Nonprofit risk management



Similar documents
Crisis Management Guide

INSURANCE FOR VOLUNTARY ORGANIZATIONS ARE YOUR VOLUNTEERS AND CLIENTS COVERED?

ASAE s Job Task Analysis Strategic Level Competencies

How to Assess Legal Risk Management Practices

Competency Requirements for Executive Director Candidates

DATA BREACH RESPONSE READINESS Is Your Organization Prepared?

Board Development. Roles and Responsibilities of Not-for-Profit Boards. The Governing Board of a Not-for-Profit Society

How to Respond When Sensitive Customer and Employee Data is Breached, Stolen or Compromised

An Insurance Overview for New Jersey Non-Profits

What are the main liability policies you should consider for your commercial business?

How To Protect Your Credit Card Information From Being Stolen

EQT GP HOLDINGS, LP (EQT GP Services, LLC) Corporate Governance Guidelines. (Adopted by the Board on April 30, 2015)

THE OPPORTUNITY AND THE ROLE

A Comparison. Safety and Health Management Systems and Joint Commission Standards. Sources for Comparison

Crisis Communications Plan

Hanover Human Services Advantage. Professional Liability, General Liability, and Abuse & Molestation Coverage

What A Nonprofit Organization Needs To Know About Insurance. Susan R. Smith. Beehive Insurance Agency, Inc.

OCC 98-3 OCC BULLETIN

Credit Union Liability with Third-Party Processors

Charities & Not for Profit Protecting your organisation, supporting its success. Risk Management Insurance Employee Benefits Investment Management

Anti-Money Laundering Program and Suspicious Activity Reporting Requirements For Insurance Companies. Frequently Asked Questions

Business Continuity Business Continuity Management Policy

Tools Conference Toronto November 26, 2014 Insurance for NFP s. Presented by Paul Spark HUB International HKMB Limited

Business Continuity Plan

RISK MANAGEMENT REPORTING GUIDELINES AND MANUAL 2013/14. For North Simcoe Muskoka LHIN Health Service Providers

What are the legal responsibilities of, and risks to, the directors and officers of a non-profit board?

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Care Providers Protecting your organisation, supporting its success. Risk Management Insurance Employee Benefits Investment Management

Enterprise risk management: A pragmatic, four-phase implementation plan

nonprofit advisor TUTORIAL

The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v

Developing a Risk Management Plan. New Partners Initiative Technical Assistance Project (NuPITA)

GUIDANCE FOR MANAGING THIRD-PARTY RISK

June 2010 HEALTH, SAFETY, AND ENVIRONMENT MANAGEMENT SYSTEM (HSEMS)

Insurance basics for nonprofit organizations

Risk Options. Avoid Assume Mitigate Transfer Prevent?

Shepway District Council Risk Management Policy

RISK MITIGATION SERVICES. Take-and-Use Guidelines for Chubb Crime Insurance Customers

Why Crisis Response and Business Continuity Plans Fail

Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE

Table II:9 Overview of the Management System of a Nonprofit Organization

Health Management Annual Compliance Training

SERVICES. Designing, deploying and supporting world class communications solutions.

Worldwide Anti-Corruption Policy

Board Governance and Best Practice Checklist

RIGHT FROM THE START: RESPONSIBILITIES of DIRECTORS of N0T-FOR-PROFIT CORPORATIONS

Cyber Risks in the Boardroom

Cutting through the insurance jargon!

Guidelines for conducting tabletop exercises Penn Mission Continuity Program (MCP)

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks.

PRIORITIZING CYBERSECURITY

Risk Management of Outsourced Technology Services. November 28, 2000

Information Technology Security Review April 16, 2012

RISK APPETITE IN THE WORLD FOOD PROGRAMME

Small Business Insurance Basics

E-Learning Courses. Course Category

SOCIAL MEDIA GUIDELINES

Breaking Down the Borders Operating Charitable or Tax Exempt Organizations Across the Canada/US Border

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

Chapter I: Fundamentals of Business Continuity Management

Online Training. Training Categories: Page 2. Workplace Wellness (6 videos) Health and Safety (17 videos) Page 3. Page 6. Leadership (7 videos) Page 7

cyber invasions cyber risk insurance AFP Exchange

Olsen-Sottile Insurance Brokers Inc. Human Resources Policy Manual

Overview. Here to serve, Cedarville University Marketing Department Tyler 212 Suite cedarville.edu/marketing

