ERM for NFPs – Part 2

ERM Methods

Continuing from Part 1 of the ERM for NFPs post, here is a general guideline for the different stages of ERM. Depending on the framework used or referenced and the context of your organization, these stages could be in a slightly different order. Generally, however, ERM methods follow this order:

Stages/phases of ERM:

(i)  Establishing common definitions/language for risk components,

–   COSO ERM and ISO 31000 provide good definitions for various aspects of ERM, such as risk, likelihood, impact, inherent risk, and residual risk

(ii)  Risk assessment,

–   a structured methodology of considering, assessing and rating the risks faced by the organization

–   provides information to the organization to proactively consider the implications of risks

–   helps management prioritize the use of limited resources to manage risks

–   top-down vs. bottom-up methods of risk assessment

Top-down – high level, strategic, less time-consuming

Bottom-up – highly detailed, tactical and operational, highly time-consuming

Both methods are equally valid and might eventually get you to the same answers. However, the effort involved in the bottom-up method does provide detailed scenarios that are helpful when assessing controls and management decisions specific to managing the risk. Regardless of the method chosen, a broad cross-section of the organization should be consulted for input to ensure that key operations and support functions of the organization are considered.

(iii)   Bucketing or organization of risk into meaningful categories (e.g. hazard risk, reputation risk, operational risk, financial risk, etc.)

(iv)  Measurement of risk

–  quantitative and/or qualitative measurement of risks (likelihood, impact, velocity)

–  consider weighting different categories of risk (e.g. reputation risk for many NFPs is paramount)

(v)  Risk appetite and risk tolerance (what level of risk is acceptable to the organization)

–  According to COSO in ‘Strengthening Enterprise Risk Management for Strategic Advantage’, “risk appetite is a broad-based description of the desired level of risk that an entity will take in pursuit of its mission. Risk tolerance reflects the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve.”

–  The London-based Institute of Risk Management has recently released draft guidance aimed at helping organizations to determine, quantify and communicate how willing they are to take risks. The guidance explains how an organization can determine its risk appetite and what role its board of directors should play in the process.

(vi)  Risk management

–  Once risks have been appropriately analyzed, management responds by deciding on how risks should be managed. Common responses are to mitigate, transfer or accept the risks.

(vii) Risk reporting

–  Risk reporting is a continual process

–  Deloitte has published some good guidance that can be used to facilitate risk management conversations with a CFO


Some things to keep in mind

– Senior management support and buy-in is a must.

– Understand the current risk management efforts that are already taking place in the organization. This would be a good place to start the conversation.

– No one size fits all.

– The culture and context of the organization are critical considerations.

– The organization must be ready for ERM, so it is better to start slow and ease the organization into the process.

– To be effective, managers and employees must value risk information. This requires a change in mindset so that a healthy risk communication culture can take hold.

– To be effective within an organization, risk management should be an integrated part of the organization’s overall governance, management, reporting processes, policies, philosophy and culture.





May 2011