ERM for NFPs – Part 1


The thought of risk management and its applicability might make you think of the insurance industry, with its actuarial and mathematical models used to analyze risks, to plan for reserves and to account for other future liabilities. Similarly, the financial services sector might come to mind with its analysis of complex financial investments and instruments and the risks inherent in those vehicles. Through increased regulation, publicly traded companies are being required more and more to disclose their risks and risk management practices. Proxy statement disclosure requirements implemented in 2010 highlight the critical role of risk management, as well as the critical responsibility of working with and across the Board. The rules mandate that Boards describe how they discharge their responsibility for risk oversight. Because of this, Boards are looking for a better understanding of the processes management has in place for identifying, managing and addressing risk under uncertain economic conditions.

The discipline of risk management is not limited to large corporations and publicly traded companies. As we know, regulation of publicly traded companies typically leads to the creation of additional regulations, compliance requirements or best practices for private companies and nonprofit organizations. The Sarbanes-Oxley Act of 2002 requirements to establish an integrity hotline and to maintain record retention policies trickled down to nonprofits through State regulations and the disclosures the IRS requires on Form 990.

The discipline of risk management is very relevant to nonprofits, as they increasingly face a greater amount of scrutiny and calls for increased disclosure and transparency. The disclosures the IRS requires on Form 990 went through major revisions in the last few years to include a greater focus on issues of governance and accountability. Additionally, multiple charity rating agencies heavily scrutinize charities and have their own methods for ranking their quality.



Risk management is the identification, assessment and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risk management is defined by ISO 31000 in the following way:

“Organizations of all types and sizes face a range of risks that can affect the achievement of their objectives. These objectives can relate to a range of the organization’s activities, from strategic initiatives to its operations, processes and projects, and be reflected in terms of strategic, operational, financial and reputational outcomes and impacts. All activities of an organization involve risks. Risk management aids decision making by taking account of uncertainty and its effect on achieving objectives and assessing the need for any actions. The risk management process involves applying logical and systematic methods for: (i) communication and consultation throughout the process, (ii) establishing the context, (iii) identifying, analyzing, evaluating and treating risk associated with any activity, process, function, project, product, service or asset, (iv) monitoring and reviewing risk, and (v) recording and reporting the results appropriately.”

Enterprise risk management (ERM) is the discipline of risk management applied at the enterprise level. In other words, ERM is a risk-based approach to managing an enterprise by identifying threats to: (i) strategic objectives, (ii) operations management, and (iii) internal controls. ERM enables management to deal effectively with uncertainty and the associated risk and opportunity, enhancing the capacity to build value. The Executive Summary to the COSO ERM framework defines ERM in the following way:

“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

“The underlying premise of ERM is that every entity exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. ERM enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.”



There are several Enterprise Risk Management frameworks that are widely used. Among the most recognized are the COSO Enterprise Risk Management – Integrated Framework and ISO 31000 – Risk Management: Principles and Guidelines on Implementation. Additionally, here is a link to a prior blog post that does an excellent job of comparing the different internal control frameworks that are widely used.


1 Response to “ERM for NFPs – Part 1”

  1. May 12, 2011 at 11:11 pm

    Check out the link below – I just came across this frame by frame comparison of COSO ERM, ISO 31000 and other risk management frameworks via a Twitter feed. How timely! – http://www.duffandphelps.com/…/Sorting_Through_the_Risk_Guidance_Frame_By_Frame_Keith_Keller_published_in_AFP.pdf
