About | Contact | News Releases | Store | Donate | FAQs
Alliance Logo
 

Risk Management

Risk Management

What is risk management?
Risk management is a discipline for dealing with the possibility that some future event will cause harm. It provides strategies, techniques, and an approach to recognizing and confronting any threat faced by an organization in fulfilling its mission. Risk management may be as uncomplicated as asking and answering three basic questions:

What can go wrong?
What will we do (both to prevent the harm from occurring and in the aftermath of an "incident")?
If something happens, how will we pay for it?

Risk management in the nonprofit sector
Risk management in the charitable sector is fundamentally different from risk management practiced in the for-profit world. At the heart of the difference is the very reason most nonprofits exist in the first place: to help people. The goal of risk management for nonprofit organizations is not unlike the oath taken by new physicians: first do no harm. With that in mind, risk controlling activities and programs focus principally on preventing harm to the persons served by a nonprofit. In the business world, corporations may view risk management as a subset of finance. Managing risk involves calculating the probable cost to the company of injuries or missteps and factoring this cost in the pricing of products and services. For nonprofit organizations, avoiding accidents and missteps is preferable. Why? Because when things go wrong, the impact goes well beyond a financial transaction. The reverberations of an incident may damage irreparably a nonprofit's chances of survival, including its ability to recruit volunteers, maintain public credibility, and reach prospective clients.

In recent years we have witnessed many instances in which a large corporation has successfully "rebounded" following widespread publicity over poor safety procedures, unsafe products, and high rates of employee injury. Overall, nonprofits have a far more difficult time in the wake of revelations concerning client and staff injury or financial mismanagement. Sometimes, it may take an agency several years to rebuild. In other instances, the loss of public support may signal the end of the organization.

In many nonprofits the focus of the risk management effort is on:
Screening volunteers to protect clients from harm;
Checking motor vehicle records for all employees and volunteers driving on the nonprofit's behalf;
Developing board orientation and training materials;
Coordinating the development and consistent use of employment practices;
Negotiating the availability of bank credit and purchasing property and liability insurance to address the organization's principal exposures;
Addressing hazards associated with the organization's fundraising events; and
Recommending policies and procedures that insulate the organization from liability when it enters into relationships with partner or affiliate organizations.

What is risk?
Simply speaking, a risk is any uncertainty about a future event that threatens your organization's ability to accomplish its mission. Although your "fund balance" may be small, and equipment may be second generation, your nonprofit has vital assets at risk. Nonprofit assets fall into the following categories.
People -- board members, volunteers, employees, clients, donors, and the public.
Property -- buildings, facilities, equipment, materials, copyrights, and trademarks.
Income -- sales, grants, and contributions.
Goodwill -- reputation, stature in the community, and the ability to raise funds and appeal to prospective volunteers.

Developing a risk management program
Large organizations may have a risk management department responsible for answering the three basic questions. In addition, the department may manage litigation, coordinate product and plant safety programs, and undertake the complex analyses required to set monetary reserves for future claims. In many nonprofit organizations, a volunteer Risk Management Committee working in partnership with the executive director and finance officer oversees the risk management function.
For small to mid-size nonprofits, risk management need not be an expensive or highly technical process requiring vast resources. Instead, incorporating risk management into your operation is simply anticipating events, planning a response, and, wherever possible, providing adequate financing if something does go wrong. A critical element for the effective management of risk is the belief that by promoting safety, protecting clients, and conserving scarce resources, the agency frees up its resources to focus on mission-critical functions. The following steps are essential:

1. Establish the purpose of the risk management program. The first step is to decide your organization's purpose for creating a risk management program. Your purpose may be to reduce the costs of insurance or to reduce the number of program-related injuries to staff members. By determining its intention before initiating risk management planning, your agency can evaluate the results to determine its effectiveness. Typically, the executive director of a nonprofit, with the board of directors, sets the tone for the risk management program.

