Managing risk in your nonprofit organization
Risk is not inherently a bad thing. Depending on how management approaches it, risk can be either a threat or an opportunity. For an organization to grow, some risk is necessary and unavoidable. So the goal is not to eradicate risk, but to manage it effectively. These ideas are at the core of enterprise risk management (ERM), a management discipline that analyzes risks across the whole organization. The key premise is that most risks affect the entire organization, are interrelated, and thus must be managed holistically. Put simply, ERM is a consistently applied, systematic approach to understanding, evaluating and treating risk throughout an organization.
On June 18, 2013, RSM held a webcast on this topic. The discussion centered on practical approaches to using ERM in a nonprofit (NFP) organization. The complete webcast is available on the RSM website. Here is a summary of some of the topics covered.
What is ERM?
Here are several perspectives on ERM:
- Institute of Internal Auditors - "…a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives."
- Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM Integrated Framework (2004) - "…a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk within its risk appetite, and to provide reasonable assurance regarding the achievement of entity objectives."
- International Organization for Standardization (ISO) 31000 (2009) - "A systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk."
Regardless of the source, however, the underlying concept remains constant: ERM is a process executed throughout an entire organization to understand and manage risk in a consistent and systematic manner.
Traditional risk management vs. ERM
Traditional risk management
- Is tactical, not strategic
- Is focused on compliance issues
- Is a silo-based process
- Assesses risk by business line or risk type
- Looks at risks individually
- Does not closely link business decisions to risks
- Is driven by the risk management and internal audit departments
- Is supported by rules
Enterprise risk management
- Is strategic and performance focused
- Has a consistent risk management approach across the enterprise
- Is a holistic view of key risks
- Considers risk interactions
- Makes business decisions based on a clear understanding of risks
- Is driven by the board and owned by the business
- Is supported by a risk culture
Why effective risk management is critical
Business volatility, economic uncertainty and regulatory complexity are challenges facing all NFP organizations. Changes in the internal and external environment of organizations have created increased risk, as well as risk velocity. The increased complexity of business models is stifling performance and creating inefficiencies. The pace of business change is also speeding up, requiring quicker responses.
Individual risks cannot be viewed in isolation. They tend to affect nearly every department, decision and issue facing the organization, and so, must be analyzed across the entire enterprise. The emergence of new risks requires improved oversight and access to new skill sets. New strategic approaches are needed if risk management is to improve the organization's resilience and enhance value creation.
Some organizations, however, do not even have a basic enterprise risk framework in place. The focus is still too much on financial risks, and not enough on operational and strategic risks. In these cases, risk tolerance and limits have not been established, and even if such key risks are identified, they are not analyzed for an appropriate response.
What are the goals of an ERM framework?
- Appropriate risk governance
- Well-informed, risk-aware culture
- Defined organizational risk appetite
- Consistently applied risk management techniques
- Integration with business decision making
Appropriate risk governance
Governance begins with identifying the responsibilities of three primary groups – key business process owners, management and the board.
- Business process owners – own responsibility for identifying, assessing and treating risks
- Management – enables and facilitates a consistent approach to risk management
- Board – reviews and approves risk strategies, frameworks and policies
Fostering a risk-aware culture
To create a risk-aware culture, you must first start with executive management. Tone at the top is the starting point for a truly risk-conscious, risk-averse culture. To achieve this, risk management should be incorporated into the organization's stated mission or objectives. Executive and board communications should all incorporate the necessary processes and practices. The organization should have and distribute a Code of Conduct or Code of Ethics to all employees and executives. Incentive and performance evaluation plans also should include risk management factors. Last but not least, top-tier management should continuously demonstrate the desired risk management behaviors to other employees.
The organization's risk appetite (i.e., tolerance for risk) should be clearly articulated and communicated to all relevant parties throughout the organization. A risk appetite:
- Should be a thoughtful, frequently revisited exercise that considers both quantitative and qualitative factors
- Should help employees to understand the specific risks that the organization is willing and not willing to take
- Should provide a means for ensuring that actual risk-taking is consistent with the company's risk-taking capacity
Consistently applied risk management techniques
Risk management techniques can be grouped in different ways, but generally include the following:
Identification
Risk identification begins with appropriate planning, and could include the following:
- Mapping of the organization's services, products and processes
- Determination of the risk types to be included in the process (e.g., operational, legal, reputational)
- Identification of process owners in each area
Assessment
Best practices in risk assessment include:
- Identifying risks relative to key business objectives
- Utilizing interviews, surveys or facilitated workshops to ensure consistency
- Incorporating existing data and quantitative methodologies
- Considering multiple, forward-looking scenarios
Response
- Risk responses should be based on an assessment of loss likelihood and impact.
- Management actions should be specific to reducing likelihood, impact, or both.
- The most common risk responses are:
- Avoid (get out)
- Accept (monitor)
- Mitigate (internal controls)
- Transfer (insurance, contractual)
- Action plans with assigned owners should be developed and monitored by management.
- Risk responses should guide resource allocation.
Monitoring
- Risk monitoring should also be driven by the risk assessment.
- Highest-priority risks should be monitored thoroughly.
- Key risk indicators (KRIs) are critical to early identification of conditions that could lead to the manifestation of risks.
- KRIs should be forward-looking.
Reporting
- Risk reporting should emphasize key risks, recommendations for management action, and the status of that action.
- Volumes of detail should be avoided, particularly for board reporting.
- Reports should include early indicators and emerging risks.
- Leading practices include integrating risk data into existing reports.
Integrating risk into business decision-making
- To be effective, risk management must be integrated into day-to-day business activities and decisions.
- Everyone who makes decisions should consider themselves risk managers.
- Risk management should work within your organization's culture, not outside of it.
- Risk information should be shared across the company to break down traditional silos.
- Difficult conversations about what could go wrong should be encouraged.
- ERM is a simple and straightforward process for managing risk that should not be over-engineered.
- ERM can be built on the foundation of frameworks, processes and tools that most organizations already have in place.
- Understanding and managing strategic risks is critically important and cannot be accomplished solely through internal controls.
- Everyone in the organization needs to understand how to incorporate risk into their decision making.
- Effective ERM processes work within the organizational culture, not against it.
- Successful execution requires tailoring the ERM process to the individual organization – one size does not fit all.