Nonprofit Risk Management

Nonprofit organizations face unique risk management challenges. They are often held to the same standards as for-profit organizations but do not have the same resources and knowledge to understand their risks and how to mitigate them. Legal and financial requirements may determine some of the risks your organization faces. For example, you must be compliant with tax reporting regulations. If you are not, there may be financial and legal repercussions. Heightened public scrutiny on nonprofit organizations has also created a new risk for nonprofit organizations: reputational risk. Controversial actions or decisions can create bad publicity and alienate supporters, effectively preventing nonprofits from receiving the funding or volunteer base needed to achieve goals.

All nonprofits should address risk management, regardless of the size of the organization. Organizations without the processes and people in place to manage risk exposure are vulnerable to devastating losses if a crisis situation occurs. Addressing risk management before a problem arises decreases your nonprofit’s risk exposure and the potential for damages or liability.

Best practice dictates that risk management be addressed when an organization is established and reviewed annually, at a minimum, to ensure that all risks are understood and accounted for. If your organization does not have a risk management policy, every practice, event or action by the organization, its employees or volunteers increases exposure to liability.

What is risk management?

Risk management is the process of identifying your legal, financial, and reputational risks and taking steps to avoid exposure to them. If your nonprofit’s financial assets were compromised, how would you respond? If your organization had a public relations crisis, how would you protect your reputation? If your facility was damaged, could your organization continue operating? A well-developed risk management policy helps you respond to an emergency quickly and minimizes the effect on your operations.

It’s vital that your risk management policy be supported and championed at the executive and leadership levels. Initiating a risk management culture at these levels helps that culture grow to reach all members of your organization. Because nonprofits depend heavily on all their employees and volunteers to contribute to the success of the organization, organization-wide knowledge of how risk management protects the organization is a vital part of mitigating your risks.

While risk management must start at the leadership level, it cannot be managed without the input of people from all areas of your organization. A successful risk management culture invites and welcomes involvement from people across all levels of the organization. Members of the board of directors, leadership teams, management, operations staff, and volunteers each bring a unique knowledge and understanding of the type of risks they face on a day-to-day basis. Understanding those risks and working together to mitigate them is part of your nonprofit’s due diligence and responsibility to all parties involved in your organization.

Risk management planning

Risk management requires time and dedication. You must understand your organization and the risks it faces before you invest in risk mitigation strategies. Failure to do so increases the likelihood of overlooking potential risks and leaving your organization unprotected.

Your risk management policy should help your organization act in accordance with its values while mitigating legal, financial, and ethical risks. It should be documented and easily available for anyone in your organization to review. It can be used if you are required to defend your risk management practices and to train staff and employees on proper risk management strategies.

Your policy should:

1. Identify the risks your nonprofit faces.

2. Assess the effect experiencing each risk would have on your organization.

3. Offer ways to prevent such risks from occurring.

4. Outline risk response strategies in the event of an unpreventable crisis.

Identifying your risks

Before you can identify your risks, you must define what a risk is. For most organizations, a risk is the potential for your organization’s actions or decisions to produce an undesired result. It can also be the potential for the actions or decisions of someone outside your organization to produce an undesirable result that may be attributed to your organization. You may face physical risks, legal risks, reputation risks and financial risks, to name a few.

It is impossible to mitigate all risks, but knowing what risks your organization faces can help you develop strategies to reduce or eliminate them. Nonprofits face a wide range of risks and often lack the resources or knowledge to fully understand them all. In addition to seeking input from all members of your organization, you should seek expertise from insurance, legal, and financial professionals to fully mitigate your risk exposure.

Some risk areas to review include:

Financial risks: Do you know who is responsible for verifying and auditing your organization’s finances? Are your financial records up-to-date? Do you have the checks and balances in place to prevent fraud? Are you compliant with tax regulations? Managing your nonprofit’s financial risks involves knowing the status of your financial situation and taking steps to protect it.

Property risks: Do you have any physical security measures in place to protect your physical property? Video monitoring, alarm systems, safety and security processes, and security personnel can protect your organization from property risks such as theft or vandalism. Fire suppression systems, including smoke detectors, sprinklers and fire extinguishers, can prevent or limit fire damage.