2. Assign responsibility for the risk management plan. The second step is to designate an individual or team (typically a risk management committee) responsible for developing and implementing your organization's risk management program. While the team is principally responsible for the risk management plan, a successful program requires the integration of risk management within all levels of your organization. Operations staff and board members should help the risk management committee in identifying risks and developing suitable loss control and intervention strategies.

3. Acknowledge and identify risk. Every nonprofit's operation involves some degree of risk or uncertainty about future events. An important step in managing those risks is to identify them. Some risks are generic and inherent to all organizations -- the possibility of a visitor slipping on a wet floor, an employee embezzling the agency's funds, or a former employee alleging violation of his civil rights. Other risks are unique to your organization -- injury at a special event, embezzlement of funds by your contract accountant, or negative publicity following the launch of a strategic alliance with a controversial business. No matter how improbable a risk may seem, if you can envision it happening in your organization, you should list it during this stage of the risk management process.

4. Evaluate and prioritize risk. Under this step, the risk management committee assesses the probability of each risk becoming reality and estimates its possible effect and cost to the agency. An organization should look at its past accidents and near misses and check with similar nonprofits in developing probability and cost estimates. Also, consider the possible public reaction to an adverse event. Priority areas of concern will include those risks that are most likely to occur and are expensive when they do happen -- such as an accident or injury at a community pool. Lower priority risks are those that seldom occur and are not likely to cost as much when they do happen -- such as a fall in the agency's well-maintained offices.

5. Decide how to manage your risks, using risk management strategies. The risk management committee's next task is to develop a written plan. The plan outlines how the agency will manage its major risks and describes the suggested strategy, or combination of strategies that the nonprofit will employ. The four basic strategies for controlling risk are:
X Avoidance. Do not offer or cease to provide a service or conduct an activity considered too risky.
X Modification. Change the activity so that the chance of harm occurring and impact of potential damage are within acceptable limits.
X Retention. Accept all or part of the risk, and prepare for the consequences.
X Sharing. Consider sharing the risk with another organization. Examples of risk sharing include mutual aid agreements with other nonprofits, purchasing insurance, and sharing responsibility for a risk with another service provider through a contractual arrangement.
X Traditional risk management texts categorize the purchase of insurance and use of contractual arrangements to allocate risk as methods of "risk transfer." This term is misleading, however, as transferring risk is virtually impossible for a nonprofit. For example, when a nonprofit purchases a general liability policy, the insurance carrier agrees to defend and pay for losses incurred by the nonprofit for certain causes of loss. The insured nonprofit, however, retains the potential loss of its reputation in the community and reductions in the pool of volunteers available to serve the organization. No currently available contract of insurance will restore a damaged reputation or replenish a pool of capable and enthusiastic volunteers.

6. Implement your risk management plan. Once the appropriate governing body or management personnel has reviewed the plan, the agency should formally adopt and implement it. A risk management plan placed on a shelf in the executive director's office is a waste of time. Implementation begins with the risk management committee distributing and explaining the plan to everyone affected by it. While every staff member should have the opportunity to comment on the plan and its implementation, they may require some special training. Certain employees and volunteers may need training to enable them to meet their specific risk management responsibilities.

7. Review and revise the plan as needed. Nonprofits are dynamic organizations that must adapt -- on an ongoing basis -- to new client needs, funding constraints, and service delivery challenges. The dynamic nature of your organization requires that the risk management committee revisit its strategies at least annually. The committee should evaluate the risk management plan to ensure its continued relevancy, comprehensiveness, and effectiveness. Have your risks changed due to the addition of new services or curtailment of programming? Are greater or fewer resources available for controlling risks? Having a risk management committee that meets periodically can help ensure that the issue of risk management receives ongoing attention. The risk management committee also needs to evaluate the strategies it sets up. Have the risk management techniques had the desired affect? Were injuries or accidents reduced? Did insurance premiums go up or down at renewal? Is the plan having the desired impact or do you need to make some revisions?

