5 ways not-for-profit audit committees can use ERM


Not-for-profit organizations are facing a growing number of new and complex risks, magnifying the importance of implementing a comprehensive enterprise risk management (ERM) program.


ERM can help organizations go beyond reactive measures to proactively improve their resiliency and “risk intelligence.” An organization’s audit committee is perfectly positioned to support management as they identify, assess, monitor and respond to key risks and opportunities.
5 activities for the audit committee


To support a robust ERM program, a not-for-profit’s audit committee can perform these five activities:


  1. Oversee an ERM program.
    The mantra that “management does; the board oversees” applies here, as with certain other audit committee responsibilities. Management should “own” the ERM program. However, the role of the audit committee is to provide oversight and guidance as management reviews, inventories and evaluates key risks and opportunities. The audit committee should also recommend ways to mitigate top risks, or to take advantage of opportunities in alignment with the risk appetite that further strategic objectives and mission achievement and that the organization might otherwise forgo by being too conservative. As part of its risk oversight, the audit committee is responsible for supporting, and often challenging, management as leaders identify, evaluate and prioritize potential risks and opportunities along with their organizational impacts.

  2. Provide input on organizational risk appetite and thresholds.
    It’s important to document the risk appetite and foster alignment among leaders. The audit committee should help management establish and periodically review its ERM framework, including risk scoring criteria. This involves defining the organization’s risk appetite and establishing key risk indicators, such as metrics that may help predict the future occurrence of risks. This process helps to appropriately calibrate mitigations and measure the remaining level of risk.

    An organization’s risk appetite often changes over time and by risk area. For example, an organization might be willing to accept a reasonable level of financial risk while having a low tolerance for risks that endanger its reputation. Having a strong voice at the table to provide input on risk tolerance, or even to introduce the concept, is an important role for the audit committee.

  3. Review the risks identified by management.
    Reviewing the top organizational risks identified by management and evaluating risk response strategies is another important responsibility for the audit committee. Then, to ensure management is accountable for implementing risk mitigation tools and processes, the audit committee should monitor the action item(s) within established timelines and help ensure that all action items are properly resourced.

    Leading organizations often include ERM as a recurring audit committee agenda item. They use various approaches to keep the dialogue fresh, including status updates on top risks, deep-dive conversations on risk topics (with risk owners) and discussions focused on nascent and emerging risks. By varying the structure, topics and presenters, the audit committee can help promote engagement and discussion, as well as ensure that top risks are identified and routinely evaluated.

  4. Evaluate the effectiveness of ERM activities.
    The audit committee plays an essential role in evaluating the effectiveness of the organization’s risk management program. This includes periodically reviewing the organization’s risk assessment, monitoring, remediation and reporting processes. Increasingly, not-for-profits are engaging third parties to work alongside management in implementing ERM programs or evaluating and refreshing existing ERM programs. This practice can help ensure that the ERM program aligns with leading practices in identifying, assessing and mitigating the key emerging risks.

  5. Act as a forward-thinking partner for management.
    Audit committee members are often selected for their unique expertise, skill sets and capabilities that the organization can use to its benefit. Their fresh and objective perspectives enhance the organization’s risk intelligence and provide additional insights to management. These discussions encourage leadership to broaden their perspectives about the changing world and the technology that supports them.
It’s about your mission


In light of today’s economic and operational uncertainty, not-for-profit organizations are leveraging their ERM programs to improve their resilience, mitigate risks and take advantage of opportunities that support strategy and mission achievement.


The audit committee’s role in providing oversight, input, feedback and engagement for an organization’s ERM program is perhaps more important than ever. Engaging management in new ways can elicit new and valuable perspectives about key risks and opportunities that help maintain focus, remove barriers and prioritize investments in your mission.

Dennis J. Morrone

Dennis Morrone is the National Managing Partner of Grant Thornton's Not-for-Profit & Higher Education Practices.

Iselin, New Jersey
