Risk & Data Considerations + Proactive CFO + Engaged Audit Committee = Enterprise Risk Management
Forward looking nonprofits are increasingly focusing on risk management and metrics in the strategic planning process led by a proactive CFO in collaboration with the audit committee. So what is enterprise risk management?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO), defines enterprise risk management as:
“A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Risk Considerations for the Nonprofit:
- Does your strategic plan focus on risks, their identification and quantification including things like SaaS and cloud-based contracts?
- Are economic, environmental, political, social, and technological risks considered?
- Are risk mitigation factors considered such as cyber insurance and human resource policies/protocols?
- Do the identified risks align with the board and management’s risk appetite?
Metrics and Data Management Considerations for the Nonprofit:
Many strategic plans sound more like a mission statement, devoid of timelines, accountabilities, and metrics.
- Does your strategic plan contain meaningful, measurable and actionable data?
- If such metrics are identified, can the data be extracted from the organization’s database (AMS, CRM or similar constituent database)?
- If the data can be extracted from the database, is it presented in a dashboard that tells a story – from strategy through execution?
We are seeing a rapid integration of risk management into strategic planning, with an intense emphasis on measurable outcomes and relevant data analytics. However, many nonprofits take a disaggregated approach where strategy setting is done in isolation by the board and CEO, without the CFO’s input or consideration of risk. To achieve effective strategic planning, we recommend that a collaborative enterprise risk management assessment be completed on an annual basis or more frequently as major initiatives or investments are developed.
If your organization would like assistance with developing a good process for integrating strategy, risk management, and data analytics, please contact us to learn more.