August 3, 2022

Enterprise risk management is becoming more common in the not-for-profit sector, but recent research finds that risk management practices are not keeping pace with the increased complexity of risks for nonprofits.

On July 12, 2022, the Enterprise Risk Management (ERM) Initiative at NC State University published the 13th edition of its annual State of Risk Oversight report in partnership with the American Institute of Certified Public Accountants (AICPA). This report presents benchmarking data on 40 aspects of risk management practices and processes. The data was collected from 560 survey respondents; 156 of which represented not-for-profit organizations, which includes nonprofits, universities, and government agencies.

Key takeaways include:

  • The number and complexity of risks are both increasing. Unsurprisingly, given economic and geopolitical challenges that include the great resignation, supply-chain blockages, increasing cyber threats, and upcoming elections, the report finds that the volume and complexity of risks all organizations face remain significantly higher than pre-COVID levels. This is most pronounced for not-for-profit organizations, whose survey respondents reported the largest increase in risk volume and complexity over the past five years (from 55% to 76%). The figure remained higher in 2021 for not-for-profits than for for-profit companies (71% vs. 63%).
  • Operational surprises are more frequent. Responses on operational surprises provide further evidence that the operating environment is more challenging for not-for-profits compared to for-profit companies. Nearly all not-for-profit respondents reported experiencing a significant operational surprise within the last five years (90% not-for-profit vs. 78% for-profit). This is a reversal from 2017’s results, when not-for-profits were less likely than for-profits to experience a significant surprise (60% vs. 67%).
  • Risk oversight is insufficient given not-for-profits’ level of risk aversion. Sixty-two percent of not-for-profits describe themselves as “risk averse” or “strongly risk averse” yet only 23% describe their risk management oversight as “mature” or “robust.” This gap indicates a disconnect between desirable and actual risk management capabilities. Furthermore, risk oversight at not-for-profits has improved only slightly since 2017 (18%). The most cited barriers to effective ERM are competing priorities (50%) and insufficient resources (52%).
  • Quarterly management risk committee meetings are common, but metrics are rare. More than half of not-for-profits (56%) have management-level risk committees (compared to 63% of for-profit companies). It is most common for these groups to meet quarterly (48%), but many meet monthly (28%). It is encouraging that most management teams are regularly discussing risks, but the results indicate room for improvement in monitoring risks using key risk indicators (KRIs), the forward-looking metrics used to identify trends and emerging risks. Only 29% of not-for-profits are “mostly satisfied” or “very satisfied” with their KRIs.
  • Not-for-profits commonly update risk inventories at least annually. Forty-one percent of not-for-profit respondents indicated that they have a dedicated process to update their key risk inventories annually, and 32% update them semi-annually, quarterly, or monthly. The remaining 28% currently lack a process to update their key risk inventories. Slightly more than one-third of not-for-profit respondents reported that their organizations provide guidelines for assessing probability and impact.
  • Not-for-profits may be missing strategic and emerging external risks. The goal of ERM is to identify, manage, and monitor risks that affect the organization’s mission and strategic objectives. However, nonprofits tend to focus more on traditional areas of risk, such as internal operations and compliance, than on strategic risks. The categories of risk not-for-profits consider “mostly” or “extensively” are information technology system risks (61%), legal/regulatory/compliance risks (56%), reputational/political risks (53%), financing/investing/financial reporting risks (49%), operational/supply chain/process risks (42%), and finally, emerging strategic/market/industry risks (37%).
  • The percentage of not-for-profits reporting risks to boards is static. Risk oversight is a fundamental aspect of a board’s governance responsibilities, yet only 57% of not-for-profit organizations provide a formal report of top risks to their board of directors at least annually (32% annually, 19% quarterly, and 6% every meeting). This figure has not changed since 2017. Reports to boards tend to prioritize only the most important risks, with 47% of not-for-profits reporting fewer than five risks, 31% between five and nine risks, and 22% more than 10 risks. When not-for-profits delegate responsibility for risk oversight, it tends to be to the audit committee (62%). Only 21% of not-for-profits report having a risk committee.

GRF Can Help

GRF’s Risk & Advisory services include insight and advice on Enterprise Risk Management, including Getting Started with Enterprise Risk Management: A Guide for Nonprofits and many other resources. We specialize in serving nonprofits, schools, and associations, so we understand how to develop and adapt ERM policies, processes, and resources to help our clients maximize the benefits of ERM while keeping cost and staff time requirements to a minimum.

Contact Us

Contact Melissa Musser for a complimentary consultation.

Melissa Musser, CPA, CIA, CITP, CISA

Partner and Director, Risk & Advisory Services