The Audit Committee’s Role in Managing Nonprofit Risk
The audit committee role has been required for companies listed on the New York Stock Exchange since 1978. The governance standards for nonprofit companies somewhat follow the governance standards for listed and non-listed companies. Understanding, monitoring, and managing risks is a fundamental part of running any operation.
As with listed companies, the focus of the audit committee role for a nonprofit organization is financial reporting and risk assessment. Many nonprofits tend to put more weight on their role in financial reporting than on risk management, but risk management is just as important.
Nonprofits face essentially the same range of risks as public companies. Among the risks that nonprofits should be considering are environmental, financial, legal, operational, strategic, technological, and regulatory.
Where Does the Audit Committee’s Responsibility Lie with Risk Management?
Another way in which nonprofits resemble public companies is that there is no generally accepted way for audit committees to be involved with risk management. Every organization has to navigate its own best path towards defining the audit committee’s duties and level of responsibility.
Audit committees can’t monitor all risks alone. It generally takes some involvement by several other board committees. Risk management generally begins with some collaboration between management and audit committees where they determine risk. Normally, they document this in some type of risk register.
From there, both parties need to determine how to mitigate risks to an acceptable level. Internal controls, which are another important area for audit committees, should be set up so that the board has assurance that risk assessment and mitigation are being handled with due diligence.
As a word of caution, boards sometimes mistakenly believe that because they’re receiving regular presentations on risk management, internal controls are automatically occurring, which may not be the case at all. Audit committees need to review and monitor the intersection between risk management and internal controls.
Opportunities Carry Risks
Nonprofits will have to take some risks in order to take advantage of opportunities. Nonprofit boards often focus too much on how to avoid risks and not enough on connecting risks with strategic planning so that they’re making wise decisions.
A Deloitte report called “Taking Aim at Value: Avoid Overconfidence and Take a Look at Risk” recommends that organizations begin to take a stronger approach towards value creation and risk.
The report states that nearly 90% of boards recognize that risk management should focus on value creation and not just avoiding risks. At the same time, slightly less than one in five boards are changing their approach to opportunities and risks.
Defining a Board’s Approach to Risk Management
Boards have several options when it comes to how to cover all aspects of risk management. The audit committee, the board, the executive committee, and the external audit committee (if there is one) all have roles in risk management. The question that boards have to answer is which duties and responsibilities to assign to each group, and they need to be clear about how they expect each group to carry out its role. In particular, boards need to delineate duties and tasks between operational and strategic issues.
Before they can make these decisions, they need to decide what training, qualifications, and experience they feel are best for audit committees to have because of the wide range of risks that the board needs to be sure are being managed.
It’s pretty much a given that the audit committee takes the lead role in risk management over financial risks. Boards will also need to decide how much responsibility their audit committees should have over non-financial risks.
Nonprofit organizations don’t always have separate risk committees. As they grow in size, it will be important to consider at what point they’ll need to form a separate risk committee that reports directly to the board. Under all circumstances, boards need to ensure that they’re set up so that they won’t be overlooking any significant risks.
Setting Up Internal Controls
A sound system of internal controls provides protection for the stakeholders, clients, and volunteers of nonprofit organizations. Boards should ensure that their system of internal controls is strong enough to help them fulfill their goals and objectives.
Internal controls should comprise the policies, processes, tasks, and other aspects of the organization that collectively facilitate effective and efficient operation, so that the organization can respond appropriately to the various risks that it may encounter on the path to achieving its objectives.
Nonprofit boards should especially be vigilant about potential losses due to fraud and risks generated by employees or volunteers either intentionally or unintentionally. A modern board management system like BoardEffect allows nonprofit organizations to maintain the proper records and processes that transfer information between internal committees and external stakeholders.
Perhaps more importantly, the BoardEffect board management system is highly secure, which means that the various committees that are involved in risk management and internal controls can share files and documents and send messages securely without creating an unintentional risk. The board management system is also the perfect place to record all the details of the nonprofit’s risk management plan so that there’s no misunderstanding about where the responsibilities lie for identifying risks, managing risks, and overseeing risks.
Final Thoughts on the Audit Committee’s Role in Managing Risk
Risk management is a highly important board activity. Boards need to give risk management more thought and attention than just checking boxes related to where the responsibilities lie. Managers should be as engaged in risk management as they possibly can be. Boards need to revisit their risk management plans periodically to ensure that their system design is working as they intended it to. The nonprofit climate is sure to change over time. Changes in society will occur over time. Boards will need to be forward-thinking so that risk management plans are appropriate for the organization’s future needs as they progress in their efforts. On a positive note, boards have the necessary flexibility to make changes in their infrastructure to accommodate a customized risk management plan.