Dealing aggressively with risk to prevent problems from happening is standard practice at many nonprofits. One form of such pre-emptive action is known as enterprise risk management (ERM).
It is becoming popular with nonprofit leaders, but as with any practice, over time it can accumulate a set of misunderstandings about its purpose or methodology.
During the recent American Institute for CPAs (AICPA) Not-for-Profit Industry Conference, Mitchell Lewis, CPA, and Bob Cummings, CPA, both of accounting firm WeiserMazars, discussed effective ERM. They clarified some of the misconceptions that have sprung up about it.
They said ERM means identifying, considering and developing responses to potential events, both internal and external to an organization, that might negatively affect it. They emphasized that ERM is not an internal audit.
According to Lewis and Cummings, the following are the most common misconceptions about ERM:
- An organization’s ERM process needs to follow a specific form;
- “An ERM process is too expensive for our organization”;
- The existence of a Chief Risk Officer (CRO) or “risk manager” indicates that an organization has a robust ERM process;
- There are limited tangible benefits to ERM, so the net benefit of implementing it throughout the organization is minimal;
- An organization can execute its strategy effectively and perform successfully over the long term without having a sound ERM process; and
- ERM is an annual process that requires little follow-up.