Personal safety risks: Are your employees and volunteers safe while working for your organization? Have they been adequately trained for the jobs they are performing? Are there processes in place to deal with health and safety accidents? Is your organization liable for any accidents or injuries that occur on your property or at your events?

Reputational risks: Who manages your organization’s brand and reputation? Who is responsible for reviewing content and messaging before it is presented to the public? How do you ensure that the information your organization creates or promotes, the events it sponsors and the people it associates with match your corporate goals, mission, and values? Who responds to media inquiries and publicity requests?

Liability risks: Your organization may be held responsible for the actions of your partners, contractors, employees, and volunteers even if they have signed contracts releasing you from liability and responsibility. Do you have the proper legal contracts in place with landlords, contractors, service providers, and event sponsors detailing the legal responsibilities of each party? Do you have adequate liability insurance to protect your organization? Are all employees and volunteers properly screened, hired, trained, and supervised when providing services to the public?

This is just a sampling of the risks your organization may face. To fully protect yourself, your organization and its assets, you should contact your insurance, legal and financial experts.

Assessing your risks

After you have identified all the risks your organization faces, examine each one to determine what effect it would have on your operations. Each risk will affect your organization differently. Understanding the consequences will help you develop successful prevention plans and response strategies.

When completing your risk assessment, consider the following questions too.

• Why is the organization susceptible to this risk?

• What is the likelihood of experiencing this risk?

• What consequences will the organization face if it experiences this risk?

For example, let’s assess some of the risks associated with using social media. Social media has changed how organizations communicate with clients, donors, and the general public, demanding that organizations interact with their audience. It creates opportunities to engage the audience, and to gather information and feedback from them, allowing your organization to better position itself for success. These benefits have compelled many nonprofit organizations to use social media as a market research and promotion tool. It has also exposed them to a variety of new risks, including

Defamation: Any organization may be held responsible for something an employee has written or said on behalf of the organization on any social media supported by the organization.

Copyright: Reusing third-party content in a blog, tweet, or any other social media interaction without giving the proper credit may leave your organization liable to copyright infringement.

Reputation management: Participating in social media means you are inviting comments and criticism from your audience. Negative publicity can spread quickly and be difficult to control.

To assess the effect these social media risks could have on your organization, ask each of the questions above about each risk. Is your organization susceptible to defamation risks? What is the likelihood that you will experience that risk? What are the consequences if you do?

To answer those questions, you will need to research your social media practices. Understanding your current practices and past experiences will help you accurately gauge the effect a risk factor will have on your organization. Talk to social media experts, brand managers, and legal counsel to determine if your organization is at risk. Research the issue to understand what other organizations similar to yours are experiencing and doing to mitigate their risks. Your answers will help you develop a risk prevention policy that will decrease or eliminate your risks.

Risk prevention

After you have identified and assessed your organization’s risk factors, your next step is developing a comprehensive risk prevention plan. Your risk prevention plan should address each risk factor identified and offer strategies to negate the risk or decrease the probability of the risk occurring.

The type of risk prevention strategy required depends on the type of risk, the probability of it occurring and the severity of the consequences if it does occur. Risks that have little probability of occurring and little consequence can be dealt with through simple prevention strategies. Risks that are very likely to occur or that could have devastating or long-term consequences require more stringent prevention planning.

A successful risk prevention plan investigates two questions:

• What steps can you take to eliminate the risk?

• When a risk occurs, what steps can you take to mitigate it?

Use these two questions to evaluate each risk you identified. You will not be able to eliminate all risks, but you should be able to find ways to mitigate each one. Mitigation strategies can include

• Insurance coverages

• Volunteer screening plans

• Volunteer and employee training and orientation programs

• Financial procedures and reporting

• Reputation management planning

• Workplace health and safety standards

• Technology failure and cyber risk prevention

Depending on the nature of your operations, you may require other risk prevention strategies to protect your organization. Consult volunteer, charity, financial, legal, and insurance experts when creating your risk management plans. They can provide insight on the severity of each risk and the consequences you will face if exposed to it. They can also guide you to effective risk mitigation procedures.

