Lessons in financial risk management: Risky tales from a retired nonprofit auditor

DECEMBER 17 / Betty Thompson


September 2021 Update: IntegralOrg has developed trainings for nonprofits. Embracing Risk: Building Blocks of Risk Management provides your nonprofit with the building blocks for a comprehensive and effective risk management plan, customized for your organization and its unique risk profile. Upcoming training: October 13 and 27, 9am-12pm. Details and Registration. Our Risk Management Toolkit, including quizzes to assess your organization's capacity to manage risk plus a customized risk management dashboard, will launch in October 2021.

Nonprofit organizations will be familiar with the annual audit during which an auditor looks at all relevant risks in your organization with a focus on financial risk.

All those documents that auditors request of your organization during the external audit are used to determine the level of risk so that the auditor can provide an opinion on whether the audited financial statements are fairly stated in all material respects at a particular point in time. One of the documents that is usually requested by the auditor is your organization’s risk management plan. Unfortunately, many organizations do not have a plan.

Thus, as well as providing you with information on your organization’s financial health, an audit is an excellent opportunity to become aware of your organization’s risk profile.

From my years of being an auditor for many nonprofits, there are numerous tales of organizations that exposed themselves to unnecessary risks, at times with disastrous consequences. I offer a few of them to you as a way of helping you evaluate the risk profile in your nonprofit.

Risky Tale #1:  A treasurer was on the board of two different nonprofits, unbeknownst to either organization. Both organizations were thrilled that they had such a dedicated treasurer who always had the financial statements up to date and kept everything else “financial” in order. Both organizations trusted him to look after all financial dealings including having cheque signing authority on all bank accounts, authority to invest, doing bookkeeping and providing information for the board including monthly financial statements. The treasurer also, very helpfully, looked after the audit process including all communications with the auditor.

One day the chairperson of one of the boards was contacted by their bank about a significant overdraft in their account. The chairperson was of course very uneasy and requested the bank to show him recent bank transactions. Meanwhile, the second organization noted anomalies in their accounts as well.

And so the story began to unfold. It turned out that the treasurer had been moving money between the bank accounts of the two organizations to have it look like each had enough funds in the bank. He had gone on vacation, was delayed getting home and was not back in time to cover his tracks with the most recent transactions. The treasurer had been taking money for himself from both organizations.

A question that arises is “What about the auditor? Why didn’t they figure this all out?” Well, guess who was doing the audit? The treasurer. (He did end up in jail.)

The question I have for you is: What steps should the board have taken to mitigate the risk of this happening?

Risky Tale #2: It was budget time again and this organization, like many others, used the previous year’s budget (with a small top up to expenses) and then added an amount for future fundraising activities to balance the budget. The board approved the budget for the year in spite of the fact that there was no fundraising plan. The organization left the fundraising planning and activities for mid-year and in the meantime used their grants and other financial resources to fund the organization.    

The year was 2008, and by mid-year the organization was caught up in the financial crisis and fundraising was not viable. Luckily, the organization did have some individual donors that were able to step up to help and their bank provided a line of credit.  

The organization made it through but at great cost. This example prompts us to consider: What risk plans should have been in place while the organization developed their budget?  

Risky Tale #3: An organization received a government grant to use for leasehold improvement costs in a new space. Being short of cash, the organization used the cash funds from the grant for operational costs while they waited for their fundraising to kick in after their move, fully anticipating that they would be able to cover the funds. Contractors were hired and the project proceeded. The contract required payments at certain points in the project, but payments did not come through as they should have, so the work stopped. The construction company contacted the government to put pressure on the organization to fulfill their contracted obligations. Unfortunately, the fundraising did not materialize, and the organization could not pay the contractor bills.

This is a case where the risky activities proved disastrous.  Each board member received a notice that they needed to personally pay approximately $50,000 in damages. The executive director was charged and convicted and the organization ceased to exist.  

While consequences of this magnitude are not common, they do occur and we need to ask ourselves: How could this disaster have been averted from a risk perspective? 

Risky Tale #4:  An organization received dedicated funding to be used for a specific program over a specific time period. The organization had a number of funders across various programs, but they did not take care to track each program according to funder requirements.  

Despite some hiccups with their accounting from a time when their bookkeeper had departed, the executive director and the board were happy come the end of the year as the organization appeared to have a surplus. While the audit was in process, the auditor questioned the executive director about the funder contracts and the programs. It came to light that the dedicated funding had not been fully utilized on the specific program. Without a process in place for tracking each funder and program it was difficult to determine if all the funder requirements were met.  

The lack of tracking appropriate use of funds had significant consequences for the organization. Most funders were comfortable that their programs had been carried out as per their requirements. However, the organization was not able to satisfy the funder who had provided dedicated funding that they had used all the funds as designated. The organization was asked to pay back funds to that funder. Now, instead of a surplus, the organization was in deficit. Their bank provided a loan so that they could make the payment; however, it took five years to pay back the loan.

What are the steps and processes with financial reporting that could have prevented this from happening?  

So often, we assume or hope that the appropriate financial measures and controls have been put in place to protect our organization and its stakeholders and we assign trust without asking the hard questions. Hopefully, these tales have provided some food for thought as you consider the financial risks in your organization.  

Note from the author: All of these tales are based on real situations. Some details have been left out for brevity.  

If you want to make sure that your organization has appropriate financial measures and controls in place, why not book a free clinic with IntegralOrg? A clinic is a no-charge problem-solving session with IntegralOrg experts about a question or issue that your organization has. Each member of our experienced team has more than 35 years of experience helping nonprofit organizations with governance, legal compliance, financial management, strategic planning, change management, and risk management. Find out more about the advantages of a clinic and how to book.

With funding from The Calgary Foundation, IntegralOrg will be supporting nonprofits in the development of effective and sustainable risk management systems through creating a suite of tools, resources, and training programs. Our goal is to help organizations of all sizes understand and engage in risk management in an accessible, ongoing, and dynamic manner. We want organizations to start thinking critically and proactively about risk; we will provide the resources and support you’ll need to integrate risk management into your decision-making and planning processes.  We hope you will join in the conversation – follow us on social media, subscribe to our newsletter and stay tuned for more information on upcoming training, resources, and tools.  

Betty Thompson FCPA, FCGA, is a chartered professional accountant and is co-founder of IntegralOrg. She has over 10 years of experience as an entrepreneur and 30 years of experience serving the nonprofit sector. Betty has a practical understanding of the opportunities and difficulties that nonprofits face in today's economic climate. Through IntegralOrg, Betty assists nonprofits and charities with governance, policy development, and financial management. In 2020, Betty received a CPA Alberta Lifetime Achievement Award, which is given to those whose continual commitment to the betterment of their profession, their communities, and the organizations they have served is unparalleled.