not-for-profit risk management whitepaper: the new best practice
Post on 07-Nov-2014
NOT-FOR-PROFIT RISK MANAGEMENT :
THE NEW BEST PRACTICE
Risk management is regarded internationally as a best
practice; yet most organizations and many companies in the
U.S. have not embraced it voluntarily. Regulatory pressure has
been the primary driver behind large companies implementing
a risk management framework. Smaller organizations have
tended to shy away from it, mistakenly considering it to be a
tool for larger companies only. Several back-to-back years of
extreme weather disasters, cyber issues (think Blackberry’s
lost transmission days), and the domino effect of economic
recession are contributing to rethinking the place of risk
management as a business process and management strategy.
Typically, not-for-profits are not considered risk takers. It is
not surprising that the nonprofit sector would consider risk
management to be a non-critical function for organizations
whose mandate is not driven by the need to take risk. As you
might expect, this sector, like many others, has been hesitant
to embrace risk management as an important component of
their business model.
Risk Management in the Not-for-Profit World
Enter the brave new world of the 21st century, where risk
management is as relevant in the nonprofit space as it is in
the commercial environment. While nonprofits take on less
risk from a strategic standpoint (internal risk), they are faced
with far more significant external risks than their commercial
counterparts. Some unique risks facing the nonprofit sector
include:
Funding risk. In a recession, organizations that provide grants
and funding often have less to give away. Not-for-profits that are
at the mercy of their funding sources can face declining funding
support and be forced to manage with lower budgets.
Declining non-financial support. Not-for-profits often require
community support in order for their programs to thrive. During
difficult economic times, this support often wanes and the
impact on programs can be significant.
Competition. Competition for the same funds becomes
more intense in cases where limited funding is available.
Greater scrutiny is placed on the organization’s value and
the effectiveness of its programs. Online services offer
individual and corporate donors the opportunity to review an
organization’s ratings (Charity Navigator, Guidestar) before
choosing causes to support.
Mission appeal. For causes that depend greatly on individual
or corporate donations, mission appeal is critical. When an
organization’s mission is “popular” or top of mind, it is easier
to develop funding and external support. However, as new
ideas are developed and events drive other causes to become
popular, an organization’s mission may become stale and the
case for support is tougher to make.
Regulatory pressure. Not-for-profits are facing growing
regulatory pressure as government policies are now designed
to evaluate organizations not only on operations but also on
their ability to effectively manage risk (e.g., management and
protection of financial resources, reputation management/
social media risks, fraud).
Stakeholder risk. Heightened emphasis on compliance,
governance and transparency has shined a bright light
on all organizational levels, from operations and financial
administration to leadership and Board oversight. Several
studies over the past year have indicated that risk
management is now the top issue facing Boards and
stakeholders.
A New Risk Management Paradigm & New Best Practice
We live in an ever-changing environment with internal and
external factors that can significantly impact our operations
and outcomes, whether for-profit or not-for-profit. Business and
not-for-profit leaders face the daunting challenge of decision
making amid a myriad of changing forces. Boards of Directors
are tasked with an even larger challenge of creating long-term
sustainable growth for their shareholders. Risk is inherently
increased as organizations experience growth. Analyzing new
and potential risk exposures created by growth opportunities
is critical to the success of any growth initiative.
There is no doubt that risk management is emerging as a
business fundamental in this environment. It’s time to make a
few things clear.
- Risk management is a tool for all organizations (large
  or small).
- Risk management is a tool for minimizing or mitigating risk
  AND for maximizing the realization of opportunities, often
  returning competitive advantages.
- Most small and mid-sized nonprofit leaders, business
  owners and executives do not have an effective grasp of
  risk, although they may think they do.
- There are several affordable options for implementing
  a risk management framework. In fact, the earlier risk
  management is implemented, the less expensive a
  proposition it becomes.
A Straightforward Approach
Steps 1 and 2 below are simple yet effective steps an
organization can take to initiate the risk management journey.
Steps 3 through 10 represent a higher level implementation
that will likely require the assistance of a risk management
consultant.
1. Establish a high level Risk Management Committee.
Depending on your organization’s structure, this Committee
will either be a Board level or Executive level function.
Representatives should include key Board members
(Chairman of the Board and/or Audit Committee Chair) and
all members of Senior Management. The purpose of this
Committee is to create a forum for active discussion of risk
and the relevant mitigation strategies and management
actions.
2. Identify your most important risks. Identify the key risks
facing your organization (initially limit to your top ten) based
on likelihood and impact, and evaluate the mitigation
strategies that you currently have around them. You may
refer to the aforementioned list of unique risks faced by not-
for-profits as a starting point.
3. Rank the critical risks facing your organization. These
risks should reflect the organization’s strategic objectives
as well as its financial and operational processes. It will
be helpful in most cases to engage a consultant to advise
you on the development and ranking of risks for your
organization if you do not have this skill set in-house, as
this step is a fundamental building block of your overall
plan.
4. Establish a risk mitigation strategy. The commonly
accepted approaches to risk mitigation include risk transfer
and risk management. Risk transfer refers to the transfer
of risk to an external third party (e.g., insurance). Risk
management involves establishment of an internal control
environment designed to mitigate the particular risk.
