Enterprise risk management (ERM) may sound like something that is only relevant for large businesses, but it’s just as important for nonprofits (NFP) – including smaller organizations. At its core, ERM represents a systematic approach to help leaders minimize harm to the organization while supporting its ability to capitalize on new opportunities. Viewed through that lens, it’s easy to see why ERM merits a high place on your NFP’s priority list.
ERM and the urgency of “normal”
The 21st century has provided ample evidence of the variety and severity of threats that can beset a nonprofit organization. From natural disasters and pandemics to cybercrimes and economic calamities, there is no shortage of unforeseen challenges that can derail mission fulfillment or even pose an existential threat to the organization.
But rare, one-time events are not the only source of risk for nonprofits – or any organization. In a dynamic world, change itself creates both opportunity and risk.
Some everyday risks affect your individual NFP: funding concerns, fraud, data breach, and loss of assets or of functional capacity due to localized catastrophic events such as fire and flood. Wider threats create logistical barriers while massively increasing demand for nonprofit services; COVID-19 immediately springs to mind, along with issues like global conflict and climate change that underlie a rise in natural disasters, famine and migration.
Regulatory risks and those driven by macroeconomic factors can also hit nonprofits especially hard. Whereas profit-driven businesses and well-resourced larger nonprofits may easily navigate inflationary pressures, regulatory change, or a nationwide shortage of skilled workers, for example, smaller organizations often struggle to adapt.
Major risk categories for ERM
The first step in managing risk is identifying potential threats and determining their impact. Many nonprofits share a common threat landscape with additional risks that are unique to the organization. Generally speaking, your ERM program should address risks associated with these five major risk categories:
- Financial
- Fraud
- Regulatory
- Staffing
- Technology
The categories overlap to a significant degree. For example, a data breach (technology) or highly publicized theft (fraud) could cause lasting reputational damage and possibly carry financial and regulatory risks as well.
Your ERM program should capture risk broadly, at the level of the five major risk categories, to inform big-picture risk management. At a more granular level, the ERM program identifies and mitigates specific risks through highly targeted processes and procedures.
Key processes for ERM
What resources and support will you need to limit identified risks, where possible? How does each risk affect long-term plans? Can internal controls prevent or limit negative impacts? How will you gauge how well your risk management strategy protects against different threats? And what opportunities are associated with a particular risk scenario?
Besides identifying the full range of risks to the organization, a complete ERM program gives current answers to each of those questions. But risk management is an ongoing process, not a one-time task you can check off a list. It’s helpful to think of ERM as a cycle designed to gather and incorporate new information to continuously address risk.
Your ERM should have clear steps that build on one another, with enough flexibility to adapt to your findings. Building awareness into your long-term planning is the most appropriate response to some threats, while other risks demand immediate hands-on action. A typical nonprofit ERM program looks something like this:
Overview of ERM reporting best practices
An effective ERM program depends on accurate information; it’s essential to maintain open lines of communication between leadership and staff across the organization to eliminate information gaps. You’ll also need a clear reporting structure with detailed documentation. Together, these support your processes to determine optimal risk mitigation strategies for identified threats, implement appropriate controls, provide training and monitor compliance.
For maximum impact, focus on these additional best practices and priorities as you implement your ERM program:
- Ensure that you have full buy-in and support from leaders
- Seek expert guidance from qualified ERM consultants
- Create organization-wide awareness and engagement for ERM program elements
- Design your ERM with your organization in mind, tailoring the plan to fit
- Standardize ERM terminology and policies across the organization
- Clearly define specific tasks and assign ownership of each one
- Document all discussion, decision processes, implementation and compliance
- Provide ongoing training for individual ERM responsibilities and monitor compliance
- Allocate adequate resources to implement the plan and fulfill each of its elements
Don’t panic – plan
It’s impossible to predict and prepare for all possible threats, completely eliminating their potential to harm your nonprofit. However, a robust ERM strategy can help reduce many types of risk and build a more resilient organization. Connect with the ERM experts at Mauldin & Jenkins and discover how a smarter approach to risk management can help your nonprofit thrive in a shifting threat environment.