4. Objectives
• Understand the concept of enterprise risk management
• Apply examples of a well-defined risk assessment program to your organization
• Articulate benefits of a risk assessment program
Enterprise Risk Management
5. Enterprise Risk Management Defined
• The process of identifying and analyzing relevant risk from an integrated, organization-wide perspective
• The concept is designed to identify potential events that may prevent an organization from achieving its operational, financial and compliance objectives
6. Risk: Definition
“The uncertainty of an event occurring that could have an impact on the achievement of objectives.”
– Institute of Internal Auditors (IIA)
7. Risk: Key Terms
Key terms to note when evaluating risk in an organization:
– Likelihood/occurrence
– Impact/consequences to the nonprofit or association
8. Types of Risk
• Technology
• Financial
• Operations
• Reputation
• Human Capital
• Strategic
• Compliance
• Donors
17. Attributes For Implementing A Successful Enterprise Risk Program
• Obtain strong, visible support from senior management and/or the Board of Directors
• Dedicate a cross-functional group to drive the implementation and continue to push it in the operational phase
• Closely link ERM to key strategic/financial objectives and to the business planning process
• Introduce ERM as an enhancement to well-accepted processes—not a standalone process
18. Risk Assessment Activities
• Establish goals and objectives
• Identify risks
• Analyze risks
• Evaluate the risks
• Address the risks
19. Nonprofit Risk Universe
• Governance
• Performance goals and results
• Information technology/network security/data privacy
• Human resources
• Succession planning
• Donor demographics
• Safety and security
• Business continuity
• Financial reporting/grant
20. Evaluation Criteria
Area of Focus
Impact:
• Financial
• Stakeholder
• Reputation
• Legal/Regulatory
• Operations
Vulnerability:
• Control efficiency & operating effectiveness
• Speed of response
• Complexity
• People
• Operational efficiency
• System change
• Rate of change
Scale:
• High Risk
• Moderate Risk
• Low Risk
21. Risk Scoring During The Risk Assessment Process
Risk scale: Low, Moderate, High
Speaker notes

Over a decade ago, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued “Internal Control – Integrated Framework” to help businesses and other entities assess and enhance their internal control systems. Recent years have seen heightened concern and focus on risk management. In 2001, COSO initiated a project and engaged PricewaterhouseCoopers (PwC) to develop a framework that would be readily usable by management to evaluate and improve their organizations’ enterprise risk management. The period of the framework’s development was marked by a series of high-profile business scandals and failures.

The underlying premise of enterprise risk management is that every entity exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables management to deal effectively with uncertainty and its associated risk and opportunity, enhancing the capacity to build value. It helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the entity’s reputation and the associated consequences. In sum, enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.
Technology risk considers the level of use, sophistication, complexity, robustness and ease of use of systems, and the speed and accuracy of their recovery or replacement. It addresses the overall importance of technology within the organization, the availability and quality of information the organization can access to support decision-making, and the security of key information.

Financial risk is the risk that the organization’s financial reporting is inaccurate, incomplete or untimely due to a variety of factors, including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet investor expectations.

Operations risk: the organization provides, or relies on outsiders to provide, processing activities supporting the delivery of services or products to its customers. This risk addresses barriers to the timeliness, accuracy, authorization and completeness of these processing activities.
Human capital risk addresses the types of behavior encouraged by management, the methods used to reward employees, the approach to consistently enforcing policies and procedures, the selection, screening and training of employees, and the reasons for and frequency of turnover.

Compliance risk: the organization is subject to a variety of federal, state and local laws, regulations and directives, and to accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.
In order to complete a successful ERM program you need to:
– Establish goals and objectives
– Identify risks
– Analyze risks
– Evaluate the risks
– Address the risks

Each process within the functional unit is evaluated for cumulative impact and organizational vulnerability using a 3-point scale.

Identify risk factors and assign weighted risk scores. Use a risk multiplier to calculate your average risk scores (Low, Moderate, High):
– Identify objectives/assets/auditable activities
– Analyze the risks by considering their likelihood and consequence/impact
– Assign ratings to the risks
– Review with the Board of Directors, senior management, and outside advisors
– Use the ranking to develop risk mitigation and action plans (involve line managers in the ERM process and roll up firm initiatives to the Board and senior management)
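As an added example, not part of the original deck, the following shows how the 3-point impact/vulnerability scoring described above can produce the Low/Moderate/High ranking used to prioritize the action plan. The criteria names come from the Evaluation Criteria slide and the activities from the Nonprofit Risk Universe slide; the weights, the multiplier (impact times vulnerability), the cut-offs and the sample ratings are assumptions.

```python
# Added example (not from the slides): score activities on the 3-point impact/vulnerability
# scale from the Evaluation Criteria slide and rank them Low/Moderate/High. The weights,
# the multiplier (impact x vulnerability) and the cut-offs are assumptions, not the deck's.

SCALE = {1, 2, 3}  # 3-point scale: 1 = Low, 2 = Moderate, 3 = High
# Illustrative weights; each group sums to 1.0 so a weighted score stays within 1-3.
IMPACT_WEIGHTS = {"Financial": 0.30, "Stakeholder": 0.15, "Reputation": 0.20,
                  "Legal/Regulatory": 0.20, "Operations": 0.15}
VULNERABILITY_WEIGHTS = {"Control efficiency": 0.25, "Speed of response": 0.15, "Complexity": 0.15,
                         "People": 0.15, "Operational efficiency": 0.10, "System change": 0.10,
                         "Rate of change": 0.10}

def weighted_score(ratings, weights):
    """Weighted average of 1-3 ratings; every weighted criterion must be rated."""
    missing = set(weights) - set(ratings)
    if missing:
        raise ValueError(f"unrated criteria: {sorted(missing)}")
    bad = {k: v for k, v in ratings.items() if v not in SCALE}
    if bad:
        raise ValueError(f"ratings outside the 3-point scale: {bad}")
    return sum(weights[k] * ratings[k] for k in weights)

def risk_score(impact, vulnerability):
    """Cumulative impact multiplied by organizational vulnerability (range 1.0-9.0)."""
    return weighted_score(impact, IMPACT_WEIGHTS) * weighted_score(vulnerability, VULNERABILITY_WEIGHTS)

def risk_rating(score):
    """Map the 1-9 product onto the slide's Low/Moderate/High scale (assumed cut-offs)."""
    return "High" if score >= 6.0 else "Moderate" if score >= 3.0 else "Low"

def rank_activities(assessments):
    """Return (activity, score, rating), highest risk first, to drive the action plan."""
    scored = [(name, round(risk_score(imp, vul), 2)) for name, (imp, vul) in assessments.items()]
    return [(n, s, risk_rating(s)) for n, s in sorted(scored, key=lambda x: -x[1])]

def rate(*values, criteria):
    """Pair the constructed ratings below with criteria, in weight-dictionary order."""
    return dict(zip(criteria, values))
# Constructed sample ratings for three activities from the Nonprofit Risk Universe slide.
I, V = list(IMPACT_WEIGHTS), list(VULNERABILITY_WEIGHTS)
SAMPLE = {
    "Information technology/network security/data privacy":
        (rate(3, 3, 3, 3, 2, criteria=I), rate(3, 2, 3, 2, 2, 3, 3, criteria=V)),
    "Succession planning":
        (rate(2, 3, 2, 1, 3, criteria=I), rate(2, 2, 1, 3, 2, 1, 2, criteria=V)),
    "Safety and security":
        (rate(1, 2, 2, 2, 1, criteria=I), rate(1, 1, 1, 2, 1, 2, 1, criteria=V)),
}

if __name__ == "__main__":
    for activity, score, rating in rank_activities(SAMPLE):
        print(f"{rating:8} {score:5.2f}  {activity}")  # High 7.41, Moderate 3.99, Low 1.94
```

Because the weights in each group sum to 1.0, an unrated or out-of-scale criterion is rejected rather than silently lowering a score, which keeps the ranking reviewable by the Board and senior management.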
Goals/outcomes:
– Strong and long-lasting donor relationships
– Continuity of programs and service
– Infrastructure to capture and manage the donor database
Identified risks:
– Loss of reputation
– Complexity of giving instruments
– Missed opportunity; wealth transfer
– Conflict between development and finance
– Online capabilities
Nonprofits need to understand the overall inherent levels of risk embedded within their processes and activities. It is important for the organization to then recognize and prioritize significant risks and identify the weakest critical controls.

Governance:
– How engaged are your Board members?
– How effective are Board members in aligning themselves with the organization’s strategy and short/long-term goals?
– Do they have the right skill sets?
– Do they stay up to date with current events that may or may not affect their organization/industry?