Adopting a new enterprise risk management program
We continue to see growing interest in the discipline of enterprise risk management (ERM) within the nonprofit industry, and the results of RSM's recent ERM survey provide even more evidence of this trend. In fact, 37 percent of nonprofit organizations have some form of ERM program in place. This is even higher for those organizations with over $100 million in annual revenue and contributions, with 62 percent having a formalized program.
Many organizations are looking for ways to enhance their current risk management approach and process, yet 63 percent of survey respondents described risk management as informal at best within their organization. Many of these organizations have expressed interest in developing a more mature capability.
We have outlined below several key considerations for organizations that are looking to either start or enhance their enterprise risk management processes:
1. ERM frameworks - Organizations may choose to implement ERM in different ways, but we believe that adopting a formal ERM framework enhances consistency and provides tangible benefits.
Two popular and developed ERM frameworks used by many nonprofit organizations are the COSO ERM – Integrated Framework and ISO 31000. The frameworks are similar in nature, but have differences in the terminology and the number of components defined. In addition, organizations in the public sector space may consider the Government Accountability Office (GAO) Risk Management Framework, which was developed from numerous government, industry and academic sources.
Regardless of the framework used, each provides a structured approach to ERM, and many organizations choose to use one framework or a combination of frameworks to help lay the foundation and approach for risk management.
2. Key components that should be in place for an effective program - ERM is not just a periodic “risk assessment,” but a management discipline that allows management to analyze risks across the whole organization on a continual basis. The premise is that most key or critical risks affect the entire organization and are interrelated, and thus should be managed holistically. Within most ERM frameworks, there are four primary components that drive an effective ERM program: strategic and business objectives; risk governance; risk culture and risk appetite; and risk management processes.
Numerous factors, such as an organization's size and culture, will determine the level of depth for each component, but the basic pieces should be in place whether ERM at your organization is just getting started or in an advanced state.
- Risk management processes - Defined risk management processes help organizations make their ERM processes consistent. Risk processes are repeatable and executed at all levels of the organization to identify strategic and operational level risks. Technology should be used whenever possible to enable efficient and effective processes. Processes include identification, assessment or measurement, response and control, monitoring, and reporting or communication of risk. Fifty-eight percent of respondents said they have performed a risk assessment, but only 45 percent of those that performed an assessment continue to monitor response strategies.
- Strategic business objectives - The primary purpose of ERM is to help an organization achieve its objectives through effective and efficient risk management. In order to achieve this purpose, strategic, business and program objectives need to be defined, known and included as a core part of your ERM activities. While this may seem like common sense, some organizations have tried to implement ERM, or risk management in general, in a vacuum, without any connection to the strategic plan. As the other three components are built, an organization needs to stay focused on the goal of enhancing strategic planning. This is accomplished by increasing the availability of risk information to support and analyze various risk scenarios and outcomes.
- Risk governance - Governance is the combination of processes and structures implemented by the board to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.1
- Boards set the overall attitude and approach toward risk management and are responsible for approving the organization's risk appetite (i.e., the amount of risk the organization is willing to accept in the pursuit of the strategic plan), comparing the portfolio of risks to the agreed risk appetite, determining if management is responding to significant risks appropriately and monitoring the overall effectiveness of ERM. Risk committees help the board discharge its responsibilities and should exist at both the executive and operational levels. Risk committees may be responsible for implementing ERM, managing risk and ensuring ERM's continuous alignment with strategy and objectives. Risk committees at operational levels are responsible for managing specific types of risk (e.g., risk category or program-specific risks).
- Risk culture and risk appetite - Risk culture is necessary to make ERM sustainable within an organization. It is an organization's overall attitude toward risk and risk-taking. The “tone at the top” set by senior management ultimately determines and influences risk culture and the amount of support behind ERM. Risk culture encompasses: 1) clear roles and responsibilities for identifying, assessing and managing risks, 2) code of conduct and ethics and 3) risk factors incorporated into incentive plans and performance evaluations. Of the overall survey responses, 42 percent said there is a tone at the top that supports risk management and works to integrate it throughout the organization. Not surprisingly, 62 percent of those organizations with the right tone at the top have formally implemented ERM.
- Risk appetite provides decision-makers guidance on the acceptable levels of risk as they consider ways of accomplishing objectives (organization-wide and program-specific). It is the amount of risk (nonfinancial and financial) an organization is willing to accept in the pursuit of its strategic objectives. A risk appetite consists of a set of definitions and guidance that outline the various tolerances and thresholds for all risk types. Only 5 percent of respondents said that they have defined a risk appetite. These organizations were noted to have ERM integrated throughout the organization and used as part of the strategic planning process. This component of ERM represents a good opportunity for most organizations to better define acceptable levels of risk and better guide mission-focused decision-making.
3. Considerations and best practices for ERM implementation - Based on the survey, approximately 22 percent of nonprofit organizations are planning to implement a more formal ERM program within the next year. We have seen the following considerations as key to the success of a sustainable ERM program:
- Tone at the top – The board, CEO and executive management all need to be behind ERM in order for an organization to realize the expected benefits. Implementing ERM may require behavioral changes that will be beneficial in the long run, but uncomfortable during the short term, so leadership support is critical for navigating an organization through those changes.
- Crawl, walk, run – This approach is successful for implementing various management practices and is also helpful for ERM. Organizations that have minimal risk management practices in place should start with simple activities that provide immediate returns and build momentum. For example, a strategic risk assessment or inventory of existing risk management practices (see next consideration) would be a better place to start than immediately implementing a governance, risk management and compliance (GRC) software solution.
- Build on tools and processes in place – More often than not, organizations already have risk management activities in place, but those activities have different names. For example, most organizations complete an annual budgeting and forecasting process. Certain assumptions are used to create budgets and forecasts, and some of those assumptions are risks that can be used as input into other processes or decisions. Also, risk assessment (strategic and operational) results should be incorporated into budgeting and forecasting models, if they are not already. Reporting is also an area that we have seen organizations use as a starting point for building on existing tools. Rather than create a specific “ERM report,” clients have incorporated risks or a risk management section to existing reports. Regardless of the tools or processes that are used as a foundation, building on what is in place and working well will help with ERM adoption.
- Culture – culture – culture – Well-developed and implemented tools and processes will only take an organization so far. Success with ERM is dependent on culture and change management initiatives that support the tools and processes. Organizations have found themselves in situations where resources were wasted on a tool or process that was state of the art, but rejected by employees because culture changes were not addressed.
Organizations that have adopted a formal ERM program are noticing more in-depth conversations with senior management and board members about the risks facing the organization. For some nonprofit organizations, breaking down department “silos” and facilitating risk discussions across the organization are resulting in meaningful dialogue about both current and emerging risks and how those risks are being managed. Boards playing a more active oversight role have a better understanding of the risks the organization faces and how management is addressing those risks. With a well-developed and implemented ERM framework, nonprofit organizations are creating greater structure and attention around risk management discussions, focusing on the critical risks to the organization's mission, strategy and programs, thus allowing management to respond appropriately to those risks based on the appetite and tolerance for specific risks.
1 IIA Standards and Guidance – IPPF 2110 - Governance Definition