MacArthur Vice President and General Counsel Joshua Mintz outlines a framework for not-for-profit risk assessment by describing process goals, identifying the nature of broad risks facing organizations, and suggesting steps to address them.
Many for-profit companies consider a comprehensive risk assessment to be a critical part of their overall risk management process. Regrettably, many not-for-profit organizations do not take the time to perform a risk assessment for a variety of reasons: they do not understand or appreciate the benefits of such an exercise; they believe they adequately understand their risk profile; or they may feel they lack the resources to adequately perform the job.
This article provides a framework that all not-for-profit organizations can use as a starting point to implement a periodic risk assessment.(1) It describes the goals of a risk assessment, identifies the nature of the broad risks facing many organizations, suggests a proposed approach, and offers suggested steps to mitigate and control the risks. While the mechanics of a risk assessment may be undertaken by staff or consultants, the role of an organization's Board of Directors in understanding, evaluating, and assessing risk cannot be overstated. Executive leadership and the Board must set the appropriate tone, understand the dynamics of risk for any given organization, and articulate a clear philosophy on an organization's approach to risk.
Not-for-profit organizations face different types of risks than for-profit companies, but the goals of a risk assessment should be similar:
- To identify, analyze and prioritize legal/ethical misconduct and compliance risks specific to the operations and culture of the organization
- To provide a basis for possible compliance, training and ethics programs
- To refine or develop risk mitigation and monitoring strategies
- To identify areas where deeper internal reviews would be warranted
- To develop a benchmark for ongoing risk assessment and measurement of the effectiveness of mitigation steps that may be taken.
Who Should Undertake the Risk Assessment
A comprehensive risk assessment can be done by competent staff or by outside consultants such as a law or accounting firm. Even if staff is capable of performing the risk assessment, there is value in having outsiders perform this task occasionally. An external assessment ensures that a fresh perspective is brought to risk evaluation and allows all parts of the organization to be evaluated without any staff member's self-interest coloring the assessment. These benefits must be weighed against the additional costs of an outside review. A useful compromise is to have an outside reviewer evaluate the work of staff at the end of the process or consult during the process. Some outside firms will undertake a risk assessment pro bono, while others may discount fees.
One Methodology For In-House Risk Assessment
A risk assessment should identify a broad range of risks within specific categories, analyze the probability of occurrence and the severity of impact, identify mitigating factors for the various risks, and suggest a process for tracking or monitoring risk. All of these steps require the exercise of judgment based on knowledge of the organization and in general are as much art as science.
Step one is to carefully consider the types of risks faced by the organization. Think broadly and do not constrain yourself to solely legal risks. Risks can be broadly conceptualized into two categories: risks an organization should usually seek to avoid (what I will refer to as “threat risks”); and the type of risks an organization may choose to embrace ("risks of failure"). Threat risks can result in fines, penalties, liabilities or even loss of tax exemption and can be operational, legal, financial, or related to the investments of the organization.
Risks of failure include the risk that an underlying program objective or strategy may not succeed or that investment or financial performance necessary to sustain the organization cannot be achieved. For many not-for-profit organizations, particularly foundations, failing to embrace risk in their programs or grants may result in a cautious, unimaginative organization. Foundations, in particular, have the freedom to take risks that other types of organizations or government may be unable or unwilling to take. An organization may wish to adopt a risk philosophy that articulates how it views the risks it will embrace and how it approaches threat risks.
This article focuses primarily on threat risks. It is important, however, for an organization conducting a risk assessment to recognize the different types of risks and their attendant consequences. Ultimately, in assessing any action or inaction that carries risk, an organization must balance costs and benefits. An organization may also consider adopting a risk management philosophy that would entail, among other things, defining the risk appetite of the organization, determining how to implement a comprehensive risk management process, and building the process into the many facets of the organization. Incorporating an agreed-upon framework regarding risk management into the DNA of an organization helps align the balance between risk and reward, reduces the potential for unwelcome surprises, permits better planning and response time, enhances the ability to take advantage of opportunities, and more effectively allows the organization to decide how and where to use scarce resources.
