How well does your nonprofit measure risk? Risks occur in almost every aspect of business. Managing risk is part of a leader’s job. Enterprise risk management, or ERM for short, offers opportunities to both mitigate and manage risks as well as seize opportunities that present themselves to your organization.
ERM embraces elements of internal controls, the Sarbanes-Oxley Act, and strategic planning. It also echoes the marketing SWOT analysis (strengths, weaknesses, opportunities and threats) by exposing weaknesses and threats and enhancing opportunities and strengths.
ERM evolved as a method to assess risks in a complex business environment. It applies equally as well to nonprofit organizations as it does to for profits, helping senior leaders assess risks and respond appropriately once all of the risk factors and influences are known.
The Committee of Sponsoring Organizations and Treadway Commission (COSO) recently released a new ERM framework. To use it effectively, COSO recommends the following:
- Compare your current ERM practices to the five components and 20 principles of the framework, Enterprise Risk Management — Integrating With Strategy and Performance.
- Identify opportunities as they pertain to specific principles that might add the most value and might help your organization manage risk better.
- Watch out for and identify areas of potential risk. Potential areas of risk are typically new items added to a system, such as new software, new regulations, new programs or other major changes. Anytime there is significant change, there is risk.
- Evaluate the alternatives. If you have identified and evaluated alternatives, you can mitigate risk by having a second or third option to turn to in the event that the first is too risky.
- Examine the business context of the risk and reward. If the reward outweighs the risk, it may be time to act.
- Note connections. Business decisions rarely stand in isolation and are frequently interconnected. Some risks may have a domino effect, imparting additional risks or openings for risk in other areas of the business. Conversely, closing gaps and mitigating risks may have positive impacts. Understanding these impacts is vital for good management.
Frameworks Can Free or Limit
Does the ERM framework feel freeing or limiting? Some leaders claim they can manage just fine without a risk management framework such as ERM while others find it helpful.
Why do some leaders find frameworks stultifying rather than freeing? It may be because they automatically think in terms of such frameworks without consciously applying them to the decision-making process. For example, an experienced nonprofit leader may think ahead to the risks of a potential new software purchase without consciously examining them and applying them in a framework. He may come to a swift decision regarding rewards versus risks without ever saying the words risk management. This may look like instant decision-making to his colleagues, but it’s actually a skill that’s been honed through practice.
Think of an Olympic gymnast; she makes the balance beam look absolutely effortless. Yet it wasn’t always effortless. At some point her career, she had to take the first steps out onto the beam. She made mistakes and she tumbled to the ground. But over time, with continuous effort, practice, coaching and study, she’s mastered a routine that earns a gold medal.
Seasoned CEOs, CFOs, and other top organizational leaders are akin to Olympic athletes. They’ve mastered the craft of decision making and so it looks effortless.
For those who are still learning such craft, studying and practicing decision making frameworks such as ERM can help you become a gold medalist of risk management too.
For more information on the COSO framework, see Enterprise Risk Management: Integrating with Strategy and Performance.
Welter Consulting bridges people and technology together for effective solutions for nonprofit organizations. We offer software and services that can help you with your accounting needs. Please contact Welter Consulting at 206-605-3113 for more information.