Many for-profit companies consider a comprehensive risk assessment to be a critical part of their overall risk management process. Regrettably, some not-for-profit organizations do not take the time to perform a risk assessment for a variety of reasons: some do not understand or appreciate the benefits of such an exercise; some believe they adequately understand their risk profile; or some may feel they lack the resources to adequately perform the job.
This article provides a framework that all not-for-profit organizations can use as a starting point to implement a periodic risk assessment.[i] It describes the goals of a risk assessment, identifies the nature of the broad risks facing many organizations, suggests a proposed approach, and offers suggested steps to mitigate and control the risks. While the mechanics of a risk assessment may be undertaken by staff or consultants, the role of the board in understanding, evaluating, and assessing risk cannot be understated. It is executive leadership and the board that must set the appropriate tone, understand the dynamics of risk for any given organization, and articulate a clear philosophy on an organization’s approach to risk.
Goals of Risk Assessment
Nonprofit organizations face different types of risks than for-profit companies, but the goals of a risk assessment should be similar:
- To identify, analyze and prioritize legal/ethical misconduct and compliance risks specific to the operations and culture of the organization;
- To provide a basis for possible compliance, training and ethics programs;
- To refine or develop risk mitigation and monitoring strategies;
- To identify areas where deeper internal reviews would be warranted; and
- To develop a benchmark for ongoing risk assessment and measurement of the effectiveness of mitigation steps that may be taken.
Who Should Undertake Risk Assessment
A comprehensive risk assessment can be done by staff if competent to do so or by outside consultants, such as a law or accounting firm. Even if staff is capable of performing the risk assessment, there is value to having outsiders perform this task occasionally. This assures a fresh perspective is brought to risk evaluation and allows all parts of the organization to be evaluated without any potential for the self-interest of staff to color the assessment. These benefits must be weighed against the additional costs of an outside review. A useful compromise is to have an outside reviewer evaluate the work of staff at the end of the process, or to consult with staff during the process. Some outside firms will undertake a risk assessment pro bono, while others may discount fees.
One Methodology for In-House Risk Assessment
A risk assessment should identify a broad parameter of risks within specific categories, analyzing the probability of occurrence and the severity of impact. It should also identify mitigating factors to various risks and suggest a process for tracking or monitoring risk. All of these steps require the exercise of judgment based on knowledge of the organization. In general, this process is as much art as science.
1. Identify Risks
Step one is to carefully consider the types of risks faced by the organization. Think broadly and do not constrain yourself to solely legal risks. Risks can be broadly conceptualized into two categories: risks an organization should usually seek to avoid (what I will refer to as “threat risks”), and the risk of failure, which an organization may choose to embrace. Threat risks can result in fines, penalties, liabilities or even loss of tax exemption and can be operational, legal, financial, or related to the investments of the organization.
Risks of failure include the risk that an underlying program objective or strategy may not succeed or that the investment or financial performance necessary to sustain the organization cannot be achieved. For many nonprofit organizations, particularly foundations, failing to embrace risk in their programs or grants may result in a cautious, unimaginative organization. Foundations, in particular, have the freedom to take risks that other types of organizations or government may be unable or unwilling to take. An organization may wish to adopt a risk philosophy that articulates how it views the risks it will embrace and how it approaches threat risks.
This article focuses primarily on threat risks. It is important, however, for an organization conducting a risk assessment to recognize the different types of risks and their attendant consequences. Ultimately, in assessing any action or inaction that carries risk, an organization must balance the benefits to be achieved against the downside. An organization may also consider adopting a risk management philosophy that would entail, among other things, defining the risk appetite of the organization, determining how to implement a comprehensive risk management process, and building the process into the many facets of the organization.
Incorporating an agreed upon framework regarding risk management into the DNA of an organization helps align the balance between risk and reward, reduces the potential for unwelcome surprises, permits better planning and response time, enhances the ability to take advantage of opportunities, and more effectively allows the organization to make decisions as to how and where to use scarce resources.
Most nonprofit organizations will share the same type of broad risks that can be generally described as follows:
- Internal or external fraud
- Misuse of assets
- Inadequate monitoring or understanding of investments
- Incomplete, unreliable or improperly reported information
- Damage to reputation caused by a variety of potential factors
- Violation of legal requirements
- Government investigations or audits
Within these broad categories there are a host of specific risks that should be considered and analyzed. A listing of many of these risks can be found here. Of course, not all of these risks will apply to every organization.
2. Talk to Other Staff
A useful risk assessment will include discussions with staff at varying levels of and in different areas of the organization. Staff members interviewed should be asked to identify what they see as the principal areas of risk within their areas, how the risk is currently addressed or mitigated, and ideas for more effectively addressing or mitigating the risks.
Particular care and attention should be paid to those risks that have a higher likelihood of occurrence and a more significant impact. Those that are less likely to occur but still would have significant impact should also be carefully reviewed.
3. Rate the Risk to Assess Likelihood and Severity of Impact
In assessing the likelihood of a particular risk occurring, the following factors might be considered:
- Your organization’s culture and ethics;
- Ongoing compliance;
- Internal controls;
- Workforce awareness and knowledge;
- History; and
- Employee intent.
