Embarking on a program for compliance and risk management can be intimidating. NFPs often wonder where to start and how to maintain such a complex, yet mission-critical endeavor. A comprehensive compliance and risk management program entails evaluating myriad factors, from laws and regulations to operational policies and ethical behavior. Perhaps the biggest risk of all is what you don’t know!
NFPs are expected to operate in accordance with numerous federal, state, and local laws and regulations, including those pertaining to labor and employment, federal grants, contracts and awards, charitable contribution solicitation, licenses, privacy, document retention, and more. Beyond compliance with laws and regulations, NFPs face financial, strategic, operational, and reputational risks. Formalizing an enterprise risk management plan can help an NFP meet these compliance challenges by informing strategic direction, improving decision making and resource allocation, and promoting a focus on risk as an opportunity.
Risk assessment is a systematic task. After appointing a risk champion, the first step is to collectively identify potential risks that may affect the achievement of the NFP’s mission. Each risk is assessed according to the likelihood of the event occurring and its ultimate potential impact on the NFP. Interviews with staff and board members, SWOT analysis, questionnaires, and surveys are all ways to help identify risks. Involving individuals from across the organization will help identify risks in all areas.
Once risks are identified, the NFP can assign a probability and impact to each one to determine how to address it. A risk can be addressed in one of four ways:
- Avoid: remove the cause of the risk or operate differently
- Transfer: find another party who is willing to take on the liability and responsibility
- Mitigate: reduce the probability and/or impact of the risk to an acceptable level
- Accept: when it is not possible or practical to respond to the risk with one of the other strategies, or when a response is not warranted by the importance of the risk
Once the NFP’s risk management plan is in place, the organization can explore technology to support it. There are numerous risk management software programs available that focus on legal, operational, and reputational risks. These are typically best suited for larger organizations and can meet specific functionality, user volume, and deployment needs.
It is important to note there is no one right way to implement an enterprise risk management plan. The key is to create a framework that works best for the NFP, review and update it at least every three years, and integrate risk management into operational decision making.