By: Charles Tate, CPA, Managing Partner
In the aftermath of high-profile scandals and failures, nonprofit boards have turned their attention to enhanced corporate governance, strategic planning, and risk management. All nonprofits face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to meet its mission through the strategic plan. Uncertainty presents both risk and opportunity. Enterprise risk management enables nonprofits to effectively deal with uncertainty and associated risk and opportunity. A mission is more likely to be achieved when boards and management set strategy and objectives to strike an optimal balance between growth and goals and related risks, and then efficiently and effectively deploy resources in pursuit of the goals.
So how does the nonprofit assess risk? One thing is certain; it is not merely assessing the adequacy of insurance coverage or the risk of a terrorist attack. Nor can it be reduced to a simple mathematical formula. Until 2004, these common misunderstandings about risk assessment existed because there was no framework to effectively identify, assess, and manage risk.
Today, the principal guidance of entity-wide risk management is found in COSO’s 2004 Enterprise Risk Management (ERM) – Integrated Framework. From a strategic perspective, ERM considers the following activities and their associated risks:
- Strategic: These are the high-level activities that support the nonprofit’s mission and could include consideration of risks such as emerging educational delivery systems, quality of programs, physical capacity, demographics of donors, members, customers, employees, etc., and their increasing expectations.
- Financial: These are activities that relate to the effective and efficient use of resources such as office space, personnel, deferred capital maintenance, cost of capital (debt), endowment management and sources of support, and cost of new technologies versus related efficiencies.
- Operational: These are system related activities with risks relating to changes in financial, technology, and administrative systems, security, internet access, electronic records, human resource management, hiring, continuity, and succession.
- Compliance risk: These risks relate to the increasing regulatory scrutiny and accountability and include the risk of loss of federal funding, tax exemption, grants, and contracts due to inadequate processes.
- Reputational risk: This risk is a function of the strategic, financial, operational, reporting, and compliance risks and if not managed properly, would tarnish the nonprofit’s reputation and hamper future funding.
ERM is a broad framework that incorporates COSO’s 1992 Internal Control – Integrated Framework within it but does not replace it. The ERM framework expands on internal control concepts by providing a more robust focus based on the broader subject of enterprise risk management. The frameworks are compatible and are based on the same conceptual foundation. ERM was designed to offer organizations a commonly accepted model for evaluating risk management efforts. Risk management typically involves COSO’s eight interrelated ERM components as they relate to these objectives:
- Internal environment – the culture, values, and environment in which the nonprofit operates.
- Objective setting – the process that management uses to set its strategic goals and objectives.
- Event identification – internal and external events that could affect the nonprofit’s ability to achieve its objectives.
- Risk assessment – assessment of the impact of risks and prioritization of those risks.
- Risk response – how management will respond to the risks the nonprofit faces (e.g., mitigate the risk, or share the risk).
- Control activities – policies and procedures that the nonprofit establishes to ensure that it responds to risks.
- Information and communication – identification and communication of the right information to the right people.
- Monitoring – monitoring and taking corrective action as needed.
COSO’s approach to risk management will assist you in determining how efficiently and effectively your organization is currently managing risk. The organization’s enterprise risk management (ERM) approach should be designed to identify potential risks, and then manage those potential risks. We view the nonprofit’s risk assessment process as a means of not only managing downside risks (hazards) but also looking at opportunities to increase operating performance.
Tate & Tryon can help nonprofits with establishing a comprehensive risk management process. For information on our nonprofit risk assessment services, please contact us.
Committee of Sponsoring Organizations of the Treadway Commission (COSO)