6 components of enterprise risk management

Even with constant awareness, people will find ways to commit fraud, and in the nonprofit sector a single incident can be fatal to the organization.

Speaking during the AICPA Not-for-Profit Industry Conference, Mitchell Lewis, David McRoberts and William Mellon covered various aspects of fraud prevention, including enterprise risk management (ERM). ERM takes a broader, portfolio-level approach than managing risks within individual departments, and it addresses risks of both kinds, threats and opportunities, that affect the creation or preservation of organizational value.

They said that an ERM process involves six key components:

  • Have a risk management governance structure that includes clearly defined risk management roles and responsibilities, a risk policy statement, a defined risk appetite and a common risk language used across the organization.
  • Follow a framework, for example the enterprise risk management framework offered by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
  • Have a process to continuously identify the universe of risks and risk events the organization faces.
  • Create a risk profile that includes a defined risk tolerance, quantification and prioritization of risk events, and identification of current controls.
  • Establish risk responses, which include accepting, sharing, reducing or avoiding each risk, and implement the controls and procedures that carry out those responses.
  • Establish a monitoring and reporting process that includes creation of key risk indicators (KRIs), key performance indicators (KPIs) and related reports, and that uses internal audit as a monitoring and board-reporting component of the process.