More than six out of 10 (64%) not-for-profits haven’t assessed their organizations for certain risks in the last year, according to a recent study by Crystal & Company, a strategic risk and insurance advisor. And nearly eight out of 10 (78%) don’t have an employee dedicated to managing such risks.
Those could be viewed as alarming statistics — many believe that inattention to risk was a contributing factor in the nation’s recession and economic downturn.
Identifying your risks
Although many nonprofits don’t seem to be paying enough attention to risks facing their organization, some are using the strategy of enterprise risk management (ERM) or similar methods to manage their risks.
The ERM process starts with identifying your organization’s internal and external risks. Brainstorm with your staff. Think about all possible threats and dangers: from internal and external fraud to possible natural disasters, regulatory noncompliance, civil and criminal litigation, and economic and competitive forces.
Assessing the risks
Once you’ve pinpointed the not-for-profit’s risks, evaluate and prioritize them. Ask yourself how likely these risks are to happen and what would be the consequences if they occurred.
Let’s say that you’re selling a member-written book that isn’t related to your exempt purpose, and your income from the sales is considered unrelated business income (UBI) by the IRS — this is the identified risk. If you fail to report the income from the book sales, or if it becomes so substantial that your organization is no longer operating primarily for tax-exempt purposes, you could risk losing your tax-exempt status — which, of course, has far-reaching repercussions.
Here’s another example: Your headquarters is in a flood zone and there are major floods in your immediate area on the average of every eight years. If a flood hits your facility, you face losing thousands of dollars in property damage. Worse, your facility might be unusable for months.
After your risk management team has assessed your organization’s risks, decide how to respond to them. Some questions to pose include:
Can we avoid this risk? Using the possible flooding example above, you’ll likely answer “no” — you have no control over Mother Nature. On the other hand, a decision to invest in quickly appreciating stock is a risk that could be avoided.
Can we share the risk? “Sharing risk” usually connotes having adequate insurance — this is a factor your organization can control. You can buy insurance that includes protection in case of a flood.
Can we reduce risk through policies and procedures? Often, the answer to this question is “yes.” In the UBI example above, you could have certain procedures in place to keep track of and report book sales. An employee could be responsible for gathering this information and completing the form. And a deadline could be set for a manager to review the form before it’s submitted to your CPA to include on Form 990-T.
Can we accept the risk and take no action? Sometimes the risk is so minimal — or the consequences so minor — that your team may decide to accept a risk and take no action. For example, your nonprofit is located in an area where earthquakes never hit. It’s a simple decision to forgo special earthquake insurance, because you view the risk of your headquarters being affected by an earthquake as extremely low.
Controls — in the form of policies, procedures and other safeguards — can help contain risks. For example, let’s say that your nonprofit is a food bank, which is located in an economically depressed area. Based on the crime rate in your area, you determine that there’s a substantial risk of recipients, staff and volunteers becoming victims of theft or other crimes as they go to and from your facility.
So, you set a policy aimed at protecting these constituents from crime, which includes keeping your facility within a short walking distance of public transportation, operating only until 7 p.m. and offering free parking in a lot adjacent to your facility. You install bright lighting in the parking lot as a security measure. You also put various procedures in place, including having an employee escort visitors to their cars and requiring employees to walk in pairs to the parking lot.
Monitoring and reporting
It’s critical to monitor the controls in your risk management program on an ongoing basis. For example, you could monitor the procedure of requiring two people to walk to the parking lot together by having everyone sign out when they leave the building. And a designated employee would review the sign-out log daily.
An annual audit report can help evaluate whether the control procedures are being followed and identify any additional risks. Auditors address such questions as, “Has monitoring people leaving the food bank in pairs improved that practice?” And, “Has the control affected the frequency of crimes reported by your constituents?” The results of your monitoring activities should be reported back to the ERM team.
Asking for help
No organization can eliminate risks altogether. But you can take certain steps to control them.
Additionally, certain threats call for special monitoring and reporting. For example, every nonprofit needs to create a set of internal controls to guard against fraud. AAF can help formulate your risk management process and establish effective internal controls.