Non Profit Risk Management
Presented by:
Markham F. Rollins III, CEO, and Erica Martinson, Director, Risk Management Services, The Rollins Agency, Inc.
William Abram, President, Pragmatix, Inc.
Reputation
"It takes twenty years to build a reputation and five minutes to destroy it." - Warren Buffett
Understanding & Managing Risk
Risk Management: anticipating what could happen tomorrow.
Risk Defined: future issues that can be avoided or mitigated (Wikipedia).
Risk Options: Avoid, Assume, Mitigate, Transfer, Prevent?
12 Hallmarks
1. Takes More Risks Than It Avoids
2. Heralds A Risk Management Champion
3. Guided By Reality, In Addition To Scary Headlines
4. Is Bold But Smart
5. Cultivates A Can-Do Attitude Among Paid And Volunteer Staff
6. Sees The Whole Iceberg, Not Just The Tip
7. Understands That Hindsight Isn't 20/20, But It's Better Than A Blindfold
8. Tells It Like It Is
9. Is Transparent With Insurance Partners
10. Values The Journey, Not Just The Destination
11. Engages The Board In Battle
12. Looks At Risk From Everyone's Perspective
12 Hallmarks courtesy of the Nonprofit Risk Management Center, www.nonprofitrisk.org
Culture vs. Process
[Chart: Effort (y-axis) over Time (x-axis), with one curve for Culture and one for Process]
Organizational Threats
Categories: Operational, Human Capital, Physical Hazard, Reputation
Examples: high turnover; disaster recovery; financial performance; bad hires; automobile; growth; productivity; ergonomics; donor funding; training; employees working at home; loss of contract; background checks; business interruption; board governance; HR compliance; cyber liability; contract review; culture; loss of residential facility; data theft; wellness; emergency evacuation; accusations of alleged action; youth protection; special events; social media; employee injury; power outage; increased compliance requirements; volunteer injury; bed bugs; employee theft; wrongful termination; fire; joint venture failure; claims management; severe weather; certificate of insurance management; safety committee; lack of strategic plan; sexual harassment; fraud; loss of IT equipment.
Why Have a Plan?
[Chart: Cost of Risk ($) over Time, showing a higher band and a lower band; a plan drives the cost of risk down toward the lower band]
Advantages of having a risk management plan:
1) Do nothing: take your chances as to where you end up on the higher band.
2) Take control: proactively position yourself at the bottom of the lower band.
No plan: high frequency, high severity, high expense, high exposure, no controls, reactive management.
With a plan: low frequency, low severity, low expense, low exposure, high level of controls, proactive management.
Workshop
Questions so far?
Best Practices - Workshop
Risk Management Topics
1. Risk Management Committee
2. Contract Reviews
3. Certificate of Insurance Management
4. Volunteers
5. Special Events
6. Crisis Management
7. Emergency Evacuation
8. Disaster Recovery Planning
9. Business Continuity Planning
10. Claims Management
11. IT Disaster Recovery
12. Social Media
13. Board Governance
14. Collaboration
15. Auto/Fleet Policy
Workshop
Progress, not Perfection
Zip Code 89410
Tools
Risk Management Committee
Columns: Strategy | 1-10 | Who | 1st Actions
- Committee in place, made up of representatives from all areas (vertical) and levels (horizontal) of the organization.
- Regularly scheduled meetings with agendas and minutes (regular reports from subcommittees such as safety, personnel, etc.).
- Formal processes for subcommittees to review all accidents and near misses, perform inspections, special projects, etc.
- Committee engages in outside-the-box thinking about risk to the organization and gets the board involved.
Contract Reviews
Columns: Strategy | 1-10 | Who | 1st Actions
- Develop standardized contracts for suppliers and contractors, and require sign-off before they can be deviated from.
- Send all non-standard contracts to legal and insurance advisors for review.
- Negotiate for the best contract provisions, and make sure you can comply with the insurance requirements.
- Centralize storage of all contracts and ensure there are backups.
Certificate of Insurance Management
Columns: Strategy | 1-10 | Who | 1st Actions
- Require all vendors, independent contractors, etc. to carry insurance and provide certificates. The additional named insured provision is key!
- Establish and communicate minimum insurance requirements (boilerplate).
- Implement a system for requesting certificates, checking them for compliance and filing them.
- Implement a diary system for expiring certificates and follow up to obtain renewals.
Volunteer Risk Management
Columns: Strategy | 1-10 | Who | 1st Actions
- A formal written policy on recruitment, screening and selection is in place. Verification of all credentials and licenses is part of the screening process.
- Training, supervising and disciplining volunteers is established. Signed waivers from all volunteers are non-optional!
- A job description for each position: responsibilities, authority, reporting relationships and performance expectations. A volunteer handbook is ideal.
- A process to solicit feedback and uncover any negatives, e.g. post-event surveys where applicable.
Special Events
Columns: Strategy | 1-10 | Who | 1st Actions
- A planning checklist and a safety checklist are used for all events, from planning through the day of the event, clean-up and first aid.
- Staffing considerations are in place for all areas. The use of staff, volunteers, board and others is clear, with levels of authority.
- Legal considerations are in place and all the necessary forms are in place: lease, hold harmless agreements, waivers of subrogation, participant waivers.
- Certificates of insurance are in place for all vendors, suppliers and subcontractors.
Crisis Management
Columns: Strategy | 1-10 | Who | 1st Actions
- You have looked at all scenarios and possibilities to the best of your ability and know what could happen.
- You have a comprehensive directory of all staff, board and key volunteers, and you have a complete backup of key data.
- You have a licensed attorney and a PR firm with experience in this area that you can call on for advice.
- A clear communication strategy is in place: who will speak, how you describe your mission, what strategy you have to contact everyone, and who is involved in the plan.
- The plan has been tested and is ready to use.
Emergency Evacuation Risk Management
Columns: Strategy | 1-10 | Who | 1st Actions
- Establish emergency evacuation and shelter plans for all sites, including means of egress and alternate shelter locations.
- Distribute the plan to staff and train them in emergency evacuation and shelter-in-place procedures.
- Hold unannounced drills at least twice a year and review the results.
- Test and service all alarms and safety equipment on a regular basis.
Disaster Recovery Planning - DRP
Columns: Strategy | 1-10 | Who | 1st Actions
- Identify all possible threats to the continuing operation of the organization (physical, health, economic, political, etc.).
- Seeking input from all departments, create a formal written DRP laying out how to cope with each possible disaster.
- Roll out the DRP to all managers, then to the rest of the staff, and train them in implementing it.
- Test the plan by staging drills, and make any corrections. The communication plan is key to this.
Business Continuity
Columns: Strategy | 1-10 | Who | 1st Actions
- Identify the triggers that would interrupt each program's funding source(s) or revenue stream.
- Refer to the DRP and determine the maximum time until operations can be restored and income resumes.
- Identify alternate locations, partnerships and backup for IT (phone and internet).
- Calculate the amount of business income and extra expense that would be needed for each. Insurance helps; it does not solve the problem.
- Test, verify and update the elements of the plan so it will be workable when you need to activate it.
Claims Risk Management
Columns: Strategy | 1-10 | Who | 1st Actions
- Meet regularly with your insurance agent to review open and newly closed claims and identify trends: workers' compensation, auto, general liability and professional liability.
- Ensure that the finance department is aware of the impact of specific claims on future insurance costs and deductibles.
- Internal process for reviewing claims, accidents and near misses, run by a subgroup of the Risk Management Committee.
- Analyze the workers' compensation experience modification factor (experience mod) to project future costs and identify problems or trends.
IT Disaster Avoidance/Recovery
Columns: Strategy | 1-10 | Who | First Steps
- The operational impact of IT system outages is understood and documented.
- The financial impact of IT system outages is understood and documented.
- Recovery Time and Recovery Point Objectives are documented.
- IT disaster recovery/avoidance capabilities are assessed against the recovery objectives, and gaps or weaknesses are identified.
- Identify the technologies (and budget) needed to fill the gaps.
- Create an IT disaster recovery test plan and execute a test.
Example: Operational Impact of a Disruption
Business Process | Systems Involved | < 2 hours | 2-24 hrs | 1-3 days | > 3 days
Clinical Services | Email, Scheduling, Med Records | Irritating | Manageable | Critical | Devastating
Fund Raising | Email, Accounting, CRM | Irritating | Irritating | Manageable | Manageable
Administration | Email | Manageable | Critical | Devastating | Devastating
Example: Financial Impact of a Disruption
Business Process | < 2 hours | 2-24 hrs | 1-3 days | > 3 days
Clinical Services | Labor $1K | Labor $4K | Revenue $10K | Labor $12K, Revenue $30K
Recovery Objectives
RTO - Recovery Time Objective: What is the target time set for resumption of service delivery after an incident? In other words, how quickly does this system or application need to be recovered?
RPO - Recovery Point Objective: What is the maximum tolerable period in which data might be lost? In other words, how many minutes or hours of data entry (or transactions) can we afford to lose?
Example: Establish Recovery Objectives
System or Application | RTO | RPO
Exchange Server | 2 hrs | 15 min
Accounting S/W | 2 days | 1 day
Example: Assess Current State
System or Application | RTO | RPO | Current State Assessment | OK?
Exchange Server | 2 hrs | 15 min | Server hardware failure would be repaired next business day; nightly backup could mean some mail items would be lost; new mail would be queued at App River | No
Accounting | 2 days | 1 day | Server hardware failure would be repaired next business day; nightly backup meets RPO | Yes
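The gap assessment on the last three slides (objectives, current state, OK?), carried out as a small script. This is an added example, not part of the original presentation or either presenter's material. It assumes that a "next business day" repair means the server is back by 17:00 on the following business day, that Saturday and Sunday are non-business days, and that a nightly backup can lose up to 24 hours of entries. The system names, objectives and current-state facts are those on the slides; the two failure times are constructed.

```python
"""Added example: RTO/RPO gap assessment against a documented current state.

Assumptions (not from the slides): vendor completes a next-business-day
repair by END_OF_BUSINESS_HOUR, weekends are non-business days, and the
worst-case data loss equals one full backup interval.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

END_OF_BUSINESS_HOUR = 17  # assumption: repair is complete by 17:00 on the SLA day


@dataclass
class SystemDR:
    name: str
    rto_hours: float              # Recovery Time Objective
    rpo_hours: float              # Recovery Point Objective
    repair_business_days: int     # current hardware-replacement SLA
    backup_interval_hours: float  # current interval between restorable backups
    notes: str = ""


def achievable_rpo_hours(system: SystemDR) -> float:
    """Worst case: the failure happens just before the next backup runs,
    so a full interval of data entry is lost."""
    return system.backup_interval_hours


def repair_complete_at(failed_at: datetime, business_days: int) -> datetime:
    """End of business on the Nth business day after the failure,
    skipping Saturday and Sunday."""
    day = failed_at
    remaining = business_days
    while remaining > 0:
        day += timedelta(days=1)
        if day.weekday() < 5:  # Monday=0 .. Friday=4
            remaining -= 1
    return day.replace(hour=END_OF_BUSINESS_HOUR, minute=0, second=0, microsecond=0)


def achievable_rto_hours(system: SystemDR, failed_at: datetime) -> float:
    """Calendar hours from the failure until the repaired server is back."""
    done = repair_complete_at(failed_at, system.repair_business_days)
    return (done - failed_at).total_seconds() / 3600


def assess(system: SystemDR, failed_at: datetime) -> dict:
    """One row of the 'Assess Current State' worksheet for a given failure time."""
    rto = achievable_rto_hours(system, failed_at)
    rpo = achievable_rpo_hours(system)
    return {
        "system": system.name,
        "failed_at": failed_at.isoformat(),
        "achievable_rto_hours": rto,
        "achievable_rpo_hours": rpo,
        "rto_ok": rto <= system.rto_hours,
        "rpo_ok": rpo <= system.rpo_hours,
        "ok": rto <= system.rto_hours and rpo <= system.rpo_hours,
    }


# Constructed inputs mirroring the two rows of the slide's worksheet.
SYSTEMS = [
    SystemDR("Exchange Server", rto_hours=2, rpo_hours=0.25,
             repair_business_days=1, backup_interval_hours=24,
             notes="new mail queued upstream during the outage"),
    SystemDR("Accounting S/W", rto_hours=48, rpo_hours=24,
             repair_business_days=1, backup_interval_hours=24),
]

# Constructed failure times: a Tuesday morning and a Friday at close of business.
WEEKDAY_FAILURE = datetime(2024, 6, 4, 10, 0)
FRIDAY_FAILURE = datetime(2024, 6, 7, 17, 0)


def assess_all(failed_at: datetime) -> list[dict]:
    return [assess(s, failed_at) for s in SYSTEMS]


if __name__ == "__main__":
    for when in (WEEKDAY_FAILURE, FRIDAY_FAILURE):
        for row in assess_all(when):
            print(row)
```

For a weekday failure the script reproduces the slide: the Exchange row fails both its 2-hour RTO and its 15-minute RPO, and the Accounting row passes. For a failure at 17:00 on Friday the same next-business-day SLA becomes 72 hours and the Accounting row fails its 2-day RTO, so the assessment should be made against the worst-case failure time rather than a typical one.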
Closing Comments & Questions
Resources
- Nonprofit Risk Management Center tools, including the 12 Hallmarks: www.nonprofitrisk.org
- COA tools: www.coastandards.org
- Tools: www.wsdot.wa.gov/transit/training/vdg
Board Governance
Columns: Strategy | 1-10 | Who | 1st Actions
- Training and orientation for new board members (board packet), including roles and responsibilities and such details as a signed conflict of interest document.
- Ongoing training for the board on various skills and topics, including EPL (employment practices liability) and sexual harassment.
- Indemnification provisions in the bylaws, and D&O insurance purchased.
- A strategic plan is in place and used as a living document to help guide the organization.
Collaboration Risks
Columns: Strategy | 1-10 | Who | 1st Actions
- Checklist: confirm compatibility, understand motivations, do due diligence, clarify expectations, put it in writing.
- Depending on the level of the collaboration, a written document is in place and reviewed by legal counsel. It may be as basic as a memorandum of understanding.
- A thorough review of each party's insurance has been completed, with certificates of insurance in place for all interested parties.
- Clear expectations are in place when collaborating with for-profit organizations; they have different expectations.
Social Media
Columns: Strategy | 1-10 | Who | 1st Actions
- A central inventory of all domains and social media accounts, with a named owner responsible for it. Keep the account credentials in a password manager rather than in the inventory itself, so that a leaked listing does not hand over every account.
- Someone responsible for listening online: checking for look-alike sites, bad comments, bad postings, etc.
- A written social media policy is in place and shared with all employees, volunteers and the board, including the use of company and personal computers for business.
- Outgoing communication: are you aware of the spam laws (in the US, CAN-SPAM), and do all your advertising emails carry your address and an opt-out option?
Auto/Fleet Risks
Columns: Strategy | 1-10 | Who | 1st Actions
- All drivers are vetted using an application and screening process. A formal written policy for driving agency vehicles or driving on agency business, including accident reporting, is signed by all drivers.
- Training for all drivers is non-optional, including refresher training.
- Determine what is an acceptable driving record (matrix) and run MVRs (motor vehicle records) on all drivers at least annually.
- Ensure that all vehicles are properly maintained and safely operated. Retain logs and other documentation for each vehicle.
- A plan and training are in place in the event of an accident. All drivers have cell phones for emergencies but are not allowed to use them otherwise.
Contact Information
The Rollins Agency, Inc., 914-337-1833
Markham F. Rollins III, CEO, mrollins3@rollinsinsurance.com
Erica Martinson, emartinson@rollinsinsurance.com
Pragmatix, Inc., 914-345-9444
William Abram, President, billa@pragmatix.com