The role of insurance
For most nonprofits, insurance is a valuable risk financing tool. Few agencies have the reserves or funds necessary for complete self insurance of their exposures. Purchasing insurance, however, is not synonymous with risk management. In the nonprofit sector, practicing risk management is living the commitment to prevent harm. In addition, risk management addresses many risks that are not insurable -- such as, the potential loss of tax exempt status, public goodwill, and continuing donor support.

What are the most common risks facing nonprofit organizations?
Defining Risk
Risk is any uncertainty about a future event that threatens your organization's ability to accomplish its mission. Viable threats endanger your organization's core assets and thereby limit your ability to provide critical services. Although your "fund balance" may be minimal, and equipment may be second generation, your agency has vital assets at risk. Generally, nonprofit assets fall into the following categories.
People -- Board members, volunteers, employees, clients, donors, and the public.
Property -- Buildings, facilities, equipment, materials, copyrights, and trademarks.
Income -- Sales, grants, and contributions.
Goodwill -- Reputation, stature in the community, and the ability to raise funds and appeal to prospective volunteers.

The Most Common Risks
An organization can evaluate the risks facing it by the magnitude of the threat to its core assets. The likelihood and potential consequences of a risk materializing determine whether it is a high priority risk requiring immediate attention. The risks most common to nonprofit organizations include:

Injuries to Clients, Employees, Volunteers, and the Public
The nonprofit's major risk or exposure is the possibility of someone getting hurt. The injury may be the result of the organization's negligence or a non-fault accident. Every nonprofit, when serving clients or raising funds for its programs, must exercise a level of care necessary to protect people from harm. Injuries may arise from an automobile accident, workplace hazards, client participation in a regular program, or the sponsorship of a special event.

Nonprofit managers must understand the important concepts of liability and negligence to assess and prioritize risks. An organization is liable when it is financially responsible for its actions or failure to act. Claims made against nonprofit organizations frequently allege negligence, or the failure to act as a reasonable person would under similar circumstances. To prevail, a party alleging negligence must prove that:

1. A duty exists -- An organization cannot be found negligent unless it first had a duty to exercise care.
2. The duty is breached -- An organization that does not meet its duty of care may be found negligent.
3. An injury occurs -- Negligence will not be found unless someone is hurt or something is damaged.
4. The breach of duty caused the injury -- In order for an organization to be found negligent, the injury must be tied directly to the entity's breach of its duty of care.

If the four elements exist in a given situation, a court may hold an organization liable for an injury or damages. One of the greatest risks facing a nonprofit is the failure to provide the requisite level of care required under the circumstances. The required standard of care, however, varies with the situation, the people involved, and the community in which the incident takes place. Nonprofits serving children or other vulnerable populations must exercise a higher level of care than if the agency serves adults.

Damage to Property
Every organization owns some property even if it is antiquated office furniture and computers. The damage or destruction of the nonprofit's property could impair the organization's ability to continue operations. A fire, tornado, flood, wind, explosion, vandalism, theft or electrical malfunctions can cause damage to the organization's property. The need to abandon or temporarily vacate unusable offices would severely impact the operations of most if not all nonprofits. The organization could face substantial costs to locate and establish temporary or new offices. A property loss has both operational and financial consequences.
An organization's property can be more than its office furniture and equipment. Many nonprofits own automobiles, mobile equipment (cellular phones, two-way radios, tools), boats, and lawn or maintenance equipment. What would the impact of a major property loss be on your organization?
Many nonprofits do not consider the risk of damage to property that it has borrowed or rented. Most property rental agreements assign responsibility for damage to the property to the lessee (the organization). Even if you borrow equipment without a contract, the owner may expect restitution if your organization lost or damaged the property.
A word of caution: many organizations assume that a general liability policy will cover damage to another's property. However, most general liability policies exclude damage to property owned by or in the care, custody, and control of the insured.

