Forward-looking nonprofits are increasingly focusing on risk management and metrics in the strategic planning process, led by a proactive CFO in collaboration with the audit committee. So what is risk management?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines enterprise risk management as:
“A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Risk Considerations for the Nonprofit:
- Does your strategic plan focus on risks, their identification and quantification?
- Are economic, environmental, political, social, and technological risks considered?
- Do the identified risks align with the board and management’s risk appetite? See chart.
Example: Does the strategy consider the types of cyber risks, such as SaaS and cloud-based contracts, cyber insurance, and other non-technical factors that mitigate risk, such as human resource policies and background and other hiring protocols?
Metrics and Data Management Considerations for the Nonprofit:
Many strategic plans sound more like a mission statement, devoid of timelines, accountabilities, and metrics.
- Does your strategic plan contain meaningful, measurable and actionable data?
- If such metrics are identified, can the data be extracted from the organization’s database (AMS, CRM or similar constituent database)?
- If the data can be extracted from the database, is it presented in a dashboard that tells a story – from strategy through execution?
We are seeing a rapid integration of risk management into strategic planning, with an intense emphasis on measurable outcomes and relevant data analytics. However, many nonprofits take a disaggregated approach where strategy setting is done in isolation by the board and CEO, without the CFO’s input or consideration of risk. Risk management should be an ongoing structured process undertaken at least annually or as major initiatives or investments are being planned.
By: Charles Tate, Managing Partner, Tate & Tryon