The NonProfit Times - February 1, 2008 - (Page 16)

STREETSMART NONPROFIT MANAGER
THOMAS A. MCLAUGHLIN

Managing Risk
Using ERM is a new way of thinking

We live in a risky world. The litany of risks that nonprofit organizations face is long and complex. The list of organizations that have been damaged by an unexpected event or unrecognized trend is also long.

But there have always been risks, real and perceived. Sensing our tendency to dwell on the negative, one national leader reassured his readers in a well-known essay that “terrorists are not going to destroy the country.” This sounds like post-September 11th commentary, but it is from the 1952 book The Power of Positive Thinking by Norman Vincent Peale. Certain risks, it seems, never go away.

What is different about past attitudes toward risk versus today’s managers’ approach is that at some point managers came to the realization that risk was not something that just happened to them but that it could be managed just like most other aspects of a functioning organization. If risks can’t be eliminated they can at least be managed.

Many nonprofit managers tend to think of risk management as a dreary process related to things such as workplace injuries. But managing risks is more than just making sure that someone braces the stepladder whenever a colleague is standing on it. Today’s risk management discipline spans practices as diverse as strategy formulation, operations management, and accounting policies. And the implicit message is much the same as Dr. Peale’s: “Through positive action we can handle it.”

ENTERPRISE RISK MANAGEMENT

The term of art for this new way of thinking about risk is Enterprise Risk Management, or ERM. While ERM is characterized in different ways by different types of specialists, one thing that most approaches have in common is a relatively new emphasis on thinking about risk holistically, not just on a function-by-function basis.

Common risks that nonprofits encounter include new organizations competing for the same revenue sources, technological advances that change service models, and recommendations from external parties such as charity rating services. Each of these common sources of risk must be identified and planned for in some systematic way, and each involves many different facets of the organization. But since the nature and implications of risk are very different for nonprofits there are crucial differences in managing risk holistically in this sector.

FACING RISK, NOT RUNNING FROM IT

The business model of most for-profits that adopt ERM is based on mass production of products or services. Identifying and eliminating or mitigating risk is central to increasing the return to ownership. Nonprofits, of course, can have no owners, although for risk purposes this is largely a cosmetic difference because those who put funds into a nonprofit are interested in a social return at least on a par with direct financial return.

The real difference is that in many ways nonprofits exist to take on risk, not to avoid it. The non-governmental organizations that send their staffs to remote earthquake-stricken sites, or who seek out disaffected urban gang members, are confronting risks head-on. To avoid them would be to diminish their missions. These are not market-driven actions, and shareholders of a for-profit would be horrified if their managers behaved in this way.

Most nonprofits also have an unusual degree of protection from legal action. Liability laws are established on a state level. But especially in states with a strong English common law heritage, there is often an explicit ban or limitation on suing public charities for civil wrongdoing. And the liability insurance crisis of the 1980s prompted increased protections for boards of directors of many corporations, including nonprofits.

Perhaps the largest difference in the typical approach to enterprise risk management in the nonprofit sector is the nature of the organizations. ERM took hold first in large, publicly held companies with a clear chain of command. It originated partly in a widely accepted framework for assessing risk known today as the COSO framework, from the Council of Sponsoring Organizations, an economy-wide initiative to codify thinking about business risk.

There are two reasons why ERM is rooted in large-scale producers. First, they are the ones most likely to have an overhead infrastructure that can support risk management activities. But the nature of risk is also different there. The essence of liability law is that an individual or an entire organization can be considered civilly liable only if their choices and behaviors departed from accepted practice.

Business risk in the nonprofit sector is different. Although there are notable exceptions, most nonprofits are not engaged in the mass production of some well-recognized product or service demanded by a broad base of individual consumers. Also, consumers of the services are often not the funders, thereby splitting into two parts the single role which is the source of most for-profit risk.

On the other hand, managing reputational risk is more important in the nonprofit sector because so many years’ worth of trust are often bundled up in a nonprofit brand, and because individual donors are easily spooked by even unproven allegations of wrongdoing. So risk management still has an important place at the nonprofit management table.

SOME COMPONENTS OF ERM

While a formal enterprise risk management program might not be viable for many nonprofits, there are many common ways to manage risks that could be adopted individually. In fact, streetsmart managers have already adopted many of these activities for other purposes. A formal ERM program simply integrates them in a framework designed to identify and manage the risk environment.

STRATEGIC PLANNING

Most managers see strategy formulation as a leadership activity, which of course it is. But with attention being paid to competitive threats and the fit between various initiatives and the organization, it’s not much of a stretch to see this common practice as a way to identify and manage risks.

ETHICS PROGRAMS

Wise boards of directors already insist on conflict of interest policies, whistleblower protections, greater executive oversight, and a beefed-up program of internal controls. The risk mitigation function of these efforts is obvious.

TECHNOLOGY MANAGEMENT

The Sarbanes-Oxley law requires independent verification of the effectiveness of certain technologies related to internal controls. It does not apply directly to nonprofits, but many nonprofits are voluntarily adopting their own version of this validation process.

INSURANCE

Insurance is the obvious way of mitigating many risks, but a good ERM system also systematically evaluates the potential gaps in current insurance products, which can themselves become serious sources of risk.

FORMAL QUALITY ASSURANCE PROGRAMS

Many nonprofits, especially in health and education, were leaders in adopting formal QA programs. That’s what accreditations are all about, for example. A systematic means of assessing and improving program quality not only can lead to more satisfied consumers, it is one of the most effective risk prevention methods available.

INTERNAL AUDIT

A relative newcomer to many nonprofits, internal audit functions can become a kind of command central for risk management functions, and the source of operational improvements as well.

Only the very largest and most sophisticated of nonprofits, such as hospitals, universities, and large national name-brand entities, are likely to undertake a formal ERM program. For them, the benefits can be measurable in terms both quantifiable and qualitative. These organizations will adopt ERM practices in the near future if they have not already.

Finally, the push for ERM has to start at the top, with boards of directors and senior management. In a post-Sarbanes-Oxley world, this is also consistent with the emerging framework of legal requirements.

But even smaller nonprofits can benefit from using the principles of ERM without creating an expensive overhead structure to implement it. Many already carry out one or more of the above elements without necessarily thinking of it in a risk management context. The next step for them is to begin thinking in a more structured, disciplined way about how to manage whatever risks they routinely incur.

The best risk is the one that never materializes because someone was streetsmart enough to prevent it from happening.

Thomas A. McLaughlin is a national nonprofit management consultant with Grant Thornton in Boston. He is the author of the book Nonprofit Strategic Positioning (John Wiley and Sons, 2006). His email address is thomas.mclaughlin@gt.com

www.nptimes.com