We have heard a lot recently about the cyber breaches that have hit leading retailers such as Target and Walmart. Even the federal government is not immune to attackers seeking confidential information. You may recall the breach of Office of Personnel Management computer systems earlier this year; that attack may have compromised the records of up to four million current and former federal employees. More recently, the IRS conceded that 334,000 taxpayers may have had their information stolen, not the 114,000 it reported in May 2015.
As breaches and other security threats continue to rise, more and more organizations are re-evaluating their risk management and governance programs. This includes many not-for-profit organizations, among them philanthropic, cultural, and arts institutions. Because these organizations often solicit donations online, process credit card transactions, and collect personal data, they are attractive targets for attackers.
Managing Risk in a Riskier World
CohnReznick recently published the results of our second annual Not-for-Profit Governance Survey, entitled “Managing Risk in a Riskier World.” A total of 470 not-for-profit executives responded to 38 questions about their organizations, roughly one-third of which focused on governance and risk management practices. The institutions taking part fell into five categories: social service and other broad-based charities (36%), educational (20%), health care (14%), professional associations (11%), and other (19%).
What We Learned
While almost 90% of survey respondents told us that they had implemented key governance initiatives, about 40% of the organizations said that they are either “somewhat confident” or “not confident” in their governance practices. Given the proliferation of high-profile security breaches such as those mentioned above, this did not surprise us: many not-for-profit organizations still have doubts about their governance and risk management programs.
Just under one-third of survey respondents said that their organization had conducted an enterprise risk management assessment. This low figure is likely one of the more significant reasons so many respondents are only somewhat confident, or not confident, in their governance practices. Additionally, while nearly three-quarters of respondents said that their annual board meetings include an educational component, only about half said that governance issues were discussed in board meetings. Less than 20% said that risk management was covered, and about 25% said that regulatory concerns were discussed in these meetings.
Cybersecurity ranked among the top ten risk issues for just under 60% of the surveyed organizations, and among the top three for one in four. Again, this did not surprise us. We expect cybersecurity to become a growing area of concern for not-for-profits as high-profile breaches continue to make headlines.
What Not-for-Profit Organizations Can Do
Now that cyber threats and other risk issues have become commonplace, how should not-for-profit organizations respond? The leaders of CohnReznick’s Not-for-Profit and Education Industry practice recommend the following four practices:
1. A committee of the board should be dedicated to overseeing risk management. Audit committees usually take on this responsibility, since they often include directors with risk management skills.
2. A committee of the board should be charged with monitoring IT. Whether it is the finance, executive, or audit committee, it should include experienced IT professionals and have clearly established objectives and monitoring responsibilities.
3. Not-for-profit organizations should consider conducting three critical assessments of their overall governance practices: (1) an assessment of the organization’s risk management and cybersecurity policies and procedures; (2) an assessment designed to ensure that the organization’s governance practices comply with the current laws of its state and with recognized good governance practices; and (3) a board self-assessment at least every three years.
4. Include risk management and cybersecurity among the educational topics discussed at board meetings. This helps ensure that management and board members are aware of the latest developments and are apprised of potential threats to their organization.
We believe that cyber breaches and other security threats will become more pervasive. Organizations should therefore take definitive action to update and improve their governance policies and risk management programs.