San Francisco, Calif. — Nonprofit financial managers could have been counting calories and poundage as part of a service project in advance of this week’s Nonprofit Financial Executives Forum sponsored by the American Institute of Certified Public Accountants (AICPA).

The managers packed more than a peck of pears — 32,976 of them to be precise — helping out at the San Francisco Food Bank. The food bank daily ships 100,000 pounds of food to organizations in San Francisco and Marin counties. They then retired to the hotel for nearly three hours of risk management training.

While preparing 100,000 pounds of food is a process, so is enterprise risk management. And just as there are numerous types of pears, there are many ways of handling risk management. The first element is to understand the difference between risk management and enterprise risk management. Organizations must agree on the definition of terms, according to Melanie Lockwood Herman, executive director of the Nonprofit Risk Management Center in Leesburg, Va. She offered a definition of risk from the Health Education Funding Council for England, that risk is “the treat or possibility that an action or event will adversely or beneficially affect an organization’s ability to achieve its objectives.”

She explained that enterprise risk management (ERM) should be understood as “referring to any broadly based conception of risk management.” Specifically, Herman said ERM is:

• All encompassing in scope: It should help leaders look beyond the areas where the nonprofit is generally comfortable managing risk;
• Strategy and mission-focused: Should help achieve mission and objectives; and,
• Bird’s Eye View of organizational life: It should help leaders see overarching issues, with the ability to “drill down” to see risks and strategies in detail.

Herman said that ERM becomes the organization’s institutional radar and that, sometimes, organizational culture change is needed. Decision-making has to be inclusive and disciplined. The organization’s risk appetite needs to be understood.

There are key questions and organizational framework for ERM:

• What are your major categories of risk and what are the levels of risk?
• Who is involved in risk oversight and who should be involved?
• Who manages each category or level of risk?
• How is responsibility for risk and issues escalated or delegated?
• How do you ensure the bird’s eye view and a clear view of risk at the intersections? 

ERM can be a seismic shift in how an organization operates. Knowing the organization’s risk appetite is vital.