Employment Practices
Data supplied by several insurers indicates that employment-related matters represent the largest share of claims filed against nonprofits under directors' and officers' liability policies. Coregis, a large insurer of nonprofit D&O coverage, reports that employment-related allegations account for more than 75 percent of nonprofit claims. The Nonprofits' Insurance Alliance of California (NIAC) reports that lawsuits alleging wrongful termination represent 60 percent of all suits filed against nonprofit boards. Charges of sexual harassment and discrimination are the next leading causes of employment practices claims. Nonprofit managers and boards must carefully establish and follow employment policies and procedures to reduce the risk of employment practices claims.
Employment risks arise from the existence of extensive laws regulating the employer-employee relationship. The laws apply to all aspects of the employment relationship -- including the hiring, supervision, and termination of employees. Non-compliance can result in an employment claim and significant fees, fines or settlements.
The laws and regulations include federal, state and local requirements. Some of the issues addressed by the laws are sexual harassment, discrimination (based on sex, age, race, color, creed, national origin, disabilities, sexual orientation), wage and hour, fair labor standards, and benefit plans administration.

Fraud
Every nonprofit is vulnerable to fraud. The theft or misappropriation of funds can have severe consequences. A single major theft of funds or equipment could jeopardize seriously a nonprofit's viability. The organization may suffer a cash flow crunch, loss of donor confidence, reduction in services and a loss of jobs. The public reporting of a loss could be devastating as media reports affect donations, the availability of volunteers and public goodwill.
According to Robert Hailstone at Australia's Criminal Justice Commission, the true costs of workplace crime in Australia totaled $10 billion in 1996. Hailstone also reports that fraud accounts for two-thirds of all crime. A study estimated the 1996 U.S. cost of workplace crime at $300 billion. The lack of effective internal controls may enable the thief to be successful. Even a small nonprofit with very limited resources could lose it all if an employee or volunteer steals or squanders its money.

Legal Requirements
Nonprofit organizations, as holders of the public's trust, are subject to specific laws and regulations. Organizations must meet IRS requirements to maintain their tax-exempt status. The Internal Revenue Code addresses the organization's charitable mission, political and lobbying activities and proper accounting of income and expenses. Violations can lead to fines, loss of tax-exempt status or possible dissolution. Besides the IRS, every state has charitable solicitation and other laws applicable to nonprofit organizations.
In addition to laws regulating the operation of nonprofits, many organizations must follow operational rules and regulations. Medical clinics must follow hazardous waste handling procedures and meet state requirements for a medical facility. Organizations serving children must report suspected cases of child abuse and follow other health and safety regulations. If an organization fails to comply with these regulations, the regulatory authority may impose a fine, suspend its operating license or permanently close the operation. If the media reports the incident, the adverse publicity could also effect the organization's ability to function.
To manage the risks of legal compliance, every organization must research and keep current on the rules, regulations and statutes that apply to its operations. Noncompliance can both initiate governmental action and create the basis for a liability action against the organization.

What is a risk management committee?
Many businesses and large nonprofit agencies employ full-time, professional risk managers who coordinate the organization's loss control, claims reporting, insurance purchasing, safety programs and other functions. Other organizations use an outside advisor to review exposures and develop risk management strategies on an ongoing basis. While the roles vary by organization, these professionals generally provide leadership in identifying, controlling, and financing risk.

For many small and mid-size nonprofits or those that are volunteer driven, budget limitations preclude the hiring of a risk management professional. However, a Risk Management Committee is a highly effective method for addressing the organization's risk management needs. The Risk Management Committee can function as the organization's risk management department or be a valuable and supportive partner to the agency's risk manager.

A Risk Management Committee is the group responsible for the development and oversight of an organization's risk management program. The Committee's primary efforts are to identify, control and finance risks. In the nonprofit sector, a risk management committee typically includes both employees and volunteers. A diverse membership enables an organization to get a broad and unique perspective on its risks while encouraging creative problem solving.

