Implementing Nonprofit ERM Strategies

Jun 15, 2019

Many not-for-profit organizations gamble with risk by failing to implement enterprise risk management (ERM) strategies. The nonprofit ERM process involves identifying internal and external risks, assessing these potential risks, and creating controls to mitigate them.

Identifying Risks

Begin by selecting an ERM team to identify all possible threats and dangers: from internal and external fraud to potential natural disasters, regulatory non-compliance, civil and criminal litigation, and economic and competitive forces.

Assessing Risks

Once the not-for-profit’s risks are identified, evaluate and prioritize them. Ask how likely these risks are to happen and what the consequences would be if they occurred.

  1. Internal Risks: For example, a restaurant operated by a university generates income from food sales unrelated to the university’s exempt purpose – education. This income must be reported as unrelated business income (UBI) to the IRS. If UBI is not reported or becomes so substantial that the university is no longer operating primarily for tax-exempt purposes, its tax-exempt status may be revoked.
  2. External Risks: Mother Nature can’t be controlled, but the risk of related damages can be mitigated. If a nonprofit is located in a flood zone with the possibility of major floods every few years, the risk of costly property damage is high. Even worse is the likelihood of operational interruptions during the rebuilding period.

Developing Risk Responses

After the ERM team has assessed the organization’s risks, a response plan can be developed. Some questions to pose include:

  • Can the risk be avoided? Using the possible flooding example above, the ERM team will likely conclude that the risk is unavoidable.
  • Can the risk be shared? “Sharing risk” usually implies having adequate insurance — this is a factor the organization can control. Purchasing flood insurance can offer protection that makes the risk acceptable.
  • Can the risk be reduced through policies and procedures? In the UBI example above, implementing procedures to track and report food sales can reduce risk. Assigning an employee to gather the information and report the results to a manager for review is another procedure that further reduces risk.
  • Can the risk be accepted by taking no action? Sometimes the risk is so minimal — or the consequences so minor — that the ERM team may decide to accept a risk and take no action.

Creating Controls to Mitigate Risk

Controls — in the form of policies, procedures, and other safeguards — can help contain risks. For example, the area surrounding the organization has been experiencing an increase in thefts. The nonprofit ERM team determines there is a risk of staff and volunteers becoming victims of crime as they go to and from the parking lot. The ERM team implements a buddy system requiring two people to walk to the parking lot together during business hours. After hours, a security guard will be on the premises to offer escorts.

Monitoring and Reporting Controls

It’s critical to monitor the controls in the nonprofit ERM program on an ongoing basis. Designating employees to review controls regularly helps ensure compliance.

Consider an internal control assessment to help evaluate whether the control procedures are being followed and identify any additional risks. The results of all monitoring activities should be reported back to the ERM team.

Nonprofit ERM

CRI’s not-for-profit professionals can help your organization throughout the ERM process, including implementing controls to deter fraud. Contact your CRI advisor to discuss the specific needs of your organization today.