Once you have developed a thorough risk management strategy, turn your focus to implementing your strategies and procedures. Prioritize implementation by addressing high probability and high consequence risks first. Assign risk management tasks and make people accountable for implementing prevention strategies by a deadline. When you feel confident that your organization has addressed those risks, you can move on to tackling lower probability and lower consequence risks.

Risk response strategies

It is impossible to mitigate all risks. That’s why it is critical to develop risk response strategies to complement your risk prevention planning. Risk response strategies outline the steps your organization will take when a risk occurs. You should plan a response strategy for each risk factor you identified.

The key objectives of a successful risk management strategy are:

a) to enable your organization to operate under normal conditions, or

b) to outline the procedures required if operations must be altered or stopped.

Your strategy should give a detailed description of the steps required to achieve scenario a or b for each risk you identified. It should also list who is accountable for each step. It should be easy to use and to find. Everyone with a risk response strategy accountability should be familiar with the plan and their responsibilities.

Common risk response information includes

• A list of emergency contacts.

• A process for notifying and updating emergency personnel, executives, insurance companies, and key stakeholders of any risk exposure situation.

• Communications strategies to notify employees, media, volunteers, and other stakeholders about the situation and alternate operating conditions.

• Operational contingency plans such as moving to an alternate location or working via remote access.

• The location of copies of all your business and financial paperwork. If your primary location is inaccessible, you will need access to these documents to continue operating.


Your organization will change over time. You may change your operating model, your practices, or your goals. New technologies, strategies, employees, or events can introduce new risks. To ensure you are fully prepared, review and revise your risk management policy on an annual basis, after any changes in your operations or organizational structure and after experiencing a risk.

Annual reviews allow you to accommodate for changes that do not warrant a complete risk management review when the change occurs. Larger changes may introduce new high probability or high consequence risks that require immediate attention. Deal with these risks as they arise so they are not forgotten. Finally, no risk management plan is perfect. If your nonprofit experiences a risk situation, you will undoubtedly learn how you could respond more effectively. Apply this knowledge to all areas of your risk management policy to prepare your organization for future risks.

Are you prepared?

Use the following questions to determine the state of your organization’s risk management readiness.

Do You Have A Risk Management Policy In Place?

If no, begin the process to develop a risk management policy.

Did You Consult Subject Matter Experts And Representatives From All Areas Of Your Organization To Develop The Risk Management Policy?

If not, your risk management policy is likely incomplete. No one person can understand all the areas of your organization. Rely on the expertise of others to ensure your policy is comprehensive and complete.

Have You Documented Your Policy And All The Procedures And Training You Have In Place?

If no, begin the process to document your organization’s risk management policy. This document can be used to train future employees and volunteers. A documented risk management policy may also be useful as evidence of due diligence if a claim is filed against your organization.

Do You Review Your Risk Management Policy Annually/After Organizational Changes/After Experiencing A Risk?

If no, you should begin the process of reviewing your policy. Changes in technology, staff, legal obligations, or legislation may alter your risk management requirements. Annual reviews help ensure your policy is up-to-date.

Have You Trained Your Staff, Volunteers, And Third-party Collaborators On Your Risk Management Policy?

A risk management policy is useless if it is not understood and applied. Training staff, volunteers, and any third-party collaborators you deal with ensures they understand and know how to apply your risk mitigation strategies. Training is also part of your organization’s due diligence.

Do You Track The Full Name Of Each Employee/Volunteer Who Attends Risk Management Training, Along With The Date And Time The Training Occurred?

This information helps your organization be accountable if your risk management policy is questioned or used in a legal context.

Do Employees Follow Your Policies And Procedures?

A risk management policy is only effective if it is carried out. Frequent review of the implementation of your policy ensures it is being followed. If it is not, investigate why. Is it difficult to understand? Is it hard to carry out during day-to-day activities? Is it outdated and no longer applicable? If so, adjust your strategies and procedures to match your organization’s daily operations.


Mary Mancuso is Branch Manager at Cowan Insurance Group, Stratford Office, 804 Ontario St., Stratford, ON N5A 3K1. She is also a Commercial Account Executive specializing in the not-for-profit industry sector. Email:

