August 19, 2024

Effective association risk management is critical in today’s dynamic and unpredictable environment. In fact, with the growing complexity of operations and changing stakeholder expectations, it is necessary for organizations of all sizes to be more deliberate and structured in their approach to managing risks. As part of their oversight role, association board members have a fiduciary duty to administer the association’s risk management practices and ensure robust governance and risk oversight. Using Enterprise Risk Management (ERM) methodologies facilitates risk management, guides important decisions, and provides association board members and stakeholders with peace of mind.

Enterprise Risk Management (ERM) Frameworks

Enterprise Risk Management (ERM) frameworks are frequently adopted to address these needs, offering a comprehensive approach that integrates all potential risks into a unified framework. ERM enhances strategic decision-making, resilience, governance, accountability, and stakeholder confidence. It focuses on proactive risk mitigation, identifying and addressing risks before they escalate. Essential components of an ERM framework include culture and leadership, strategy and objective setting, risk identification, risk assessment, risk response, and monitoring and communication. Implementing a customized ERM Playbook, tailored to the association’s needs, helps ensure the effective management of risks and supports the association’s strategic goals.

The Role of the Board in Risk Oversight

Effective risk oversight is a critical responsibility of an association’s board of directors, which plays a vital role in setting the tone for risk management, establishing the association’s risk appetite, and ensuring appropriate practices are in place. The board is responsible for approving a risk governance framework, defining risk appetite and tolerance levels, monitoring and assessing risks, and aligning risk management with the association’s strategic planning. Individual association board members should actively participate in risk discussions, understand the association’s risk profile, review risk management policies, and monitor the effectiveness of risk mitigation strategies. To support effective risk management, associations should consider establishing board-level committees, such as a dedicated risk committee or an audit committee with risk oversight responsibilities.

Identifying and Documenting Risks

Understanding and documenting an association’s risk universe is critical in the ERM process. This involves systematically identifying potential risks across various categories, such as Strategic, Financial, Operational, Technology, Compliance, and Reputation. Collaboration with the internal audit function, which often conducts continuous risk assessments, is valuable for holistic risk identification. Techniques for identifying risks include objectives-based approaches, brainstorming sessions, Strengths, Weaknesses, Opportunities, and Threats (SWOT) and Political, Economic, Social, Technological, Environmental, Legal/Regulatory (PESTEL) analyses, process mapping, scenario analysis, and surveys. Developing a risk register helps in capturing and documenting identified risks, facilitating continuous tracking of risk status, and mitigation efforts.

Developing Risk Response Plans

After the risks have been identified and assessed, developing risk response plans for top-ranked risks is a crucial next step. This process involves creating strategies to reduce the likelihood or impact of these risks. Best practices include assigning a single “risk owner” from the management-level risk committee to ensure accountability and clear reporting on the status of the risk response plan. Risk response strategies may involve risk transfer, avoidance, reduction, or acceptance, chosen based on feasibility, effectiveness, and cost-benefit considerations. Keep in mind that certain risks may also present opportunities for growth or competitive advantage.

Establishing Key Risk Indicators (KRIs)

Establishing Key Risk Indicators (KRIs) is essential for effectively managing risks. KRIs are specific metrics that provide early warning signs of potential risk events. For example, tracking the Membership Growth Rate can indicate the need to reassess engagement strategies if a decline is noted, while measuring System Downtime can highlight issues in IT infrastructure reliability. The process of establishing KRIs includes identifying risk drivers, defining risk thresholds, and selecting relevant, measurable, and actionable KRIs that align with the association’s objectives. Risk monitoring techniques include regular risk reviews, incident reporting and analysis, and ongoing communication.

Board-Level Reporting and Engagement

Association board members need timely and relevant information, which can be delivered through regular risk reporting, executive summaries, and ad hoc reports. To facilitate a focus on the critical risks driving strategy, present risk-related information concisely using visual dashboards and standardized templates. These practices ensure that the board remains aware of the association’s risk landscape and can make informed decisions to oversee risk management effectively. Continuous risk identification and assessment should be conducted regularly, maintaining a risk register.

Creating a Risk Aware Culture

Association boards are responsible for risk oversight, providing leadership and setting the tone for risk management within the organization. The board should ensure that the association is integrating risk management into strategic planning and decision-making. Regularly reviewing and updating the ERM framework, and conducting independent audits for improvement, ensures the ERM process remains effective. Together these activities foster a risk-aware culture and contribute to greater alignment between risk and strategy.

GRF Can Help

An ERM checklist is a useful tool to guide an association’s board through establishing a risk management framework, defining risk appetite and tolerance, and developing an ERM playbook. Download the ERM Handbook for Association Board Members for insights and tools board members need to effectively navigate the complexities of risk oversight.


This was prepared and written in collaboration with Joseph M. Pugh, CCEP, CFE, RIMS-CRMP, CRMA, CDPSE, who is Senior Director of ERM at AARP. We appreciate his insights based on his experience. His ideas and the information shared do not represent those of his employer.

Melissa Musser, CPA, CIA, CITP, CISA

Partner and Director, Risk & Advisory Services