Many nonprofit organizations use an upcoming audit as a time to consider risks within their organization, not only to potentially get ahead of an internal control review, but to make the audit process smoother for their team. However, instead of the usual scramble to find risks and patch them before the auditors begin their work, successful organizations tend to consider approaching risk from an ongoing perspective, including building a culture of risk identification, using technology to create better processes and internal controls, and creating a long-term plan for risk management. Below, we’ll examine how nonprofits sit in a unique risk landscape and how teams can effectively navigate risk in the present and for years to come.
The Unique Nature of Risk in Nonprofits
The nonprofits’ mission focus and company culture is what makes them unique. However, these qualities also are what makes unmitigated risks of greater concern.
Unlike for-profit organizations, nonprofits are built around mission-driven work that positively affects a specific audience. More than reducing costs or protecting against fraud, risks in a nonprofit can compromise the organization’s ability to meet its mission. Nonprofit organizations need safeguards to help ensure they’re gathering data and documentation to prove they’re meeting program outcomes so they can continue their work into the future.
It’s also important to consider that employees in nonprofits often wear a variety of hats. While it would be ideal for nonprofit organizations to have well-defined departments and departmental roles, the reality is that most employees are doing anything they can to meet the organization’s goals. This increases risk exposure because employees simply don’t have the bandwidth to constantly monitor for and mitigate risk. It’s much easier to “do what we’ve always done” than to change processes and update procedures to avoid risk.
You may be thinking, “How exactly do we mitigate risks in our organization if we don’t have the resources to do it?” The reality is taking the time to put processes and procedures in place to help mitigate risks now can save nonprofit teams hours of time in the future, not only during an audit, but also in the organization’s daily operations. Nonprofit organizations can use the following road map to take steps to reduce risk while increasing efficiencies.
Size Up Your Organization for Risk
The first step in looking for risk is to talk to your people. Because nonprofit employees are often individually involved in various areas of the organization, they may be aware of risks present both within the finance team and across departments. It also builds a sense of inclusion in the risk process, which will be crucial as the organization moves to lessen risks.
The second step in considering risk is to talk to your auditor. Nonprofit auditors should know the ins and outs of internal control best practices and can identify where your organization may be susceptible to risks and present suggestions for improvement. Don’t wait until the actual audit; keep an open dialogue with your audit team to discuss any risks or areas where the organization needs to focus on mitigation tactics.
These two steps should give nonprofits a preliminary, yet robust, list of risk areas in the organization. This list can then be scrutinized to see if there are areas that are higher priority than others, or where there is opportunity to potentially reduce several risks or risk areas at once.
Build a Solutions-Based Approach to Help Mitigate Risks
Before jumping into finding remedies for various risks, it’s a good idea to create an internal risk team or committee responsible for championing internal control changes. This should be a cross-functional team within the organization that has a strong internal network. Changes tend to work best when they come from trusted sources; it’s important this group is enthusiastic about the changes and can create interest in change throughout the organization.
Once a risk team is formed, it’s time to start building a solutions-based approach. This can be developed through best practice research, talking with your auditors, interviewing key staff, and looking over current processes and procedures. This research can help the organization identify gaps between what should be happening and what is currently happening and create a foundation for a solutions-based approach regarding risk.
The next step is to build processes and procedures around new internal controls meant to mitigate risk. Try to make this step as interactive as possible; the risk team should spearhead building the processes and procedures with input from the people who must adhere to them. This enables an organization to obtain end-user input while creating buy-in to controls since they’re built by the people who must utilize them.
This also is a great opportunity to see if there are ways to streamline existing processes while simultaneously mitigating risk. Are you performing manual bank reconciliations that are prone to error? Is documentation running through email without a clear audit trail? Is there a manual approval process for grant applications? There may be opportunities to leverage new technologies to not only reduce risk but increase efficiencies, create better data gathering and interpretation processes, and build job satisfaction within the organization.
Gauge Risk Mitigation Resources
Now that your organization has spent time and resources to create more robust internal controls and processes and procedures to help mitigate risk, it’s time to see if they work. However, before jumping into any evaluation techniques, the risk team needs to create a plan to provide training and reinforcement on the new tools and processes in place. Processes and procedures only work if they are adopted, and spending some time making sure employees are utilizing the new way of doing things is essential for risks to actually be mitigated.
Once there is a high level of adoption within the organization, you can start testing risk areas. If you retest a risk area and there doesn’t seem to be improvement, i.e., if employees continue to do things the old way, it’s important to take corrective action through additional training or awareness. It also may be that the risk wasn’t mitigated through the processes and procedures put in place. If so, it should be reconsidered by the risk team to see if other remedies exist.
It can seem like a heavy lift, but putting resources into building a strong culture of risk awareness, mitigating current risks, and creating an ongoing road map for developing resources is well worth the time and effort. Your nonprofit will reap the benefits through more efficiencies, better job satisfaction, and a stronger ability to meet the organization’s core missions going forward. If you have any questions or need assistance, please contact a professional at Forvis Mazars.