Risk Management Resolutions

Easier than a diet; good for the health of your nonprofit

By Melanie Lockwood Herman

Were you one of thousands of Americans who received a gym membership gift tucked neatly in a card from a loved one? Across the country millions of Americans are jotting down resolutions, most of which have something to do with the three Cs: calories, cardio-workouts, or carcinogens.

Resolutions about the three health-inducing Cs are awfully tough to keep, as are risk management resolutions that could change the health of your nonprofit. Does the organization you serve have a mission worth preserving? Are there any risks lurking in your nonprofit's future that could spell significant set-back or disaster? Are you losing any sleep about risks related to HR, financial management, fundraising, reputation, or staff/participant injuries?

This article offers some simple but important Risk Management Resolutions for 2005. The resolutions can be easily adapted to reflect the circumstances and resources of your nonprofit. And best of all, they don't require the equivalent of giving up dessert or enrolling in a spinning class.

Remember that the Nonprofit Risk Management Center exists to help nonprofits address risk management challenges. We're here to take your phone calls and e-mails on any imaginable risk management topic. We offer frank risk management advice and point you to resources and materials that will help you better understand the dilemma you're facing and the solution we recommend. To access this free service, click here. Or give us a call at (202) 785-3891.

Peter Bernstein's Big Ideas

This sidebar is reprinted with permission from Risk Management Reports, the monthly commentary on risk management issues written and published by H. Felix Kloman. For more information on this informative and thought-provoking publication, visit www.riskreports.com.

My favorite guru, the octogenarian Peter Bernstein, the author of Against the Gods: The Remarkable Story of Risk, was the subject of an interview with Jason Zweig in the November 2004 issue of Money magazine. Zweig called him "patience personified," a characterization to which I subscribe. But the best part of this article was Zweig's synopsis of Peter's four "Big Ideas."

  1. Anything can happen. We do not and cannot know the future.
  2. Whether you should take a risk depends not just on the probability that you are right but also on the consequences if you are wrong.
  3. The riskiest moment is when you are right.
  4. If you're comfortable with all you own, you're not diversified.
  5. Diversification is an explicit recognition of your ignorance.

Marvelous words with which to start the new year!

Resolution #1: Blow the dust off your policies

Throughout the year the Nonprofit Risk Management Center receives phone calls from chief financial officers, executive directors, program managers and board members who ask various forms of the same question: "How will I know if my nonprofit is adequately insured?" During the conversation that follows, a staff member of the Center often asks, "Have you read your insurance policies?"

Most callers quickly admit to having never actually read the insurance policies purchased by their nonprofits. Most callers can name the insurance agent or broker who sold them the coverage, and a small percentage have a clear idea of the exposures the policies address. Yet only a scant number of these professionals responsible for managing their nonprofit's insurance program have taken the first and perhaps most fundamental step necessary to discharging this fiduciary duty.

Reading an insurance policy is not an easy nor necessarily enjoyable task. But doing so almost always opens the reader's eyes with regard to how the coverage works. See the sidebar on page 7 for steps to reading your policies.

Resolution #2: Establish goals for your risk management program

It is not uncommon for risk management activities to arise in a nonprofit even prior to a conscious decision on the part of the organization's leaders to embrace the discipline. For example, many nonprofit leaders who report that their organizations have negligible risk management activities later admit to the existence of a rigorous screening program, periodic training for supervisors, safety training for volunteers and a long history of purchasing insurance to finance certain exposures. The elements of a risk management program do indeed exist, but the elements are not linked or effectively organized into a risk management effort that looks backwards and projects into the future.

The process of formalizing risk management in a nonprofit begins with a goal-setting exercise: What do you hope to accomplish by stepping up your risk management efforts in 2005? What are your top risk management goals in light of past losses, current concerns, and changes looming on the horizon? An organization's risk management goals will also depend on the number of losses it has incurred and whether it changes minimally from year to year or expects to grow exponentially in the year ahead. They also depend on its risk management appetite. An organization with a hearty appetite for risk-taking may vow to gain greater control over its risk financing strategy by shifting to self-insurance. Another nonprofit may choose to focus its energies on avoiding recurring losses while a third organization may identify forecasting catastrophic losses as a top concern.

Another aspect of goal setting concerns the role of risk management in the organization. Some nonprofits aspire to involve personnel throughout the organization in risk management activities, from managers to line staff to volunteers and participants. Other organizations aim to consolidate risk management responsibility under one person or as a department.

No single set of risk management goals will work for every nonprofit, nor is there an ideal structure or framework that meets the needs of a single type of nonprofit or all nonprofits.

