As more and more not-for-profit organizations are appreciating the importance and value of an enterprise risk management (ERM) process, many are asking how to best implement one.

An ERM process allows those charged with governance, management, staff, and other stakeholders to have a consistent and prioritized perspective on the portfolio of risks across an organization. With this baseline information, these stakeholders can make informed, risk-based decisions in the pursuit of achieving the organization’s objectives.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO), the key authority providing thought leadership on ERM and internal controls, developed the following ERM process framework:

Source: COSO 2017 publication: Enterprise Risk Management – Integrating with Strategy and Performance

While there are many contributing factors to a successful ERM process, the following are five key steps to implementing and/or improving your organization’s process, each correlating to one of the COSO framework components:

1.Develop a formal governance structure 

Having a defined structure in place for your organization’s ERM process will help to formalize a process that may seem elusive, and encourage buy-in from all stakeholders involved in the structure. A common element in this structure is a central risk management officer and/or risk management committee who facilitates progress throughout the ERM framework components and reports to the appropriate stakeholders.

2.Objectives and strategies are at the core of ERM

Before an organization can begin identifying and prioritizing its risk portfolio, it must first define the objectives and strategies that the risks may be impeding. Objectives should be at the organizational, departmental, and/or process level and can be defined in qualitative and/or quantitative terms. The objectives should align with the organization’s mission, values, and risk appetite, which is also defined in the ERM process. The COSO 2017 update also stresses the importance of using the results of ERM to help in continuous objective-and-strategy setting.

3.Consider various perspectives when identifying and prioritizing risk

Be sure to consider various sources and types of risk that could impact your organization’s path to achieving objectives. Risks may result from both internal and external factors, and can be operational, financial, strategic, regulatory, and, most importantly for most not-for-profit organizations, reputational in nature. While boards are ultimately charged with risk oversight, we believe risks can be delegated and “owned” by different stakeholders in an organization to optimize effectiveness and efficiency. Most strategic and reputational risks could be owned by the board of directors; and most operational, financial and regulatory level risks could be managed by the department heads or process owners in management. In organizations with highly-functioning environments, the board and management are appropriately engaged and collaborative about ERM.

4.Remember that this is an ongoing process

Some of the risks, mitigating processes and controls, along with the prioritization assessed as part of ERM will be ever-changing. Therefore, the ERM process should continuously stay up to date with these changes. The risk management officer or committee can be charged with ensuring that both internal and external changes are considered and that all other stakeholders in the ERM structure are involved in continuously keeping updated. The risk management officer or committee can also be charged with making sure the ERM process itself is effective by establishing performance measures, comparing progress against them, and making changes to the process as necessary.

5.The value of the ERM process is achieved only after it is woven into the decision-making process

As is emphasized in the 2017 COSO ERM Framework, risk-driven performance management, not just risk monitoring, is what will enhance value. Organizations can drive value by incorporating the risks assessed and prioritized and key performance indicators into operational and strategic decision-making. Example decisions where incorporating ERM can be valuable are: investing in new technology, hiring new management, investing in capital projects, expanding beneficiaries and customers, adding revenue streams, accepting or giving certain grants, and implementing new marketing strategies.

Specific organizations and industries are at varying levels of ERM implementation and sophistication; ERM is not a one-size-fits-all process. Organizations can start to approach ERM by understanding and analyzing their current risk management practices, getting the board and senior management involved, and then developing their near- and long-term ERM goals. Using our industry knowledge and risk management experience, CohnReznick Advisory can also assist organizations with developing their ERM process, assessing and prioritizing risks, and ultimately achieving their ERM goals.

Gain insight

For more information about ERM implementation for not-for-profit organizations, please contact Allison Guttenplan, Senior Manager, CohnReznick Advisory at 646-601-7835 or [email protected]; or John Alfonso, Partner CohnReznick Advisory at 646-254-7415 or [email protected].