For as much as nonprofit leaders have a healthy respect for risk and a desire to implement leading-edge enterprise risk management (ERM) programs, many still struggle with translating the theory they find in literature into a practical and effective program. There is no single, correct way to implement ERM, which leaves managers to their own devices in interpreting ERM concepts as they attempt to adopt risk management protocols.
This often leads to suboptimal efforts that fall short of achieving their objectives — or worse, to abandonment of ERM initiatives altogether. However, effective implementation of ERM can indeed be achieved, and the common pitfalls that organizations face when designing an ERM program from scratch can be overcome.
Success comes from utilizing a comprehensive, structured methodology, informed by the experience of others, to identify, evaluate, report and mitigate key risks to your organization. Here are best-practices strategies — from organizations that have recently successfully deployed ERM or those that are currently in the midst of successful implementation — to overcome the challenges you will face and translate theory into meaningful, practical action. Recognize that risks do not all have the same impact.
Even the most introductory primer on ERM will tell you that you have to evaluate the impact of a risk. Put simply, risk impact is the degree to which you will be affected by a risk if it were to happen. However, not all risks will affect an organization in the same way. While senior leaders are typically adept at identifying their organization’s top risks, they often perceive the impact of each risk, and what therefore constitutes an appropriate response, quite differently.
Example: A chief financial officer (CFO) might not perceive a significant impact associated with inaccurate reporting of nonfinancial data (e.g., program impact data) because it would not cause an appreciable change in revenue or expense. The vice president of communications, on the other hand, would be highly attuned to the consequences of negative press associated with such an incident. The key is to recognize that impact has many different facets.
- To align discussions around why risks are significant and what should be done about them, divide your analysis into types of impact:
- Strategic — Causes a strategic objective to fail;
- Financial — Incurs unanticipated cost or reduces revenues;
- Operational — Affects the quality or efficiency of how work gets done;
- Reputational — Creates negative media attention:
- Environmental, health and safety — Jeopardizes staff, volunteer or others’ well-being;
- Technology — Exposes applications, data, operating systems, network or infrastructure to inappropriate access/change; and,
- Legal — Triggers arbitration or litigation against your organization.
When evaluating risks, you should consider the resulting impact. One risk may have a high financial and technology impact, while another may be more reputational in nature. At times, one or more of the impact types won’t apply at all. While these are typical impact categories, management may decide that other types of impact apply.
Matt Lerner is director, Advisory Services, Not-for-Profit and Higher Education practices at Grant Thornton LLP. His email is firstname.lastname@example.org. Paul Klein was managing director, Advisory Services, Not-for-Profit and Higher Education practices at Grant Thornton.