- Internal or external fraud
- Misuse of assets
- Inadequate monitoring or understanding of investments
- Incomplete, unreliable, or improperly reported information
- Damage to reputation caused by a variety of potential factors
- Violation of or failure to comply with legal requirements
- Government investigations or audits
Rating the Risk: Assessing Likelihood and the Severity of Impact
- Your organization’s culture and ethics
- Ongoing compliance
- Internal controls
- Workforce awareness and knowledge
- Employee intent
There are different methodologies and charts that can be used to present the risk assessment and which one you choose is dependent on your organization’s needs, culture, and sophistication. Appendix 1 is an example of one chart.
| Likelihood | Description |
|---|---|
| Almost Certain | Highly likely; this event is expected to occur. |
| Likely | Strong possibility that an event will occur and there is sufficient historical evidence to support it. |
| Possible | Event may occur at some point – typically, there is history to support it. |
| Unlikely | Not expected but there is a slight possibility it may occur. |
| Rare | Highly unlikely, but it may occur in unique circumstances. |
The severity of a potential risk's impact might be classified as minor, moderate or severe, or some combination thereof. In assessing the severity of a particular risk, the following factors might be considered:
- Possible fines and civil or criminal penalties
- Impact on the manner and ability of the organization to continue to operate
- Impact on the reputation of the organization
- Impact on employees and possible loss of employees
- Costs of compliance.
Steps to Address or Mitigate Risk
For each of the risks there are steps any organization, regardless of its size or sophistication, can take to address or mitigate the risks. These include the following:
Segregation of duties
It is important that duties regarding oversight of assets, reporting, and payments be segregated so there are sufficient checks and balances to protect against one party or department orchestrating a fraud or misusing assets. For example, a department that orders purchases, whether computer equipment or other goods, should not control all aspects of the procurement. There should be an independent department or person checking the purchase and making the payment in accordance with policies and controls instituted by the organization. For many smaller organizations this can be a challenge, as they might feel they lack the personnel to separate functions. Nevertheless, establishing segregation of duties to some degree, even if that means using outside resources, is critical to the prevention of fraud.
Due diligence and legal review
With respect to most transactions, contracts or investments, an organization must perform adequate due diligence and ensure there has been legal review of contracts or other agreements. Whether the organization is a grant-making organization, a provider of services, or has varying levels of investments, each organization should have agreed-upon protocols in place for what they believe is an adequate level of due diligence and legal review. Due diligence checklists for investments, grants and vendors may be obtained from this article's author.
Payment controls
Payment controls are the first cousin of segregation of duties. The greatest mischief or fraud often arises from a lack of adequate payment controls, where one party or department has the ability to shield payments from other departments or parties. Adequate payment controls might range from requiring two signatures on checks to an appropriate reconciliation process. Accounting firms can be helpful in suggesting the appropriate controls for a specific organization. What might be appropriate for a large private foundation with a robust finance department may not be practical for a small not-for-profit organization. Yet in each case there should be thoughtful consideration of an appropriate control over payments, accounting for inventory, reimbursements for travel and expenses, and similar matters.
Audits (external and internal)
In addition to an annual audit of financial statements, even the best set of controls or processes should be subject to periodic review and audit. The use of an independent outside firm to perform periodic audits on specific processes or controls is advised, but even an internal review is better than nothing.
Implement and follow strong internal policies
An ad hoc approach to risk management is almost always doomed to fail. A well-governed institution should have at least the following policies, as well as a process in place to periodically review compliance with them: conflict of interest, whistleblower, payment controls, code of ethics, and zero tolerance for sexual or other harassment.
Board and Executive Oversight: the tone at the top
No risk control environment can succeed in the long run if the leaders of the organization, senior staff and the Board, do not reflect high ethical and professional behavior. The Board of an organization must maintain vigilant oversight of the organization directly or through committees with specific roles and responsibilities. Committee charters should be strongly considered for clarity about roles and responsibilities.
For most organizations, compliance and risk management starts at the top, with the executive and the Board. The tone set by top management and the board will permeate the organization. If the president or Board do not show respect for the law, compliance, and risk management through their actions and words, a culture of compliance and strong ethical practices will not grow.
Even well-run organizations need to avoid complacency and the notion that bad things only happen to other organizations. Periodic risk assessments are one way for boards and upper management to walk the walk of risk management and to avoid complacency, no matter the size of the organization. If your organization hasn't done one recently or at all, now is the time to implement one. Hopefully this article and related resources will give you the tools to begin the process.
The notion of performing a comprehensive risk assessment may seem daunting to many organizations, but it is an integral part of the responsibility of the stewards of any charitable organization, large or small. Each organization should undertake an assessment that fits its size, sophistication, and needs. Hopefully, this article offers guidance to allow any organization to initiate, continue, or improve its own risk assessment process.
1 - There are many resources and proposed approaches for risk assessment in the for-profit corporate context. These are not so easily transferable to not-for-profits in many cases. An organization will have to adapt proposed approaches to its particular circumstances.
2 - See Framework For Conducting Effective Compliance and Ethics Risk Assessments (Association of Corporate Counsel / Corpedia 2008). This is a useful reference and methodology for approaching a risk assessment.