Not-for-profits’ interest in ERM is growing, as leadership seeks to identify high-risk areas (including those once thought to be improbable), develop appropriate mitigation or response strategies to protect the organization’s interests and assets, and guide subsequent risk management activities. See more in our State of not-for-profit industry 2014: http://gt-us.co/StateofNFP2014
How enterprise risk management (ERM) can help not-for-profits thrive
Paul Klein, Business Advisory Services Managing Director, Not-for-Profit and Higher
Education Practices
Mark Oster, National Managing Partner, Not-for-Profit and Higher Education
Practices, Business Advisory Services Principal
Not-for-profits’ interest in enterprise risk management (ERM)
is growing, as leadership seeks to identify high-risk areas
(including those once thought to be improbable); develop
appropriate mitigation or response strategies to protect the
organization’s interests and assets; and guide subsequent risk
management activities.
The pressures on management, boards and audit committees
to understand and address organizational risks have never been
greater. In today’s economic climate, not-for-profit organizations
must be able to protect their key assets — most importantly, their
good name and reputation. Whether due to changes in leadership,
direction, growth, technology, or program offerings and services,
it is likely that your organization is facing increased risk. The
potential reputational, legal, financial, operational and
mission-related impacts associated with such exposure have increased, as
have stakeholder expectations regarding good stewardship. This
places even more responsibility on leadership to identify and
understand potential risks, establish a risk-focused culture and
prioritize mitigation strategies going forward.
External forces have also put the spotlight on ERM.
Not-for-profit organizations are facing unprecedented scrutiny by donors
and watchdog agencies. The demand to operate transparently
and with more sophisticated board engagement is higher than
ever. Even without any dramatic changes to your business
model, external pressures — regulatory, competitive, legal,
economic or constituent-related — coupled with inadequate risk
management practices may leave your organization vulnerable.
Without carefully assessing and managing both existing and
emerging risks, new initiatives may not succeed and responses
to external pressures may fall short, thus exposing your
organization to risks that could ultimately destroy its reputation
and threaten its survival.
Establishing a strong ERM program shields your organization
from threats while enabling you to capitalize on new
opportunities. ERM is a process that identifies, analyzes,
addresses and monitors potential risks to your organization. By
understanding and prioritizing these risks, you can build and
execute a top-notch strategic plan that enables your organization
to seize new opportunities and mitigate existing or emerging risks.
Benefits of implementing ERM
A rapidly increasing number of not-for-profit boards are
committing to ERM programs. Adoption is being driven by
stronger fiduciary oversight, more robust strategic planning
initiatives, a new generation of managers, and concerns over
radical industry shifts, including pressure to cut costs, innovate
and respond to regulatory inquiries.
An effective ERM program keeps organizations focused on
optimizing strategic objectives, actively engages the executive
team and enhances the board’s oversight of risk management.
Furthermore, industry watchers recognize the importance
of ERM in the continued success and sustainability of
any organization, and they are factoring its existence and
effectiveness into their overall ratings.
ERM requires a cultural change. To instill ERM into
your culture, the organization first needs to establish a
common definition of what risk means, and then gain
consensus regarding risk tolerance and appetite. As the
ERM process unfolds, spending time to truly deliberate
risk is hugely important. Risk consideration needs to
become a shared way of thinking, and it should be
on the agenda for every strategic discussion. Defining
guiding principles for the ERM program is also critical
so that expectations are properly set from the start
and there is a shared understanding of what needs to
happen when unexpected events occur.
ERM needs to be championed from the top.
Setting the tone from the top and getting
senior-level endorsement are critical to organizational
change. A leading not-for-profit recently
transformed its risk program when a newly hired
executive advocated ERM. At another
not-for-profit organization, the president made a point to
inform his senior leadership and board that risk
management was a top organizational priority. In
both cases, the organizations adopted an integrated,
holistic approach to managing risk that created
accountability, defined a process for identifying and
mitigating risk, and emphasized realistic but firm
implementation time frames. As the respective boards
and an ever-wider group of executives have embraced
and owned the process, the organizations have
permanently changed the way they approach risk.
Perceived obstacles to ERM adoption
If ERM is a proven tool, why have not-for-profits struggled with
building successful ERM programs? There are many possibilities:
• Not-for-profits may view ERM as an occasional project,
rather than a continuous process.
• Not-for-profits may see ERM as a way of identifying all
possible internal risks to the organization, thus creating
an unmanageable amount of information and hindering
their ability to focus on the most critical threats and
advantageous opportunities.
• Organizations may create a completely new process and
organization around ERM — separate from strategic and
business planning — or delegate ERM to internal audit or
other risk management groups.
• Not-for-profits may ignore critical and threatening risks
because they are perceived as unlikely or out of their control.
• Not-for-profits may not recognize the value of
management’s consideration of uncontrollable risk events
and the development of anticipated responses if those events
were to occur.
• They may lack adequate processes or indicators to monitor
and respond to emerging risk events.
4 ways ERM can transform not-for-profits
As leading organizations that have embraced ERM have shown,
this process can work throughout the not-for-profit sector.
Here’s how:
Don’t delay your ERM program adoption
As financial, regulatory, technological, organizational and
programmatic pressures weigh on not-for-profits, the inability
to adequately respond to these rapidly emerging and intensifying
events can knock even the most solid organization off its feet.
Being prepared can make all the difference; it’s never too late
to start implementing ERM. A robust program will help your
organization recognize and prepare for emerging risks, and
minimize the impact of unforeseen events, allowing you to seize
new opportunities while protecting your organization’s mission
and reputation.
ERM is a vital strategic planning driver.
A critical flaw in many enterprise risk approaches
is misunderstanding the difference between
enterprisewide risk assessments and ERM programs.
Enterprisewide risk assessments collect all plausible
risks, and the resulting list can be huge, unfocused
and difficult to analyze. The result is a one-off report
to the board or senior management. On the other
hand, a strong ERM program addresses the most
critical organization-level risks and supports the
strategic plan. A strategic plan can inform the ERM
process by identifying new opportunities that may
introduce new organizational risks. The ERM process
can likewise inform the strategic plan by defining the
organization’s risk tolerance and appetite to ensure
that undue conservatism doesn’t preclude new efforts
from being undertaken (i.e., opportunity risk). When
used appropriately, ERM can be a proactive partner
to strategic planning.
ERM is a safety net, offering protection against
broad or sudden industry changes. A successful
ERM program is risk-intelligent. It includes
the monitoring of key internal and external risk
indicators so leadership can react quickly and
effectively to reduce the impact of negative events or
seize new opportunities. Strong ERM programs can
give not-for-profits the edge they need in a risky and
increasingly competitive environment. Whether it is the
identification of an emerging risk such as inaccuracy
of nonfinancial outcome assessments, the opportunity
risk of investing in new technologies, or a strategic
risk associated with a shift in the business model, an
ERM program enables leadership to thoughtfully
consider and plan for what tomorrow may bring.