
Not-for-Profit Risk Management Whitepaper: The New Best Practice

Date post: 07-Nov-2014
Upload: cbiz-inc
Description:
This whitepaper discusses the unique risks faced by nonprofits and how strategic risk management, even when implemented on a basic level, can benefit your Organization. Visit http://www.cbiz.com for more information.

NOT-FOR-PROFIT RISK MANAGEMENT: THE NEW BEST PRACTICE

Risk management is regarded internationally as a best practice; yet most organizations and many companies in the U.S. have not embraced it voluntarily. Regulatory pressure has been the primary driver behind large companies implementing a risk management framework. Smaller organizations have tended to shy away from it, mistakenly considering it to be a tool for larger companies only. Several back-to-back years of extreme weather disasters, cyber issues (think BlackBerry’s lost transmission days), and the domino effect of economic recession are contributing to rethinking the place of risk management as a business process and management strategy.

Typically, not-for-profits are not considered risk takers. It is not surprising that the nonprofit sector would consider risk management to be a non-critical function for organizations whose mandate is not driven by the need to take risk. As you might expect, this sector, like many others, has been hesitant to embrace risk management as an important component of their business model.

Risk Management in the Not-for-Profit World

Enter the brave new world of the 21st century, where risk management is as relevant in the nonprofit space as it is in the commercial environment. While nonprofits take on less risk from a strategic standpoint (internal risk), they are faced with far more significant external risks than their commercial counterparts. Some unique risks facing the nonprofit sector include:

Funding risk. In a recession, organizations that provide grants and funding often have less to give away. Not-for-profits that are at the mercy of their funding sources can face declining funding support and be forced to manage with lower budgets.

Declining non-financial support. Not-for-profits often require community support in order for their programs to thrive. During difficult economic times, this support often wanes and the impact on programs can be significant.

Competition. Competition for the same funds becomes more intense in cases where limited funding is available. Greater scrutiny is placed on the organization’s value and the effectiveness of its programs. Online services offer individual and corporate donors the opportunity to review an organization’s ratings (Charity Navigator, Guidestar) before choosing causes to support.

Mission appeal. For causes that depend greatly on individual or corporate donations, mission appeal is critical. When an organization’s mission is “popular” or top of mind, it is easier to develop funding and external support. However, as new ideas are developed and events drive other causes to become popular, an organization’s mission may become stale and the case for support is tougher to make.

Regulatory pressure. Not-for-profits are facing growing regulatory pressure as government policies are now designed to evaluate organizations not only on operations but also on their ability to effectively manage risk (e.g., management and protection of financial resources, reputation management/social media risks, fraud).

Stakeholder risk. Heightened emphasis on compliance, governance and transparency has shined a bright light on all organizational levels, from operations and financial administration to leadership and Board oversight. Several studies over the past year have indicated that risk management is now the top issue facing Boards and stakeholders.

A New Risk Management Paradigm & New Best Practice

We live in an ever-changing environment with internal and external factors that can significantly impact our operations and outcomes, whether for-profit or not-for-profit. Business and not-for-profit leaders face the daunting challenge of decision making amid a myriad of changing forces. Boards of Directors are tasked with an even larger challenge of creating long-term sustainable growth for their shareholders. Risk is inherently increased as organizations experience growth. Analyzing new and potential risk exposures created by growth opportunities is critical to the success of any growth initiative.

There is no doubt that risk management is emerging as a business fundamental in this environment. It’s time to make a few things clear.

• Risk management is a tool for all organizations (large or small).

• Risk management is a tool for minimizing or mitigating risk AND for maximizing the realization of opportunities, often returning competitive advantages.

• Most small and mid-sized nonprofit leaders, business owners and executives do not have an effective grasp of risk, although they may think they do.

• There are several affordable options for implementing a risk management framework. In fact, the earlier risk management is implemented, the less expensive a proposition it becomes.

A Straightforward Approach

Steps 1 and 2 below are simple yet effective steps an organization can take to initiate the risk management journey. Steps 3 through 10 represent a higher level implementation that will likely require the assistance of a risk management consultant.

1. Establish a high level Risk Management Committee. Depending on your organization’s structure, this Committee will either be a Board level or Executive level function. Representatives should include key Board members (Chairman of the Board and/or Audit Committee Chair) and all members of Senior Management. The purpose of this Committee is to create a forum for active discussion of risk and the relevant mitigation strategies and management actions.

2. Identify your most important risks. Identify the key risks facing your organization (initially limit to your top ten) based on likelihood and impact, and evaluate the mitigation strategies that you currently have around them. You may refer to the aforementioned list of unique risks faced by not-for-profits as a starting point.

3. Rank the critical risks facing your organization. These risks should reflect the organization’s strategic objectives as well as its financial and operational processes. It will be helpful in most cases to engage a consultant to advise you on the development and ranking of risks for your organization if you do not have this skill set in-house, as this step is a fundamental building block of your overall plan.

