Five Ways to Improve Governance and Risk Management Practices
By Mike Burns
Effective nonprofit management is as much about managing risk as it is about fulfilling a mission, and adherence to best practices will help senior managers ensure the vitality and future of their organizations.
Consider the following:
1. Bring more focus to information technology risks Most boards do not have technology risks assigned to a specific board committee. Given the risks in this area, it is advisable to have this risk assigned to a board committee, likely as part of the audit committee charge. This would include over the longer term, adding someone with information technology expertise to your audit committee.
Many organizations may benefit from the periodic use of an outside consultant to help assess the state of affairs within IT. An outside consultant could help identify risks and suggest approaches to reduce said risks.
Larger entities might have the benefit of fresh perspective and new ideas, but many nonprofit organizations have smaller IT functions. Nonprofits with smaller IT departments might not be able to step back and assess risks and mitigations in a robust way to make sure that these matters are given some degree of priority and attention.
Given the influx of threats to data security, every IT department should have at least one employee whose primary duties include data protection.
2. Plug insurance considerations into the risk process One of the largest risk management investments organizations will make is in insurance coverage. Management often makes the decision for the insurance coverage for the organization. Leadership will meet with insurance brokers to discuss new developments and consider emerging risks and other circumstances that may lead them to modify their insurance coverage. Your audit committee should be included in the conversation at the point that management is ready to recommend a course of action.
You may want to invite insurance brokers to present to the audit committee every few years, as they will likely bring invaluable insights into changes and developments in the insurance market as well as perspective on what other similar organizations are doing.
3. Become more transparent relative to tax compliance Most organizations review the Form 990 filing with the audit committee and make the full document available to the board. Included in this review, if applicable, should be the Form 990-T, Exempt Organization Business Income Tax Return. Unrelated business income tax can be a large source of risk for your organization, given that your organization must decide what to report as unrelated and related income. You should invite your consultant to the audit committee meeting to review these forms.
For entities with state income tax exposures, there should be a more in-depth conversation relative to your jurisdictional filing judgments. The conversation should consider two elements: in which states do you file and why; and in which states do you not file and why.
Sometimes a matrix format can be used to illustrate positions and exposures by state. Some organizations may make the decision not to file in states with small exposures. If the audit committee understands the state income tax exposure dynamics, committee members may have a better grasp of the judgments management makes from time to time.
4. Ensure greater benefit plan oversight As the plan sponsor and fiduciary, your organization bears responsibility for the accuracy of its benefit plan. Your organization should consider enlisting your audit committee to assist in meeting the regulatory requirements involved in benefit plan financial reporting. Audit committees can help your organization address compliance concerns with the benefit plan by reviewing recent benefit plan audit reports, or at least by understanding a summary of the results of those audits.
An audit report will indicate which areas need to be improved. The report can also help guide future risk management efforts so there is clarity on the risk and conditions that are present in the benefit plan programs that might affect the sponsor.
5. Consider the risks of outsourced services Many organizations mistakenly believe that because a service is outsourced, it does not need internal controls. The responsibility for the service, regardless of who performs it, remains with your organization.
You need to ensure that you have adequate controls over outsourced services, including vendor performance or conformance when outsourcing. Your vendor contracts should include provisions that specifically address a vendors failure to perform. It should also address any security breaches that affect either your organization or the vendor.
Audit committees can help manage controls around outsourced services if they have a matrix of all outsourced activities that includes the key risks for that vendor and the organizations approach to monitoring that vendor. Your organization should also create a report card” for each outsourced area that details its key risk findings.
Other risk management practices to consider If your organization has the resources, you should consider establishing a chief compliance officer (CCO) position. Though often found in large organizations, CCOs are appearing in organizations that makes less than $100 million in revenue as well. CCOs often participate in the audit committee meetings and share their perspective and knowledge about risk management and potential exposures to litigations or claims. Additionally, creating a compliance position relieves the chief financial officer of your organization from some of his or her enterprise risk management responsibilities.
Your organization should also consult with your financial statement auditor. Your auditor may be able to share with you best practices noted in other organizations that might be of benefit to you. Auditors may also be able to divulge their perspectives on risks and results associated with areas of rotational emphasis that might add value and insight in terms of the risk management process.