Many nonprofit leaders are familiar with the concept of enterprise risk management (ERM). What they might not know is what goes into ERM.
During the American Institute for CPAs (AICPA) Not-for-Profit Industry Conference, speakers Mitchell Lewis and Bob Cummings said ERM means identifying, considering and developing responses to potential events, both internal and external to an organization, that might negatively impact an organization. It is not an internal audit.
Lewis and Cummings said that there are six key components to an effective ERM process:
- Have/develop a risk management governance structure. It should align with organizational structure and goals and include clarity of risk management goals and responsibilities.
- Follow a risk management framework. Examples include those established by the Committee of Sponsoring Organizations (COSO) or ISO 31000.
- Continuously identify the risk and risk event universe through creation of a risk register. This can be done through surveys, interviews, brainstorming sessions and comparison to other organizations.
- Create and manage a risk profile. It should include a defined risk tolerance, quantification and prioritization of risk events and identification of risk event triggers, risk event consequences and key risk triggers.
- Establish risk responses. It should include accepting, sharing or avoiding risk, mitigating risk, a communications plan and a public relations plan.
- Monitor and report. This process should be performed at intervals appropriate to the risk universe in which the organization operates.