How well are you handling “Risk” in your nonprofit organization?
Norman Olshansky, President: NFP Consulting Resources, Inc.
Over the past few years, increasing attention has been given to potential liability, mismanagement and ethical practices within the nonprofit sector. Whether as a result of the Sorbanes-Oxley Act of 2002 or more recent high profile ponzi schemes and fraud cases, boards and executives of nonprofit organizations have begun to put more focus on risk management.
A formal definition of risk management is: “the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities”.
When was the last time your organization conducted a serious risk management process?
While many of the prime areas of risk are related to finances, personal injury liability, and unforeseen disasters, there are many other areas of nonprofit operations and governance which can create risk for an organization.
The following are a few of the more common areas of risk which can be assessed and addressed:
1. Availability of Information for Decision Making
2. Billing and Collections
3. Business Expenses
4. Business interruption
5. Cash Management
7. Contract compliance
8. Copyright infringement
9. Corporate Governance
10. Data Security
11. Donor/member records
12. Donor/member recognition and benefits
13. Emergency preparedness
14. Facility Management
15. Financial Reporting
16. Fraud & Ethical Behavior
17. Fund Raising
18. Gift Acceptance
19. Harm to clients
20. Human Resources
22. Investment policies
23. IT Infrastructure
24. Litigation Risk
27. Operational Quality Performance
28. Personnel/Volunteer Behavior
29. Regulatory Compliance
30. Related Party Transactions
31. Special Events
32. Storm damage
33. Subcontractor Utilization
34. Succession Planning
35. Tax Exempt Status
37. Unrelated Business Income
38. Use of intellectual property
As you can see from the partial list above, there are many areas of potential concern. In most cases, it would be cost prohibitive and next to impossible to attempt to eliminate all risks in a nonprofit. However, depending on the type of organization and its operating issues, there are usually several high priority potential problem areas which should be addressed. The cost of prevention is usually a fraction of the cost of correction after the fact. Typically, discussions related to risk management are first initiated by financial advisors and/or auditors. However, the scope of their concern if often limited to financial issues.
There are risk management tools that can be used as part of a nonprofit organization’s annual audit process. The assessment is typically a comprehensive problem solving process that starts with an analysis of needs, prioritization of areas of concern, a recommendation on how to address those concerns and measurement of progress. Progress is only possible if the starting point is identified correctly and candidly. Nonprofits are asked to provide data for the baseline assessment - the more accurate the data, the greater the prospect of substantial improvement.
The assessment is administered again annually in order to assess impact. The assessment should be conducted by an external assessor which is why doing so, as part of an annual audit, is advantageous. By comparing year to year results, nonprofits can observe their progress and continually reduce the extent of risk in their organization.
Most auditors will address issues such as separation of duties related to bookkeeping and accounting, or documentation which is required in personnel files. However, a more thorough risk assessment will also include a review many other potential areas of concern.
Consider some of the following questions:
When was the last time you looked at your facilities to determine if they are safe and secure, if data is protected, how to minimize damage in a storm or to determine if computers or other electronics are located under sprinkler systems. Does your organization have a published plan that is reviewed annually with staff and volunteers related to procedures should there be a natural disaster, bomb threat, or fire? Who is responsible for what when an emergency occurs? What type of reporting takes place when someone incurs a work related injury or has an accident on your property? What have you done to minimize risk associated with activities which could result in litigation against your organization? Is there clutter or areas of storage that are potential fire hazards? What have you done to educate your leadership, staff and volunteers regarding ways to avoid potential ethical or conflict of interest concerns?
Have you addressed the potential “Mack Truck” problem? This is when you have a key employee, volunteer or vendor who you rely on so much that if they were hit by a truck and were unable to continue their involvement, your operations could be significantly impacted. Do you cross train staff? Are you prepared for the “Mack Truck” incident that takes away the one person who knows everything about your accounting, computer systems or service delivery? What insurance do you need? (liability, business interruption, property, automobile, travel, health, equipment or other potential losses, etc.) These are some of the issues that should be evaluated as part of your risk management assessment.
The time to be concerned and take action around risk management is before you have the problem. As the saying goes, “An ounce of prevention……….