Risk Management Know-How

By: Susan Gurevitz

Associations large and small can benefit from the elements of enterprise risk management. Learn how your organization can make it work. (Titled "Why It's Risky Not to Manage Risk" in print version.)

It's pretty unlikely that enterprise risk management (ERM) would be the topic of a lively discussion at a cocktail party during a professional conference—even with an open bar. In fact, it's even more unlikely that the process would be discussed at most any association meeting.

"Because ERM is relatively new, I'd suspect associations with risk managers are more likely to have some kind of ERM," says Ann H. Franke, president of Wise Results, who consults on policy issues for nonprofits. But the majority of associations, especially those with a small staff, usually don't even have a risk manager on staff or someone handling those responsibilities, let alone an ERM program. "The vast majority have no onsite risk management, "says Leslie T. White, president of Croydon Consulting, who works with associations to help manage their risks. "Risk management is perceived as really something for large associations, "she says.

In that same vein, Mathew Allen, head of ERM Solutions and Services at insurance broker and risk-consulting firm Marsh, says, "I would never encourage an association to introduce a full-blown ERM program." But there's absolutely no reason for an association not to combine some of the ERM strategies that work for them, because those efforts will help reduce the number of claims and size of losses. As the old dictum reminds us, "Anytime money is involved, there's going to be risk."

What Is ERM?

The first broad-based, official framework for ERM was introduced in 2004, when the Committee of Sponsoring Organizations of the Treadway Commission expanded on an earlier report on internal controls. But the hefty report was overwhelming for most companies, except those that were willing to wade through the analysis and develop risk-management assessments that fit their needs. Called "Enterprise Risk Management—Integrated Framework," this original model contained eight components:  internal environment, objective setting, event identification, risk assessment, risk response, control activities, information, and communication and monitoring. For many organizations, it was like trying to shove a square peg into a round hole.

After years of operating within the standard silo structure, associations found that ERM—and the variations that have emerged recently—turned that model on its head and took a holistic strategic approach, pulling all departments together so you can see how component "A" might affect component "B" and identify department structural risks. "It's a structural approach to decision making that's highly adaptable," says Franke. And as part of the holistic framework, you're in a better position to control and improve internal operations.

Tom Burtner, managing director at RSM McGladrey, tells a story about how a lack of financial controls and monitoring can really hurt you. It happened in an accounting department in a trade organization where there were no controls set up to monitor the financial system.  "Everyone was using the same log-in to access the system," says Burtner. "This means there was no segregation of duties or the ability to see, after the fact, who did what," he adds.

The organization had always used one particular vendor, and no one was monitoring the audit trails, leaving the door open for an accounting-department employee to generate fake vendor invoices that she then paid to her own account in the Bahamas.  Eventually, an audit uncovered her fraud, but not until after she had already embezzled $800,000. She didn't really expect to be caught due to the existing system. A risk program probably would have prevented that from happening.

What Does It Mean for Associations?

Fortunately, the ERM concept, framework, and structure have evolved, making the process more understandable and allowing risk people to pick and choose the elements that they believe are pertinent to their associations. "ERM is not this big, hairy, scary process like it sounds," says White. In fact, when she gives presentations on the ERM framework, she doesn't even call it ERM, so audience members won't run for the door.

Like White, many risk leaders have given ERM a different label, such as institutional risk management, and have broken down the framework to include the more manageable components, such as a strategic methodology, an operational approach, and financial compliance.  Still, no matter what you call it, the holistic ERM adopters have pretty much chosen the elements that work for them (i.e., risk assessment, objective setting, internal controls, information and communication monitoring) and have fashioned their own structures and format. Probably the most important factor is to just begin the process.

"As stewards of an association, don't we have the responsibility to ensure that we're thinking of the associations with the capital that flows through them?" asks Allen. Unlike crisis-management plans, which are more common and kick in as a response to some kind of crisis, ERM and its variations are a proactive tactic that compel you to identify risks that you might otherwise not know about.

That's why risk assessment is probably the most important enterprise component, bringing staff together so each operation knows what the others are doing. At her seminars, White says she's frequently asked, "Why do I need to talk to people in different departments, like IT?" Her standard response:  "Every change you make will have an impact on every department."

How to Get Started

But certainly one person can't orchestrate this process alone. For risk-management programs to really exist, the leaders of the association—this includes the board—need to be the heroes for the risk-management efforts. Leadership must embrace the process in order to invite the cooperation of staff. So, typically, organizations set up a group of organization senior staffers—or those who really want to work on the process—to act as a permanent, working task force. The group members should represent all operational aspects of the organization. And then you go to work identifying your risks—those you know about and those that are still hidden. Some of the hidden risks could turn out to be pretty expensive.

"The real challenge for small organizations is the segregation of duties and monitoring of internal controls," says Burtner. That might mean that every staff member (and board member) would be notified of changes in the accounting methods the association uses. For example, Burtner refers to the IRS Form 990, which was redesigned at the end of 2007. These alterations, according to an RSM McGladrey report, "represented the most significant revision to this tax-exempt financial reporting document in over 25 years." For example, among the IRS stipulations is a requirement that organizations check "yes" or "no" about whether specific policies are in place, including whistleblower, conflict-of-interest, and record-retention policies.

Those issues alone should give you pause and send you searching the association's accounting system. And that's also why experts stress the importance of communication among the departments. As a nonprofit, you certainly don't want to give the IRS a reason to mess with your tax-exempt status. "Underlying ERM should be some version of active communication of risk to the stakeholders of the organization, including the membership and leadership," says Allen. However, even after you've taken some ERM steps, the culture of the organization may dictate how far you can go with your efforts.

But let's assume that your staff members are willing to work on your version of ERM. Some risks are easy to identify, such as reputation risk and credibility. White says most associations are "sensitive" to their reputations, but being aware of an issue and working on managing it are two very different matters. A company's reputation and credibility can easily be torn apart. Think Toyota. After years of building a reputation for quality, safety, and reliability, the company was slammed when it waited several days to finally disclose accelerator and brake problems and launch a recall. 

During your risk-identification process you might discover that reputation and credibility aren't necessarily your most dangerous risks. Allen recommends prioritizing your risks according to which ones are most likely to happen and cause the most damage and which risks are not as serious. You might label some risks as "high impact, high likelihood" or "low impact, low likelihood" and everywhere in between. "Associations need to have the prioritizing process to understand what their top risks are," he says. In addition to reputation, associations should consider the risks that might be associated with their brand, fiduciary responsibilities, and membership.

Managing risks also means you're managing your losses and keeping a handle on expensive claims. "You can manage your risks actively or passively," says Allen. "In theory you have an understanding of the value of your strategic goals, so you can identify what risks are associated with those strategies." You can also decide whether to take the steps to mitigate the risk or make the decision to just do nothing at all—the fix might cost more than the claim.

The methods for avoiding risk vary with the organization. Of course, adopting any type of risk process doesn't come free.  Think of the cost as an investment in the future of your association. Overall, the goal is to keep the number of claims down so you can control those costly losses. 

Susan Gurevitz is a freelance writer based in Pennsylvania. Email: [email protected]