Protecting Your NPO: Take A Deeper Look at Enterprise Risk Management

Recently, an HR colleague of mine mentioned “When I think about risk management, I think about insurance coverage.” My response was “Think again!”

Enterprise risk management (ERM) is both broader and deeper. The tangible risk mitigated by insurance policies, together with financial risk, is only a small portion of overall ERM. As the work done by NPOs has evolved, thorough ERM plans have become essential. Addressing this is valuable for ongoing sustainability, and it is now expected if you want the insurance coverage my HR colleague has in mind.

For example, a client of mine visited me last week and mentioned she was seeking Commission on Accreditation of Rehabilitation Facilities (CARF) accreditation for her organization's VA programs, and the CARF surveyor had asked her about her ERM plan. Her organization is large, and she was confident she had the basic plan components, but she was not so sure she had a document that laid out the ERM structure for the organization. Fortunately, my client did have the basics for a plan, and we documented it and communicated it successfully.

Another client is seeking Council on Accreditation (COA) accreditation and now needs to examine policies and procedures and develop best practices in all areas of business management as part of its overall ERM planning.

Access to accreditation and insurance is increasingly tied to having a solid ERM plan. Yet my research indicates many NPOs do not have formal plans in place and do not monitor ongoing risk. If that is true for you, it is wise to get started on a plan. Here are some first questions to explore:

  1. What is the structure of your legal support team?
  2. What contingency plans do you have in place for your financial operations?
  3. How do you define your operational risks today?
  4. What human capital risks do you believe exist for you now?
  5. What exposures may affect your fund-raising capability?
  6. How do you interface with government funders? Do you understand their requirements for their continued support for those you serve?

Answers to these types of questions help identify both vulnerabilities and gaps to address in any ERM plan you design. My evaluation of organizations points to six key areas of risk to consider:

  1. Legal
  2. Financial
  3. Operational
  4. Human Resource Talent
  5. Fundraising
  6. Government Relations/Support

Each of these areas should be considered in light of the specific risks it poses to the stability of your organization. The weight of each area differs from one organization to the next, depending on industry, market dynamics, the scale of your organization and the level of uncertainty at play in the world at any given time. For example, the cost and retention of human capital may be a huge risk for an organization that is trying to rebuild and grow; it may not be for one that is merging with another organization.

A grounded understanding of the environment in which you serve and the planning horizon you set are both helpful to guide you.

To develop an ERM plan, the key is to integrate it properly into your organization's overall strategic plan. Strategic plans usually include an updated SWOT analysis, which can readily lead to the basics of an ERM plan. A discussion tied to your SWOT analysis should surface the key risks in the six areas noted above. With your whole team present, this becomes a meaningful discussion with perspectives from every angle of the operation, which helps you weigh the risks and better understand the inter-relationships and cross-operational dependencies tied to each one. This discussion can lead to effective solutions and even best practices.

If you are not already doing this, encourage the facilitator of your strategy session to include it as a discussion during your planning time. This will help you establish the “creative framework” for the content of your ERM plan.

Taking a balcony view of ERM planning, here are the primary steps for developing an effective long-term ERM planning process:

  1. Develop and maintain a risk policy statement
  2. Define the organizational material and realistic risk events
  3. Create and manage a risk profile for the organization (i.e., create a “risk register” to define risk tolerance and the potential for risk events)
  4. Establish risk response to key scenarios
  5. Monitor and report (key risk indicators and key performance indicators may be part of this reporting process)

Developing an ERM plan builds the prospects for good management in both good times and bad. We are happy to guide you through this process!