

TOP 10 RISKS FOR ASSOCIATIONS

ASSOCIATION RISKS THAT SHOULD BE DISCUSSED IN YOUR BOARD ROOMS

Aronson’s ERM Initiative | http://www.aronsonllc.com/ | Call Us: 301.231.6200

LINKING STRATEGY WITH RISK


Top 10 Risks for Associations

TABLE OF CONTENTS

Enterprise Risk Management (ERM) | Top 10 Risks for Associations

1. Innovation and Large Scale Transformation Risk

2. Privacy Please! Does GDPR apply to you?

3. Culture and Conduct Risk

4. Third-Party Risk

5. Cybersecurity Risk

6. Tax Law Changes

7. International Tax Risk

8. Revenue Recognition

9. Fraud Risk

10. New Presentation of Liquidity Information in Financial Statements

Associations Driving Value with ERM | Call to Action

About Aronson

Appendix: Example ERM RFP


ENTERPRISE RISK MANAGEMENT (ERM) Top 10 Risks for Associations

Innovation and Large Scale Transformation Risks

In all our client engagements, we partner with organizations to understand their needs and design services that support the strategic mission and add value to the organization. Below, our team of experts has highlighted emerging risks that span an association’s risk universe and that boards should keep on their radar.

New products, services and technologies can enable amazing growth, but these innovations can carry significant risks. The main reasons for innovation failure can be summed up as:

• Inappropriately trained teams not devoted to the initiative
• Inflexible or ineffective project management

Transformation affects the people, processes and culture of your organization. The culture of innovation needs to not only be at the executive level, but all the way down to the execution teams. One of the key factors in successful transformation is having executive management “sponsor” the transformation initiative. Doing this promotes the following:

• Gives the project teams the authority they need to promote organizational culture change effectively.

• Provides effective oversight that can keep the teams’ work aligned with the organization’s strategy and objectives.

• Allows for legitimacy within the organization as it fosters an effective and trusted approach.

How do you know whether your project was officially a success or a failure? Based on input from executive management, the project should be considered a complete success when the following are true:

• The project satisfied the requirements defined by the organization.
• Successful project delivery meets or exceeds schedule and budget targets.
• Project participants have pride of ownership and feel good about their work.
• The customer/stakeholder requirements are met and are measurable.
• Strategic objectives are now supported.
• Project results instill confidence in the process.
• Measures are in place for continual monitoring and evaluation.


When starting your transformations, prepare your team to succeed by considering the following:

• Align – your strategic plan to your project mission and objectives.
• Sponsorship – identify someone at the executive level to sponsor the project.
• Gap Analysis – map your transformation plan to your existing environment.
• Communicate – ensure the project stakeholders understand the benefits and challenges of the initiative.
• Monitor – during the transformation initiative, ensure the project management teams have appropriate approvals for changes to the plan.

Privacy Please! Does GDPR apply to you?

Are you ready for the General Data Protection Regulation (GDPR)? Taking effect May 25, 2018, GDPR is the most important change in privacy in 20 years.

Why was this legislation enacted?

In the wake of scandals such as Target and Equifax, data privacy is now top of mind for regulators seeking to protect individuals’ “fundamental rights” over their personal data. GDPR lays out requirements that organizations must comply with when collecting personal data of European Union (EU) residents. In brief, you must obtain consent from the individual before you may process their personal data. The consent must be explicit and cannot be a pre-selected box. Organizations will need to keep a record of the consent and also inform people of their right to withdraw it. At any point individuals may request erasure of their data and/or ask for a breakout of their data. GDPR also requires an organization to report a breach within 72 hours. You can see the other main aspects of the legislation at https://www.eugdpr.org/eugdpr.org.html

Who must comply?

Any organization that offers goods or services to, or monitors the behavior of, EU persons must comply with GDPR. It applies to all organizations processing and holding the personal data of individuals residing in the EU, regardless of the organization’s location. So for U.S.-based associations, if you are targeting EU residents to become members, converting your marketing materials into EU languages, or processing data of an EU resident, it is likely you must comply.

What are the penalties?

Failure to comply with certain articles of GDPR may result in significant fines of up to 4% of global annual revenue.

How to prepare?

• Read through the GDPR and answer vital questions.
• Conduct a GDPR risk review to see the scope and applicability to your association.
• Perform an initial gap analysis to identify key areas of noncompliance.

In the future, aspects of the European GDPR are likely to find their way into other regulations as well. Organizations should start to prepare their policies and procedures for this change. It is therefore important to keep a list of:

• Which data you process,
• For which purpose data is processed,
• Where you received the data, and
• With whom you share data.

Culture and Conduct Risk

Headlines speak for themselves: from sexual harassment to bribery, reputation damage can be the one thing from which an organization cannot recover. Below are some culture and conduct risk best practices to benchmark your association against.

Tone from the Top

Senior management and the board should ensure cultural values are reflected in the organization’s strategy, risk appetite, and compliance frameworks. Consider annual board retreats where the strategic plan is updated and enterprise risk management initiatives are implemented. Hold annual townhall gatherings to ensure the proper tone is conveyed from the strategic plan down to each employee.

Assurance - Three Lines of Defense

Senior management and the board should ensure the risk management frameworks are in place, monitored and enforced.

The Operational Management Line of Defense has ownership, responsibility and accountability for maintaining effective internal controls and for executing control procedures on a day-to-day basis. There are several frameworks (e.g. COSO, NIST, ISO, COBIT) operational management can leverage.

The Enterprise Risk Management (ERM) Line of Defense monitors and facilitates effective risk management practices and reports risk related information. The responsibilities of these functions vary, but can include:

• Providing an evaluation of top risk reporting to the governing body.
• Identifying known and emerging issues, holding risk workshops and facilitating risk surveys of entity-wide operations.
• Assisting management in developing processes and controls to manage risks and known issues.
• Providing training on policy and procedures, and controls compliance.

The Internal Audit Line of Defense provides independent assurance on the effectiveness of the first and second lines of defense to the organization’s governance and senior management. In some organizations the role of internal audit is combined with elements from the first two lines of defense as follows:

• Facilitating the organization’s ERM program.
• Assisting with monitoring procedures for handling whistleblower hotline complaints, including the related procedures for confidential, anonymous submission of concerns.

The establishment of an ERM and internal audit function need not be a major investment and can be internal, out-sourced or co-sourced.

“It takes 20 years to build a reputation, and five minutes to ruin it. If you think about that, you’ll do things differently.” - Warren Buffett

Consider adding the following to your employee onboarding checklist:

• Mission and Values Statement
• Ethical Conduct including Conflict of Interest and signed certification
• Training
  • Security
  • Sexual Harassment
  • Diversity and Inclusion
  • Ethics

Training should be provided to new managers in the following areas:

• Basic Employment Law
• Interviewing Skills
• Performance Reviews
• Sexual Harassment
• Supervisory Skills
• Diversity and Inclusion

All employees should be given training and refresher courses that provide the opportunity for improvement and to keep them informed of new policies and procedures. Individual and group training needs should be analyzed and training plans should be developed accordingly.

Training

Senior management and the board should ensure training is available to maintain employee knowledge about the organization’s values and the behaviors expected of employees. Mandatory trainings should ensure new hires, new managers and all employees are provided the required trainings on an ongoing basis. Training content should be reviewed annually to confirm its adequacy and relevance. Attendance should be tracked and documented.

Incentives and Pressures

Senior management and the board should also ensure that the organization’s incentives and internal promotions are linked to good conduct. Consider reviewing your organization’s employee performance policies and procedures to ensure appropriate internal practices.

Governance and Effective Communication

Senior management and the board should promote a culture of open communication and effective challenge to allow current practices to be tested. It’s important that there is direct access to the board and leadership team and that there is a process in place for reporting to the board on culture, conduct and compliance issues.

Form 990, the annual information return filed by associations, asks exempt organizations to state whether the organization has adopted a whistleblower policy. Consider creating a policy or reviewing your existing one for adequacy. Whistleblower policies can give the organization’s senior management and board opportunities to learn of unethical or unlawful practices directly from their employees and volunteers rather than from the media or law enforcement!

Culture can be one of your association’s most important intangible assets. Your board should be educated on the value of linking culture risk to its financial and sustainable performance.

Third-Party Risk

A third-party vendor is an ancillary process outside the control of your organization that performs a function or provides a service, for example a payroll processing company or an IT provider. Although your organization may rely on third-party service providers, your management team carries the ultimate responsibility for maintaining an effective internal control system. Taking ownership of this third-party responsibility has become one of the biggest hurdles for organizations as more and more processes move to third-party providers! No one remembers the name of the HVAC vendor that led to the Target hack. Your organization holds the bag when a breach of data or material misstatements on your books occur.

Your association should understand the type of data being shared with third parties, the level of access they have into your environment and the controls around ensuring the information is complete and accurate when flowing into your financial reporting system. For relationships where private data is shared, IT access is provided or significant operations rely on the third-party vendor, management should implement a third-party risk management (TPRM) review process on these vendors. For example:

• Tier 1 – Critical vendors (10%) – private data + critical systems
• Tier 2 – Major vendors (40%) – private data OR critical systems
• Tier 3 – Vendors (50%) – commodities/low risk purchases

Your association will want to develop a TPRM process that identifies what procedures will be performed for each assessed tier of risk. For tier 1 vendors you will likely want to include the following in your vendor assessments:

1. Overall risk assessment
2. Financial projections
3. Insurance review
4. Background check
5. Legal contract review

Having a TPRM program helps reduce the likelihood and impact of data breach costs, operational failures, vendor bankruptcy, and reputation damage. Don’t have a TPRM program yet? Below are some suggestions on how to implement TPRM controls now:

• When engaging vendors, ensure your evaluation process and/or request for proposals (RFP) includes consideration for meeting your organization’s baseline internal controls standards.

• Periodically evaluate key performance indicators (KPIs) of service providers with respect to the service requirements indicated in the service level agreements (SLAs).

• Request and review Service Organization Control (SOC) reports and determine whether follow-up actions are necessary.

• For third-parties that interface with your accounting system, ensure there are adequate controls around batch processing to review for synchronization errors that may occur.

Final takeaway: don’t decide on a vendor too early in the process; best price does not equal best vendor. Associations should be focused on meeting their baseline control requirements. Employ your internal audit department or an outside consultant to audit your TPRM process. This is not just a one-time event…you must audit this critical process again and again to guarantee compliance with your program and evolve the design in this rapidly changing environment.

Cybersecurity Risk

As we move further into the year, we can rest assured that cybersecurity will continue to be a topic of interest for organizations of all types and sizes. In particular, those organizations who have regulatory mandates and those tasked with protecting sensitive internal and customer data have information security risks on their radar as the threat landscapes continue to shift. Although by all means not a comprehensive list, below we discuss some of the key cybersecurity risks, and how organizations are tackling the risk mitigation process.

Migrating to the Cloud:

Associations are migrating, or partially migrating, to cloud systems given the ease of transitioning systems, the eased burden of managing IT infrastructure, and the availability of support around the clock. Many of the key cloud service providers are well known for their robust security practices, with many of the key players having obtained compliance with industry standards and regulations such as ISO 27001, SOC 2/3, and FedRAMP; however, there appears to be a gap when it comes to providing oversight of our key cloud providers. Organizations may assume that once their information has been successfully migrated to the cloud, there is no reason to provide additional vendor oversight. However, organizations need to implement formal vendor oversight processes, in particular for companies that manage sensitive data. Reputable cloud service providers will provide clients a SOC 1 or SOC 2 report on request, which gives an overview of the security controls in place to protect the service provider’s systems. It is the responsibility of IT and management to periodically request and review these reports, ensuring that the security controls in place at a third party meet the internal requirements of your organization.

Management of Devices and the Internet of Things:

As more and more electronic devices and systems have been designed with built-in communication systems, the internet of things (IoT) has exploded over the last decade. With the ever-growing supply of these devices and systems entering our personal world, there is no question that they will be present in the association world as well. Many organizations put a lot of effort into managing media and devices on their networks, leveraging dedicated tools to ensure that only approved devices can access information systems. Others have a much more manual process and rely on strong cybersecurity practices organization-wide to reduce the risk of inappropriate device access. Both types of organization need to be cognizant of any and all devices that may enter the network, whether it be a new fridge in the employee breakroom or the new Nest thermostat in the maintenance closet. Management should determine, as part of their Information Security Policies, whether to permit ‘smart’ devices onto the association network, and how they should be segmented (or placed altogether on a different carrier network) away from regular association systems. Hackers are always looking for ways to get their foot in the door; properly review your policies and procedures and ensure all IoT devices are accounted for, managed, and have appropriate oversight.

Appropriate Maintenance of System:

We’ve all read the stories: a data breach is announced, and three days later the news comes out that the exploited systems did not have the proper patches in place. This will continue to be the case unless organizations ensure that they have strong patch and vulnerability management processes in place to protect all of their information systems. IT and management must ensure that formalized processes exist for determining the latest available patches and security updates, and for deciding whether they require immediate implementation or can be applied at a later date. Systems identified as being out of date on security patches, or identified as containing a known vulnerability, must be reviewed and updated in a timely manner. A smooth-running maintenance process requires documented policies and procedures that communicate the expectations of employees and give an overview of the different roles and responsibilities that need to come together to keep organizational information systems up to date and protected against the latest threats.

Tax Law Changes

Our team of experts has highlighted emerging risks related to the new Tax Cuts and Jobs Act that may affect associations:

Unrelated business income calculated separately for each activity

If your exempt organization has more than one unrelated trade or business activity, the losses from one unrelated trade or business can no longer be used to offset the net income derived from another. Each activity will be calculated and taxed individually. Losses can be carried forward from one activity and be used to offset income in future years from the same activity. Any net operating loss carryforwards from before January 1, 2018, are not changed by this law. UBTI will be subject to the new corporate tax rate of 21%.

Transportation fringe benefits increase unrelated business income

The new law includes a provision that a tax-exempt organization must include in unrelated business income any amount expended for any qualified transportation fringe under code section 274, including commuter transportation, transit passes, qualified parking and qualified bicycle commuting reimbursement. This includes amounts for a parking facility used in connection with a qualified transportation fringe benefit. These amounts would not increase unrelated business income if employees are taxed on the benefits.

Excise tax imposed on excess compensation

The new tax law imposes an excise tax on covered employees whose compensation exceeds $1 million, which includes parachute and severance payments. The tax applies to all exempt organizations under section 501(a) of the tax code, including political organizations under code section 527. The excise tax is equal to the new corporate tax rate, 21%, and is applied to the organization. A covered employee is a current or former employee who is one of the top five highest compensated employees for the current year, or was a covered employee in any of the past five years, beginning after December 31, 2016. Compensation is wages, not including Roth designated contributions, and deferred compensation under code section 457(f). It also includes compensation for services performed at a related organization. The tax in the case of related organizations is calculated on the whole, and allocated pro rata back to each organization. Compensation for determining who is a covered employee does not take into account payments to a licensed professional in the medical or veterinary fields, although if these individuals receive compensation for administrative services, that compensation would count toward the covered employee designation. The effective date of this excise tax is for tax years beginning after December 31, 2017.

International Tax Risk

The following are some typical cross-border activities of a U.S. exempt organization that may implicate international tax issues.

• Grants made in a foreign country and employees travel to foreign country to assess effectiveness of the grant.

• Attendance of U.S. officers, employees, or consultants at conferences, meetings, and seminars in a foreign country.

• U.S. expatriate employees or foreign national employees work in an office, fixed place of business, or from home in a foreign country.

• Investments in investment funds with either direct or indirect ownership in foreign companies including foreign corporations, passive foreign investment companies (PFICs), and foreign partnerships.

These are some steps that a U.S. exempt organization may follow to plan for foreign activities. Unplanned activities in a foreign country may result in the activities below happening in a different order which can create risk and exposure:

• Evaluate enabling conditions in a foreign country.
• Create policies upon condition of approval.
• Obtain leadership approval.
• Establish infrastructure in a foreign country.
• Make grant in a foreign country.
• Send people to a foreign country to evaluate grant effectiveness or engage in other activities.
• Deploy resources in a foreign country.

It is important to be aware of the following foreign tax and business registration requirements:

• Business registration requirements to operate in a foreign country.
• Business license and registration filing.
• Foreign tax-exempt organization status.
• Formation of a foreign entity or organization.
• Foreign employment tax withholding and payroll reporting for U.S. expatriate individuals or foreign nationals working for a U.S. exempt organization in a foreign country.
• U.S. income tax treaty considerations for dependent and independent personal services.
• U.S. Social Security Totalization Agreements.
• Foreign corporate income tax compliance requirements.
• U.S. income tax treaty considerations for taxable presence in a foreign country through a permanent establishment.
• Taxable presence in a foreign country without a U.S. income tax treaty in effect.
• Foreign Value Added Tax requirements.

The following penalties could apply if the U.S. exempt organization does not comply with U.S. international information return reporting requirements.

• FBAR – $10,000 civil penalty for non-willful failure to file on time.

• FBAR – greater of $100,000 or 50% of the account balance for willful or intentional failure to file.

• FBAR – criminal prosecution with possible imprisonment for willful or intentional failure to file.

• Forms 5471, 8865, 8858 – $10,000 penalty for the failure to file on time.

• Forms 5471, 8865, 8858 – additional $10,000 penalties up to $50,000 maximum for each month that delinquency continues after the IRS sends notice.

• Forms 5471, 8865, 8858, 926 – statute of limitations stays open on the entire U.S. Federal tax return until a complete and accurate form is filed.

• Form 926 – penalty is 10% of FMV of property transferred to a foreign corporation, and some types of transfers may result in a taxable sale or exchange.

• Form 5713 – penalty is $25,000 or up to one year imprisonment for the willful failure to file.

• Forms 1042 and 1042-S – penalties can be up to 50% of the tax liability for the failure to file and pay the U.S. nonresident tax on time.

The following U.S. international information return reporting and disclosure requirements could apply to a U.S. exempt organization with cross-border activities.

• FinCEN Form 114 Foreign Bank Account Report

• Form 926 transfers to foreign corporation

• Form 5471 ownership of foreign corporation

• Form 8865 ownership of foreign partnership

• Form 8858 ownership of foreign disregarded entity

• Form 8621 ownership of a PFIC

• Form 5713 international boycott report

• Forms 1042 and 1042-S U.S. nonresident withholding tax

Revenue Recognition

Is Your Association Prepared for the Converged Standard on Revenue Recognition?

In September 2016, the Financial Accounting Standards Board (FASB) warned organizations that many will need to accelerate their preparation in order to be ready by the revenue standard’s effective date. Published in May 2014 as FASB Accounting Standards Update (ASU) No. 2014-09, Revenue from Contracts with Customers (Topic 606), with related additional ASUs subsequently providing guidance on narrower elements, the standards collectively are the result of more than a decade of debate about how organizations should report revenue. The standard offers principles to determine how and when to record revenue, unlike the rules-based guidance U.S.-based entities are accustomed to applying. The effective date of this ASU for associations is fiscal years beginning after December 15, 2018.

The core principle of the update is to recognize revenue when control of the goods or services transfers to the “customer/member”, as opposed to recognizing revenue when the risks and rewards transfer to the “customer/member” under the existing revenue guidance. The changes may present complexity for associations that offer bundled goods and services. Major sources of revenue of associations can include membership dues, convention and seminar fees, publications, testing and examination services, certification, and merchandise sales.

ASC 606 - REVENUE FROM CONTRACTS WITH CUSTOMERS SUMMARY

It is generally agreed that contributions are not within the scope of ASC 606, “Revenue from Contracts with Customers.” However, some transactions are part contribution and part exchange transaction, sometimes referred to as a bargain purchase or inherent contribution. The ASC glossary defines an inherent contribution as “a contribution that results if an entity voluntarily transfers assets (or net assets) or performs services for another entity in exchange for either no assets or for assets of substantially lower value, and unstated rights or privileges of a commensurate value are not involved.”

Examples of transactions that may be in part a contribution and in part an exchange transaction include the following:

• Membership dues
• Grants, awards and sponsorships
• Naming opportunities
• Donor status
• Gifts in kind

Fraud Risk

The Association of Certified Fraud Examiners (ACFE) is the largest organization dedicated to the study of fraud and how to prevent or detect it. Every other year they publish a “Global Fraud Study.” The numbers reported are staggering, with some interesting observations that could prove helpful in designing internal controls to prevent fraud:

• Asset misappropriation schemes made up 85% of reported frauds.
• Reported frauds last approximately 18 months before detection.
• Some 77% of frauds were committed by individuals in one of six departments: accounting, operations, sales, executive/upper management, customer service, purchasing.
• Fraud committed by owners/executives was for significantly higher amounts than fraud committed by others.
• The median fraud loss for exempt organization cases reported was $108,000.
• The most common red flags for fraud were someone living beyond their means or someone with financial difficulties or addiction problems. Being too close with vendors or customers is another red flag, as is unwillingness to share duties.
• Most frauds are uncovered through tips from either employees or outsiders (42%).
• The most frequent fraud schemes are check tampering, billing schemes, and expense reimbursement padding.

Knowing common fraud schemes can help organizations begin to build a dialogue about warning signs and potential areas where internal controls can be improved.

Diverted Contributions | In this scheme, contributions intended for certain programs are directed elsewhere. This may include pocketing incoming contributions or making deposits to personally-controlled bank accounts.

Phantom Vendors | In this scheme, an employee establishes a fictitious vendor and submits false invoices for processing.

Other Disbursement Schemes | These can cover a wide range of territory, such as payroll schemes.

Collusion | This is defined as secret cooperation between people to do something illegal or underhanded. For example, a vendor receives preferred bidding status or pricing in exchange for a kickback.

Excessive Compensation | This is defined as compensation that is above the fair market value of the employment services actually being provided. This is an important concept because of possible intermediate sanctions (excise taxes on excess benefit transactions under the Internal Revenue Code), but fair market value is also a potentially very subjective standard.

Fighting fraud requires elements of prevention, deterrence and detection.

• Prevention consists of controls designed to reduce the risk of fraud from the beginning, such as hiring the right people.
• Deterrence involves policies and procedures that discourage someone from wanting to commit fraud.
• Detection relates to finding fraud if it has occurred.



Examples of effective anti-fraud controls include:

• Employee background checks in hiring decisions
• A code of conduct for employees and Board members
• A review of computer security
• Segregation of duties
• Job rotation, mandatory vacations, cross-training of workforce, and fraud training
• Proper employee dishonesty insurance
• Monthly financial statement preparation and review by different individuals
• Budget to actual comparisons
• Monthly reconciliation of accounts
• A hotline or some way to receive tips on fraud (important since tips are the number one source of discovery of fraud)
• Surprise internal audits
• External audits
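Two of the items above, the phantom-vendor scheme described earlier and the segregation-of-duties control, lend themselves to a simple automated check over the vendor master file and accounts payable ledger. The following is an added example written for this page, not code from Aronson or from any accounting system; the record layouts, field names and sample data are constructed assumptions, and a real system would feed this from its own vendor, employee and invoice extracts. It flags vendors that share a bank account or mailing address with an employee or have no tax ID on file, and invoices approved by the same person who set up the vendor.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    bank_account: str   # payroll direct-deposit account
    address: str


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    tax_id: str         # empty string if no EIN/SSN on file
    bank_account: str   # account the AP system pays into
    address: str
    created_by: str     # emp_id of the user who set the vendor up


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor_id: str
    amount: float
    approved_by: str    # emp_id of the user who approved payment


def normalize(value: str) -> str:
    """Fold case, whitespace and punctuation so 'P.O. BOX 77' == 'PO Box 77'."""
    return "".join(ch for ch in value.lower() if ch.isalnum())


def phantom_vendor_findings(vendors: List[Vendor],
                            employees: List[Employee]) -> List[Tuple[str, str]]:
    """Red flags for fictitious vendors: employee-controlled payment details
    or a missing tax ID. Returns (vendor_id, reason) pairs."""
    by_bank: Dict[str, Employee] = {normalize(e.bank_account): e for e in employees}
    by_addr: Dict[str, Employee] = {normalize(e.address): e for e in employees}
    findings = []
    for v in vendors:
        if not v.tax_id.strip():
            findings.append((v.vendor_id, "no tax ID on file"))
        emp = by_bank.get(normalize(v.bank_account))
        if emp is not None:
            findings.append((v.vendor_id, f"bank account matches employee {emp.emp_id}"))
        emp = by_addr.get(normalize(v.address))
        if emp is not None:
            findings.append((v.vendor_id, f"address matches employee {emp.emp_id}"))
    return findings


def segregation_of_duties_findings(invoices: List[Invoice],
                                   vendors: List[Vendor]) -> List[Tuple[str, str]]:
    """Flag invoices where the approver is also the user who created the vendor:
    one person controlling both vendor setup and payment approval."""
    creator = {v.vendor_id: v.created_by for v in vendors}
    findings = []
    for inv in invoices:
        if creator.get(inv.vendor_id) == inv.approved_by:
            findings.append((inv.invoice_id,
                             f"vendor {inv.vendor_id} created and invoice approved "
                             f"by the same employee {inv.approved_by}"))
    return findings


# Constructed sample data (assumption: a two-person finance office).
EMPLOYEES = [
    Employee("E1", "Alice Smith", "111222333", "10 Main St"),
    Employee("E2", "Bob Jones", "444555666", "PO Box 77"),
]
VENDORS = [
    Vendor("V1", "Acme Supplies", "12-3456789", "999888777", "500 Industrial Way", "E1"),
    # V2 is the phantom: no tax ID, paid into Bob's own account, at Bob's PO box.
    Vendor("V2", "BJ Consulting LLC", "", "444555666", "P.O. BOX 77", "E2"),
]
INVOICES = [
    Invoice("I1", "V1", 1200.00, "E2"),
    Invoice("I2", "V2", 4800.00, "E2"),   # Bob approves his own vendor's invoice
    Invoice("I3", "V2", 5100.00, "E1"),   # approved by Alice: no SoD breach
]


def run_report(vendors=VENDORS, employees=EMPLOYEES, invoices=INVOICES):
    return {
        "phantom_vendor": phantom_vendor_findings(vendors, employees),
        "segregation_of_duties": segregation_of_duties_findings(invoices, vendors),
    }


if __name__ == "__main__":
    for category, items in run_report().items():
        print(category)
        for ident, reason in items:
            print(f"  {ident}: {reason}")
```

Run monthly against full extracts, the two checks cost nothing and catch the pattern the ACFE statistics point at: a single insider who both creates and pays a vendor. A match on bank account or address is not proof of fraud (a legitimate sole proprietor may be an employee's relative), so treat each finding as a lead for the investigation steps described below rather than as a conclusion.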

Conducting even an informal risk assessment periodically can be helpful in assessing what controls are in place and whether some should be added. It is not practical to have controls that would prevent all fraud, as that would be too expensive, so it is important to find a workable balance between control cost and fraud risk.

What should you do if you suspect fraud is occurring in your organization? Unfortunately, it requires some difficult decisions. In some cases, strong evidence surfaces early, allowing you to place the suspected employee on leave while a more thorough fraud investigation is conducted. It is obviously more difficult if the person is still in the job and all you have are suspicions with no proof. While never easy to plan or implement, investigatory action must be taken to determine whether there is a real threat.

If your investigation uncovers evidence of fraud, additional questions must be answered and action taken, including:

• Documenting the fraud for any insurance recovery.
• Determining whether the fraud rises to the level of criminal action vs. private settlement.
• Terminating or taking other action against the perpetrator.
• Working with your board to decide the level of disclosure to donors and other constituents.



10. New Presentation of Liquidity Information in Financial Statements

In August of 2016, the Financial Accounting Standards Board (FASB) issued an Accounting Standards Update: ASU 2016-14, Presentation of Financial Statements of Not-for-Profit Entities. It is effective for fiscal years beginning after December 15, 2017. Exempt organizations should start working now with their internal and external accounting teams to prepare for the changes related to liquidity disclosures outlined in the standard.

According to FASB, the goal of ASU 2016-14 with respect to liquidity is to address deficiencies in the transparency and utility of information used to assess an entity’s liquidity. Those deficiencies stem from confusion about the term unrestricted net assets and about how restrictions or limits imposed by donors, grantors, laws, contracts, and governing boards affect an entity’s liquidity, classes of net assets, and financial performance. For the full ASU, visit http://www.fasb.org/.

In addition, for the first time, exempt organizations must include a footnote in their financial reporting that shows how much of their financial assets are truly available to meet cash needs for general expenditures within one year from the balance sheet date. They must also provide qualitative information communicating how they manage their liquid resources available to meet cash needs for general expenditures within one year of the balance sheet date.

This will necessitate a hard look at an organization’s financial assets to determine how much is truly free to pay general obligations. Amounts generally not available to meet general obligations, and therefore excluded from the calculation, are those:

• Purpose restricted by the donor for specific projects
• Part of the endowment
• Supporting annuity obligations
• Designated by the Board for specific purposes
• Limited to use by laws and contracts or some other form of restriction

Keep in mind that certain exempt organizations that on the surface appear to have a large amount of financial assets might actually have little accessible liquidity because their assets are restricted, designated, or set aside for specific purposes as noted above. The now-required disclosure may lead organizations to allocate assets to a liquidity reserve in order to show members and stakeholders a positive liquidity position. Additionally, having to describe qualitatively how your organization manages liquidity should foster positive changes for internal and external stakeholders, as groups are forced to address the amount of financial assets they actually have available.

Organizations should pay close attention to ASC 958-210-50-1, which sets out the disclosures required around liquidity, and to ASC 958-210-55-5 through 55-8 and ASC 958-205-55-21, which provide examples of the disclosure requirements.



ASSOCIATIONS DRIVING VALUE WITH ERM Linking Strategy with Risk

It’s time to talk to your board about risk to your strategy, but what’s the best approach? Aronson has identified key tips below for implementing ERM.

What should be presented to the board?

• Annually updated risk universe. Your organization’s risk model should be updated annually to reflect your organization’s risk environment. It serves as a framework to ensure that the full risk universe is considered during the risk discussions.

• Heatmap of top risk scenarios and remediation plans. Compiled risk scenarios should be ranked according to significance and likelihood of occurrence. Items above the organization’s risk tolerance line on the heatmap are candidates for further investigation, workshops and mitigation plans.

What are some critical success factors for ERM?

• Develop Procedures. Create a procedure document for conducting the ERM framework and process, such as an ERM charter that answers the following questions: Who is responsible for initiating and conducting risk assessments? Who will participate? What steps will be followed? How will disagreements be handled and resolved? What approvals will be needed? How will the assessments be documented? How will they be maintained? To whom will the reports be provided?

• Create standard tools (such as questionnaires) and formalized reporting (such as heatmaps).

• Be sure to involve business and technical experts. Managers generally have the best understanding of the criticality and sensitivity of business operations, and of the systems and data that support these operations. Technical personnel, such as IT staff, CPAs and Risk Advisory specialists, bring an understanding of vulnerabilities as well as knowledge of impacts, associated costs and the controls that are implemented.

• Formalize timing of risk reporting to your governing body. Set a standard for quarterly meeting topics and templates to be presented. Ensure it is on the meeting agenda for your governing body at least annually.


Suggested Risk Management Structure


ABOUT ARONSON

Aronson provides a comprehensive platform of solutions for today’s most active industry sectors and successful individuals. For more than 55 years, we have purposefully expanded our service offerings and deepened our industry specialties to better serve the needs of our clients, people, and community. We help our clients maximize opportunity, minimize risk, and unlock their full potential.

We offer specialized practices equivalent in expertise to the larger, national firms without the cumbersome bureaucracy or added cost of those names. With more than 250 professionals on staff in a single location serving the Washington DC metropolitan area, Aronson has the ability to be more responsive, act more nimbly, and quickly scale to meet our clients’ needs.

Aronson’s team of professionals helps associations unlock value, strengthen decision-making, and prevent internal control failures.

Authors:


GREG PLOTTS, PARTNER
[email protected]
301.231.6226

PAYAL VADHANI, PARTNER OF TECHNOLOGY RISK
[email protected]
301.231.6259

ALISON DOUGHERTY, DIRECTOR OF INTERNATIONAL TAX
[email protected]
301.231.6290

KATHY CUDDAPAH, DIRECTOR, TAX
[email protected]
301.222.8206

MARK ROBINS, SENIOR MANAGER
[email protected]
240.364.2645

ROB EBY, PARTNER
[email protected]
301.231.6291

RENZO PORTELLA, MANAGER, TECHNOLOGY RISK
[email protected]
301.231.6657

MELISSA MUSSER, DIRECTOR OF RISK ADVISORY
[email protected]
240.364.2598


APPENDIX: EXAMPLE ERM RFP

Request for Proposal (RFP)

<Organization> is issuing an RFP for professional ERM advisory services and invites your firm to submit a proposal for consideration. A description of our organization, the services requested and other pertinent information follows:

Background

<Provide background on your organization>

Contract Type

Time and materials or fixed price.

Services Requested

Provide a methodology, tools, and knowledge transfer to assist <organization> in performing an ERM assessment and/or in implementing an ERM program.

• Review existing risk assessments:

  • IT risk assessments

  • Internal Audit risk assessment

  • Compliance risk assessment

  • Fraud risk assessment

  • Strategy risk assessments

• Identify industry risks

• Analyze <organization> strategic plan for enterprise risks

• Incorporate risk assessments, industry risks, and strategic plan risks into a tracking list/database.

• Assist <organization> in the development of an ERM communications plan including materials

• Develop interview questions tailored by subject area to assess additional enterprise risks

• Conduct onsite facilitated risk discovery meetings with process owner/area responsible for each risk

• Consolidate similar risks

• In separate discussions/meetings assist the process owner/risk owner with identifying existing controls that mitigate risks

• Develop a survey of stakeholders for risks not identified by the above processes

• Provide a scoring methodology that assesses the likelihood and impact of identified risks

• In conjunction with the <organization> ERM committee, conduct risk/existing control overview

• Assist with ERM training for stakeholders

• Assist in the development of risk discussion tools such as heatmaps, risk summaries, and risk mitigation plans



General Instructions

Your response to the RFP is expected to address, but is not limited to, the areas described below:

Executive Summary

In one page or less, please provide an executive summary of your firm’s response to the RFP solicitation.

Firm Background

Briefly discuss your firm’s history, form of organization and nature/size of operations.

Key Staff and Hourly Rates

Include a list of key staff, area of expertise, and relevant qualifications. Please provide hourly rates for your staff and indicate the frequency of hourly rate changes.

Timeline

Provide a proposed timeline, and estimated numbers of hours to complete the project.

Accomplishments/Past Experience

List recent accomplishments and describe specific experience in providing services similar to those described in this RFP.

Work Approach

Provide a brief overview of your work approach.

References

Provide contact information for at least three references, describing the nature of services provided and the period of the relationship. Your references should preferably be organizations that may be considered similar or peers to <organization> based on one or more factors, e.g. size, industry, complexity, and nature of operations.

Communication


<organization contact>

RFP Timeline

Issue RFP to firms: <DATE>

Deadline for firms to request additional information: <DATE>

Deadline to submit proposal: <DATE>

Notification by <organization> to RFP respondents: no later than <DATE>



Visit our website at www.aronsonllc.com | View our blogs at blogs.aronsonllc.com/nonprofit | Serving the Washington, D.C. Metro Region

301.231.6200 | 301.231.7630 | [email protected]