mission Matters 4 Point Checklist: Enterprise Risk Management December 04, 2015 ERM is a system that allows nonprofits to collect risk information from all parts of the organization to be in a better position to win new business. Like all industries, nonprofits need strong risk management systems, to prevent destruction, win new business, and ensure stability. Risks in nonprofits typically involve people, property, income, or goodwill, so an effective Enterprise Risk Management (ERM) system depends on pinpointing and controlling forces that affect any of these categories in a more holistic way than traditional risk management. The role of the audit committee This holistic approach in ERM is driven by the fact that everyone from the board who volunteers is expected to be involved in the risk management process. Many organizations use their audit committees to oversee and maintain risk management processes, however. The audit committee’s responsibilities regarding ERM should be clearly outlined in the organization’s charter, and are largely based on setting the right tone and getting management on board with the system. The committee should represent the interests of shareholders and diligently oversee upper management’s approach and dedication to implementation and upkeep of ERM. 4 parts of effective ERM Identifying and evaluating the risks (internal and external)- Before ERM can help your organization, you need to pinpoint all risk areas in your organization. All people involved in your organization will be able to pinpoint risks that they have come across. These might include: Legal risks- compliance with laws and regulations, maintaining 501(c)(3) status, etc. Operational risks- anything risky involving day to day operations of the organization Financial risks- issues surrounding revenues, expenses, allocation of expenses, and monitoring finances Risks involving personnel- Have you properly screened and trained all employees and volunteers? Fundraising risks- Have you identified all potential risks involved in fundraising events you’re hosting? Fraud risks Determining proper internal control procedures- Once you’ve identified the risks, policies and internal control procedures should be developed in order to mitigate them. Existing controls might need to be updated according to feedback from your staff, and new controls may need to be put in place to address other areas of risk that you’ve identified. Controls should be prioritized in a “risk assessment” according to which risks are most likely to happen, as well as the risks that will cause the most detriment to your nonprofit. Maintaining and monitoring- The audit committee’s job is to oversee ERM, but maintaining it falls on all members of the organization. All internal control procedures should be clearly outlined to employees, and each part of the organization will have a unique responsibility in the collective implementation of ERM. Reporting on the progress- The audit committee should put together a report on the progress of ERM and present it to the board of directors, other members of the executive management team, and external stakeholders. It is vital to have adequate policies in place given the financial, organizational and technological risks facing nonprofits today. If you do not have adequate policies in place to respond to a crisis situation, your organization’s reputation and mission could be in danger. Questions? Contact any member of our Not-for-Profit Services Team.