Has your board been talking about risks? The conversations about risks and ERM (enterprise risk management) have been continuing. No matter where you are on the ERM journey this session will help you learn about the process to identify, prioritize, and remediate the major strategic risks your organization is facing.
Our approach helps your organization not only respond appropriately to risks from increasing complexity, financial assistance programs, and information technology, but also explore possibilities and see opportunities it can’t afford to miss.
ERM, like continual improvement, is an ongoing process. We welcome you to join us for this one-hour session for Board Members, Presidents, Executive Directors, and Financial Executives of non-profit organizations and educational institutions!
Christine DiMenna and Marcus Harwood from the firm blumshapiro, a local CPA and consulting firm, gave a presentation on Enterprise Risk Management (ERM). As a principal in blumshapiro’s Accounting and Auditing department and a part of the firm’s non-profit group, Christine DiMenna provides audit and risk assessment services to colleges, universities, independent schools and healthcare organizations. Marcus Harwood, a partner and industry leader of Blum’s Educational Institutions Group, has extensive experience serving educational institutions. He interacts with school business managers, audit committees and boards of trustees and is responsible for audit planning, fieldwork and supervising staff.
Has your board been talking about risks? ERM, like continual improvement, is an ongoing process. No matter where you are on the ERM journey, it is important to learn about the process to identify, prioritize, and remediate the major strategic risks your organization is facing. You need to adopt an approach that helps your organization not only respond appropriately to risks from increasing complexity, financial assistance programs, and information technology, but also explore possibilities and see opportunities it can’t afford to miss.
Enterprise Risk Management is a strategic tool that helps agency management and boards evaluate risks that might impact the organization’s long-term strategic success and helps to identify, assess, and prepare for issues that may interfere with an agency’s overall operations. ERM is not just about what “can go bad”; it is about what prevents your agency from getting where it needs to go. It is inextricably linked to your strategic plan and mission. Any ERM plan needs to be a team project including management and the Board. It is not a stand-alone process.
Blumshapiro has broken down the ERM process into four phases. Steps one and two go hand in hand. Phase 1 is to identify members of the ERM committee and to document the ERM process and approach. Phase 2 is to identify risks and to prioritize them. Members of the ERM committee (risk owners) should conduct risk interviews with management, the Board, and key staff personnel. The committee should send out a memo with the questions ahead of time and indicate that participation is expected. Some sample questions can include the following. What are some of the major agency risks? What work issues keep you up at night? What stands in the way of you doing your job? The interviewer should ask for information about the participant’s department and view of the agency as a whole. You should encourage participants to open up; comments will not be attributed to names. Next, the ERM committee should meet to consolidate the identified risks into one list and then vet the list with management and the board. The next step is to prioritize the risks on the list through some sort of vote or survey tool. It is important to share feedback with those who participated in the process. The top ten risks should be ranked on the final list and then plotted on a heat map. An executive summary should be prepared.
Phase three is to develop risk mitigation work plans. Identify which risks to work on first and then assign a person in charge of that plan. Come up with a mitigation plan and then test it to see if it covers everything involved. The final phase is risk monitoring and tracking. You need to establish an ongoing system to monitor the work plan due dates, to monitor risks, and to review results. Risk mitigation plans can expose previously unidentified risks and/or opportunities in such areas as information technology, human resources, and data and analytics.
To summarize ERM, the following steps should be part of the process.
- Demonstrate the benefit of ERM
- Define risks
- Establish ownership
- Determine the appropriate approach
- Identify and quantify risks
- Prioritize risks
- Develop mitigation plans
- Implement mitigation work plans
- Report back on risks
- Maintain the ERM process