What is risk? Fundamentally, it is the threat that an event or action (or inaction) will adversely affect an organization's ability to achieve its strategic objectives.
As categorized by the World Economic Forum, global risks range from extreme weather events, failure of major financial institutions, large-scale involuntary migration and food crises to large-scale cyberattacks and interstate conflicts—the list goes on.
From a CFO's perspective, regulatory compliance, communications and financial planning all contain the potential for risk. So how do globally active nonprofit organizations prioritize and prepare?
When it comes to cybersecurity, most companies focus on prevention at the expense of preparing for the inevitable, that is, for what happens when they get hacked. Many organizations rely on defense mechanisms for their security, but because no system is foolproof and completely secure, organizations should be concerned with how quickly they can detect a breach when it does happen—and how they will make a correction.
Increasingly, privacy is more than an operational activity or courtesy. Effective in May 2018, the European Union's (EU) General Data Protection Regulation, for example, is an update of previous laws designed to bolster data privacy protections for EU residents. Any organization that stores, transmits or processes data for individuals residing in any EU member country must comply with this regulation, whether or not it has physical operations in the EU. Organizations must have the proper procedures in place to prevent, detect and respond to data breaches.
Compliance and fraud
The Institute of Internal Auditors defines fraud as “any illegal act characterized by deceit, concealment or violation of trust.” An internal auditor's (IA) general role in preventing fraud is evaluating the system of internal controls, with a focus on preventative controls and segregation of duties. While they are not expected to be specialists in detecting and investigating fraud, IAs should have sufficient knowledge of fraud risk, understand how it is managed by the organization and be able to identify fraud indicators. Organizations receiving federal funding should have a whistleblower policy in place.
When it comes to fraud in global operations, the motivations and types of schemes may be similar around the world, and range from asset misappropriation and conflicts of interest to third-party fraud and corruption or bribery. But fraud may be more prevalent in some locations than in others. Participants in a 2018 survey by the Association of Certified Fraud Examiners estimated that the typical organization loses 5 percent of revenues each year to fraud, with median losses per case costing $130,000; only about 15 percent of cases result in full recovery. According to the study, nonprofit organizations accounted for 9 percent of the total fraud cases globally with a median loss of $75,000 per case.
Additional areas of concern include:
- Disaster recovery: Whether it is driven by a man-made situation or a natural disaster, business continuity and disaster recovery planning is prudent risk management and falls under the fiduciary responsibility of management and the board.
- Reliance on third parties: With more than 60 percent of revenue being driven by third parties, there are myriad risk considerations regarding compliance, regulatory, privacy and reputational issues, among other areas. Globally, there is increasing enforcement of bribery and corruption compliance. Board expectations of corporate risk management and appeals for transparency are rising as well.
- Culture: As global economies continue to open up and doing business globally becomes more of a business imperative, cultural values and communications present their own sets of risks. Business practices and etiquette in different countries are beginning to align more closely; nevertheless, the cultural values of individuals, businesses and countries are deep-seated and need to be acknowledged if a business is to succeed overseas.
Be proactive in mitigating risks
All of these risks could have an impact on an organization's reputation. In most situations, reputation is the organization's biggest asset, so it needs to be protected.
Organizations operating globally should identify potential key risks and barriers and develop mitigation plans, adopting and documenting formal controls and assigning responsibilities to control owners. Management should rate each risk by potential impact and likelihood, then create mitigation plans accordingly.
The Committee of Sponsoring Organizations (COSO)—a cohort of five major U.S. professional associations—developed internal control principles to mitigate risk. Organizations should map their control environment against the 17 principles of the COSO framework, identify gaps and remediate.
The primary areas include:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
Organizations should also consider adopting an enterprise risk management (ERM) program to better understand the risk profile of the organization as it becomes global. To be effective, enterprise risk management must be integrated into day-to-day business line activities and corporate decisions. As emerging risks and scenarios are identified, management can use the ERM activities as a means to better direct resources and response needs while staying on top of its day-to-day operations. For example, during a pandemic situation like COVID-19, organizations can use ERM to ensure that emerging risks are identified and action plans established to respond appropriately. ERM can provide a disciplined approach to prioritizing emerging risks and allocating resources to where organizations are most vulnerable.