There are different methodologies and charts that can be used to present the risk assessment and which one you choose is dependent on your organization’s needs, culture, and sophistication. Here is an example of one such chart.
|Almost Certain||Highly likely, this event is expected to occur.|
|Likely||Strong possibility that an event will occur and there is sufficient historical incidence to support it.|
|Possible||Event may occur at some point – typically, there is history to support it.|
|Unlikely||Not expected but there is a slight possibility it may occur.|
|Rare||Highly unlikely, but it may occur in unique circumstances.|
A judgment on the severity of impact can be made using the following scale: Minor, moderate or severe—or some combination thereof. In assessing the severity of a particular risk, the following factors might be considered:
- Possible fines and civil or criminal penalties;
- Impact on the manner and ability of the organization to continue to operate;
- Impact on the reputation of the organization;
- Impact on employees and possible loss of employees; and
- Costs of compliance.
4. Take Steps to Address or Mitigate Risk
There are steps any organization, regardless of its size or sophistication, can take to address or mitigate risks. These steps are outlined below.
It is important that duties regarding oversight of assets, reporting, and payments be segregated so that there are sufficient checks and balances to protect against one party or department orchestrating a fraud or misusing assets. For example, a department that orders purchases, whether computer equipment or other goods, should not control all aspects of the procurement. There should be an independent department or person checking the purchase and making the payment in accordance with policies and controls instituted by the organization. For many smaller organizations, this can be a challenge, as they might feel they lack the people power to differentiate functions. Nevertheless, establishing segregation of duties to some degree, even if that means using outside resources, is critical to the prevention of fraud.
Set payment controls
Payment controls are the first cousin to segregation of duties. The greatest mischief or fraud often arises from a lack of adequate payment controls where one party or department has the ability to shield payments from other departments or parties. Payment controls can include requiring two signatures on checks as an appropriate reconciliation process. Accounting firms can be helpful in suggesting the appropriate controls for the nature of the specific organization. What might be appropriate for a large private foundation with a robust finance department may not be practical for a small nonprofit organization. Yet, in each case, there should be thoughtful consideration of an appropriate control over payments, keeping track of inventory, reimbursements for travel and expenses, and similar matters.
Conduct due diligence and legal review
With respect to most transactions, contracts or investments, an organization must perform adequate due diligence and ensure that there has been legal review of contracts or other agreements. Whether the organization is a grantmaking organization, a provider of services or has varying levels of investments, each organization should have agreed upon protocols in place for what they believe is adequate due diligence and legal review. Due diligence checklists for investments, grants and vendors are available from a variety of sources.
Conduct audits (external and internal)
In addition to an annual audit of financial statements, even the best set of controls or processes should be subject to periodic review and audit. The use of an independent outside firm to perform periodic audits on specific processes or controls is advised, but even an internal review is better than doing nothing.
Implement and follow strong internal policies
An ad hoc approach to risk management is almost always doomed to failure. A well governed institution should at least have the following policies in place (and should periodically review the implementation of compliance with these policies): conflicts of interest, whistleblowers, payment controls, a code of ethics, and zero tolerance for sexual or other harassment.
Set the right tone at the top
No risk control environment can succeed in the long run if the leaders of the organization—senior staff and the board—do not reflect high ethical and professional behavior. The board of an organization must maintain vigilant oversight of the organization directly or through committees with specific roles and responsibilities. Committee charters should be strongly considered to be clear about roles and responsibilities.
For most organizations, compliance and risk management starts at the top, with the executive and the board. The tone set by top management and the board will permeate the organization. If the president or board does not show respect for the law, compliance and risk management through their actions and words, a culture of compliance and strong ethical practices will not grow.
Even well run organizations need to avoid complacency and the notion that bad things only happen to other organizations. No matter the size of the organization, period risk assessments are one way for boards and upper management to walk the walk of risk management and to avoid complacency. If your organization hasn’t done one recently or at all, now is the time to implement one. Hopefully this article and related resources will give you the tools to start.
The Mark of Good Nonprofit Stewardship
The notion of performing a comprehensive risk assessment may seem daunting to many organizations, but it is an integral part of the responsibility of the stewards of any charitable organization. Each organization should undertake an assessment that fits its size, sophistication, and needs. Hopefully, this article offers guidance to allow any organization to initiate, continue, or improve its own risk assessment process.
Joshua Mintz is the vice president and general counsel of the John D. and Catherine T. MacArthur Foundation. The views expressed herein are his own and not necessarily the views of the MacArthur Foundation.
[i] There are many resources and proposed approaches for risk assessment in the for-profit corporate context. These are not so easily transferable to nonprofits in many cases. An organization will have to adapt proposed approaches to its particular circumstances.
[ii] See “Framework For Conducting Effective Compliance and Ethics Risk Assessments” (Association of Corporate Counsel / Corpedia, Inc. 2008). This is a useful reference and methodology for approaching a risk assessment.