John E. Craig
J. E. Craig, High-Performing Foundations: The Role of Risk Management, The Commonwealth Fund, February 2008.
With the collapse of Enron in 2000, the subsequent unexpected corporate failures and accounting scandals, and, most recently, the financial crisis induced by the breakdown of the subprime mortgage market, risk management has become a major focus of boardroom attention. The Sarbanes-Oxley Act of 2002, sparked by the Enron and Tyco scandals, has spurred the reorganization of audit and compliance committees to better inform corporate boards of the risks companies face, and to assist management in dealing with them.
While few of the Sarbanes-Oxley measures apply directly to nonprofit organizations, the legislation occurred at a time of elevated attention to best governance and operating practices within the nonprofit sector. The sector's heightened concern about best practices arose from media attention to examples of misconduct in some nonprofits in the early 2000s, followed by the Senate Finance Committee's exploration of how best to address issues of their performance and accountability. The vigorous response by the Independent Sector, through its own Panel on the Nonprofit Sector, culminated in this year's publication of Principles for Good Governance and Ethical Practice: A Guide for Charities and Foundations, which provides a framework for addressing many of the recognized needs for self-regulation by nonprofits.
While "risk" is not quite the four-letter word in the nonprofit sector that it has become in the corporate world, many of the principles advanced by the Panel on the Nonprofit Sector implicitly address it—for example, ensuring effective governance, annually reviewing the chief executive's performance, maintaining appropriate separation of duties for key functions, undertaking periodic reviews of board performance, providing strong financial oversight, having plans in place for protecting assets, complying with all applicable federal laws and regulations, and managing conflicts of interest.
It is possible, even, that the principles do not go far enough in acknowledging that risk management is as important in the nonprofit world as in the corporate sector, and deserves conscious and concerted attention—with respect not only to avoiding harm to institutions, but also to controlling risks so as to be able to seize opportunities. As Melanie Herman and colleagues at the Nonprofit Risk Management Center note, "[the nonprofit risk-management literature] often describes minimizing or avoiding risk as the ideal without paying any attention to the inherent and desirable risks that nonprofits must take to accomplish their missions. An organization that designs its risk-management activities solely around the goal of minimizing or avoiding risk will miss out on opportunities…. Risk taking is inherently positive." Harvard Business School professor Robert Simons elaborates on the constructive role that risk management plays in achieving organizational stability and strong performance as follows: "Taking risks is not in itself a problem—but ignorance of the potential consequences is an entirely different matter…. If managers are aware of the nature and magnitude [of risks], they can take appropriate steps to avoid the hidden dangers."
On the face of it, private foundations—in contrast to other nonprofits and corporations—operate in a relatively low-risk zone: effectively managed, their endowments free them from the need to generate revenues through the sale of products and services or to access capital markets to fund growth or shore up balance sheets; with rare exceptions, foundations do not compete for clients; except when self-initiated or in extreme cases of misconduct, they receive little media attention; and they are not accountable to any electorate. Ironically, however, the very set of circumstances that protects foundations from market, media, and political forces exposes them to fundamental risks. As noted in a Booz Allen Hamilton study of enduring institutions including the Rockefeller Foundation, a "negative effect of the robust risk-management system that endowments represent is that they can become insulating and shield the [foundation] from criticism and the pressure to perform well. Without a market test, the [foundation] must be motivated by loyalty and commitment to mission rather than by pressures from outside the organization. This can place a burden on the foundation to engage in constant and regular self-assessment."
In the wake of Sarbanes-Oxley, a blue ribbon commission of the National Association of Corporate Directors published guidelines for audit committees that identified risk assessment and management processes as one of the three core responsibilities of these committees, along with financial reporting processes and the audit function. In bringing their governance and oversight structures up to date in recent years, many foundations, including The Commonwealth Fund, have charged their audit and compliance committees with an annual review, together with management and the independent auditor, of significant operational and financial risk exposures and the steps management has taken to monitor and control such exposures, and with a similar review of the quality and adequacy of management's risk-management policies and procedures and its other internal controls.
In July 2006, the Fund's Audit and Compliance Committee initiated a process for formally assuring fulfillment of these charges, using the framework summarized in this report. Because the literature on risk management in nonprofits is very sparse, and that on foundations all but nonexistent, we thought the Fund's approach would be of interest to other foundations and the legislative and regulatory bodies that oversee them.