Developing effective enterprise risk management

Experience might be the best teacher, but experience has shown nonprofit leaders that waiting for a fiasco and then hiding under the desk is not the way to go.

Nonprofit managers are looking more toward preventing problems, and at the American Institute for CPAs (AICPA) Not-for-Profit Industry Conference, Mitchell Lewis and Bob Cummings presented details about enterprise risk management (ERM).

Lewis and Cummings said that both the Committee of Sponsoring Organizations (COSO) and the Institute of Internal Auditors (IIA) have their own definitions, but they offered this handy brief definition: Identifying, considering and developing responses to potential events, both internal and external to an organization, that might negatively impact an organization. They emphasized that it is not an internal audit.

The characteristics of an effective ERM are that it:

  • Furthers the achievement of business objectives;
  • Enhances transparency and accountability throughout the organization;
  • Motivates desired conduct and identifies unethical/illegal behavior;
  • Furthers operation within legal, contractual, internal, social and ethical boundaries;
  • Provides relevant and timely information to appropriate stakeholders;
  • Reduces the number and impact of unwanted “surprises”;
  • Focuses management attention on the truly important risks;
  • Links organizational decision making so that returns align with risks taken; and,
  • Increases stakeholder confidence and organizational value.