Risk Management Best Practices for Nonprofits

Posted in: Risk Management Consulting

Image of a dial reading "risk" pointed to high on PSA Insurance and Financial Services' website

Are you aware of the exposures that may threaten your non-profit organization? I had the opportunity to speak on a webinar organized by the nonprofit team at McGladrey where we exposed commonly faced risks and shared best practices regarding risk management for nonprofits to help your organization avoid facing costly and disruptive issues. I’ve distilled down the main points into what I hope will be a helpful post for organizations looking to limit exposure to risk.

This post will cover four risk management best practices concerns for non-profit executives:

  • Cyber liability;
  • Employee handbook “Do’s and Don’ts”;
  • D&O Insurance;
  • Fraud.

How do you protect your non-profit from Cyber Liability?

If you’re not already familiar with cyber liability, it is the risk posed by conducting business over the internet, over other networks or using electronic storage technology. So if your organization has a website, a shared network or saved data in the cloud, then you are at risk. There are two types of breaches:

1) First party, which includes employee data, and occurs when your own information is breached or compromised, and

2) Third party, which includes former and current donors, clients, students and consumers, and occurs when their information that your organization has promised to keep safe, is compromised.

We find that third party breaches are more common than first party. And as a non-profit you are vulnerable due to financial constraints as well as the type and number of records you have stored.

So how should you protect yourself? Your property and crime policy only covers the loss of tangible property. Here’s a list of risk management best practices for nonprofits that you should consider:

  • Segregate and restrict access to sensitive data.
  • Establish user control password protection procedures.
  • Review security access to network and server.
  • Encrypt private data on database, laptops, mobile.
  • Implement and maintain a firewall.
  • Apply intrusion detection software systems.

Failure to protect could result in litigation, loss of business, and decreased client and donor satisfaction. Don’t be lulled into a false sense of security when saving information in the cloud. Make sure you are asking your cloud service provider the right questions such as:

  • Who owns the data once it resides in the cloud?
  • Does your cloud provider guarantee the security and privacy of your data?
  • Will you be alerted if there is a breach of your data within the cloud?
  • Will you have the right to investigate the breach?
  • Who will be responsible for notifying your customers of a breach incident?

What are the “Do’s and Don’ts” of your employee handbook?

If your organization chooses to have an employee handbook, it must be both effective and adhered to by the organization. A poorly written handbook can cause just as many issues as not having one.

Essential handbook policies to include are:

  • Introduction Provisions/Disclaimer
  • EEO Statement
  • Sexual Harassment Policy
  • Non-Harassment Policy
  • Problem Solving Procedure

When there has been a violation, it is vital that you define the problem and then follow those exact procedures as outlined in the handbook. Always have an attorney review your employee handbook before disseminating to employees.

Why do non-profits need D&O Insurance (Directors and Officers Insurance)?

Thirty-five percent of non-profits have D&O claims as compared to 29 percent for publicly traded companies and 26 percent for privately held companies. D&O Insurance does not replace responsible governance, however it is an essential part of risk management for nonprofits. It will protect you from exposures that are driven by the specific nature of what your organization does day to day, personal liability, your duties as a director, volunteer protection and indemnification. D&O Insurance will not only protect directors and officers but employees, volunteers and committee members as well. It also includes Employment Practices Liability Coverage and provides third party liability extension.

What is Occupational Fraud and how can it impact your non-profit?

Occupational fraud is the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets. Eighty-nine percent of occupational fraud cases are the misappropriation of assets such as skimming cash or misusing inventory. Other types of occupational fraud include corruption such as bribes or conflicts of interest and fraudulent statements. The median duration of fraud is between 18 and 24 months and it is most often committed by accounting staff or upper management. Non-profits who have been victims of occupational fraud have seen a median loss of $109,000 per claim. Outside of the obvious financial consequences, fraud can also lead to bad PR, a loss of public trust, increased oversight and operating costs and damaged employee morale.

To help prevent occupational fraud:

  • Develop and implement a code of conduct, ethics policy and fraud policy.
  • Document policies and procedures for core functions.
  • Offer employee assistance programs.
  • Protect proprietary and confidential information.
  • Create a fraud hotline.
  • Rotate responsibilities and cross train.
  • Trust but don’t over delegate.
  • Perform background checks.
  • Protect vendor and proprietary information (i.e. donors).
  • Audit committee involvement and external audit assurance.
  • Secure assets and document custody transfer.
  • Segregate duties: record the transaction, authorize the transaction, custody of the transaction and execute the transaction.

Fraud can be detected from independent or external audits, financial management or internal control or employee tips or complaints.

For more detailed information on each of these risk management best practices, please click below to view the webinar in its entirety. Also, please feel free to contact me at jeffw@psafinancial.com with any questions concerning risk management for nonprofits and controlling your exposures.