Academic journal article Journal of Accountancy

Not-for-Profits Delve into Risk Management

Article excerpt

Many not-for-profits lack the resources to implement a holistic approach to risk across the enterprise. So it's no surprise that they often lag behind public companies in implementing enterprise risk management (ERM).

Just 13% of not-for-profits responding to a recent survey said they have complete formal enterprisewide risk management processes in place. By comparison, 52% of public companies participating in the Current State of Enterprise Risk Oversight survey performed by North Carolina State University's ERM Initiative for the AICPA have formal enterprisewide risk management processes.

Meanwhile, 24% of not-for-profits have no enterprisewide risk management in place, compared with just 6% of public companies. But experts say not-for-profits are paying much more attention to risk.

"Some of them are doing that [risk management] kind of on the back of the envelope because they don't want to pay a consultant $25,000 to come in and say, 'I'll take the inventory for you,'" said Mike Burns, CPA, who is based in Boston and heads the not-for-profit and education practice for CBIZ & Mayer Hoffman McCann.

Some not-for-profits are turning to ERM as a marketing tool to attract discerning donors who are concerned about good stewardship of their contributions, said Bob Cummings, CPA, consulting partner at WeiserMazars in New Jersey, who helps businesses implement ERM.

"The different online sources that people can go to and investigate where their money is going, they're going to start asking for this," he said. "Because if you look at the donors, they often come from successful public companies. So they want to see that their money is being well-spent."

Six factors are critical for organizations in implementing and maintaining ERM, according to a presentation Cummings helped give at the AICPA Not-for-Profit Industry Conference in June. They are:

* Have a risk management governance structure. The structure should be aligned with organizational strategy and goals, with clear management roles and responsibilities. Organizations can define a risk appetite and maintain a risk policy statement to ensure clarity.

* Follow a risk management framework. The 2004 ERM Framework created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO, which includes the AICPA) is one such framework. The International Organization for Standardization's ISO 31000 is another. …
