Not-for-Profit Risk Management Whitepaper: The New Best Practice



This whitepaper discusses the unique risks faced by nonprofits and how strategic risk management, even when implemented on a basic level, can benefit your Organization. Visit for more information.

Published in: Business, Economy & Finance

Risk management is regarded internationally as a best practice; yet most organizations and many companies in the U.S. have not embraced it voluntarily. Regulatory pressure has been the primary driver behind large companies implementing a risk management framework. Smaller organizations have tended to shy away from it, mistakenly considering it to be a tool for larger companies only. Several back-to-back years of extreme weather disasters, cyber issues (think Blackberry’s lost transmission days), and the domino effect of economic recession are contributing to rethinking the place of risk management as a business process and management strategy.

Typically, not-for-profits are not considered risk takers. It is not surprising that the nonprofit sector would consider risk management to be a non-critical function for organizations whose mandate is not driven by the need to take risk. As you might expect, this sector, like many others, has been hesitant to embrace risk management as an important component of their business model.

Risk Management in the Not-for-Profit World

Enter the brave new world of the 21st century, where risk management is as relevant in the nonprofit space as it is in the commercial environment. While nonprofits take on less risk from a strategic standpoint (internal risk), they are faced with far more significant external risks than their commercial counterparts. Some unique risks facing the nonprofit sector include:

  • Funding risk. In a recession, organizations that provide grants and funding often have less to give away. Not-for-profits that are at the mercy of their funding sources can face declining funding support and be forced to manage with lower budgets.
  • Declining non-financial support. Not-for-profits often require community support in order for their programs to thrive. During difficult economic times, this support often wanes and the impact on programs can be significant.
  • Competition. Competition for the same funds becomes more intense in cases where limited funding is available. Greater scrutiny is placed on the organization’s value and the effectiveness of its programs. Online services offer individual and corporate donors the opportunity to review an organization’s ratings (Charity Navigator, Guidestar) before choosing causes to support.
  • Mission appeal. For causes that depend greatly on individual or corporate donations, mission appeal is critical. When an organization’s mission is “popular” or top of mind, it is easier to develop funding and external support. However, as new ideas are developed and events drive other causes to become popular, an organization’s mission may become stale and the case for support is tougher to make.
  • Regulatory pressure. Not-for-profits are facing growing regulatory pressure as government policies are now designed to evaluate organizations not only on operations but also on their ability to effectively manage risk (e.g., management and protection of financial resources, reputation management/social media risks, fraud).
  • Stakeholder risk. Heightened emphasis on compliance, governance and transparency has shined a bright light on all organizational levels, from operations and financial administration to leadership and Board oversight. Several studies over the past year have indicated that risk management is now the top issue facing Boards and stakeholders.

A New Risk Management Paradigm & New Best Practice

We live in an ever-changing environment with internal and external factors that can significantly impact our operations and outcomes, whether for-profit or not-for-profit. Business and not-for-profit leaders face the daunting challenge of decision making amid a myriad of changing forces. Boards of Directors are tasked with an even larger challenge of creating long-term sustainable growth for their shareholders. Risk is inherently increased as organizations experience growth. Analyzing new and potential risk exposures created by growth opportunities is critical to the success of any growth initiative.
There is no doubt that risk management is emerging as a business fundamental in this environment. It’s time to make a few things clear.

  • Risk management is a tool for all organizations (large or small).
  • Risk management is a tool for minimizing or mitigating risk AND for maximizing the realization of opportunities, often returning competitive advantages.
  • Most small and mid-sized nonprofit leaders, business owners and executives do not have an effective grasp of risk, although they may think they do.
  • There are several affordable options for implementing a risk management framework. In fact, the earlier risk management is implemented, the less expensive a proposition it becomes.

A Straightforward Approach

Steps 1 and 2 below are simple yet effective steps an organization can take to initiate the risk management journey. Steps 3 through 10 represent a higher level implementation that will likely require the assistance of a risk management consultant.

