Not-for-profit enterprises (NFPs) are often galvanised around delivering on a clear and compelling mission. The biggest obstacle to delivering that mission is often money, leading to non-critical functions being run as leanly as possible. Among the functions perceived as non-critical is often risk management.
This article identifies key risks for NFPs and suggests why they differ from key risks in other sectors.
NFP Board members are often not remunerated and are not subject to regulation such as the Financial Accountability Regime, as are their counterparts in financial services.
The combination of these factors means that risk management in NFPs can receive less focus than is needed.
What are the key risks for NFPs?
In the digital age, everyone is exposed to cyber risk. NFPs often store large volumes of confidential, personal, and sensitive information about both their clients (for example medical information about vulnerable people) and their donors. So, the combination of cyber risk and privacy risk can be a major concern.
Many NFPs need a greater focus on their data risk. What data is being collected? And shared with which third parties? How well is the data protected? But also, how complete and accurate is the data? How well is it understood, along with data-driven insights? And what are the legal and ethical responsibilities that go alongside the collection, storage and analysis of data?
When NFPs run non-critical functions as efficiently as possible, they often outsource a lot of these functions to third parties, which leads to a significant third and fourth party risk.
Interactions with third parties leads to more risks than just outsourcing. NFPs are often very trusting environments, with staff, donors, volunteers and beneficiaries all united around the common mission. This can lead to a heightened fraud risk, from either internal or external parties, who find ways to abuse that trust to achieve personal gain (including, for example through money laundering).
There is a temptation for NFPs to hold minimal capital as a demonstration of efficiency, but a hold-up in cash inflow then compromises their ability to keep providing services so liquidity risk or even ongoing viability becomes an issue.
NFPs, like all enterprises, should actively manage their strategic risk. How sustainable is their mission? How well is the NFP set up to deliver on its purpose? Vibrant NFPs often have a suite of projects underway, which brings with it a focus on project risk.
If money is the major obstacle to NFPs in delivering on their mission, then people are often the biggest facilitator to achieving that mission. People risk in NFPs can take a different guise than in commercial institutions. Most NFPs don’t link remuneration with performance which can make it difficult to both recruit and retain people. The non-financial motivation to work for, or volunteer, at an NFP can ebb and flow, needing frequent monitoring.
Over a longer horizon, NFPs tend to be exposed to ESG risk. Whether it be environmental, social or governance-related, NFPs usually have a leaning towards delivering on an ESG purpose, but might not be fully up to speed in measuring, monitoring, and managing their ESG risks.
NFPs include some of the most trusted brand-names, which makes them extra-exposed to reputation risk. Social media can both build and destroy reputations. Slip-ups in any of the aforementioned risk areas can lead to reputational impacts if not managed carefully.
Case Study
Guide Dogs NSW/ACT has a strategy to lead the charge towards an accessible and inclusive world by 2030. This requires some significant changes, so they brought in PFS to help manage the associated risks. The initial focus of risk discussions was at Board and Executive level, where PFS helped to refresh the risk appetite, and to uplift the enterprise risk register. These key elements of the risk management framework are now integral to business planning. Guide Dogs has been careful not to overspend on risk management activities, and has focused on the actions needed to operate within appetite. An increasingly mature approach to risk management has helped Board and management to communicate with confidence to both internal and external stakeholders.
So how should NFPs set themselves up to manage those risks
NFPs tend to deliver products and services to the extent that funds permit, rather than relying primarily on delivering on contracts, which is the norm in the for-profit sector. Therefore, the consequences when NFPs fail to deliver are not as severe which allows them to operate with a higher risk appetite.
A higher risk appetite means that NFPs can maintain a lighter-touch risk management framework than their for-profit peers, with less risk monitoring and control testing. A well-run NFP still needs to understand its risk profile, and to manage its risks to be within appetite. Building and maintaining a proportionate risk management framework can be a competitive advantage particularly when embedded in the strategic and business planning process.
Conclusions
Embedding fit-for-purpose risk management enables NFPs to focus their efforts on delivering on their mission, by clearing away the obstacles without applying heavy brakes.
Key risks for NFPs often include:
- Cyber
- Data
- Outsourcing
- Fraud
- Liquidity
- Privacy
- Strategic
- Project
- People
- ESG
- Reputational
- Third-party
