How Associations Can Create a Risk Report

February 27, 2017 By: Christian Spencer

Before you deliver a report on association risk to your board, make sure you know how to label and assign it. Here's a quick cheat sheet on how association managers can define and classify a variety of risks.

Who is responsible for monitoring and mitigating potential risks inside your association?

That's a question that came up at a recent audit committee meeting that I attended. The association's senior management team is not only responsible for identifying risks and developing processes to mitigate the occurrence of risks, but they're also responsible for educating their board of directors on the risk-monitoring process.

Although it may be debatable which committee is best equipped to monitor and review an association's risk-assessment process, it's critical that this responsibility is clearly assigned and executed as an element of a good governance structure. But even before this responsibility can be assigned, the association's senior management team must know how to define and classify risk.

What Is Risk?

Risk is defined as the potential for gaining or losing something of value. Something of value can be gained or lost by an association that takes, or fails to take, certain actions. Every action has the potential to affect the association's reputation in the community, as well as its members and constituents. Reputational risk is a common element shared by all other risks, as shown in this diagram:

[Figure 1: Risk Categories. Diagram showing the different types of risk, with reputational risk shared by all of them.]

Risks cover the following broad categories, but any one risk can cross several categories:

1. Operational risks impede an association's ability to conduct business and accomplish its program objectives. Some of these risks include the absence of a tested business continuity plan; lack of a good succession plan for key executives; outdated policies, procedures, and personnel manuals; and insufficient insurance coverage.

2. Financial risks jeopardize the security of an association's assets and can include insufficient internal controls over high-risk areas, such as expense reports and corporate credit cards, bank reconciliations, contracting and vendor relationships, wire transfers, and other cash disbursements. Inadequate financial reserves, the lack of available lines of credit, and outdated investment policies are circumstances that create additional financial risks for an association.

3. Compliance risks affect an association's nonprofit status and can result in governmental inquiries. These include engaging in activities that may be contrary to your tax-exempt status, reporting unrelated business income inaccurately or failing to report it at all, and not complying with the Department of Labor's rules and regulations around employee benefit plans.

4. Strategic risks are present when members or constituents don't see the value proposition in your programs or activities, which can erode an association's relevance, or when programs are ineffective and operating at a significant financial deficit. Competition, as well as political and social influences, can also present strategic risks to an association.

5. Legal risks can distract an association and its leadership from executing on mission, and they can also result in substantial costs to the association. These risks include an outdated employee manual or lack of enforcement for whistleblower protection policies or a code of ethics. In addition, loss of personal data, discrimination claims, antitrust activity, and breach-of-contract terms are additional areas of legal risk.

6. Information technology risks include a lack of enforced policies on data backups, failure to replace and update system hardware and software, and an absence of controls over access to your financial and operational systems. Other common risks in this category include failing to require complex passwords and their periodic change, neglecting to apply software patches, and failing to train staff on the appropriate use of email.

The Responsibility to Monitor Risk

An association's risk-assessment process should involve the identification, classification, and reporting of all potential risks. Although there are numerous ways to accumulate and report on this data, one commonly used method is the "stop light" method.

Management's goal with this report is to provide a transparent view of the association's current evaluation of risk to the board of directors, who are responsible for reviewing and/or challenging it.

Once a risk is identified, its disposition—mitigate, accept, transfer—must be determined through an action plan. For example, the action plan may include the following steps:

  • Increasing the use of specialized consultants in the areas of IT, HR, legal, accounting, and/or tax
  • Implementing enhanced internal controls over contracting, cash disbursements, credit card transactions, and payroll
  • Refreshing the association's strategic plan to adapt and adjust to a changing social, political, and economic environment
  • Instituting a standard process for reviewing and updating job descriptions, personnel manuals, accounting policies, and procedures manuals
  • Establishing a semi-annual schedule to review and test your association's business-continuity plan
  • Ensuring an annual review of your insurance coverage is performed and that your coverage is aligned with current risks, for example cyber liability coverage

After the action plan is executed, the residual risk is classified as one of the following:

  • Green: Risk has been substantially transferred and mitigated (by insurance or contract, for example). Minimal risk remains.
  • Yellow: Risk has been partially transferred and mitigated, but an acceptable level of business risk remains.
  • Red: An unacceptable level of risk remains after all actions have been executed, and immediate attention is needed to address this high-risk area.

Some associations have the entire board review the report, while others may create a risk or compliance committee or make risk review and mitigation a part of the finance or audit committee's charter.

Regardless of who is charged with monitoring risk, it's critical that a healthy discussion ensues on the risks, management's mitigation plan, and resulting residual risk conclusion. In addition, the composition of the committee should include those individuals who have experience in assessing risk. This team may also include business owners, financial executives, and other members in and outside of your industry.

Each risk assessment should occur on a predetermined basis throughout the year and be updated as association- and world-related events occur. Leveraging the collective experience of your leadership team is important to developing a comprehensive risk response that has buy-in from both management and the board.

Christian Spencer

Christian Spencer, CPA, is a partner at audit, tax, and consulting firm RSM US, LLP, in Washington, DC.