Risk management is as critical in the not-for-profit sector as it is in the for-profit world. The more common definition of risk is the chance that events prevent an organization from achieving its objectives. In reality, risk is the possibility that events will affect the achievement of objectives. The effect of these events may be negative. But they may also be positive and provide new or better opportunities. Nonetheless, the word “risk” is often associated with adverse outcomes.
Charities and other not-for-profits face increasingly complex environments, including issues related to cybersecurity, anti-money laundering, anti-bribery and anti-corruption, anti-terrorism, remote work, virtual meetings, preserving charitable status, lobbying, fundraising, workplace violence and harassment, health and safety and employment standards law, and other matters.
Like for-profit entities, not-for-profits had to face the risks associated with the pandemic, including the risk of funding loss, high staff absenteeism, and various other pressures on reserves. There are ongoing risks from conflicts of interest and ethical violations or perceived violations by directors and officers—some brought on by pandemic issues (see First Reference Talks blog entitled “What should charities do if they find out that a board member donated to the Freedom Convoy?”).
Like for-profit entities, not-for-profits must keep abreast of changes in the laws that may affect their operations, for instance, tax, lobbying, cryptocurrency (maybe), privacy, business incorporation, or intellectual property laws.
Risks increase as not-for-profits get larger or more complex in structure or other variables. For instance, moving from an unincorporated not-for-profit to a registered charity structure creates exposure to a wide range of risks, including compliance with provisions of the Income Tax Act and Canada Revenue Agency policies and procedures.
Not-for-profits face a double-edged sword: they encounter many of the same risks as for-profit entities but often have considerably fewer resources to manage those risks. Additionally, in many cases, the public, regulators and others have much higher expectations of not-for-profits. Consequently, when a risk crystallizes into an actual adverse outcome, the reputational or other damage can be catastrophic for the not-for-profit.
A robust enterprise risk management (ERM) system is essential for not-for-profits. An ERM is an organized and systematic approach to identifying, evaluating, and managing risks. The starting point is risk assessment or identifying the organization’s exposure to risks—in other words, identifying the risk profile.
In short, risk management consists of eight activities, which may, in turn, be divided between those associated with risk assessment and the management of those risks.
Risk assessment is the identification and understanding phase. It involves the following steps:
- Identify major risks, both internal and external
- Judge their likelihood
- Understand the nature and scope of the impact of the risk
- Understand the benefits of taking the risk
Risk management is the decision and response phase. It involves the following steps:
- Select a response to the risk
- Design and maintain control activities
- Communicate information about controls and risk responses internally and externally
- Monitor developments around the risks and continuously improve risk response systems
Meeting your duty of care
Implement a robust ERM system to identify major risks, both internal and external; judge their likelihood of occurring; understand the nature and scope of impact of the risks; and understand the benefits of taking the risks. Then, select appropriate responses to the risks; design and maintain procedures to control risks; communicate information about controls and risk responses throughout the organization or externally; monitor developments related to the risks; and continuously improve ERM systems. Log in to Not-for-Profit PolicyPro and see SPP NP 2.05 – Risk Management for detailed guidance.