Forming A Risk Management Committee
The composition of a Risk Management Committee will vary depending on the organization's unique risks. A nonprofit health clinic's risk management committee may include medical personnel, an attorney, an insurance professional and a member of the administrative staff. In contrast, a nonprofit mentoring program serving at-risk youth may include the volunteer coordinator or intake professional, one or more of the volunteer mentors, an attorney, and an insurance professional on its committee. One key factor in selecting the committee's members is to identify individuals with a range of expertise and first hand knowledge of the organization's risks.

Nonprofit exposures or risks fall generally into the following categories:
Traditional business risks such as the loss of equipment due to fire or the filing of a wrongful termination claim;
Exposures unique to the nonprofit sector -- tax assessments from unrelated business income, contractual liability resulting from a volunteer's apparent authority, or liability from an auto accident involving a volunteer using his car to transport clients;
Service delivery-related risks -- exposures associated with the specific services that the organization delivers, such as abuse of vulnerable clients/members, or the negligent referral to an unqualified service provider.
An organization should select individuals familiar with traditional business/operating risks and people who know the details of an agency's operations. Therefore, the organization should include at least one employee on an otherwise all volunteer Risk Management Committee. The most effective committee will consist of people with knowledge of and experience with the nonprofit's operations, future programming plans, legal structure, and operating procedures.

The Core Responsibilities of a Risk Management Committee
Identify and evaluate exposures -- The Committee's responsibilities are similar to the duties of a risk manager. The first step in the process is to identify and measure the risks facing an agency. Some organizations may use an outside consultant for this effort. Here, the Committee supports the process by participating in interviews with the advisor and helping to identify the various risks facing the organization. If an agency decides to undertake the risk management process without outside help, the Committee's work begins with a brainstorming session. The members identify and discuss "what could go wrong" and the likelihood of each identified harm occurring.

Develop risk management strategies -- The Committee's job continues with the identification of practical, affordable loss control strategies to reduce the chance of harm occurring or minimize losses if the risk becomes real. A committee with broad experience and differing perspectives is important. The Committee should draw in additional employees and key volunteers to ensure that the its recommendations are practical and acceptable. In addition, the Committee answers the following questions. What risks should the organization avoid completely? What risks can be minimized through operational changes? What risks can be self-insured by reserving funds to pay anticipated losses? What risks require outside financing, such as the purchase of an insurance policy?

Implement the risk management plan -- For the next phase, the Committee develops a plan outlining the nonprofit's strategies for addressing its major risks. The plan identifies who is responsible for carrying out each facet of the plan. Additionally, the plan documents the steps required to carry it out. Include information on risk financing programs such as insurance policies, coverages, renewal dates, and claims reporting procedures.

Monitor and update the plan as needed -- In some respects, the Committee's work is never finished. Managing a nonprofit's risks requires an ongoing commitment to revisiting strategies, looking for emerging or changing exposures, and staying abreast of developments that effect the likelihood of harm. The activities and programs of most nonprofits vary considerably each year. The Risk Management Committee examines how each change affects its risk. Will the addition of a new service create a professional liability exposure? Another Committee responsibility is to submit reports to the nonprofit's board highlighting the committee's activities. The Committee must keep the board advised of any developments that may significantly affect the organization.

Other important tasks of a risk management committee may include:
Developing an organizational risk management policy that affirms the organization's commitment to safeguarding its assets and establishing its risk management goals (i.e. improving client safety);
Selecting an insurance advisor (a broker or agent) and negotiating insurance arrangements;
Communicating the agency's risk management plan and loss control procedures to affected parties, including employees, volunteers, the board of directors, clients and the public; and
Overseeing loss prevention activities.

The designation of a Risk Management Committee is often the starting point for a nonprofit's commitment to controlling risk. A committee structure offers invaluable support in the identification of exposures and the development of practical strategies for preventing losses and minimizing the impact of losses when they occur.