Reading Your Insurance Policy

Remember to always review your nonprofit's insurance policies upon receipt. Before buying any new coverage, you can request and review sample policies. However, many people find it difficult to fully understand the scope of coverages without considering a specific loss. One approach is to identify the risks or types of losses an organization expects to experience — an office fire, windstorm, injury (suffered by an employee, volunteer or client), auto accident, theft, or other risks. Then, determine if the policies will cover these expected losses. Ask your insurance advisor to assist with the review process. Here are the steps:

1. Check for accuracy. Insurance companies are notorious for issuing incorrect policies. The policy may contain spelling errors, the wrong named insured, incorrect additional insureds, the wrong forms, or not include a purchased coverage. Refer any errors to the appropriate insurance agent or broker immediately. Remember that this is a contract. If an organization does not address an error, it can become a problem if a loss related to the error occurs.

2. Review the rating classifications and other schedules. Check to see what rating classifications the company assigned to your organization. The company calculates the premium charge based on certain rating classifications. There can be substantial differences in the rates among the classifications. One insurance company assigned a circus rating classification to a workers' compensation policy for a nonprofit sports organization. The circus rates were much higher than the appropriate classification of outside sales and did not reflect the insured's exposures. Ask your insurance advisor to explain any classifications that do not seem to describe the organization's operations.

3. Read each policy in turn and answer these questions. Does the insuring agreement cover each expected claim? Is there any exclusion or other provision that eliminates or restricts coverage? Are there any exclusion exceptions that restore coverage? What policy conditions must the organization comply with? Are the people or operations affected by the conditions aware of them? For example, if the policy requires that a burglar alarm always be operational, have you informed the office manager, maintenance staff, or other appropriate personnel? If the loss is covered, is there a deductible? How much is it? How much will the policy pay for each loss?

An insurance contract is a complex contract with conflicting and confusing provisions. You must read the entire contract to fully understand the coverages, the insurance company's responsibilities, and your obligations. Some insurance advisors recommend that buyers review the exclusions and the endorsements first. This makes the process of reading the main form easier by alerting the reader in advance to sections deleted or altered via policy exclusions or endorsements.

During litigation based on disputes over whether coverage applies, the courts have scrutinized a wide range of policies. Unfortunately, various courts have rendered conflicting interpretations. In contrast, most losses do not involve complex policy interpretations — the insurance company and insured quickly agree that the policy covers the loss. However, you must know your duties and responsibilities to qualify for coverage. Take the time to understand your policies. Your insurance advisor can help you with this task. But remember that you cannot and should not delegate responsibility for understanding your insurance program to someone outside your nonprofit.

Parts of Every Insurance Policy

  1. declarations,
  2. insuring agreements,
  3. definitions,
  4. exclusions,
  5. conditions and, sometimes,
  6. endorsements.

Consider your risk management goals. What do you hope to accomplish in 2005 with regard to:

  • Protecting assets (including reputation, and financial, property and people assets)
  • Planning for surprises
  • Forecasting trends
  • Financing risk
  • Managing key relationships
  • Working with outside advisors
  • Involving key personnel in risk management activities.

Resolution #3: Kick the template habit (or cutback your consumption)

The second most common call fielded by the experts at the Nonprofit Risk Management Center comes from a nonprofit leader seeking a "template" or "sample policy" that "I can use in my nonprofit." The desire to avoid costly legal expenses is understandable. And the goal of developing new policies efficiently and without delay is admirable. What gets too many nonprofits into trouble is the tendency to take another organization's template and simply change the name at the top of the page.

As risk management consultants, we have encountered numerous examples of employee handbooks and bylaws containing clearly inapplicable sections and provisions — most came directly from a borrowed template or sample.

When adopting a sample policy or template provided by another organization, make certain you review it carefully and ask the following questions:

  • What items need to be deleted, expanded or altered to reflect the unique nature of our operations or our special circumstances?
  • Does the wording of this document suit the culture of our organization, or does it contain archaic or other language that contrasts brightly with other policy documents?
  • What additional issues or concerns should be addressed in our version of this policy (e.g., the fact that we work with vulnerable clients or the fact that we're located in California and special rules apply)?
  • Who else should review this policy prior to its adoption to make certain it reflects our circumstances, is legally appropriate, and will be readily understood by all who must follow it?