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel

IFAD Policy on Enterprise Risk Management

JOB DESCRIPTION DIRECTOR, HUMAN RESOURCES & COMMUNICATIONS. LOCATION: Vancouver Native Housing Society Head Office, Vancouver

HORIZON OIL LIMITED (ABN: )

Health and Safety Policy

Directors' & Officers' Liability

Learning and Development Hiring Manager Guide For Onboarding A New Manager

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

Proposed Code of Ethical Principles for Professional Valuers

Transcription:

Nonprofit risk management Mary Mancuso Nonprofit organizations face unique risk management challenges. They are often held to the same standards as for-profit organizations but do not have the same resources and knowledge to understand their risks and how to mitigate them. Legal and financial requirements may determine some of the risks your organization faces. For example, you must be compliant with tax reporting regulations. If you are not, there may be financial and legal repercussions. Heightened public scrutiny on nonprofit organizations has also created a new risk for nonprofit organizations: reputational risk. Controversial actions or decisions can create bad publicity and alienate supporters, effectively preventing nonprofits from receiving the funding or volunteer base needed to achieve goals. Mary Mancuso is Branch Manager at Cowan Insurance Group, Stratford Office, 804 Ontario St., Stratford, on n5a 3k1. She is also a Commercial Account Executive specializing in the not-for-profit industry sector. Email: Mary.Mancuso@cowangroup.ca All nonprofits should address risk management, regardless of the size of the organization. Organizations without the processes and people in place to manage risk exposure are vulnerable to devastating losses if a crisis situation occurs. Addressing risk management before a problem arises decreases your nonprofits risk exposure and the potential for damages or liability. Best practice dictates that risk management be addressed when an organization is established and reviewed annually, at a minimum, to ensure that all risks are understood and accounted for. If your organization does not have a risk management policy, every practice, event or action by the organization, its employees or volunteers increases exposure to liability. What is risk management? Risk management is the process of identifying your legal, financial, and reputational risks and taking steps to avoid exposure to them. If your nonprofit s financial assets were compromised, how would you respond? If your organization had a public relations crisis, how would you protect your reputation? If your facility was damaged, could your organization continue operating? A well-developed risk management policy helps you respond to an emergency quickly and minimizes the effect on your operations. It s vital that your risk management policy be supported and championed at the executive and leadership levels. Initiating a risk management culture at these levels helps that culture grow to reach all members of your organization. Because nonprofits depend heavily on all their employees and volunteers to contribute to the success of the organization, organization-wide knowledge of how risk management protects the organization is a vital part of mitigating your risks. Mancuso / Nonprofit / 2012 risk / volume management 24 3 191

While risk management must start at the leadership level, it cannot be managed without the input of people from all areas of your organization. A successful risk management culture invites and welcomes involvement from people across all levels of the organization. Members of the board of directors, leadership teams, management, operations staff, and volunteers each bring a unique knowledge and understanding of the type of risks they face on a day-to-day basis. Understanding those risks and working together to mitigate them is part of your nonprofit s due diligence and responsibility to all parties involved in your organization. Risk management planning Risk management requires time and dedication. You must understand your organization and the risks it faces before you invest in risk mitigation strategies. Failure to do so increases the likelihood of overlooking potential risks and leaving your organization unprotected. Your risk management policy should help your organization act in accordance with its values while mitigating legal, financial, and ethical risks. It should be documented and easily available for anyone in your organization to review. It can be used if you are required to defend your risk management practices and to train staff and employees on proper risk management strategies. Your policy should: 1. Identify the risks your nonprofit faces. 2. Assess the effect experiencing each risk would have on your organization. 3. Offer ways to prevent such risks from occurring. 4. Outline risk response strategies in the event of an unpreventable crisis. Identifying your risks Before you can identify your risks, you must define what a risk is. For most organizations, a risk is the potential for your organization s actions or decisions to produce an undesired result. It can also be the potential for the actions or decisions of someone outside your organization to produce an undesirable result that may be attributed to your organization. You may face physical risks, legal risks, reputation risks and financial risks, to name a few. It is impossible to mitigate all risks, but knowing what risks your organization faces can help you develop strategies to reduce or eliminate them. Nonprofits face a wide range of risks and often lack the resources or knowledge to fully understand them all. In addition to seeking input from all members of your organization, you should seek expertise from insurance, legal, and financial professionals to fully mitigate your risk exposure. Some risk areas to review include: Financial risks: Do you know who is responsible for verifying and auditing your organization s finances? Are your financial records up-to-date? Do you have the checks and 192 Mancuso / Nonprofit risk management

