affect the organization’s goals and objectives. This helps management evaluate and mitigate specific risks, identify emerging risks and consequently drive improved performance. In many organizations, the ERM process has highlighted risks and allowed management to react faster.
Another benefit of robust ERM is the assurance and comfort an effective process can provide for executive management and the board. By implementing strong ERM, organizational leaders can have more confidence risks are being identified and managed, processes are becoming more efficient, laws and regulations are being followed and the organization is performing at a high level.
If you’d like to learn more about how to implement an effective ERM program, contact Charlie.