Manage Your Not-for-Profit's Risk in 10 Steps (article)


Not-for-profits are not known as risk takers. Unlike some commercial entities, not-for-profit organizations tend not to have pressure to take internal or strategic risks. Today’s world, however, holds its share of risks for not-for-profits. From unstable funding sources to regulatory pressure and stakeholder concerns, not-for-profits face numerous unique challenges.

Just as in the for-profit world, growth and success for not-for-profits hinge on the ability to control potential risk and exposure areas. Not-for-profit leadership must continuously adjust and enhance risk management procedures in order to ensure adequate coverage for their organizations. Below, we have outlined a 10-step approach to help not-for-profits manage their risks. Examining these best practices can help determine whether you need to update your organization’s risk management approach.

  1. Establish a High-Level Risk Management Committee
    A cross-section of individuals within your organization should participate in risk management discussions. Create a risk management committee to help facilitate these conversations. Depending on your organization’s structure, this committee will be either a Board level or executive level function. Representatives should include key Board members (Chairman of the Board and/or Audit Committee Chair) and all members of senior management.

  2. Develop a Risk Appetite and Taxonomy
    Establish your organization’s risk appetite and vocabulary/common risk language. Your risk appetite should reflect quantitative and qualitative risk thresholds that would be considered harmful to the organization (e.g. a material loss could be defined quantitatively as any loss in excess of $100,000 or a threat that would cause a life-threatening injury requiring emergency intensive care or specialized treatment). These thresholds must be definable and measurable in order to be effective measures of risk. Establishing a risk vocabulary provides for consistency in the communication and interpretation of risk concepts and principles.

  3. Identify and Rank Your Most Important Risks
    With your risk management committee, pinpoint the key risks that face your organization. Consider the likelihood and potential impact of the exposure areas and identify 10 or so that your organization should monitor closely.

    Not-for-profits face unique external risk factors including unstable financial support, competition for grants and federal funding, inadequate oversight of financial resources and increased regulatory pressure for transparency.

    Ranking your organization’s risks allows you to establish priorities for risk mitigation. While it is not essential to rank all risks, you should have a clear idea of where your most pressing issues fall in relation to other risks. Perhaps your organization has historically had difficulty managing donor expectations. Maybe a former employee embezzled money from your not-for-profit. Whatever the case, the high-risk areas your committee identifies will dictate the shape of your risk management plan. Hence, it is essential that the committee accurately identifies your organization’s most pertinent risks.

  4. Establish a Risk Mitigation Strategy
    Your organization can minimize its existing risks in a variety of ways. The commonly accepted approaches to risk mitigation include risk transfer and risk management. Risk transfer refers to the transfer of risk to an external third party (e.g., insurance). Risk management involves establishment of an internal control environment designed to mitigate the specific risk.

    Third-party consultants can help your organization identify and implement its ideal risk mitigation options.

  5. Evaluate Your Internal Control Environment
    Managing risks is an ongoing process. As your organization grows or progresses through its life cycle, its risks will also change. Be sure your monitoring process keeps you current on the risks you take on. Create a system to alert management and your risk management committee to any new problems that may emerge, so that you can quickly and efficiently respond to the issue.

    Do not wait for a triggering event. Organizations should update and review their risk management procedures periodically in order to maximize their strategy’s effectiveness.

  6. Evaluate All New Business Ventures/Initiatives from a Risk Perspective
    We encourage organizations to include risk assessments as part of the process for vetting new programs or initiatives. Consider questions such as the following:
    • Does the new program expose your organization to unnecessary reputational risk?
    • Will it create additional financial strain or risk?

    Proactively addressing exposure areas makes new risks much easier to control in the long term.

  7. Develop Key Risk and Control Metrics
    Identifying risks means nothing unless you have a way to measure impact. Determine how your organization can track the effect risks may have on your organization. Map the relevant internal control to the risk it mitigates. This way, if your organization encounters a risk-related issue, it can address the exact system of internal controls that failed to prevent the event from happening.

  8. Develop Periodic Reporting of All High-Risk Activities
    High-risk activities can bring immediate and impactful consequences to your organization. They should be among the most monitored areas of your operations. Keep detailed records of any programs or transactions that pose a risk to your organization. A thorough approach coupled with periodic reviews of the reporting goes a long way in identifying problems before they become major issues.

  9. Enhance HR Policies
    Since many not-for-profits do not face the same internal risks as commercial entities, risk management may not be a large priority within your organization. Performance evaluations can help incentivize participation in risk control strategies. For key risk control staff and personnel, include an evaluation of their risk management and control activities as part of their annual performance assessments.

  10. Develop an Organization-Wide Training Program
    Risk control should be part of your organization’s overall employee culture. To that end, develop and implement organization-wide risk control programs to help everyone understand what actions or activities increase your organization’s risk. A culture of risk management can help reduce the incidence of employee-related fraud or other risks. Employees may also be more likely to come forward about risks of which management may not be aware.

For further guidance on how to improve and enhance your organization's response to its risks, please contact your local CBIZ office for more information.


Copyright © 2014, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. To ensure compliance with requirements imposed by the IRS, we inform you that, unless specifically indicated otherwise, any tax advice in this communication is not written with the intent that it be used, and in fact it cannot be used, to avoid penalties under the Internal Revenue Code, or to promote, market, or recommend to another person any tax related matter. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.

CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).
