Protecting your organization from common areas of exposure
Nonprofit organizations, like all businesses, face their share of risks. Whether the risks concern the potential for financial loss or damage to reputations, they can compromise the integrity of an organization’s resources and its ability to fulfill its mission. Nonprofits need to learn risk management best practices to help them avoid situations that could leave the organization and its reputation exposed and vulnerable.
The following best practices around risk management were recently discussed on a webcast held on November 20, 2013. Listen to Risk management best practices for nonprofits to learn more about the topics discussed here.
Addressing the threat of cyberliability
Cyberliabilities, also known as information breaches, are the risks posed when conducting business over the Internet or other networks, or by using electronic storage technology. It would be hard to find an organization that uses none of these technologies – and, as a result, is not exposed to the risks that come with them.
Typically, there are two types of information breaches:
- First party – Occurs when your own information, such as employee data, is breached or compromised.
- Third party – Occurs when customer or partner information your organization has promised to keep safe, such as data from donors, students, clients or consumers, is compromised. Litigation is more common with this type of breach.
Outside hackers account for many of these breaches, but employees account for almost 20 percent of unauthorized access breaches. Often, these hackers access laptops, desktop computers and their networks, cell phones and websites. Attacks can include insider exploitation, fraud, corruption of data, and loss of critical infrastructure. While first party breaches can threaten an organization’s competitiveness, third party breaches can ruin reputations, open the door to expensive lawsuits and trigger statutory fines.
How vulnerable is a typical business? According to a recent survey, 65 percent of small businesses say their organizations’ sensitive information is not encrypted, and 56 percent of employees frequently store sensitive data on their laptops.
Nonprofits are particularly vulnerable because they operate on minimal budgets and may not have the resources necessary to address expenses associated with information breaches.
Contrary to popular belief, operating in the cloud does not provide protection. Organizations need to ask their cloud server providers critical questions: Who owns the data once it resides in the cloud? Are the security and privacy of the data guaranteed? Will you be notified of any breach? Will you have the right to investigate any breach? Typically, unless the breach is due to gross negligence on the part of the provider, the organization, rather than the provider, is fully liable.
To mitigate the risks associated with using these technologies, organizations need to implement cyberliability risk management programs. Elements of such programs include segregating access to sensitive data, establishing password protection procedures, encrypting private data and deploying intrusion detection systems.
Notably, cyberliability exposures are excluded from a general liability policy, which only covers the loss of tangible property. The costs of theft, destruction or unauthorized use of electronic data through computer viruses and network intrusions are covered by policies designed specifically to cover cyberliability.
Mitigating risks through an effective employee handbook
Handbooks can be effective tools for maintaining uniformity in the application of policies and procedures. They can also serve as useful guides for managers and supervisors to resolve complaints, and they enhance the credibility of decisions based on the policies they contain.
But a poorly prepared handbook, or a corporate culture where the policies aren’t followed, can result in liability for the organization as easily as not having a handbook or policies at all.
Essential handbook components that can protect both employers and employees should include:
- Provisions and disclaimers clearly showing that the handbook is not a contract with any inherent rights
- An equal employment opportunity statement outlining nondiscrimination provisions and protections
- Sexual harassment and anti-harassment policies, along with complaint and investigative procedures
- Problem-defining policies and the procedures for solving them
- Safe harbor policies for the private information of all employees
Five words or phrases that should never appear in an employee handbook:
- “Permanent” weakens the doctrine of “at-will employment.”
- “We do not pay overtime” suggests the nonprofit’s intent to violate wage and hour laws.
- The name of or reference to another organization’s handbook, whose policies may not be interchangeable.
- “And after the third violation…” or the like suggests overly prescriptive disciplinary policies that do not allow management flexibility and discretion.
- “Confidentiality is assured,” while an admirable goal, may not be appropriate depending on the nature of the matter at hand.
Verbal summaries and forums for questions by employees should be provided. Receipt of the handbook by the employee is critical to enforcement and protection of the organization.
Directors and officers liability protection
Because the term directors and officers liability (D&O) may imply a for-profit exposure, some nonprofits may assume it doesn’t apply to them. But according to a 2012 survey, 64 percent of nonprofit respondents made at least one D&O claim in the previous 10 years. The most frequent type of D&O claim faced by a nonprofit organization was employment related. In fact, the percentage of nonprofits reporting at least one D&O claim has almost tripled to 35 percent of nonprofits in 2010, up from 13 percent in 2008. Most claims concerned employment practices liability, such as compensation disputes, followed by regulatory issues. Allegations may also be due to breach of fiduciary duty, negligent supervision, mismanagement of assets, or conflicts of interest.
Typically, a significant percentage of the dollars lost in such claims is due to defense costs as opposed to damages or settlement costs.
This type of liability requires protection for the personal liability of board members. It does not, however, replace responsible governance. Coverage also includes employees, volunteers and committee members, as well as the entity itself. Third parties may also be covered through a policy extension. It is important to read the policy and understand how the carrier defines a wrongful act. Be sure to report claims to the carrier in a timely manner.
Insuring against fraud
Since 2008, significant “diversions of assets” – that is, theft, fraud and embezzlement – at nonprofits have risen; at least, the disclosure of these diversions that is now required of nonprofits makes it appear that awareness (if not the number of actual incidents) is on the rise. These diversions occur throughout the United States and the District of Columbia, most often at charitable and, to a lesser extent, educational organizations. Anecdotally, it appears that the financial damage occurs in nonprofit organizations of all sizes.
As a formal definition, occupational fraud is the use of an occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets. Nonprofits are not immune to this activity and the damage to assets, revenues and resources can be significant.
One unsettling aspect of fraud activity at nonprofits is that it can take two years or more before it is detected. During that time, a major amount of money can be misappropriated; the median loss for nonprofits is about $109,000, not to mention the damage to public trust and employee morale.
While background checks of potential employees are important, only about 7 percent of fraud perpetrators had prior convictions. These activities – whether the misappropriation of incoming or outgoing funds – were most often committed by accounting staff or upper management and are often due to personal difficulties, rationalization and opportunity.
When it comes to risk management and prevention, the segregation of duties regarding transactions – recording, authorizing, custody and execution – is of primary importance. This can be difficult in nonprofits because there may not be enough staff to segregate duties. Employee assistance programs can also be helpful to mitigate the personal difficulties that may lead to fraud. Even required vacations, which can force organizations to rotate responsibilities, offer opportunities for reviews of operations. Finally, a strong, effective board can help track how and where money is being spent.
Ultimately, commercial crime coverage – also known as employee dishonesty coverage or fidelity bonds – can be purchased to cover losses.