5. Evaluate your internal control environment to assess
the adequacy of your activity level and monitoring controls
designed to mitigate your most important risks.
6. Evaluate all new business ventures/initiatives from a
risk perspective and include the risk assessment in the
decision-making process.
7. Develop key risk and control metrics by determining which
risks are most critical to your organization and mapping the
relevant controls to the risks.
8. Develop periodic reporting of all high risk activities and
the results of the evaluation of their related controls.
9. Enhance HR policies to include an evaluation of risk and
control activities of management and relevant staff as part
of their annual performance assessments.
10. Develop an organization-wide training program to educate
all staff on the importance of risk management to your
organization and their role in the risk/control culture.
Benefits of Risk Management
The Committee of Sponsoring Organizations of the Treadway
Commission (COSO) is a voluntary private-sector organization
dedicated to providing guidance to executive management
and governance entities on critical aspects of organizational
governance, business ethics, internal control, enterprise
risk management, fraud, and financial reporting. In its 2004
seminal work, Enterprise Risk Management – Integrated
Framework, COSO suggests that “among the most critical
challenges for managements is determining how much risk the
entity is prepared to and does accept as it strives to create
value (emphasis added).” COSO offers a salient list of risk
management benefits, namely:
Aligning risk appetite and strategy. Management considers
the entity’s risk appetite in evaluating strategic alternatives,
setting related objectives, and developing mechanisms to
manage related risks.
Enhancing risk response decisions. Risk management
provides the rigor to identify and select among alternative
risk responses – risk avoidance, reduction, sharing, and
acceptance.
Reducing operational surprises and losses. Entities gain
enhanced capability to identify potential events and establish
responses, reducing surprises and associated costs or losses.
Identifying and managing multiple and cross-enterprise risks.
Every enterprise faces a myriad of risks affecting different
parts of the organization, and risk management facilitates
effective response to the interrelated impacts and integrated
responses to multiple risks.
Seizing opportunities. By considering a full range of potential
events, risk management is positioned to identify and
proactively realize opportunities.
Improving deployment of capital. Obtaining robust risk
information allows management to effectively assess overall
capital needs and enhance capital allocation.
Improved decision making. Risk management information is
used along with other corporate information to arrive at a risk
management decision.
Allows for more effective growth. Having a robust risk
management process allows for better growth decisions since
downside capacity, structural, and integration risks are more
actively evaluated as part of the decision process.
Case Studies in Not-for-Profit Risk Management
Lesson Learned. Example A is a not-for-profit organization with
a large source of Government Grant funding. The organization
believed that it had a good handle on risk and had recently
updated its governance structures. During a review of the
organization, it was noted that the governance structure did
not include a structure for risk management. After performing
a one-day review of risk exposures, it was noted that the
organization’s compliance program did not cover all relevant
compliance requirements. Further tests revealed that it was not
in compliance with a Government regulation and had utilized
the Grant inappropriately. The amount of the misappropriation
was significant to the survival of the organization. A simple
risk management infrastructure would have prevented this loss
from occurring.
Performance Improved. Example B had a database of over
2,500 outside contractors for various levels of technical
support. They realized that they were vulnerable to significant
operational risk if their contractors did not adequately fulfill
their contracts, but were struggling to manage such a vast
contractor base. They decided to implement a risk management
framework over their procurement function as well as their
vendor management process to improve vendor oversight.
A risk-based framework was developed to determine which
contractors presented the greatest risk to the organization,
and procedures were developed to monitor the specific
risks identified. The outcome was that only 15 of the 2,500
contractors were critical to the company, requiring extensive
oversight. An additional 35 vendors were identified as moderate
risks requiring a minimum level of oversight, and 300 were
identified as low-risk contractors. The remainder represented
inactive vendors. The resulting oversight program was more
efficient, utilized fewer resources, and provided superior risk
coverage than their previous business model. The organization
was able to reduce the number of supporting contractors
without impacting the level of service being provided. Risk was
managed, performance was improved, and, presumably, dollars
were saved.
Perceived Costs Are Major Barrier to Implementation
The most common barrier to implementation of risk
management in not-for-profits and small businesses is
perceived cost. As with any business decision, the benefits
should outweigh the cost of such an implementation. Several
of the steps provided in the approach described earlier can
be performed with internal resources; however, it is advisable
to obtain the services of an experienced professional firm
to oversee this effort. Risk management solutions can
range from a one- or two-day review to the development of a
comprehensive risk framework. Fees are often more affordable
than imagined and often can be managed by implementing a
co-sourcing strategy once an initial consultation sets the path
forward.
Be sure to partner with a competitively priced, experienced, risk
management service provider that can recommend an efficient
approach to accomplishing this goal while understanding and
working within your budget restrictions.
The Bottom Line
Whether your organization is small or large, when risk turns
into reality, your damage will be minimized and recovery will be
maximized by an approach that addresses risk mitigation as an
enterprise solution.
If you have any questions about this whitepaper or related
issues, please contact Remonde Brangman, CPA, a Risk
Advisory Practice Leader for CBIZ MHM, LLC. He may be
reached at rbrangman@cbiz.com or 301.951.3636.
© Copyright 2012. CBIZ, Inc. NYSE Listed: CBZ. All rights reserved.
www.cbiz.com