A related but also serious habit is an untethered fixation on benchmarking information. Each year many nonprofit leaders (and a handful of student researchers as well!) call the Center to request detailed data on the "losses and insurance purchasing habits of nonprofits." Keep in mind that risk financing measures must always be designed with the operations, risk-taking appetite and special circumstances of a particular nonprofit. A $10 million limit for Directors' and Officers' liability insurance may be ideal for a neighboring nonprofit but excessive for your organization—even though your annual revenues and expenses are otherwise comparable. Learning from others is a valuable exercise (see Resolution #7), but focusing too much weight on what the Joneses are buying takes time away from developing a truly effective strategy that meets your risk financing needs and seizes on available opportunities.

Resolution #4: Conduct a risk assessment or risk management review

This resolution is probably the most difficult and time consuming item on our list, and you deserve a note of congratulations for even daring to add it to yours. Undertaking a risk assessment requires more than a change in philosophy or approach, it requires putting facts, figures and analysis on paper. A risk assessment is a thorough review of an organization's exposures and strategies for addressing those exposures. When the Nonprofit Risk Management Center conducts a risk assessment as part of our consulting work, the process generally includes an insurance coverage review, whereby we  match existing insurance coverage (or other risk financing measures) with exposures and offer an opinion about the adequacy of coverage.

There are two general approaches to conducting a risk assessment: (1) hire a third-party to undertake the review; or (2) design and implement your own strategy. In many ways the latter approach is best, because an added benefit of the process is your immersion in your nonprofit's risks and strategies. At the end of the process you will have a greater appreciation for the risks you face as well as the existing strategies in place to manage risk. You'll also have a keen understanding of what additional work needs to be done.

However, a growing number of nonprofits (particularly medium to large organizations) find that the complexity of their insurance programs and risk management efforts have outpaced the staffing of the risk management and insurance function, making it impossible for current staff to undertake the risk assessment. If this is true for your organization, obtaining help from an outside consultant is a sound strategy.

A word of caution: many nonprofits report that they have undergone a "risk assessment" conducted at no charge by their insurance agent or broker. While it is possible that your insurance professional has undertaken a review of your exposures, we have never seen a pro bono review that consisted of more than a cursory review of risk issues with the focus entirely on insurable risks. Furthermore, there is an inherent conflict of interest present when you ask your insurance professional to conduct the review — few, if any, will identify weaknesses in the assistance you are receiving from their firms or errors they have made in placing your coverage. Interestingly, mistakes made by a broker or agent frequently come to light when the review is conducted by a third-party consultant. The bottom line is that if your nonprofit seeks help conducting a risk assessment, obtain that help from a firm or individual unconnected to your current insurance program. At a minimum, the consultant should have no financial stake or interest in your insurance program. This ideal vantagepoint will allow them to provide candid and valuable feedback on your exposures and your coverage.

George Head's 2005 Risk Management To Do List

In lieu of Dr. Head's regular column, we offer a short but nonetheless ambitious "things to do" list for our readers.

  1. In each month of 2005, identify a new loss exposure that your organization did not face (or that was not nearly as significant), three years ago.
  2. Identify a member of your organization's senior management who is not a strong supporter of risk management, learn how he or she thinks, and convert him or her into a believer.
  3. Subscribe to a general business magazine that you do not read
    4. regularly, and identify in each issue two ideas or facts that would help you improve your organization's risk management efforts.
  4. To stimulate others' thinking and talking about risk management, encourage everyone in your organization to tell you how they think you could do your job better.

Resolution #5: Take a panoramic view

A panoramic view is invaluable as you fine-tune your risk management program. Unfortunately, too many nonprofits continue to view risk management narrowly as a discipline solely focused on insurance or other areas such as crisis management.

Organizations are well-advised to look beyond the traditional confines of the discipline and consider risks (threats and opportunities) in all areas of operations and activity. Keep in mind that the risks you face arise in traditional operations plus other areas such as fundraising, board service, client involvement, compliance with emerging accountability standards and stakeholder expectations.

Felix Kloman, a former board member of the Nonprofit Risk Management Center and highly-regarded visionary in the field of risk management offers the following advice about the opportunity for a wider view:

"Risk management, particularly its enterprise approach, is reaching a peak in organizational attention.... 2005 is therefore an opportunity to redefine the process of risk management within organizations, a time to adopt new ideas, try approaches and generate results....

Risk management is not just about compliance...buying insurance, or reducing personnel accidents, or quality control, or securing data, or protecting property or fairness to employees, or even contingency planning. It is all of these and more. It tries to recognize opportunities in risk as well as concentrations of downside outcomes and the correlations that reduce them. It looks at organizations as entire entities rather than the sum of individual parts.

That is why I've insisted that the goal of risk management is to enhance the flexibility and resilience of an organization so that it can build and maintain the confidence of... stakeholders in an uncertain future [emphasis added]."

