Risk Management for Not-for-Profit Organizations
By Paulette Vinette, CAE
July 25, 2005
The following article is the first in a four-part series dealing with risk management and not-for-profit organizations. We will discuss the broad range of risks organizations can face and how to prevent them from occurring and/or mitigate damage when they occur.
What is risk management? Simply said, risk management is an approach that incorporates strategies for recognizing and confronting any threat or danger that may cause harm and hinder an organization from fulfilling its mission. A risk management strategy is a detailed plan to recognize and confront any threat or danger that may cause harm and hinder the organization from fulfilling its mission.
Some readers may be thinking that some risks are positive - indeed that is true. In this series, we are focused on the negative type of risk. So what are some examples?
- Fraud, theft or embezzlement
- Loss of key staff/volunteers
- Board/staff mismanagement
- Lawsuits
- Fines, penalties, non-compliance with government requirements
The list of predictable risks is long, so we have divided our review into four broad categories:
- Fiscal matters
- Human resource matters
- Technology and intellectual property matters
- Regulatory matters
Who determines what risks need to be managed? In a not-for-profit organization, it is best if it is a team effort of board, staff and volunteer representatives who serve together on a Risk Management Committee. Those selected should be knowledgeable about risk management and monitoring. The committee's mandate should include putting in place risk management activities that the committee monitors and evaluates, and a summary report should be provided to the board on a regular basis. In larger organizations, such committees may be populated by senior staff supported by risk management professionals.
The Risk Management Committee should start by identifying potential, predictable risks and then determining the organization's risk appetite, which is best described through a risk tolerance position. A common approach is to determine an organization's risk tolerance, establish the likelihood of each risk, and then the magnitude of each risk according to a scale of 1 - 4. Likelihood is the probability of the event occurring and magnitude is the potential impact.

The next step would be to develop a risk management strategy that sets out the organization's risk tolerance levels for each category, giving explicit direction as to what approvals are required before such risks can be taken.
An important fact to remember is that it is the governing board that is accountable for protecting the assets of the organization; while they may delegate related work, "the buck stops at the board's table".
Let's look at the first category of risks, fiscal risks. Our review is by no means exhaustive, and is intended to inspire readers to create their own comprehensive list.
Fiscal Risks
1. Property loss
To avert property loss, install burglar, smoke detection and carbon monoxide alarms. Ensure that you are compliant with building and safety codes. Set up health and safety office procedures with designated staff who monitor and report on adherence.
To mitigate property loss, have sufficient insurance coverage for the variety of potential risks. Develop an Asset Protection Plan that documents information you will need in the event of a loss.
In all cases, you should address how to manage and recover from all types of losses in your Crisis Management Plan.
2. Asset loss, damage or theft
Security systems are a recommended prevention tool. Secure valuable assets by locking or storing them. Establish a system for distributing keys or security codes to employees and others and ensure that your system is frequently updated and monitored.
To mitigate such risks, work with your insurers to validate your Asset Protection Plan, which should list all major assets with manufacturer information, serial numbers etc. The plan should also lay out actions to take to recover from both short and long-term losses.
3. Misappropriation of funds
Ensure that anyone working with organization funds is monitored by a more senior manager who is working from documented internal controls. Given public pressure to ensure management accountability of organizational funds, external auditors will likely be required to comment on the effectiveness of internal controls in the near future. Introduce yours now while you have time. Some organizations invite occasional unscheduled audits of specific accounts. Should you uncover embezzlement, fraud or the like, invite and follow your legal counsel/law enforcement's direction - do not deviate lest you render your organization exposed in ensuing litigation.
Budget non-compliance and travel privilege abuses are other potential risk areas. Ensure your accounting system flags transactions that do not comply with approved limits; regularly update your Policies and Procedures Manual, which refers to travel privileges. Have a director or Audit Committee member spot check travel reimbursement claims regularly. In the event of a problem, involve appropriate board members promptly.
4. Event mishaps
Plan for cancellation in ways that do not put your organization at risk, such as carrying cancellation insurance. Negotiate event cancellation terms such as rebooking rather than penalties alone. Make the decision to cancel at least 72 hours in advance to provide sufficient time for those implicated to make new plans.
Always announce exit directions and procedures at any event; for larger events, appoint exit marshals. Have a thorough critical path and checklist to anticipate event-associated problems and ensure the mitigation strategies are well documented in your Crisis Management Plan.
Next time, we will focus our attention on risks involving Human Resource matters and also examine the elements of a Risk Management Committee's Terms of Reference. Please send your questions or comments to the author.
Paulette Vinette, CAE, is the co-author of Risk Management - A primer for directors of not-for-profit organizations, which was recently published by the Canadian Society of Association Executives in 2005 (ISBN 0-921998-01-5). Paulette is President of Solution Studio Inc., a consulting practice that serves the not-for-profit association community. She can be reached at 1-877-787-7714 or Paulette@solutionstudioinc.com.