Make time for risk management
All organizations face risks,
but when bad things happen to not-for-profits the consequences can be especially
devastating - through the loss of public trust and goodwill, if not financially.
Because not-for-profits may have even more to lose than
for-profit entities, their executive directors and boards must make risk
management a priority. Good practices in this area signify an organization's
commitment to responsible operation.
A risk can be anything that might
occur that could jeopardize a not-for-profit's tangible or intangible
assets and threaten its ability to achieve its mission. Risks usually fall
into one of the following categories:
People — Will employees, volunteers
or clientele be harmed or cause harm?
Property — What are the risks to
facilities, equipment, proprietary information or intellectual property?
Income — What is the likelihood of losing significant
revenue from grants, contributions or other income?
Reputation and
stature — What might tarnish the organization's public image or endanger
its tax-exempt status?
Some examples of misfortune that could befall
a not-forprofit include:
- A volunteer bus driver under the influence
of drugs has an accident while transporting children,
- A fire breaks
out in an organization's office, destroying valuable equipment
and records, or
- Workers file a lawsuit alleging they were wrongly denied
overtime pay.
Because risks can arise in so many areas and without
warning, planning for them can be difficult. But in its simplest form,
risk management revolves around three basic questions:
- What can go
wrong?
- What can we do to lessen the possibility that something
will go wrong?
- How can we protect ourselves legally and financially
if something bad does happen?
Ranking risks
Effective risk management
begins with recognizing that not all risks are equal. Some risks, such
as employmentrelated claims or fraud committed by an employee, are
always a possibility, but most organizations also have certain vulnerabilities
related to the nature and scope of their work.
Identifying organizational risks requires input from
staff, volunteers and outside advisors, such as lawyers and accountants.
For instance, the volunteer coordinator could help identify volunteer-related
risks, and an auditor might evaluate adequacy of the organization's
internal controls.
Not only is this approach logical - those working
in the operational areas being reviewed have the best vantage point
for spotting risks - but it helps build buy-in for any later recommendations.
Although many people contribute their insights, an
individual or small group - often a risk management committee - should
take the lead in developing a plan to manage risks. The committee might
include volunteers, employees and possibly an outside advisor.
The
process of evaluating and ranking risks then begins. The goal should
be to focus first on probable risks with the potential for the greatest
negative impact. For instance, an organization that relies heavily
on volunteers to deliver services to children would concentrate much
of its risk prevention efforts on properly screening volunteers.
As you evaluate risks, review your policies and procedures
and develop or revise them to reduce highpriority risks. For instance,
an organization might add an extra layer of protection to the process
of screening volunteers or take steps to improve documentation in
this area. Some activities may even be deemed too risky to continue,
such as field trips for children to a community pool.
Documenting
policies
During your review, document everything, such as policies
pertaining to personnel, conflicts-of-interest, Internet usage,
financial management and internal controls.
Many organizations make
the mistake of assuming that having high ethical standards eliminates
the need for written policies, but policies are the backbone of
any compliance or risk management plan. They also play a role in training
and educating staff members and volunteers.
Organizations should continually monitor their risk
management practices to see how well they're working, with a comprehensive
review annually, if possible. Key performance indicators can be established
to function as an early warning system.
In the financial area, for
instance, an indicator might be a budget overrun. To address this,
review the monthly budget each time it is exceeded, to identify the
reason for the overrun and evaluate the importance of the underlying
problem. Another precaution might be to monitor volunteer and staff
turnover quarterly, to detect personnel problems requiring attention.
Even with sound practices in place, not-for-profits
should still prepare for worst-case scenarios. In addition to general
liability insurance, directors' and officers' insurance is often used
to enhance protection. (See "D & 0
insurance helps fill liability gaps" below)
Business continuity
planning also plays an important role in preparing for unforeseen
events that could jeopardize the ability to maintain normal operations.
An effective program
A risk management program doesn't
have to be elaborate to be effective. Its complexity should reflect
a not-for-profit's specific risks and the resources available to
minimize them. What's critical is that organizations make time to identify
probable risks, use a system to evaluate and rank them, and put strategies
in place to lessen them.
D&O insurance helps fill liability gaps
Even not-for-profits
that practice sound risk management and carry general liability
insurance can be harmed by lawsuits. Liability can also extend
to staff members and volunteers who act on an organization's
behalf.
Most not-for-profits have indemnification
policies that protect board members by agreeing to cover legal
or other expenses that could result from their service. In
addition, state laws and the federal Volunteer Protection Act
(VPA) shield volunteers to some degree for liability in cases
of "simple negligence." But both
of these mechanisms merely limit rather than eliminate volunteer
liability.
For example, the VPA does not cover harm caused by willful,
criminal or reckless conduct, gross negligence, or operation
of a motor vehicle. Coverage also requires that volunteers act
within the scope of their responsibilities, and discriminatory
acts are not covered. Additional risks result from breaches of
contract, copyright violations and financial failures or improprieties.
That's why most organizations will want coverage that extends
beyond that offered by indemnification policies and existing
laws. Many purchase a commercial general liability policy to
supplement their protection and that of their directors, employees
and volunteers. A general liability policy covers claims arising
from bodily injury and property damage, even in cases of negligence.
Directors' and officers' (D&O)
liability insurance is another key piece in a comprehensive effort
to manage risk. D&O policies take up where general liability policies
leave off. They generally insure against "wrongful acts" by the
organization and its representatives, including breaches of duty.
Some policies also cover "prior acts" by an organization or its
representatives.
In addition, D&O insurance offers broad
coverage for employment-related claims, something that most
general liability policies do not cover. This is an important
benefit since most claims against not-for-profits are employment-related,
including discrimination, harassment or wrongful termination.
Even when
not-for-profits employ multiple approaches to liability protection,
they still face significant uninsurable risks, such as the
loss of goodwill, donor support or tax-exempt status. Only a
strong commitment to risk awareness and prevention can provide
a hedge against these potentially devastating risks. |
These publications are distributed with the understanding
that the author, publisher and distributor are not rendering legal,
accounting or other professional advice or opinions on specific facts
or matters, and, accordingly, assume no liability whatsoever in connection
to its use.
