The 2015 CohnReznick Not-for-Profit Governance Survey was recently released and sheds light on the state of affairs of governance and risk management in the industry.

The results show that while governance and risk management are key concerns for not-for-profit organizations, the industry still needs to take further steps and improve its monitoring.

Who Was Surveyed?

Responses for this survey came from 470 not-for-profit executives spanning the full range of the industry, including associations, education, health care and social service agencies. In addition, these organizations reflect a wide variety in size, with annual revenues ranging from more than $100 million down to less than $1 million.

What's the Good News?

As noted, not-for-profit organizations understand the importance of having strong governance and risk management practices in place. Almost 90% of those surveyed have at least one key governance initiative in place, including a formal whistleblower policy, record retention policy and a conflict of interest policy. Almost two-thirds of respondents have audit committees that monitor these whistleblower policies and 94% obtain annual conflict of interest policies from their board members. Additionally, almost three quarters of respondents note that their board members have term limits, with most limits consisting of three years, which is an industry best practice.

Not-for-profit organizations also understand the need for reviewing risk management. Anticipated spending on IT and data security is up, and not-for-profits correctly view IT security as a high-priority issue, with more than three quarters of respondents listing cyber security as one of their top 10 risks. The industry is getting the message that this is a key area of concern.

On the Other Hand

While not-for-profit organizations understand that these risks are out there, much still needs to be done to address them. While most organizations have a conflict of interest policy in place, only 51% reported that their audit committee monitors disclosed conflicts of interest. Furthermore, only 29% of respondents reported that they obtain conflict of interest statements from all employees, as opposed to 71% who only obtain these policies from senior management and board members.

It is recommended as a best practice that all employees should sign a conflict of interest policy statement annually, which should be actively monitored by the audit committee. Continuing with board recommendations, only 43% of respondents stated their board has conducted a self-assessment within the last three years. It is recommended that the board should prepare a self-assessment at least every three years. This self-assessment should verify that the organization's governance practices comply with the current laws within the organization's state and known best governance practices.

Not-for-profit organizations understand that IT security is of the utmost importance; however, many are still not taking adequate steps to monitor this critical area of need. While 80% of those surveyed said that cyber security is a top 10 concern, only 7% said they have a risk or IT committee. It is recommended that a committee of the board, one that includes an experienced IT professional, be charged with monitoring IT. Additionally, only 20% of respondents said that risk management was a topic covered in board meetings. A best practice is to have risk management and IT security topics presented and discussed at board meetings. This will help to keep the board educated on these matters and how they may affect the organization.
