Risk Management From a Board Perspective
When an organization has proper risk controls, operations shift from headaches to peace of mind. Without risk controls, the symptoms within an organization become clear - but the way forward is not.
Is Your Organization Experiencing Any of The Following Symptoms?
- Material weaknesses or Significant Deficiency audit findings
- Regulatory scrutiny – inquiries, audits, and more
- Delayed payments from grantors
- Reduced donor funding
- Burnout of leadership team
- High employee turnover in programs and/or accounting
- Lack of engagement from employees or volunteers
- Out of scope programs
- Decreased or lack of resources
- Difficulty recruiting quality board members
- Accounting issues? Can’t seem to close the books timely, struggle completing the audit, lack of insight into “profitability” of individual programs
All of these items can be troublesome on their own, but once they start combining, they can drastically hinder an organization's effectiveness.
Where does the Board Fit in?
- Duty of Care: Take care of the non-profit by ensuring prudent use of all assets, including facility, people, and good will.
- Duty of Loyalty: Ensure that the non-profit's activities and transactions are, first and foremost, advancing its mission; recognize and disclose conflicts of interest; make decisions that are in the best interest of the non-profit, not in the best interest of the individual board member (or any other individual or for-profit entity).
- Duty of Obedience: Ensure that the non-profit obeys applicable laws and regulations; follows its own bylaws; and that the non-profit adheres to its stated corporate purposes/mission.
Our Internal Audit practice helps organizations audit their risks, understand where they are vulnerable, and form a plan to move forward and reduce areas of trouble.
7 Step Risk Process
Step 1: Identify the Risk
- List the categories that risk may fall into:
Step 2: Analyze the Risk
- What is the likelihood that the risk will happen?
  - Ranges from rare to certain
- What would the impact be on the organization if the risk occurred?
  - Ranges from Low to Significant
- The combination of likelihood and significance determines “focus”
Step 3: Prioritize the Risk
- Don’t expect to manage every risk. This step, prioritizing risk, shows you what to focus on most heavily and helps establish important priorities.
- Board discussion on this step will focus on what steps they’re willing to take to mitigate risk versus accepting the risk on its face.
Step 4: Determine Appetite for Risk – Every Organization is Different
- Consider the following when assessing risk:
  - Experience & capabilities of team
  - Current status of organization
  - Is the risk in an area of strength?
  - Are you exposing yourself to unnecessary risk?
Step 5: Reduce and Control the Risks
- Make a final determination as to whether risks are acceptable, too high or too low.
- The board may decide not to take action on risks that fall in the acceptable level.
- Board directors should take a more in-depth look at risks that fall into the high-risk category and decide how to further reduce the risk or whether to stop the activities that lead to it.
Step 6: Give Assurance
- Boards are responsible for oversight of the operations
- This step requires board directors to ensure that the risk controls are performing as they expect them to
- Board directors may ask internal auditors or external advisors to provide
Step 7: Monitor & Review Risks – Circumstances Around Risk May Change Continually
- Risks come and go
- The impact of risks can change as other circumstances change
- Implement some plan for monitoring and reviewing risks on a regular basis