Nonprofit Accounting Basics

Be Prepared: Why Enterprise Risk Management is Essential for Nonprofits

Corporations and organizations have long understood the value of systematic planning for worst-case scenarios to avoid unwelcome surprises, known as enterprise risk management (ERM). ERM is a proactive, multidimensional process of identifying, assessing, cataloguing, and preparing for potential negative organizational outcomes in order to reduce business and reputational impacts and help meet core goals. Historically, ERM has been viewed as a necessity chiefly for for-profit enterprises or large nonprofits. This type of top-down strategic planning is especially important for international non-governmental organizations with field offices worldwide.

In today’s increasingly uncertain world of volatile global economic conditions, fast-changing technology, and a shifting regulatory environment, ERM is essential to mitigate risk and ensure survival for entities of all sizes—including small nonprofits. Failing to manage risk jeopardizes the long-term viability of organizations’ business models and brand. Small nonprofits can protect themselves by fostering risk awareness, promoting strategic decision-making that furthers key objectives, and taking concrete action to plan for unexpected outcomes. The first step is understanding ERM. 

What is Enterprise Risk Management?

ERM is a deliberate approach of recognizing organizational risks and creating dynamic response plans with the support of boards of directors and senior executives. This formal process analyzes risks and benefits across an organization to protect it and enable it to continue effectively fulfilling its mission. ERM helps create a risk-aware mindset among staff, integrating risk consideration into organizational culture.

Likely future risks span a broad array of business functions, including management and operational challenges, reputational damage, financial fraud and corruption, compliance scrutiny, cyber threats and data breaches, talent management, and more. According to recent industry survey results, more and more entities are appointing individuals to lead risk management efforts, or creating executive-level risk committees, transforming what has traditionally been a board responsibility. While many organizations already have some elements of risk management in place, these practices are largely inadequate or do not align with strategic goals.

Risk Management for Small Nonprofits

Both for-profit and nonprofit leaders agree that anticipating and adapting to increasingly complex risks in today’s challenging environment is harder than ever. Robust risk management has become a best business practice. Organizations report growing pressure from boards of directors to boost leadership’s role in risk oversight. Small nonprofits must meet this growing demand for transparency from donors and stakeholders, in addition to complying with new regulations requiring greater information disclosure. Beyond these immediate needs, nonprofit leaders and boards have a fiduciary duty to manage industry risk. The threat is real: A 2013 investigation by The Washington Post found that, over a four-year period, more than 1,000 major U.S. nonprofits disclosed in federal filings that they had suffered a “significant diversion” of assets from internal wrongdoing.

Many nonprofits have already taken initial steps to control risk, such as requiring two signatures to issue all checks. Nonprofit boards usually receive annual reports identifying major risks. Other organizations have risk management policy statements or risk inventories, which are positive—if partial—safeguards. Overall, however, most small nonprofits lack a comprehensive risk management process integrated into their operational strategy. This deficit can be attributed in part to persistent perceptions that the costs of ERM outweigh the benefits, pushing enterprise-wide risk planning and mitigation to the bottom of priority lists.

The truth is that risk management improves a nonprofit’s resilience, expanding its range of potential business opportunities and increasing positive outcomes and profitability while reducing adverse impacts and losses. This leads to a more consistently strong performance and efficient use of resources.

Getting Started

Nonprofits should begin by securing buy-in and approval from the board of directors and designating a champion or committee dedicated to and responsible for risk mitigation. Linking risk management responsibilities to incentive compensation can help. This team should use strategic plans as context for prioritizing risks and creating a risk register. A risk committee or chief risk officer will explore and determine who leads and participates in risk assessments, what action steps to include, how best to resolve conflicts, and what documentation and reporting are required. Incorporating technical experts and consultants in the process helps develop sound ERM policy and procedures and effective board reporting tools. Stakeholders should also receive ERM training to ensure consistent understanding and implementation.

Although nonprofits are increasingly aware of the need to strengthen risk mitigation procedures, there is still scant guidance on when and how to adopt such a program, or on the optimal early-stage structure. Risk advisors who specialize in developing right-sized ERM solutions remain an option for small organizations, which can also take several simple steps on their own to enact a comprehensive risk management program. Cost-conscious organizations can draw upon free, do-it-yourself ERM resources to kick-start the important work of containing risk.