
What is ERM?
Article Date: November 2011

By: Susan Colladay, CPA, Partner

Before diving into ERM, a quick history lesson about how it evolved is helpful background. Over a decade ago, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued Internal Control – Integrated Framework, which provided guidance to assess and enhance internal control. The COSO Framework includes the following, hopefully familiar, five interrelated elements:

  1. Control Environment
  2. Risk Assessment
  3. Control Activities
  4. Information and Communication
  5. Monitoring

Risk Assessment, as it relates to the objective of reliable financial reporting, involves the identification and analysis of the risks of material misstatement. Risk Assessment includes forming a basis for determining how an organization's identified risks should be managed. This COSO element encourages organizations to implement mechanisms designed to identify and address the specific risks associated with their industry or line of business.

Risk Assessment in a small organization, such as a nonprofit, can be relatively efficient, often because in-depth knowledge of the organization’s operations enables the CEO and other senior managers to have first-hand information of potential risks.  In carrying out their normal responsibilities, including obtaining information gained from employees, members, suppliers, and others, managers identify risks inherent in business processes.  In addition to focusing on operations and compliance risks, managers are positioned to consider risks to reliable financial reporting as well.

Over the past decade, the COSO Framework has been incorporated into policy, rule, and regulation, and is used by thousands of organizations, including nonprofits, to improve control over their activities and thereby carry out their missions. In essence, organizations needed to more fully understand and be able to implement the Risk Assessment element of COSO, and this is the primary reason for the development of COSO's Enterprise Risk Management – Integrated Framework (ERM).

A heightened focus on risk management spurred COSO to develop ERM, which provides guidance to evaluate and improve enterprise risk management. It expands on internal control to provide a more robust and extensive focus on the broader subject of enterprise risk management. Similar to the COSO Framework, ERM includes the following eight interrelated components:

  1. Internal environment
  2. Objective setting
  3. Event identification
  4. Risk assessment
  5. Response
  6. Control Activities
  7. Information and Communication
  8. Monitoring

For nonprofit organizations, ERM is useful guidance for establishing and monitoring a target level of reserves. Virtually every decision an organization makes affects its reserves, and monitoring the level of reserves is a key task of the board of directors and management. A robust ERM function not only identifies and attempts to mitigate potential risks, it also incorporates key decisions regarding strategic, operational, financial, and capital allocation planning so that nonprofit organizations may more effectively and efficiently carry out their missions.

Susan Colladay is a partner in Tate & Tryon’s audit and assurance services department and can be reached at scolladay@tatetryon.com.
