As seen in Crain's New York Business

For nearly three years, the only constant for not-for-profit entities has been change.

With the impacts of the pandemic, the return to work and migration to the new normal have challenged many organizations to pivot. Increasing costs, decreases in the supply of donors and volunteers, and now the potential for continued economic contraction have forced entities to adjust to the continuous waves of trials put before them. Not-for-profits are learning how to do more with less while remaining vigilant to emerging risks and new threats.

With so many internal, external and regulatory risks affecting not-for-profits, where do they begin in tackling risk?

ENTERPRISE RISK MANAGEMENT

You cannot address the risks that affect your organization without knowing what they are. When people hear the term “enterprise risk management,” they often think of a time and resource-intensive, overly complex process typically associated with larger for-profit private or public companies.

This is not necessarily the case.

Risk management is the process of identifying, assessing and controlling threats to an organization’s assets or goals. ERM is a holistic approach to risk management that considers risk across the entire organization.

An ERM plan should be a proactive, multidimensional process of identifying, assessing, documenting, and preparing for potential negative outcomes. Prioritizing between key events which are manageable, and those that could harm or bring down the organization are important elements. The goal of such an assessment should be to reduce business and reputational impacts and aid the organization in meeting its goals and mission.

Key elements of a successful ERM process include:

• Scheduling the appropriate people and time: As mentioned, this is a multidimensional process. Including key members of each department within the organization is important. Ample time to identify areas of concern, prioritizing the risks, discussing potential remedial activities to address them, and establishing the person team for each action are key.
• Identify all risks: Focus on risks that could negatively affect the organization’s operations, ability to raise funds or strategic direction. The initial discussion should put all risks on the table, regardless of how likely or unlikely they are to occur.
• Focus on most impactful risks: Once all the risks are identified, categorize and prioritize them to determine which could have the most negative impact on the organization and which are most likely to occur. Tools such as SWOT analyses, which look at strengths, weaknesses, opportunities and threats, and heat maps or risk registers are useful.
• Remediation: Discuss plans to address the identified risks and the person or team responsible for managing the resolution.

CYBERSECURITY RISK

One of the hottest areas of focus within an ERM program is cybersecurity risk. During the pandemic, hackers were picking up steam and taking advantage of already-strapped organizations that were trying to adjust to the new remote work environment and decentralization of people, processes and technology. Void of empathy and agnostic to industry, hackers used this opportunity to strike, morphing their traditional systems or hardware-based strategies to socially based tactics, focused on the weakest link of most organizations—their people.

The statistics tell the story of how rampant these attacks are as well as the repercussions should a data breach occur:

• Average cost of a data breach is $4.35 million
• Average number of days to detect and contain a data breach is 277 days
• 43% of cyberattacks target small organizations
• 82% of breaches involved a human element (phishing, misuse or error)
• 83% of organizations have had more than one breach

The following list of actions is a sampling of what an organization can do to harden its cybersecurity and reduce its chances of becoming the next victim.

• Cybersecurity risk assessments: If you do not know what data and assets you have or how well they are being defended, it is virtually impossible to protect your organization from cyberattacks. Completing a cybersecurity risk assessment will help you identify your most critical systems and data, recognize and prioritize gaps, and build a road map to a safer and more secure environment.
• Security awareness training: Since the genesis of more than 91% of data breaches is a spear phishing attack, it is imperative to train employees to identify and avoid this threat. Every employee, including those being newly onboarded, should be provided with the training needed to recognize and avoid these attacks. Simulated phishing emails should be considered to augment the training.
• Resilience: The testing of disaster recovery and incident response plans is an excellent way to accelerate the response and recovery process and minimize the damage caused by a cyberattack. In addition to developing these plans, acquiring a cyber insurance policy to help blunt the many costs associated with a cyberattack is critically important.

INTERNAL CONTROL RISKS

As mentioned earlier, not-for-profits are trying to maintain operations with fewer people wearing multiple hats. Finance departments, which were already strained to ensure proper segregation of duties, suddenly found themselves working remotely and performing duties that provide ample opportunity for error because of a lack of supervision or even fraud.

Organizations have several steps they can take to better protect themselves from the risks that deficient internal controls may bring:

• Perform an internal controls assessment: This is similar to a risk assessment in that you will not know you have an issue until you evaluate your processes and controls. Focus on processes that have access to cash or assets, that have cycles with significant amounts of change or that have one person doing many tasks.
• Implement positive pay: With increased check and wire fraud, what used to be a convenient feature offered by banks is now critical. Positive pay involves providing your bank with a list of all checks issued, so that only authorized checks are paid. Positive pay should be implemented for all significant disbursement accounts.
• Strengthen controls related to changes in customer or vendor master files: All changes requested by customers or vendors to their master files should be verified verbally via the phone number the organization has on file. Email requests should never be relied upon.
• Ensure proper segregation of duties: If any cash management functions are performed by the same person, restructuring should be considered or additional mitigating controls should be put into place.
• Perform timely completion of account reconciliations: Account reconciliations, especially for cash and other treasury accounts, should be performed timely after each period ends to detect unauthorized transactions.

The ability to navigate the ever-changing landscape of this post-pandemic world, which is filled with old and new risks and threats, needs to be top of mind for all not-for-profit organizations.

A proactive and continuous approach will aid in ensuring the long-term sustainability and financial health of your organization so that you can focus on what counts: your mission. For more information, contact John Eusanio at jeusanio@citrincooperman.com, Michael Camacho at mcamacho@citrincooperman.com, or Kevin Ricci at kricci@citrincooperman.com.