How enterprise risk management (ERM) can help not-for-profits thrive


Not-for-profits’ interest in ERM is growing, as leadership seeks to identify high-risk areas (including those once thought to be improbable), develop appropriate mitigation or response strategies to protect the organization’s interests and assets, and guide subsequent risk management activities. See more in our State of not-for-profit industry 2014:


Paul Klein, Business Advisory Services Managing Director, Not-for-Profit and Higher Education Practices
Mark Oster, National Managing Partner, Not-for-Profit and Higher Education Practices, Business Advisory Services Principal

Not-for-profits’ interest in enterprise risk management (ERM) is growing, as leadership seeks to identify high-risk areas (including those once thought to be improbable); develop appropriate mitigation or response strategies to protect the organization’s interests and assets; and guide subsequent risk management activities.

The pressures on management, boards and audit committees to understand and address organizational risks have never been greater. In today’s economic climate, not-for-profit organizations must be able to protect their key assets — most importantly, their good name and reputation.

Whether due to changes in leadership, direction, growth, technology, or program offerings and services, it is likely that your organization is facing increased risk. The potential reputational, legal, financial, operational and mission-related impacts associated with such exposure have increased, as have stakeholder expectations regarding good stewardship. This places even more responsibility on leadership to identify and understand potential risks, establish a risk-focused culture and prioritize mitigation strategies going forward.

External forces have also put the spotlight on ERM. Not-for-profit organizations are facing unprecedented scrutiny by donors and watchdog agencies. The demand to operate transparently and with more sophisticated board engagement is higher than ever. Even without any dramatic changes to your business model, external pressures — regulatory, competitive, legal, economic or constituent-related — coupled with inadequate risk management practices may leave your organization vulnerable.

Without carefully assessing and managing both existing and emerging risks, new initiatives may not succeed and responses to external pressures may fall short, thus exposing your organization to risks that could ultimately destroy its reputation and threaten its survival.

Establishing a strong ERM program shields your organization from threats while enabling you to capitalize on new opportunities. ERM is a process that identifies, analyzes, addresses and monitors potential risks to your organization. By understanding and prioritizing these risks, you can build and execute a top-notch strategic plan that enables your organization to seize new opportunities and mitigate existing or emerging risks.

Benefits of implementing ERM

A rapidly increasing number of not-for-profit boards are committing to ERM programs. Adoption is being driven by stronger fiduciary oversight, more robust strategic planning initiatives, a new generation of managers, and concerns over radical industry shifts, including pressure to cut costs, innovate and respond to regulatory inquiries.

An effective ERM program keeps organizations focused on optimizing strategic objectives, actively engages the executive team and enhances the board’s oversight of risk management. Furthermore, industry watchers recognize the importance of ERM in the continued success and sustainability of any organization, and they are factoring its existence and effectiveness into their overall ratings.
Perceived obstacles to ERM adoption

If ERM is a proven tool, why have not-for-profits struggled with building successful ERM programs? There are many possibilities:

• Not-for-profits may view ERM as an occasional project, rather than a continuous process.
• Not-for-profits may see ERM as a way of identifying all possible internal risks to the organization, thus creating an unmanageable amount of information and hindering its ability to focus on the most critical threats and advantageous opportunities.
• Organizations may create a completely new process and organization around ERM — separate from strategic and business planning — or delegate ERM to internal audit or other risk management groups.
• Not-for-profits may ignore critical and threatening risks because they are perceived as unlikely or out of their control.
• Not-for-profits may not recognize the value of management’s consideration of uncontrollable risk events and the development of anticipated responses if those events were to occur.
• They may lack adequate processes or indicators to monitor and respond to emerging risk events.

4 ways ERM can transform not-for-profits

As leading organizations that have embraced ERM have shown, this process can work throughout the not-for-profit sector. Here’s how:

ERM requires a cultural change. To instill ERM into your culture, the organization first needs to establish a common definition of what risk means, and then gain consensus regarding risk tolerance and appetite. As the ERM process unfolds, spending time to truly deliberate risk is hugely important. Risk consideration needs to become a shared way of thinking, and it should be on the agenda for every strategic discussion. Defining guiding principles for the ERM program is also critical so that expectations are properly set from the start and there is a shared understanding of what needs to happen when unexpected events occur.

ERM needs to be championed from the top. Setting the tone from the top and getting senior-level endorsement are critical to organizational change. A leading not-for-profit recently transformed its risk program when a newly hired executive advocated ERM. At another not-for-profit organization, the president made a point to inform his senior leadership and board that risk management was a top organizational priority. In both cases, the organizations adopted an integrated, holistic approach to managing risk that created accountability, defined a process for identifying and mitigating risk, and emphasized realistic but firm implementation time frames. As the respective boards and an ever-wider group of executives have embraced and owned the process, the organizations have permanently changed the way they approach risk.

ERM is a vital strategic planning driver. A critical flaw in many enterprise risk approaches is misunderstanding the difference between enterprisewide risk assessments and ERM programs. Enterprisewide risk assessments collect all plausible risks, and the resulting list can be huge, unfocused and difficult to analyze. The result is a one-off report to the board or senior management. On the other hand, a strong ERM program addresses the most critical organization-level risks and supports the strategic plan. A strategic plan can inform the ERM process by identifying new opportunities that may introduce new organizational risks. The ERM process can likewise inform the strategic plan by defining the organization’s risk tolerance and appetite to ensure that undue conservatism doesn’t preclude new efforts from being undertaken (i.e., opportunity risk). When used appropriately, ERM can be a proactive partner to strategic planning.

ERM is a safety net, offering protection against broad or sudden industry changes. A successful ERM program is risk-intelligent. It includes the monitoring of key internal and external risk indicators so leadership can react quickly and effectively to reduce the impact of negative events or seize new opportunities. Strong ERM programs can give not-for-profits the edge they need in a risky and increasingly competitive environment. Whether it is the identification of an emerging risk such as inaccuracy of nonfinancial outcome assessments, the opportunity risk of investing in new technologies, or a strategic risk associated with a shift in the business model, an ERM program enables leadership to thoughtfully consider and plan for what tomorrow may bring.

Don’t delay your ERM program adoption

As financial, regulatory, technological, organizational and programmatic pressures weigh on not-for-profits, the inability to adequately respond to these rapidly emerging and intensifying events can knock even the most solid organization off its feet. Being prepared can make all the difference; it’s never too late to start implementing ERM. A robust program will help your organization recognize and prepare for emerging risks, and minimize the impact of unforeseen events, allowing you to seize new opportunities while protecting your organization’s mission and reputation.