Managing Risk in the Nonprofit World
Most for-profit companies consider a comprehensive risk assessment or survey process to be a critical part of their overall risk management process. However, many not-for-profit organizations do not necessarily understand or appreciate the benefits of such an approach and this can expose the organization to future problems that could be avoided.
Whether you are for profit or not for profit the goals of a sound risk assessment process are as follows:
- To identify, analyze and prioritize legal/ethical misconduct and compliance risks;
- To provide a basis for possible compliance, training and ethics programs;
- To develop risk mitigation approaches;
- To identify areas where deeper analysis and/or measurement of risk may be required;
- To measure the effectiveness of any risk mitigation controls or steps that may have been instituted.
A Simple Risk Assessment Approach
A good risk assessment should aim to discuss and review the probability of occurrence of each risk assessed and then the impact or severity of the risk should it occur. It should then look at possible mitigating factors to various risks and suggest a process for monitoring and controlling risk. At a more detailed level the process works in the following way:
1. Identify All Major Risks
Here we start by listing all types of risk faced by the organization. Many risks are “threat risks”, which can result in fines, penalties, liabilities or even loss of tax exemption, and which can be operational, legal, financial, or related to the investments of the organization. Other risks relate to possible failure (such as the chance that a strategy or program fails). For many nonprofit organizations, failing to embrace risk in their programs or grants may result in a cautious, unimaginative organization. An organization may wish to adopt a risk “appetite” that defines how it generally views the risks it will embrace. Most nonprofit organizations have similar risks, which can be generally described as follows:
- Internal or external fraud
- Misuse of assets
- Inadequate monitoring or understanding of investments
- Incomplete, unreliable or improperly reported information
- Damage to reputation caused by a variety of potential factors
- Violations of legal rules, regulations and laws
- Government investigations or audits
2. Talk to “Front-line” Employees
Once possible risks have been identified, employee input needs to be sought to validate which risks look most pressing and, in some cases, to understand the detail. A risk assessment will include discussions with staff at varying levels and in different areas of the organization, but the closer they are to the process and how it works in practice, the better. Particular care and attention should be paid to those risks that have a higher likelihood of occurrence and a more significant impact or severity.
3. Rate the Risk to Assess Likelihood and Severity of Impact
In assessing the likelihood of a particular risk occurring, the following factors might be considered:
- Your organization’s risk appetite in general
- The organization’s culture
- The legal or compliance regime which broadly applies
- Specific policies
- Existing internal controls
- Workforce awareness and knowledge
- Past history
- Employee intent and motivation
When assessing likelihood the following scale may be useful in categorizing the probability of a risk’s occurrence:
| Likelihood | Explanation |
|---|---|
| Almost Certain | Highly likely; this event is expected to occur. |
| Likely | Strong possibility that an event will occur, and there is sufficient historical incidence to support it. |
| Possible | Event may occur at some point; typically, there is history to support it. |
| Very Rare/Unlikely | Highly unlikely, but it may occur in unique circumstances. |
Similarly, the impact or severity of a risk can be assessed using the following example scale:
| Impact or Severity | Explanation |
|---|---|
| Minor | Low severity or little impact on people, quality or costs |
| Moderate | Moderate severity or some measurable impact on people, quality or costs |
| Severe | High severity or significant impact on people, quality or costs. In human terms this would include possible long-term injury or even death |
4. Addressing or Mitigating Risk
There are several steps that any organization, regardless of its size or type, can take to address or mitigate risks. These steps are outlined below.
- Set the right tone at the top: Risk control is extremely difficult unless the leaders of the non-profit—senior staff and the board—take risk determination seriously and act as good role models. In other words, compliance and risk management starts at the top, with the executive and the board. The board of the nonprofit must therefore maintain vigilant oversight of the organization directly or through committees with very specific roles and responsibilities to assess risk and then act to mitigate it.
- Segregate duties: It is critical that staff duties regarding oversight of assets, reporting, and payments be segregated so that there are sufficient checks and balances to protect against possible fraud or asset misuse.
- Set payment controls: The greatest fraud often arises from a lack of adequate payment controls, where one party or department is able to shield payments from other departments or parties. For example, payment controls can include requiring two signatures on checks together with an appropriate reconciliation process. Accountants and attorneys can be helpful in suggesting the appropriate controls for the nature of the specific organization.
- Conduct “due diligence” exercises: Any nonprofit should conduct adequate due diligence and ensure that there has been legal review of contracts or other agreements. Due diligence checklists for investments, grants and vendors are available from a variety of sources.
- Conduct audits (external and internal): Even the best set of controls or processes should be subject to periodic review and audit. The use of an independent outside firm to perform periodic audits on specific processes or controls is ideal but even an internal review is better than doing nothing.
- Implement and follow strong internal policies: A well-governed nonprofit should have a range of key internal policies in place that everyone has read and understands. These should cover conflicts of interest, whistle-blowing, payment controls, a code of ethics, and dealing with sexual and other harassment and bullying.
Performing a thorough and comprehensive risk assessment may seem both time consuming and burdensome to many organizations. However, it should be seen as a key part of the responsibility of the managers or stewards of any non-profit entity. Hopefully, this article offers guidance to allow any organization to initiate, continue, or improve its own risk assessment process.