5 rules of enterprise risk management

As more and more nonprofit managers learn that risk is not something confined to the entity known as “Someone Else,” they might find that their own risk-prevention and risk-management policies are inadequate for modern-day contingencies.

Risk management is crucial, and at the AICPA Not-for-Profit Industry Conference, Mitchell Lewis, David McRoberts and William Mellon reviewed enterprise risk management (ERM). They explained that a risk management process is important, but they also said no organization should try to establish one overnight. They advocated following a phased approach that enhances transparency and accountability in the organization's overall structure. They also advised developing and maintaining a manageable risk and risk-event universe, and they cautioned that one size does not fit all.

They said that an ERM implementation process involves five phases:

  • Analyze the organization’s risk management governance structure (e.g., establishment of risk committees, risk policy, definition of risk appetite);
  • Identify the risk and risk-event universe;
  • Create a risk profile (defining risk-event likelihood and impact and risk tolerance, quantifying and prioritizing risk events, identifying current controls, etc.);
  • Establish risk responses, including accepting, sharing, reducing or avoiding risks, implementing controls and procedures, and creating a Risk Analysis Report; and
  • Enhance the monitoring and reporting process, for example, with the creation of Key Risk Indicators (KRIs) and related reports.