The Role of Enterprise Risk Management and the Audit Committee in Nonprofit Governance
Introduction
Good governance is a critical component not only for nonprofits but also for for-profit organizations. While the ultimate goals of these two sectors may differ—nonprofits focus on fulfilling a mission, and for-profits on generating returns—strong governance ensures that both types of organizations operate responsibly, ethically, and transparently.
For-Profit Legislation
For for-profits, governance is guided by various pieces of legislation, including:
The Sarbanes-Oxley Act of 2002: Enacted in response to corporate scandals like Enron, this law requires public companies to establish independent audit committees, ensure the accuracy of financial disclosures, and implement strong internal controls.
The Dodd-Frank Act of 2010: This law introduced additional financial regulations for corporations, including executive compensation oversight and expanded disclosure requirements related to governance and risk management.
The Corporate Transparency Act (CTA) of 2024: This act, part of the broader Anti-Money Laundering Act of 2020, requires for-profits to disclose their beneficial owners and nonprofits to disclose their key officers and board members. This disclosure must be filed with the Financial Crimes Enforcement Network (FinCEN) and aims to prevent fraud and financial crimes, ensuring organizations are run by accountable individuals.
These laws establish the foundation for sound governance practices, ensuring that both for-profit and nonprofit boards are held accountable for ethical decision-making, transparency in financial reporting, and oversight of risk management.
The Importance of Strong Nonprofit Governance
In the nonprofit sector, strong governance is just as important. Many stakeholders—including donors and partners—are increasingly demanding transparency and accountability. Good governance helps nonprofits:
Achieve their mission more effectively,
Meet the heightened expectations of donors, partners, and the public,
Attract quality board members,
Minimize exposure to liability,
Reduce the risk of public scandals.
Central to nonprofit governance are Enterprise Risk Management (ERM) and the role of an organization’s audit committee.
Understanding Risk in a Nonprofit Context
Risk is broadly defined as exposure to possible loss or injury. For nonprofits, risk management covers various areas, including:
Financial risk (e.g., budget shortfalls or fraud),
Programmatic risk (e.g., failure of key programs to meet objectives),
Human capital risk (e.g., staff turnover or volunteer safety),
Reputational risk (e.g., negative media coverage),
Operational risk (e.g., data breaches or business interruption),
Legal risk (e.g., noncompliance with regulations, lawsuits, failure to disclose conflicts of interest, or violation of contracts).
Legal risk is particularly important for nonprofits, as they must comply with various regulations, such as tax-exempt status rules, employment laws, and new transparency requirements like the Corporate Transparency Act. Noncompliance can result in penalties, loss of funding, or even legal action.
Why Conduct a Risk Assessment?
A risk assessment allows nonprofits to:
Identify, analyze, and prioritize risks specific to their operations and culture,
Develop mitigation strategies to manage and control risks,
Benchmark future assessments to track progress and adapt as needed.
The Risk Management and Control Framework
To properly manage risks, nonprofits need a comprehensive framework that includes:
Strategy and Planning: Align risk management with organizational goals.
Risk Assessment and Response: Identify risks, analyze their impact, and select the appropriate response (e.g., avoiding, accepting, reducing, or sharing risks).
Internal Environment: Set the tone for risk management by fostering a culture that values ethical behavior and competent governance.
Control Activities: Implement policies and procedures that ensure risks are managed (e.g., approvals, verifications, and segregation of duties).
Information and Communication: Ensure that risk management controls are communicated clearly across the organization.
Monitoring and Improvement: Continuously assess the effectiveness of risk management strategies and make improvements where necessary.
The Importance of the Audit Committee
While risk management is everyone’s responsibility, the audit committee plays a critical role in overseeing these efforts. The audit committee ensures the organization’s financial reporting, internal controls, and risk management systems are working effectively. A well-functioning audit committee helps a nonprofit:
Monitor how business risks are managed,
Oversee internal controls and compliance functions,
Promote good financial stewardship,
Ensure the integrity of financial reporting.
Audit Committee vs. Finance Committee
It is considered best practice to keep the audit committee and the finance committee as separate entities. This separation provides essential checks and balances within the organization. The finance committee focuses on approving and monitoring the budget and financial results, while the audit committee is responsible for ensuring that financial reporting, internal control, and risk management processes are functioning properly.
If an organization lacks board members with the necessary expertise for the audit committee, it is acceptable to seek support from non-board members who can provide valuable expertise in this area.
Best Practices for Risk Management and Audit Oversight
To ensure effective risk management, nonprofits should:
Conduct regular risk assessments and develop mitigation strategies,
Empower the audit committee to oversee risk management activities,
Foster a culture in which staff understand risk and take it seriously,
Continuously monitor and refine risk management practices to keep up with changes in the organization or its external environment,
Comply with the 2024 Corporate Transparency Act.
What the Corporate Transparency Act Requires of Nonprofits
Specifically for nonprofit organizations, the Corporate Transparency Act (CTA) requires the following:
Disclosure of Board Members: Nonprofits must disclose the names and personal details of all board members, directors, and key officers. This information must be filed with the Financial Crimes Enforcement Network (FinCEN), providing federal oversight of nonprofit leadership. The goal is to prevent the misuse of nonprofits for illicit activities such as money laundering and fraud.
Reporting Changes in Leadership: Nonprofits must keep their board and leadership information up to date. Any changes to the board of directors or key officers must be reported promptly to FinCEN.
Fines and Penalties: Nonprofits that fail to comply with the CTA’s disclosure requirements can face penalties of up to $10,000 and potential criminal charges for willfully failing to disclose or update board member information.
By making nonprofit board member information publicly available, the CTA increases accountability and transparency. It assures donors, funders, and other stakeholders that nonprofits are governed by responsible and qualified individuals. It also helps prevent conflicts of interest or improper motives from influencing nonprofit governance.
Final Thoughts
For nonprofits, managing risk effectively is not just a best practice—it’s a necessity. By conducting regular risk assessments, empowering a proactive audit committee, and complying with the Corporate Transparency Act, nonprofits can ensure they are prepared to navigate uncertainties while staying true to their mission.
Questions or comments?
Reach out to us at founders@planperfect.co!