As more and more nonprofit managers learn that risk is not something confined to the entity known as “Someone Else,” they might find that their own risk-prevention and risk-management policies are inadequate for modern-day contingencies.

Risk management is crucial, and at the AICPA Not-for-Profit Industry Conference, Mitchell Lewis, David McRoberts and William Mellon reviewed enterprise risk management (ERM). They explained that a risk management process is important, but they also said no organization should try to establish one over night. They advocated following a phased approach enhancing transparency and accountability in overall organization and structure. They also advised developing and maintaining a manageable risk and risk-event universe, and they cautioned that one size does not fit all.

They said that an ERM implementation process involves five phases:

• Analyze the organization’s risk management governance structure (e.g., establishment of risk committees, risk policy, defining of risk appetite);
• Identify the risk and risk-event universe;
• Create a risk profile, defining risk event likelihood and impact and risk tolerance, quantifying and prioritizing risk events, identifying current controls, etc.);
• Establish risk responses, including accepting, sharing, reducing or avoiding risks, implementing controls and procedures, creating a Risk Analysis Report; and,
• Enhance the monitoring and reporting process, for example, with the creation of Key Risk Indicators (KRI) and related reports.