Opinion: Why nonprofits should pursue data-driven risk management

Recent news about New York City contracting, including Department of Investigation findings  and reports of conflicts of interest, highlight extreme examples of vendor management risks that historically lead to a “misguided over-reaction of additional regulations.” In the human services sector this means more delays in payments and increases in administrative expenses. 

As the city reflects on how to manage contracting and vendor risks, the human services sector is long overdue for review and reform. Rather than more administrative activities, however, there are three data-driven approaches that can offer more effective and earlier risk detection, more timely payment and operating efficiencies across the city’s $19.9 billion human services annual contracting portfolio.

A Breadth of Data Collection and Vendor Information

The city collects voluminous data on contracts and contractors. Nonprofit organizations submit operating policies and integrity disclosures, including sanctions, findings of non-responsibility, contract suspensions, license revocations and conflicts of interest. Through the proposal process, agencies can ask questions about an organization’s experience, staff, conflicts and financial management. Performance evaluations illuminate competency of workforce, program impact, contract compliance and operational strength. Agencies conduct vendor background checks and the public can share concerns through public hearings. Financial management concerns are addressed through the budgeting, invoicing and audit processes. Oversight agencies also review and approve contract awards before they are final and registered. 

Most of this data is centrally collected and stored through the electronic PASSPort procurement system. It’s time to start using this data to manage human services contracting.

Use The Data To Manage Contracting

The city’s human services contracting portfolio is too large and critically important to manage through a reactive lens. Using data on-hand to identify “contracts [and organizations] that pose greater risk of waste, fraud or abuse” is a proactive and sensible risk management strategy. It is also the most efficient since “the vast majority of these organizations focus on providing high-quality services and use their best efforts to administer public funds responsibly,” as noted in the DOI November 2021 report.

For starters, the city has sufficient information to establish risk management indicators. Illustratively, the centralized financial management data in PASSPort can identify the median percent of budget modifications and the median number of invoice revisions per contract. Organizations that significantly deviate above or below could indicate poor financial management, vulnerable accounting systems or questionable transactions. A targeted review of the organizations with these high risk indicators would appropriately allocate city resources where they are needed most and allow the majority of the portfolio to move forward and get paid more quickly. 

An October 2024 DOI report raises concerns around incomplete invoices and highlights the need for more invoice oversight and review which can slow down payments to nonprofits. With years of invoicing data available online, the city can pull and analyze information on-hand to determine whether this concern is a reliable marker for fraud, waste or conflicts. With a quick data analysis, any necessary new policies can be developed and implemented that target actual risks in the system.

Existing data can also be used to evaluate the efficacy of current financial management policies, including the January 2021 Standard Health and Human Service Invoice Review Policy.  Does a comparative analysis show that the policy is managing financial risk better? Does the data show the need for different controls? Is the policy slowing down payment for most vendors? Too many times effort is expended on establishing a policy, but validation and maintenance are not considered. With centralized contracting data, these activities are easier than ever to perform and hallmarks of good governance and an effective risk management practice.

Access to contracting data is very easy with PASSPort. The Mayor’s Office of Contract Services can create customized contracting and vendor reports that can be downloaded with real-time information across the whole portfolio. While centralized data reports were the norm when PASSPort was first launched, agencies have reported a recent return to siloed and paper-based systems. A risk management system that leans into the efficiency and accuracy of PASSPort’s centralized, digital data is the most equitable and transparent approach.  Moreover, it keeps agency staff focused on contract and payment processing, rather than administrative activities. 

Centralized, Independent and Data-Driven Audit Management

Every human service provider and hundreds of contracts are audited every year. However, there is no consistency in data collection, reporting and management – each agency, and each audit firm has its own approach and timing. 

The city’s decentralized audit practice is excessively delayed – sometimes occurring two or three years after the contract ends. The utility of audit findings and information have essentially expired by the time an audit report is completed. Additionally, there is a heavy burden on the nonprofit contractor to identify and produce documents that may be years old and/or from a prior leadership team. While the city has an audit timeline outlined in the April 2019 City of New York Standard Audit Process Guide (Standard Audit Guide), centralized performance management would ensure that data collection is timely, yielding information that can actually be used. Moreover, this team could lead a review and updates to the audit process which is more than five years old and pre-dates the introduction of PASSPort.

An independent, centralized team will have visibility across the portfolio and expertise to inform and establish risk management indicators for individual contractors, as well as the portfolio at large. With core indicators, a standard audit report can be designed which will enable agency staff to more easily identify, evaluate and use audit findings as risk management and vendor evaluation tools. Equally important, a standard audit report would offer nonprofit leadership greater clarity on where to focus capacity building efforts to support healthy, sustainable organizations. 

A centralized human services audit practice is a new approach to audit management, but not to New York City.  Centralized human services financial and communications management was critical during COVID. Success with this model requires input from city agencies, oversights and nonprofit providers. Illustratively, in conversations with providers, they have identified where auditors are going down rabbit holes with no relevance and missing mine fields that could be loaded with information. There is an existing structure that can be reactivated and empowered by the city to move this forward.

Holistic approach to data-driven risk management

A holistic review of data collection and data analyses from pre-solicitation to post-contract is overdue. Stepping back to map the information journey and assess the quality, utility and sequencing of current information requests is essential. 

As identified by DOI in its 2021 report, a review of and update to disclosure questions could offer better data to assess and mitigate vendor risks. The same is true for performance evaluations, which are limited and brief in PASSPort. Responsibility determinations – essentially background checks – should also be reviewed.  The activity takes place after a vendor is selected and is often viewed as a “check the box” task on the way to getting a contract finalized and signed. 

Many questions asked during pre-solicitation are repeated in requests for proposals and the Standard Audit Guide, with further duplication happening during the contracting phase. In 2021, during the transition of the human services Prequalification Application to PASSPort, approximately two-thirds of the questions were eliminated for these reasons. The city had a streamlining opportunity earlier this year during the migration of human services financial management to PASSPort. It's not too late to start now.  

Evaluating and revamping the contracting process has the potential to bring more contractors, innovation and impact to the city, as well.  With the current approach to data collection and vendor analysis, city agencies often find it is easier to renew and extend existing contracts or just continue to do business with the organizations that they already know.  This practice shuts out new partners and creates another set of complacency risks for the city.

While recent reporting may suggest adding more data collection and review are necessary, there are opportunities to strengthen contracting risk management using the data currently on-hand. Establishing key risk indicators, creating a centralized, independent audit practice and re-engineering the collection and review of information can go a long way to create a proactive risk management practice, get nonprofits paid on time and establish a more efficient contracting system for city agencies and nonprofit staff.