Taking a panoramic view requires that you seek the perspective of a diverse group of people as you work to identify and address threats and opportunities. Some nonprofits tackle risk management with great ambition, but fail to consider the viewpoint of linestaff, service volunteers or even the people receiving services from your agency. Participants can help provide a wide-angle view of potential problems and the need for thoughtful communication.

Resolution #6: Get to know your advisors

One of the insights that often results from a risk assessment is an updated view about the types of services available from the nonprofit's insurance professional (agent or broker). Or an organization may learn that it should be consulting legal counsel more regularly for advice concerning contracts with partner agencies, vendors or other matters of importance.

Unfortunately, too many organizations view the call for help to an advisor as a last resort. A better approach is to view your advisors as partners in your mission. Great advice can help keep your organization healthy and poised to meet its ambitious goals for the future. Failing to seek advice in a timely fashion can lead to unnecessary turmoil, expense and even disaster.

Most lawyers, CPAs and insurance professionals that work with nonprofits can readily share a horror story of the client who "didn't call me until it was too late for me to help."

Make certain your nonprofit has ready access to capable, experienced advisors who can assist you without delay and at a rate you can afford to pay. Remember to contact these advisors as the project develops and before a crisis erupts.

Resolution #7: Learn from your peers

Every nonprofit manager and board member has an existing or potential network of peers who have "been there" and "done that." Whether you're a manager who is handling an insurance renewal for the first time, a new CEO developing HR policies for your nonprofit or a board member charged with responding to damaging media coverage, remember that you're in good company. Colleagues throughout your community have struggled with similar issues and others may be grappling with similar tasks at this very moment. One of the most important tools at your disposal is advice from your peers. Here are a few suggestions for reaching out.

  • Consider whether you are part of a network of similar providers (e.g., Big Brothers Big Sisters of America, American Red Cross, YMCA, etc.) and ask whether a friend or colleague in this existing network has handled a similar matter.
  • Think about your professional peers—people who hold similar positions to you. Might any of the peers you've met at association events have words of wisdom to offer?
  • Consider similar providers in the vicinity, such as other groups that provide after-school tutoring to children, sports programs, social services agencies and the like. Most peers at similar organizations would be flattered to be asked for their professional insights, just as you would if the circumstances were reversed.

Resolution #8: Conquer the conflicts of interest

Some of the possible consequences of conflicts of interest came to the forefront in 2004 in the wake of the lawsuits filed by New York State Attorney General Eliot Spitzer. While the Spitzer suits and their aftermath addressed longstanding and too-long ignored conflicts in the insurance industry, nonprofit organizations must recognize actual and potential conflicts of interest in all areas of their operations. An important action item for every organization is the development and enforcement of a clearly worded conflict of interest policy. The policy must be supported by a culture that deems conflicts and the appearance of conflicts to be unacceptable. For example, many nonprofits continue to seek insurance and risk management advice from an insurance agent or broker who also serves as a member of the board. Organizations that find themselves in this position should add finding another insurance advisor to the top of their list of 2005 resolutions.

Resolution #9: Involve your board

If you're a member of a nonprofit board, you can't discharge your fiduciary duties to the organization you serve unless you are paying close attention to the organization's risks. For some reason nonprofits in the U.S. have been reluctant to involve their boards of directors in discussions of risks and corresponding risk management issues. Yet when loss prevention efforts fail and a nonprofit faces litigation, keeping the board up-to-date becomes a priority. We have alot to learn from our counterparts in Australia, where risk management is viewed as a critical issue for nonprofit boards. Whether you are motivated by the desire to keep an organization healthy or position your nonprofit to achieve its ambitious agenda, keeping the board apprised of critical risks and current strategies is key to fulfilling your responsibilities as an executive.

Resolution #10: Don't delay

Some readers may find it ironic that I've waited until the end of this piece to address the human tendency to procrastinate. Yet many good risk management intentions remain in such limbo. The most important message about improving, expanding or broadening your risk management efforts is to begin as soon as possible. Don't put off a measured but practical effort to involve others in risk management programs or to take a closer look at the insurance coverage you rely on. Don't wait until risks materialize before sharing your view of the risk management landscape with your board of directors. And don't wait to reach out to your peer network or professional organizations like the Nonprofit Risk Management Center for advice and assistance on risk management issues. Practical advice and meaningful support is available free of charge or at an affordable cost from a variety of sources.

Melanie Herman is executive director of the Nonprofit Risk Management Center. She welcomes your feedback or questions about any of the topics covered in this article. Melanie can be reached at (202) 785-3891 or via email.