Melissa Musser
Melissa Musser, CPA, CITP, CISA, is a principal at GRF CPAs & Advisors in Bethesda, Maryland.
For years, associations have taken a siloed approach to risk management, focusing on areas like cybersecurity. More are now widening their nets, using ERM to ensure unexpected dangers don’t derail their association.
When it comes to risk management, some may think of areas like IT, investment risk management, or risk events that can be covered by insurance, but these are just silos, or pockets, of risk.
An increasing number of associations have embraced enterprise risk management (ERM), which is a structured and continuous process designed to provide an organization’s board and senior leaders a strategic perspective of risks so that they can be managed proactively.
Short- and long-term benefits of implementing ERM include prioritizing limited resources, making timely decisions, accomplishing strategic objectives, integrating varying views of risk management (i.e., eliminating silos), increasing member and stakeholder confidence, enhancing governance, and aligning strategy and culture.
In ERM, associations conduct a risk-rating analysis, where they identify and evaluate all risks to achieving the association’s objectives. This builds a “risk universe.” To facilitate the risk evaluation process, associations can use risk surveys, risk workshops, interviews, past risk events, and industry risk events.
To implement ERM, associations should begin by securing buy-in and approval from the board and then designating a champion or committee dedicated to and responsible for risk mitigation. Logically, a growing number of chief financial officers are leading ERM initiatives for their associations since most have already been designated to oversee financial, IT, and HR risks. Many organizations are also instituting internal risk councils consisting of executive management and “risk owners,” such as representatives from HR, IT, marketing, and so forth.
Although managing risk is a serious endeavor, there is no right or wrong way to formalize ERM. Associations should educate the board, management, and staff on ERM goals and objectives and begin with what makes the most sense within their organization. You can start simply with an assessment of risks and progress to more sophisticated models of risk management as your organization grows and evolves.
The association should determine who leads and participates in the risk assessments, what action steps to include, how best to resolve conflicts, and what documentation and reporting are preferred. Incorporating technical experts and consultants in the process helps develop sound ERM procedures, mitigation plans, and effective board reporting tools. For guidance, consult frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management – Integrated Framework and ISO 31000 (Risk management – Guidelines) from the International Organization for Standardization.
The best ERM programs keep risk management simple by focusing on the following:
With ERM, the risks with the highest combined “likelihood” and “impact” scores are the ones the board should be monitoring, for example those that fall in the red or orange cells of a likelihood-and-impact heat map. This helps the organization focus on the risks that truly affect the organization, rather than on a single stakeholder’s view of priorities. Ultimately, ERM is based on the board’s and management’s expectations regarding acceptable levels of risk (i.e., the organization’s risk appetite) for the risks that directly affect the organization’s strategic goals and objectives.
The ERM process provides the board with the top enterprise-wide risks for strategic planning purposes, but the association benefits in many other ways as well. By performing these exercises to gather and assess risks, the organization is also creating a culture built around risk-aware and risk-conscious decision making. ERM changes the culture, and culture eats strategy for breakfast.