balances in place to prevent fraud? Are you compliant with tax regulations? Managing your non-profit s financial risks involves knowing the status of your financial situation and taking steps to protect it. Property risks: Do you have any physical security measures in place to protect your physical property? Video monitoring, alarm systems, safety and security processes, and security personnel can protect your organization from property risks such as theft or vandalism. Fire suppression systems, including smoke detectors, sprinklers and fire extinguishers, can prevent or limit fire damage. Personal safety risks: Are your employees and volunteers safe while working for your organization? Have they been adequately trained for the jobs they are performing? Are there processes in place to deal with health and safety accidents? Is your organization liable for any accidents or injuries that occur on your property or at your events? Reputational risks: Who manages your organization s brand and reputation? Who is responsible for reviewing content and messaging before it is presented to the public? How do you ensure that the information your organization creates or promotes, the events it sponsors and the people it associates with match your corporate goals, mission, and values? Who responds to media inquiries and publicity requests? Liability risks: Your organization may be held responsible for the actions of your partners, contractors, employees, and volunteers even if they have signed contracts releasing you from liability and responsibility. Do you have the proper legal contracts in place with landlords, contractors, service providers, and event sponsors detailing the legal responsibilities of each party? Do you have adequate liability insurance to protect your organization? Are all employees and volunteers properly screened, hired, trained, and supervised when providing services to the public? This is just a sampling of the risks your organization may face. To fully protect yourself, your organization and its assets, you should contact your insurance, legal and financial experts. Assessing your risks After you have identified all the risks your organization faces, examine each one to determine what effect it would have on your operations. Each risk will affect your organization differently. Understanding the consequences will help you develop successful prevention plans and response strategies. When completing your risk assessment, consider the following questions too. Why is the organization susceptible to this risk? What is the likelihood of experiencing this risk? What consequences will the organization face if it experiences this risk? For example, let s assess some of the risks associated with using social media. Social media has changed how organizations communicate with clients, donors, and the general public, demanding that organizations interact with their audience. It creates opportuni- Mancuso / Nonprofit risk management 193

ties to engage the audience, and to gather information and feedback from them, allowing your organization to better position itself for success. These benefits have compelled many nonprofit organizations to use social media as a market research and promotion tool. It has also exposed them to a variety of new risks, including Defamation: Any organization may be held responsible for something an employee has written or said on behalf of the organization on any social media supported by the organization. Copyright: Reusing third-party content in a blog, tweet, or any other social media interaction without giving the proper credit may leave your organization liable to copyright infringement. Reputation management: Participating in social media means you are inviting comments and criticism from your audience. Negative publicity can spread quickly and be difficult to control. To assess the effect these social media risks could have on your organization, ask each of the questions above about each risk. Is your organization susceptible to defamation risks? What is the likelihood that you will experience that risk? What are the consequences if you do? To answer those questions, you will need to research your social media practices. Understanding your current practices and past experiences will help you accurately gage the effect a risk factor will have on your organization. Talk to social media experts, brand managers, and legal counsel to determine if your organization is at risk. Research the issue to understand what other organizations similar to yours are experiencing and doing to mitigate their risks. Your answers will help you develop a risk prevention policy that will decrease or eliminate your risks. Risk prevention After you have identified and assessed your organization s risk factors, your next step is developing a comprehensive risk prevention plan. Your risk prevention plan should address each risk factor identified and offer strategies to negate the risk or decrease the probability of the risk occurring. The type of risk prevention strategy required depends on the type of risk, the probability of it occurring and the severity of the consequences if it does occur. Risks that have little probability of occurring and little consequence can be dealt with through simple prevention strategies. Risks that are very probably to occur or that could have devastating or long-term consequences require more stringent prevention planning. A successful risk prevention plan investigates two questions: What steps can you take to eliminate the risk? When a risk occurs, what steps can you take to mitigate it? 194 Mancuso / Nonprofit risk management

