Five Key Tips for Your Not-For-Profit Organization’s ERM Process

    As more and more not-for-profit organizations are appreciating the importance and value of an enterprise risk management (ERM) process, many are asking how to best implement one.

    An ERM process allows those charged with governance, management, staff, and other stakeholders to have a consistent and prioritized perspective on the portfolio of risks across an organization. With this baseline information, these stakeholders can make informed, risk-based decisions in the pursuit of achieving the organization’s objectives.

    The Committee of Sponsoring Organizations of the Treadway Commission (COSO), the key authority providing thought leadership on ERM and internal controls, developed the following ERM process framework:


    Source: COSO 2017 publication: Enterprise Risk Management – Integrating with Strategy and Performance

    While there are many contributing factors to a successful ERM process, the following are five key steps to implementing and/or improving your organization’s process, each correlating to one of the COSO framework components:

    1. Develop a formal governance structure

    Having a defined structure in place for your organization’s ERM process will help to formalize a process that may seem elusive, and encourage buy-in from all stakeholders involved in the structure. A common element in this structure is a central risk management officer and/or risk management committee who facilitates progress throughout the ERM framework components and reports to the appropriate stakeholders.

    2. Objectives and strategies are at the core of ERM

    Before an organization can begin identifying and prioritizing its risk portfolio, it must first define the objectives and strategies that the risks may be impeding. Objectives should be at the organizational, departmental, and/or process level and can be defined in qualitative and/or quantitative terms. The objectives should align with the organization’s mission, values, and risk appetite, which is also defined in the ERM process. The COSO 2017 update also stresses the importance of using the results of ERM to help in continuous objective-and-strategy setting.

    3. Consider various perspectives when identifying and prioritizing risk

    Be sure to consider various sources and types of risk that could impact your organization’s path to achieving its objectives. Risks may result from both internal and external factors, and can be operational, financial, strategic, regulatory, and, most importantly for most not-for-profit organizations, reputational in nature. While boards are ultimately charged with risk oversight, we believe risks can be delegated to and “owned” by different stakeholders in an organization to optimize effectiveness and efficiency. Most strategic and reputational risks could be owned by the board of directors, and most operational, financial, and regulatory-level risks could be managed by the department heads or process owners in management. In high-functioning organizations, the board and management are appropriately engaged with and collaborative about ERM.

    4. Remember that this is an ongoing process

    The risks, the mitigating processes and controls, and the prioritization assessed as part of ERM will be ever-changing. Therefore, the ERM process should continuously stay up to date with these changes. The risk management officer or committee can be charged with ensuring that both internal and external changes are considered and that all other stakeholders in the ERM structure are involved in keeping it continuously updated. The risk management officer or committee can also be charged with making sure the ERM process itself is effective by establishing performance measures, comparing progress against them, and making changes to the process as necessary.

    5. The value of the ERM process is achieved only after it is woven into the decision-making process

    As is emphasized in the 2017 COSO ERM Framework, risk-driven performance management, not just risk monitoring, is what will enhance value. Organizations can drive value by incorporating the assessed and prioritized risks, along with key performance indicators, into operational and strategic decision-making. Example decisions where incorporating ERM can be valuable are: investing in new technology, hiring new management, investing in capital projects, expanding beneficiaries and customers, adding revenue streams, accepting or giving certain grants, and implementing new marketing strategies.

    Specific organizations and industries are at varying levels of ERM implementation and sophistication; ERM is not a one-size-fits-all process. Organizations can start to approach ERM by understanding and analyzing their current risk management practices, getting the board and senior management involved, and then developing their near- and long-term ERM goals. Using our industry knowledge and risk management experience, CohnReznick Advisory can also assist organizations with developing their ERM process, assessing and prioritizing risks, and ultimately achieving their ERM goals.

    Gain insight

    For more information about ERM implementation for not-for-profit organizations, please contact Allison Guttenplan, Senior Manager, CohnReznick Advisory at 646-601-7835 or; or John Alfonso, Partner CohnReznick Advisory at 646-254-7415 or

    Subject matter expertise

    • John Alfonso

      CPA, CGMA, Partner - Not-for-Profit & Education Industry Leader


    CohnReznick’s Not-for-Profit & Education Industry Practice

    This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.