
Implementing Nonprofit ERM Strategies

Jun 15, 2019

Many not-for-profit organizations are gambling with risk by failing to implement enterprise risk management (ERM) strategies. The nonprofit ERM process involves identifying internal and external risks, assessing these potential risks, and creating controls to mitigate them.

Identifying Risks

Begin by selecting an ERM team to identify all possible threats and dangers: from internal and external fraud to possible natural disasters, regulatory non-compliance, civil and criminal litigation, and economic and competitive forces.

Assessing Risks

Once the not-for-profit’s risks are identified, evaluate and prioritize them. Ask how likely these risks are to happen and what would be the consequences if they occurred.

Internal Risks: For example, a restaurant operated by a university generates income from food sales unrelated to the university’s exempt purpose – education. This income must be reported as unrelated business income (UBI) to the IRS. If UBI is not reported, or if it becomes so substantial that the university is no longer operating primarily for tax-exempt purposes, then its tax-exempt status may be revoked.

External Risks: Mother Nature can’t be controlled, but the risk of related damages can be mitigated. If a nonprofit is located in a flood zone with the possibility of major floods every few years, then the risk of costly property damage is high. Even worse is the likelihood of operational interruptions during the rebuilding period.

Developing Risk Responses

After the ERM team has assessed the organization’s risks, a response plan can be developed. Some questions to pose include:

  • Can the risk be avoided? Using the possible flooding example above, the ERM team will likely conclude the risk is unavoidable.
  • Can the risk be shared? “Sharing risk” usually implies having adequate insurance — this is a factor that the organization can control. Purchasing flood insurance can offer protection that makes the risk acceptable.
  • Can the risk be reduced through policies and procedures? In the UBI example above, implementing procedures to track and report food sales can reduce risk. Assigning an employee to gather the information and report the results to a manager for review is another procedure that further reduces risk.
  • Can the risk be accepted by taking no action? Sometimes the risk is so minimal — or the consequences so minor — that the ERM team may decide to accept a risk and take no action.

Creating Controls to Mitigate Risk

Controls — in the form of policies, procedures and other safeguards — can help contain risks. For example, suppose the area surrounding the organization has been experiencing an increase in thefts. The nonprofit ERM team determines there is a risk of staff and volunteers becoming victims of crime as they go to and from the parking lot. The ERM team implements a buddy system requiring two people to walk to the parking lot together during business hours. After hours, a security guard will be on the premises to offer escorts.

Monitoring and Reporting Controls

It’s critical to monitor the controls in the nonprofit ERM program on an ongoing basis. Designating employees to review controls on a regular basis helps ensure compliance.

Consider an internal control assessment to help evaluate whether the control procedures are being followed and to identify any additional risks. The results of all monitoring activities should be reported back to the ERM team.

Nonprofit ERM

CRI’s not-for-profit CPAs can help your organization throughout the ERM process, including implementing controls to deter fraud.
