Similar to for-profit corporations, nonprofits and charitable organizations (hereafter “nonprofits”) are highly susceptible to myriad risks. Faced with pressures created by today’s economic environment, nonprofits participate in a fiercely competitive environment. Barriers to entry for new organizations are low, and donors can easily shift their giving to alternate organizations. Additionally, nonprofits are generally staffed with employees and volunteers who are first committed to helping the organization achieve its mission. The achievement of this mission requires considerable resources, often leaving less than adequate time for these individuals to establish and/or maintain enterprise risk management (ERM) processes.
When properly implemented, “ERM processes can not only help nonprofits safeguard assets and their reputation, they can also allow the organization to capitalize on opportunities afforded by risk taking,” says Harry Cendrowski, managing director, Cendrowski Corporate Advisors. “In this manner, ERM implementation is similar to corporate strategy initiatives.”
Smart Business spoke with Cendrowski about the risks faced by nonprofits and the manner in which a nonprofit can develop and implement an effective ERM process.
How should a nonprofit develop an ERM process?
Risk management for nonprofits begins at the highest levels of the organization, with the board and C-suite executives. Before risk management processes can be devised and implemented, these individuals must work together to identify an overarching, balanced philosophy of risk. This philosophy should detail the risks the organization is willing to bear, as well as the expected reward for taking such risks. It should also be accepted uniformly among high-level individuals, for if it is not, downstream employees and volunteers will see a fractured view of not only the organization’s risk philosophy but also the vision by which the organization will achieve its mission. This may, in turn, lead these individuals to make decisions that are not necessarily in the nonprofit’s best interest and most certainly not aligned with its balanced risk philosophy.
Once a balanced risk philosophy has been established, the risks faced by a nonprofit should be enumerated and evaluated according to their potential impact to the organization and likelihood of occurrence. A priority should be placed on mitigating high-impact/high-likelihood events, as these risks pose the greatest threat to the organization. Mitigation might include the implementation of processes designed to detect and correct risks once they have occurred, or processes designed to prevent risks from occurring.
What mistakes do organizations make in establishing ERM processes?
Many nonprofits and for-profit corporations do not allow enough time for an ERM process to take hold within the organization. They sometimes rush implementation, which, in turn, causes a lack of process ownership at the employee or volunteer level.
The implementation of an ERM process first requires significant cultural change; this is not something that can be altered overnight. Cultural change is an indirect effect of other organizational changes and leadership behavior; it cannot be directly effected by leadership. However, once cultural change has been embraced, and a risk-focused culture has been adopted, employees and volunteers will be conscious about the risks associated with their jobs and the impact such risks may have on the organization.
How much time should leaders and the board allot for the implementation of an ERM process?
The amount of time required for an ERM process’s implementation varies for every organization. In addition to being a function of the organization’s size, it is also a function of the current state of the organization’s environment and the approach of its employees and volunteers. If these individuals have rarely had to think about risk, an ERM process will take a considerable amount of time to implement. ERM is very similar to corporate strategy in that changes can certainly take place, but they may require considerable time to implement. Short- and long-range ERM plans should be developed, complete with key milestones and roles and responsibilities for process managers. These plans should subsequently be monitored to ensure that the organization is progressing and that the ERM process is evolving as the organization intended. This will ensure that realized benefits of the ERM process are maximized.
What benefits can nonprofits realize from ERM processes?
ERM helps nonprofits maintain their relevance and capitalize on opportunities presented by risk. For example, when its goal of defeating polio was achieved, the March of Dimes made a conscious change to focus its efforts on preventing birth defects. Without this change — or the support of the change from its donor base — the organization would probably have become irrelevant to its donors. ERM also helps nonprofits mitigate perhaps the largest risk they face: reputational risk. Stripped of a once-sterling reputation, a nonprofit will find it extremely difficult to rebuild its image. This could have far-reaching consequences beyond the direct realization of a risky event.
For example, in a university setting, misappropriation or misuse of university endowment funds could have a significant impact on the organization’s overall reputation. Both Princeton and Yale University recently settled lawsuits in which the plaintiffs alleged the universities misused millions of dollars of endowment funds. The lawsuits harmed the reputation of the university not only in the eyes of existing donors, but also potential donors looking to make contributions, faculty, staff and even potential students.
It is important to note that what begins as the realization of a seemingly isolated risk may soon impact the organization as a whole — on many levels — if a functioning ERM process is not in place.