Now more than ever before, nonprofit leaders must recognize the importance of risk management as an inherent part of organizational oversight and leadership. But what does proper risk management look like, and whose responsibility is it? Many nonprofit boards assume that the CEO and management have the “bases covered” and board involvement is often limited to reacting to flare-ups. Such an approach to risk management is problematic and dangerous for multiple reasons.
The members of management in a nonprofit organization are typically consumed with day-to-day operating activities and decisions – the “tyranny of the urgent.” As a result, they frequently do not have or take the time to step back, assess organizational risks, and address them proactively. If that is the case, and the board is operating under the assumption that management “has it covered,” the organization may be a ticking time-bomb for obvious reasons.
A collaborative approach involving both the board and management
A key area of responsibility for the board is to ensure that the organization maintains an adequate approach to risk management in carrying out its programs. While the actual conduct of risk management activities is the responsibility of management under the authority of the CEO, the board should evaluate the organization’s risk management strategy since the board has ultimate responsibility for oversight.
An effective risk management plan is a holistic one – one that addresses risk in all aspects of the organization’s activities. The risk management plan should also be proactive rather than reactive – identifying risks before they become liabilities and taking appropriate steps to mitigate them.
In order to effectively carry out its responsibilities, the board may wish to establish a standing committee to oversee the organization’s risk management strategy and to provide reports and recommendations to the full board – a “risk management committee.”
The board or risk management committee should work with the CEO to ensure that:
- Risks are identified and assessed as to likelihood of occurrence and severity;
- Risks are prioritized;
- Management has determined the extent to which identified risks have been mitigated; and
- Appropriate steps are taken to reduce identified risks to acceptable levels.
Reducing risk by implementing preventive measures is, of course, different from insuring against such risks.
In addition to overseeing the adequacy of risk mitigation, the board should ensure that the organization maintains adequate insurance coverage with respect to applicable risk areas.
Areas of risk to consider
In addressing the organization’s overall risks, some key risk areas that warrant attention include, but are not limited to:
- Corporate structure (e.g., whether the organization’s activities and assets should all be in one legal entity or perhaps separated to insulate from excessive liability);
- Governing documents (e.g., whether the articles of incorporation and bylaws contain all appropriate provisions and whether the organization’s actual governance practices conform to the governing documents);
- Policies and policy manuals (should be addressed for the same reasons that apply to the governing documents);
- Tax-exempt status and compliance;
- Financial condition and financial controls;
- Adequacy of insurance coverage;
- Human resources (personnel);
- Child molestation (for organizations that serve children, as further described below);
- Key operational areas;
- Public relations;
- Physical safety; and
- Leadership succession.
Child molestation risk
For organizations that serve children, child molestation risk warrants special attention due to the severity of the damages that can occur. In recent years, an increasing number of high-liability claims have been made against nonprofit organizations that serve children due to actual or alleged child molestation. Claims of that type can be devastating not only to the victims but also to an organization and its leadership, both reputationally and financially. Multiple Catholic dioceses in the United States have filed for bankruptcy protection in connection with child molestation claims, and many other types of organizations have experienced major claims. The board of a nonprofit organization serving children should carefully evaluate the nature of the risks as well as prevention strategies and insurance coverage maintained by the organization. A variety of very good published resources are available on this topic.
Board members are not expected to be experts in the various risk areas listed above. Rather, the board should ensure that all relevant risk areas are adequately addressed by management under the leadership of the CEO. The organization may engage experts in various disciplines (legal counsel, tax advisors, insurance agents, physical safety experts, etc.) to assist in addressing each area as needed.
One significant aspect of risk management includes ensuring that the organization has adequate insurance coverage for its significant risks. The evaluation of insurance coverage should include consultation with both legal counsel and highly experienced insurance agents. Specific coverage types to evaluate should include, but not be limited to:
- Property and casualty (for fire, theft, flood, vandalism, etc.);
- Employee theft;
- General liability;
- Sexual misconduct (including child molestation for organizations that serve children);
- Director and officer liability;
- Employment practices (for claims of discrimination, wrongful termination, sexual harassment, and other such matters related to employment practices);
- Fiduciary liability (for claims by employees related to the administration of employee benefit plans, particularly retirement plans); and
- “Key man” life or disability (for financial remuneration to the organization in the event of the death or disability of a key leader – useful where the organization could be adversely affected financially in the event of such an occurrence).
Additional resources for addressing risk management
Some additional sources of information that may be helpful to organizations addressing overall risk management include:
- Nonprofit Risk Management Center
- Reducing the Risk (Child Safety Resources)