Five Key Tips for Your Not-For-Profit Organization’s ERM Process

Having a defined structure in place for your organization’s ERM process will help to formalize a process that may seem elusive, and encourage buy-in from all stakeholders involved in the structure. A common element in this structure is a central risk management officer and/or risk management committee who facilitates progress throughout the ERM framework components and reports to the appropriate stakeholders.

Before an organization can begin identifying and prioritizing its risk portfolio, it must first define the objectives and strategies that the risks may be impeding. Objectives should be at the organizational, departmental, and/or process level and can be defined in qualitative and/or quantitative terms. The objectives should align with the organization’s mission, values, and risk appetite, which is also defined in the ERM process. The COSO 2017 update also stresses the importance of using the results of ERM to help in continuous objective-and-strategy setting.

Be sure to consider various sources and types of risk that could impact your organization’s path to achieving objectives. Risks may result from both internal and external factors, and can be operational, financial, strategic, regulatory, and, most importantly for most not-for-profit organizations, reputational in nature. While boards are ultimately charged with risk oversight, we believe risks can be delegated and “owned” by different stakeholders in an organization to optimize effectiveness and efficiency. Most strategic and reputational risks could be owned by the board of directors; and most operational, financial and regulatory level risks could be managed by the department heads or process owners in management. In organizations with highly-functioning environments, the board and management are appropriately engaged and collaborative about ERM.

Some of the risks, mitigating processes and controls, along with the prioritization assessed as part of ERM will be ever-changing. Therefore, the ERM process should continuously stay up to date with these changes. The risk management officer or committee can be charged with ensuring that both internal and external changes are considered and that all other stakeholders in the ERM structure are involved in continuously keeping updated. The risk management officer or committee can also be charged with making sure the ERM process itself is effective by establishing performance measures, comparing progress against them, and making changes to the process as necessary.

As is emphasized in the 2017 COSO ERM Framework, risk-driven performance management, not just risk monitoring, is what will enhance value. Organizations can drive value by incorporating the risks assessed and prioritized and key performance indicators into operational and strategic decision-making. Example decisions where incorporating ERM can be valuable are: investing in new technology, hiring new management, investing in capital projects, expanding beneficiaries and customers, adding revenue streams, accepting or giving certain grants, and implementing new marketing strategies.

Specific organizations and industries are at varying levels of ERM implementation and sophistication; ERM is not a one-size-fits-all process. Organizations can start to approach ERM by understanding and analyzing their current risk management practices, getting the board and senior management involved, and then developing their near- and long-term ERM goals. Using our industry knowledge and risk management experience, CohnReznick Advisory can also assist organizations with developing their ERM process, assessing and prioritizing risks, and ultimately achieving their ERM goals.

For more information about ERM implementation for not-for-profit organizations, please contact Allison Guttenplan, Senior Manager, CohnReznick Advisory at 646-601-7835 or allison.guttenplan@cohnreznick.com; or John Alfonso, Partner CohnReznick Advisory at 646-254-7415 or john.alfonso@cohnreznick.com.