Similar to for-profit corporations, nonprofits and charitable organizations (hereafter “nonprofits”) are highly susceptible to myriad risks. Faced with pressures created by today’s economic environment, nonprofits participate in a fiercely competitive environment. Barriers to entry for new organizations are low, and donors can easily shift their giving to alternate organizations. Additionally, nonprofits are generally staffed with employees and volunteers who are first committed to helping the organization achieve its mission. The achievement of this mission requires considerable resources, often leaving less than adequate time for these individuals to establish and/or maintain enterprise risk management (ERM) processes.
When properly implemented, “ERM processes can not only help nonprofits safeguard assets and their reputation, they can also allow the organization to capitalize on opportunities afforded by risk taking,” says Harry Cendrowski, managing director, Cendrowski Corporate Advisors. “In this manner, ERM implementation is similar to corporate strategy initiatives.”
Smart Business spoke with Cendrowski about the risks faced by nonprofits and the manner in which a nonprofit can develop and implement an effective ERM process.
How should a nonprofit develop an ERM process?
Risk management for nonprofits begins at the highest levels of the organization, with the board and C-suite executives. Before risk management processes can be devised and implemented, these individuals must work together to identify an overarching, balanced philosophy of risk. This philosophy should detail the risks the organization is willing to bear, as well as the expected reward for taking such risks. It should also be accepted uniformly among high-level individuals, for if it is not, downstream employees and volunteers will see a fractured view of not only the organization’s risk philosophy but also the vision by which the organization will achieve its mission. This may, in turn, lead these individuals to make decisions that are not necessarily in the nonprofit’s best interest and most certainly not aligned with its balanced risk philosophy.
Once a balanced risk philosophy has been established, the risks faced by a nonprofit should be enumerated and evaluated according to their potential impact to the organization and likelihood of occurrence. A priority should be placed on mitigating high-impact/high-likelihood events, as these risks pose the greatest threat to the organization. Mitigation might include the implementation of processes designed to detect and correct risks once they have occurred, or processes designed to prevent risks from occurring.