Use these two questions to evaluate each risk you identified. You will not be able to eliminate all risks, but you should be able to find ways to mitigate each one. Mitigation strategies can include Insurance coverages Volunteer screening plans Volunteer and employee training and orientation programs Financial procedures and reporting Reputation management planning Workplace health and safety standards Technology failure and cyber risk prevention Depending on the nature of your operations, you may require other risk prevention strategies to protect your organization. Consult volunteer, charity, financial, legal, and insurance experts when creating your risk management plans. They can provide insight on the severity of each risk and the consequences you will face if exposed to it. They can also guide you to effective risk mitigation procedures. Once you have developed a thorough risk management strategy, turn your focus to implementing your strategies and procedures. Prioritize implementation by addressing high probability and high consequence risks first. Assign risk management tasks and make people accountable for implementing prevention strategies by a deadline. When you feel confident that your organization has addressed those risks, you can move on to tackling lower probability and lower consequence risks. Risk response strategies It is impossible to mitigate all risks. That s why it is critical to develop risk response strategies to compliment your risk prevention planning. Risk response strategies outline the steps your organization will take a risk occurs. You should plan a response strategy for each risk factor you identified. The key objectives of a successful risk management strategy are: a) to enable your organization to operate under normal conditions, or b) to outline the procedures required if operations must be altered or stopped. Your strategy should give a detailed description of the steps required to achieve scenario a or b for each risk you identified. It should also list who is accountable for each step. It should be easy to use and to find. Everyone with a risk response strategy accountability should be familiar with the plan and their responsibilities. Common risk response information includes A list of emergency contacts. A process for notifying and updating emergency personnel, executives, insurance companies, and key stakeholders of any risk exposure situation. Communications strategies to notify employees, media, volunteers, and other stakeholders about the situation and alternate operating conditions. Mancuso / Nonprofit risk management 195

Operational contingency plans such as moving to an alternate location or working via remote access. The location of copies of all your business and financial paperwork. If your primary location is inaccessible, you will need access to these documents to continue operating. Evaluation Your organization will change over time. You may change your operating model, your practices, or your goals. New technologies, strategies, employees, or events can introduce new risks. To ensure you are fully prepared, review and revise your risk management policy on an annual basis, after any changes in your operations or organizational structure and after experiencing a risk. Annual reviews allow you to accommodate for changes that do not warrant a complete risk management review when the change occurs. Larger changes may introduce new high probability or high consequence risks that require immediate attention. Deal with these risks as they arise so they are not forgotten. Finally, no risk management plan is perfect. If your nonprofit experiences a risk situation, you will undoubtedly learn how you could respond more effectively. Apply this knowledge to all areas of your risk management policy to prepare your organization for future risks. Are you prepared? Use the following questions to determine the state of your organization s risk management readiness. Do you have a risk management policy in place? If no, begin the process to develop a risk management policy. Did you consult subject matter experts and representatives from all areas of your organization to develop the risk management policy? If not, your risk management policy is likely incomplete. No one person can understand all the areas of your organization. Rely on the expertise of others to ensure your policy is comprehensive and complete. Have you documented your policy and all the procedures and training you have in place? If no, begin the process to document your organization s risk management policy. This document can be used to train future employees and volunteers. A documented risk management policy may also be useful as evidence of due diligence if a claim is filed against your organization. 196 Mancuso / Nonprofit risk management

Do you review your risk management policy annually/after organizational changes/ after experiencing a risk? If no, you should begin the process of reviewing your policy. Changes in technology, staff, legal obligations, or legislation may alter your risk management requirements. Annual reviews help ensure your policy is up-to-date. Have you trained your staff, volunteers, and third-party collaborators on your risk management policy? A risk management policy is useless if it is not understood and applied. Training staff, volunteers, and any third-party collaborators you deal with ensures they understand and know how to apply your risk mitigation strategies. Training is also part of your organization s due diligence. Do you track the full name of each employee/volunteer who attends risk management training, along with the date and time the training occurred? This information helps your organization be accountable if your risk management policy is questioned or used in a legal context. Do employees follow your policies and procedures? A risk management policy is only effective if it is carried out. Frequent review of the implementation of your policy ensures it is being followed. If it is not, investigate why. Is it difficult to understand? It is hard to carry out during day-to-day activities? Is it outdated and no longer applicable? If so, adjust your strategies and procedures to match your organization s daily operations. Mancuso / Nonprofit risk management 197

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information