4. Establish a risk mitigation strategy. The commonly accepted approaches to risk mitigation include risk transfer and risk management. Risk transfer refers to the transfer of risk to an external third party (e.g., insurance). Risk management involves establishment of an internal control environment designed to mitigate the particular risk.

5. Evaluate your internal control environment to assess the adequacy of your activity level and monitoring controls designed to mitigate your most important risks.

6. Evaluate all new business ventures/initiatives from a risk perspective and include the risk assessment in the decision-making process.

7. Develop key risk and control metrics by determining which risks are most critical to your organization and mapping the relevant controls to the risks.

8. Develop periodic reporting of all high risk activities and the results of the evaluation of their related controls.

9. Enhance HR policies to include an evaluation of risk and control activities of management and relevant staff as part of their annual performance assessments.

10. Develop an organization-wide training program to educate all staff on the importance of risk management to your organization and their role in the risk/control culture.

Benefits of Risk Management

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a voluntary private-sector organization dedicated to providing guidance to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. In its 2004 seminal work, Enterprise Risk Management – Integrated Framework, COSO suggests that “among the most critical challenges for managements is determining how much risk the entity is prepared to and does accept as it strives to create value (emphasis added).” COSO offers a salient list of risk management benefits, namely:

Aligning risk appetite and strategy. Management considers the entity’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.

Enhancing risk response decisions. Risk management provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing, and acceptance.

Reducing operational surprises and losses. Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.

Identifying and managing multiple and cross-enterprise risks. Every enterprise faces a myriad of risks affecting different parts of the organization, and risk management facilitates effective response to the interrelated impacts and integrated responses to multiple risks.

Seizing opportunities. By considering a full range of potential events, risk management is positioned to identify and proactively realize opportunities.

Improving deployment of capital. Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.

Improved decision making. Risk management information is used along with other corporate information to arrive at a risk management decision.

Allows for more effective growth. Having a robust risk management process allows for better growth decisions since downside capacity, structural, and integration risks are more actively evaluated as part of the decision process.

Case Studies in Not-for-Profit Risk Management

Lesson Learned. Example A is a not-for-profit organization with a large source of Government Grant funding. The organization believed that it had a good handle on risk and had recently updated its governance structures. During a review of the organization, it was noted that the governance structure did not include a structure for risk management. After performing a one-day review of risk exposures, it was noted that the organization’s compliance program did not cover all relevant compliance requirements. Further tests revealed that it was not in compliance with a Government regulation and had utilized the Grant inappropriately. The amount of the misappropriation was significant to the survival of the organization. A simple risk management infrastructure would have prevented this loss from occurring.

Performance Improved. Example B had a database of over 2,500 outside contractors for various levels of technical support. They realized that they were vulnerable to significant operational risk if their contractors did not adequately fulfill their contracts, but were struggling to manage such a vast contractor base. They decided to implement a risk management framework over their procurement function as well as their vendor management process to improve vendor oversight. A risk-based framework was developed to determine which contractors presented the greatest risk to the organization, and procedures were developed to monitor the specific risks identified. The outcome was that only 15 of the 2,500 contractors were critical to the company, requiring extensive oversight. An additional 35 vendors were identified as moderate risks requiring a minimum level of oversight, and 300 were identified as low-risk contractors. The remainder represented inactive vendors. The resulting oversight program was more efficient, utilized fewer resources, and provided superior risk coverage than their previous business model. The organization was able to reduce the number of supporting contractors without impacting the level of service being provided. Risk was managed, performance was improved, and, presumably, dollars were saved.

Perceived Costs Are Major Barrier to Implementation

The most common barrier to implementation of risk management in not-for-profits and small businesses is perceived cost. As with any business decision, the benefits should outweigh the cost of such an implementation. Several of the steps provided in the approach described earlier can be performed with internal resources; however, it is advisable to obtain the services of an experienced professional firm to oversee this effort. Risk management solutions can range from a one- or two-day review to the development of a comprehensive risk framework. Fees are often more affordable than imagined and often can be managed by implementing a co-sourcing strategy once an initial consultation sets the path forward.

Be sure to partner with a competitively priced, experienced, risk management service provider that can recommend an efficient approach to accomplishing this goal while understanding and working within your budget restrictions.

The Bottom Line

Whether your organization is small or large, when risk turns into reality, your damage will be minimized and recovery will be maximized by an approach that addresses risk mitigation as an enterprise solution.

If you have any questions about this whitepaper or related issues, please contact Remonde Brangman, CPA, a Risk Advisory Practice Leader for CBIZ MHM, LLC. He may be reached at [email protected] or 301.951.3636.

© Copyright 2012. CBIZ, Inc. NYSE Listed: CBZ. All rights reserved.

www.cbiz.com