  1. Establish a high level Risk Management Committee. Depending on your organization’s structure, this Committee will either be a Board level or Executive level function. Representatives should include key Board members (Chairman of the Board and/or Audit Committee Chair) and all members of Senior Management. The purpose of this Committee is to create a forum for active discussion of risk and the relevant mitigation strategies and management actions.
  2. Identify your most important risks. Identify the key risks facing your organization (initially limit to your top ten) based on likelihood and impact, and evaluate the mitigation strategies that you currently have around them. You may refer to the aforementioned list of unique risks faced by not-for-profits as a starting point.
  3. Rank the critical risks facing your organization. These risks should reflect the organization’s strategic objectives as well as its financial and operational processes. It will be helpful in most cases to engage a consultant to advise you on the development and ranking of risks for your organization if you do not have this skill set in-house, as this step is a fundamental building block of your overall plan.
  4. Establish a risk mitigation strategy. The commonly accepted approaches to risk mitigation include risk transfer and risk management. Risk transfer refers to the transfer of risk to an external third party (e.g., insurance). Risk management involves establishment of an internal control environment designed to mitigate the particular risk.
  5. Evaluate your internal control environment to assess the adequacy of your activity level and monitoring controls designed to mitigate your most important risks.
  6. Evaluate all new business ventures/initiatives from a risk perspective and include the risk assessment in the decision-making process.
  7. Develop key risk and control metrics by determining which risks are most critical to your organization and mapping the relevant controls to the risks.
  8. Develop periodic reporting of all high risk activities and the results of the evaluation of their related controls.
  9. Enhance HR policies to include an evaluation of risk and control activities of management and relevant staff as part of their annual performance assessments.
  10. Develop an organization-wide training program to educate all staff on the importance of risk management to your organization and their role in the risk/control culture.
Benefits of Risk Management

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a voluntary private-sector organization dedicated to providing guidance to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. In its 2004 seminal work, Enterprise Risk Management – Integrated Framework, COSO suggests that “among the most critical challenges for managements is determining how much risk the entity is prepared to and does accept as it strives to create value (emphasis added).” COSO offers a salient list of risk management benefits, namely:

  • Aligning risk appetite and strategy. Management considers the entity’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.
  • Enhancing risk response decisions. Risk management provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing, and acceptance.
  • Reducing operational surprises and losses. Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.
  • Identifying and managing multiple and cross-enterprise risks. Every enterprise faces a myriad of risks affecting different parts of the organization, and risk management facilitates effective response to the interrelated impacts and integrated responses to multiple risks.
  • Seizing opportunities. By considering a full range of potential events, risk management is positioned to identify and proactively realize opportunities.
  • Improving deployment of capital. Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.
  • Improved decision making. Risk management information is used along with other corporate information to arrive at a risk management decision.
  • Allows for more effective growth. Having a robust risk management process allows for better growth decisions since downside capacity, structural, and integration risks are more actively evaluated as part of the decision process.
Case Studies in Not-for-Profit Risk Management

Lesson Learned. Example A is a not-for-profit organization with a large source of Government Grant funding. The organization believed that it had a good handle on risk and had recently updated its governance structures. During a review of the organization, it was noted that the governance structure did not include a structure for risk management. After performing a one-day review of risk exposures, it was noted that the organization’s compliance program did not cover all relevant compliance requirements. Further tests revealed that it was not in compliance with a Government regulation and had utilized the Grant inappropriately. The amount of the misappropriation was significant to the survival of the organization. A simple risk management infrastructure would have prevented this loss from occurring.

Performance Improved. Example B had a database of over 2,500 outside contractors for various levels of technical support. They realized that they were vulnerable to significant operational risk if their contractors did not adequately fulfill their contracts, but were struggling to manage such a vast contractor base. They decided to implement a risk management framework over their procurement function as well as their vendor management process to improve vendor oversight. A risk-based framework was developed to determine which contractors presented the greatest risk to the organization, and procedures were developed to monitor the specific risks identified. The outcome was that only 15 of the 2,500 contractors were critical to the company, requiring extensive oversight. An additional 35 vendors were identified as moderate risks requiring a minimum level of oversight, and 300 were identified as low-risk contractors. The remainder represented inactive vendors. The resulting oversight program was more efficient, utilized fewer resources, and provided superior risk coverage than their previous business model. The organization was able to reduce the number of supporting contractors without impacting the level of service being provided. Risk was managed, performance was improved, and, presumably, dollars were saved.
Perceived Costs Are Major Barrier to Implementation

The most common barrier to implementation of risk management in not-for-profits and small businesses is perceived cost. As with any business decision, the benefits should outweigh the cost of such an implementation. Several of the steps provided in the approach described earlier can be performed with internal resources; however, it is advisable to obtain the services of an experienced professional firm to oversee this effort. Risk management solutions can range from a one- or two-day review to the development of a comprehensive risk framework. Fees are often more affordable than imagined and often can be managed by implementing a co-sourcing strategy once an initial consultation sets the path forward. Be sure to partner with a competitively priced, experienced, risk management service provider that can recommend an efficient approach to accomplishing this goal while understanding and working within your budget restrictions.

The Bottom Line

Whether your organization is small or large, when risk turns into reality, your damage will be minimized and recovery will be maximized by an approach that addresses risk mitigation as an enterprise solution.

If you have any questions about this whitepaper or related issues, please contact Remonde Brangman, CPA, a Risk Advisory Practice Leader for CBIZ MHM, LLC. He may be reached at or 301.951.3636.

© Copyright 2012. CBIZ, Inc. NYSE Listed: CBZ. All rights reserved.