Non Profit Risk Management
Presented by:
Markham F. Rollins III, CEO
Erica Martinson, Director Risk Management Services
The Rollins Agency, Inc.
William Abram, President
Pragmatix
Reputation
“It takes twenty years to build a reputation and five minutes to destroy it”
Understanding & Managing Risk
Risk Management
Anticipating what could happen tomorrow
Risk Defined – “future issues that can be avoided or mitigated” (Wikipedia)
Risk – Options
Avoid
Assume
Mitigate
Transfer
Prevent?
12 Hallmarks
Takes More Risks Than It Avoids
Heralds A Risk Management Champion
Guided By Reality, In Addition To Scary Headlines
Is Bold But Smart
Cultivates a ‘Can-Do’ Attitude Among Paid and Volunteer Staff
Sees The Whole Iceberg Not Just The Tip
Understands That Hindsight Isn’t 20:20, But It’s Better Than A Blindfold
Tells It Like It Is
Is Transparent With Insurance Partners
Values The Journey, Not Just The Destination
Culture vs. Process
[Chart: Culture and Process plotted against Effort and Time]
Organizational Threats
Operational: Reputation; Financial performance; Growth; Donor funding; Loss of contract; Board governance; Contract review; Data theft; Accusations of alleged action; Social media; Increased compliance requirements; Employee theft
Human Capital: High turnover; Bad hires; Productivity; Training; Background checks; HR compliance; Culture; Wellness; Youth protection; Employee injury; Volunteer injury; Wrongful termination
Physical Hazard: Disaster recovery; Automobile; Ergonomics; EE working at home; Business interruption; Cyber liability; Loss of residential facility; Emergency evacuation; Special events; Power outage; Bed bugs; Fire
Why Have a Plan?
[Chart: Cost of Risk ($) over Time, showing a higher band and a lower band]
No Plan: High Frequency, High Severity, High Expense, High Exposure, No Controls, Reactive Management
With a Plan: Low Frequency, Low Severity, Low Expense, Low Exposure, High Level of Controls, Proactive Management
1) Do Nothing – Take your chances as to where you end up on the higher band
2) Take Control – Proactively position yourself at the bottom of the lower band
Advantages of Having a Risk Management Plan
Driving down cost of risk using a plan
Workshop
Questions so far?
Best Practices – Workshop
Risk Management Topics
1. Risk Management Committee
2. Contract Reviews
3. Certificate of Insurance Management
4. Volunteers
5. Special Events
6. Crisis Management
7. Emergency Evacuation
8. Disaster Recovery Planning
9. Business Continuity Planning
10. Claims Management
11. IT Disaster Recovery
12. Social Media
13. Board Governance
14. Collaboration
15.
Workshop
Progress not Perfection
Zip Code 89410
Risk Management Committee
Strategy | 1-10 | Who | 1st Actions
Committee in place and made up of representatives from all areas (vertical) and levels (horizontal) of the organization
1.
2.
3.
Regularly scheduled meetings with agendas and minutes (regular reports from subcommittees such as safety, personnel, etc.)
1.
2.
3.
Formal processes for sub-committees to review all accidents & near misses, perform inspections, special projects, etc.
1.
2.
3.
Committee engages in outside-the-box thinking about risk to the organization and gets board involvement
1.
2.
Contract Reviews
Strategy | 1-10 | Who | 1st Actions
Develop standardized contracts and require sign-off before they can be deviated from. Suppliers and contractors.
1.
2.
3.
Send all non-standard contracts to legal and insurance advisors for review
1.
2.
3.
Negotiate for the best contract provisions, and to ensure that you can comply with insurance requirements
1.
2.
3.
Centralize storage of all contracts and ensure there are backups
1.
Certificate of Insurance Management
Strategy | 1-10 | Who | 1st Actions
Require all vendors, independent contractors, etc. to carry insurance & provide certificates. Additional named insured provision is key!
1.
2.
3.
Establish & communicate minimum insurance requirements (boilerplate)
1.
2.
3.
Implement a system for requesting certificates, checking for compliance and filing
1.
2.
3.
Implement a diary system for expiring certificates and following up to obtain renewals
1.
2.
Volunteer Risk Management
Strategy | 1-10 | Who | 1st Actions
Formal written policy regarding recruitment, screening and selection is in place. Verification of all credentials and licenses is part of the screening process
1.
2.
3.
Training, supervising and disciplining volunteers is established. Signed waivers from all volunteers are non-optional!
1.
2.
3.
Job description for each position: responsibilities, authority, reporting relationships and performance expectations. A volunteer handbook is ideal
1.
2.
3.
Process to solicit feedback and uncover any negatives. Post event surveys if applicable
1.
Special Events
Strategy | 1-10 | Who | 1st Actions
A planning checklist and safety checklist are used for all events, from planning to day of event, clean-up and first aid.
1.
2.
3.
Staffing considerations are in place for all areas. The use of staff, volunteers, board and others is clear with levels of authority
1.
2.
3.
Legal considerations are in place and all the necessary forms are in place. Lease, Hold Harmless Agreements, waivers of subrogation, participant waivers
1.
2.
3.
Certificates of insurance are in place for all vendors, suppliers and subcontractors
1.
2.
Crisis Management
Strategy | 1-10 | Who | 1st Actions
You have looked at all scenarios and possibilities to the best of your ability and know what could happen
1.
2.
3.
You have a comprehensive directory of all staff, board and key volunteers and you have complete backup of key data
1.
2.
3.
You have a licensed attorney and PR firm that you call upon for advice that has experience in this matter
1.
2.
3.
There is a clear communication strategy in place. Who will speak, how you describe your mission, what strategy you have to contact everyone and who is involved in the plan
1.
2.
Emergency Evacuation Risk Management
Strategy | 1-10 | Who | 1st Actions
Establish emergency evacuation & shelter for all sites including means of egress and alternate shelter locations
1.
2.
3.
Distribute plan to staff & train in emergency evacuation & shelter in place procedures
1.
2.
3.
Unannounced drills held at least 2X per year and results reviewed
1.
2.
3.
All alarms and safety equipment tested & serviced on a regular basis
1.
2.
Disaster Recovery Planning - DRP
Strategy | 1-10 | Who | 1st Actions
Identify all possible threats to continuing operation of the organization (physical, health, economic, political, etc.)
1.
2.
3.
Seeking input from all departments, create a formal written DRP laying out how to cope with each possible disaster.
1.
2.
3.
Roll out DRP to all managers, then to rest of staff, and train them in implementing it
1.
2.
3.
Test the plan by staging drills, and make any corrections. Communication plan is key to
1.
Business Continuity
Strategy | 1-10 | Who | 1st Actions
Identify triggers that would interrupt each program’s funding sources or revenue streams
1.
2.
3.
Refer to DRP and determine maximum time until operations can be restored and income resumes. Identify alternate locations, partnerships backup for IT (phone and internet)
1.
2.
3.
Calculate amount of business income and extra expense that would be needed for each. Insurance helps. Does not solve
1.
2.
3.
Test, verify & update elements of plan so it will be workable when you need to activate it
1.
2.
Claims Risk Management
Strategy | 1-10 | Who | 1st Actions
Meet regularly with insurance agent to review open & newly closed claims, identify trends. W/C, Auto, GL and Professional Liability
1.
2.
3.
Ensure that financial departments are aware of the impact of specific claims on future insurance costs and deductibles
1.
2.
3.
Internal process for reviewing claims, accidents & near misses, run by a subgroup of the Risk Management Committee
1.
2.
3.
Analyze WC experience mod to project future costs and identify problems or trends
1.
2.
IT Disaster Avoidance/Recovery
Strategy | 1-10 | Who | First Steps
Operational impact of IT system outages is understood and documented
Financial impact of IT system outages is understood and documented
Recovery Time and Recovery Point Objectives are documented
IT disaster recovery/avoidance capabilities are assessed against recovery objectives and gaps or weaknesses identified
Identify technologies (and budget) needed to fill gaps
Create IT disaster recovery test plan and execute a test
Example: Operational Impact of a Disruption
BUSINESS PROCESS & SYSTEMS INVOLVED | < 2 HOURS | 2-24 HRS | 1-3 DAYS | > 3 DAYS
1. Clinical Services (Scheduling, Med Records) | Irritating | Manageable | Critical | Devastating
2. Fund Raising (Accounting, CRM) | Irritating | Irritating | Manageable | Manageable
3. Administration | Manageable | Critical | Devastating | Devastating
Example: Financial Impact of a Disruption
BUSINESS PROCESS | < 2 HOURS | 2-24 HRS | 1-3 DAYS | > 3 DAYS
1. Clinical Services: Labor $1K, Labor $4K, Revenue $10K, Labor $12K, Revenue $30K
2.
3.
4.
5.
6.
Recovery Objectives
Recovery Time Objective (RTO): What is the target time set for resumption of service delivery after an incident? In other words, how quickly does this system or application need to be recovered?
Recovery Point Objective (RPO): What is the maximum tolerable period in which data might be lost? In other words, how many minutes or hours of data entry (or transactions) can we afford to lose?
Example: Establish Recovery Objectives
SYSTEM OR APPLICATION | RTO | RPO
1. Exchange Server | 2 hrs | 15 min
2. Accounting S/W | 2 days | 1 day
3.
4.
5.
6.
Example: Assess Current State
SYSTEM OR APPLICATION | RTO | RPO | CURRENT STATE ASSESSMENT | OK?
1. Exchange Server | 2 hrs | 15 min | Server hardware failure would be repaired next business day; nightly backup could mean some mail items would be lost; new mail would be queued at App River | No
2. Accounting | 2 days | 1 day | Server hardware failure would be repaired next business day; nightly backup meets RPO | Yes
3.
4.
5.
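As an added worked example (not from the presentation), the following Python turns the assessment above into a repeatable check: each system's RTO and RPO are compared against what the current repair time, restore time and backup interval can actually deliver. The two systems and their objectives are taken from the slides; the current-state numbers (next-business-day repair taken as 24 hours, a 2-hour restore, nightly backups as a 24-hour interval) are assumptions.

```python
"""Gap assessment of current DR capability against RTO/RPO objectives.
Added example; the systems and objectives come from the slides, the
current-state figures (24 h repair, 2 h restore, nightly = 24 h backup
interval) are assumed values, not data from the presentation."""
from dataclasses import dataclass

HOUR = 60
DAY = 24 * HOUR

@dataclass(frozen=True)
class System:
    name: str
    rto_min: int              # Recovery Time Objective, minutes
    rpo_min: int              # Recovery Point Objective, minutes
    repair_min: int           # time until replacement hardware is running
    restore_min: int          # time to restore data from the last backup
    backup_interval_min: int  # time between backups

def achievable_rto(s: System) -> int:
    # Service resumes only after the hardware is fixed AND data is restored.
    return s.repair_min + s.restore_min

def achievable_rpo(s: System) -> int:
    # With periodic backups, everything since the last backup is lost,
    # so the worst-case data loss equals the backup interval.
    return s.backup_interval_min

def assess(s: System) -> dict:
    rto_ok = achievable_rto(s) <= s.rto_min
    rpo_ok = achievable_rpo(s) <= s.rpo_min
    gaps = []
    if not rto_ok:
        gaps.append(f"RTO gap: need {s.rto_min} min, achievable {achievable_rto(s)} min")
    if not rpo_ok:
        gaps.append(f"RPO gap: need {s.rpo_min} min, achievable {achievable_rpo(s)} min")
    return {"system": s.name, "ok": rto_ok and rpo_ok, "gaps": gaps}

# Constructed current-state figures for the two systems on the slide.
SYSTEMS = [
    System("Exchange Server", rto_min=2 * HOUR, rpo_min=15, repair_min=DAY, restore_min=2 * HOUR, backup_interval_min=DAY),
    System("Accounting S/W", rto_min=2 * DAY, rpo_min=DAY, repair_min=DAY, restore_min=2 * HOUR, backup_interval_min=DAY),
]

def assess_all(systems=SYSTEMS) -> list:
    return [assess(s) for s in systems]

if __name__ == "__main__":
    for r in assess_all():
        print(r["system"], "OK" if r["ok"] else "GAP", *r["gaps"], sep="\n  ")
```

The Exchange row reproduces the slide's "No" (both objectives missed) and the Accounting row its "Yes"; changing the backup interval for Exchange to 15 minutes or less shows which technology gap the next worksheet row is asking you to budget for.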
Closing Comments & Questions
Resources
Nonprofit Risk Management Center
Nonprofit Risk Center Tools
12 Hallmarks
COA Tools
Tools
Board Governance
Strategy | 1-10 | Who | 1st Actions
Training and orientation for new board members (board packet) including roles and responsibilities and such details as a signed conflict of interest document.
1.
2.
3.
Ongoing training for the board on various skills & topics including EPL/Sexual Harassment
1.
2.
3.
Indemnification provisions in bylaws and D&O insurance purchased
1.
2.
3.
A Strategic Plan is in place and used as a living document to help guide the organization
1.
2.
Collaboration Risks
Strategy | 1-10 | Who | 1st Actions
Checklist including – Confirm compatibility, understand motivations, due diligence, clarify expectations, put in writing
1.
2.
3.
Depending on the level of the collaboration, a written document is in place and reviewed by legal counsel. It may be as basic as a memorandum of understanding
1.
2.
3.
A thorough review of each party’s insurance has been completed, with certificates of insurance in place with all interested parties.
1.
2.
3.
Clear expectations are in place when collaborating with for
1.
Social Media
Strategy | 1-10 | Who | 1st Actions
A central listing of all domains and social media sites, including passwords. Someone has ownership of and responsibility for this
1.
2.
3.
Someone is responsible for listening online: checking for similar sites, bad comments, bad postings, etc.
1.
2.
3.
Written social media policy in place and shared with all employees, volunteers and board, including use of company and personal computers for business use
1.
2.
3.
Outgoing communication – Are you aware of Spam laws and do all your “Advertisement” emails have your address and opt out option?
1.
2.
Auto/Fleet Risks
Strategy | 1-10 | Who | 1st Actions
All drivers are vetted using an application and screening process. A formal written policy for driving agency vehicles or on agency business, incl. accident reporting, is signed by all drivers
1.
2.
3.
Training for all drivers is non-optional, including refresher training. Determine what is an acceptable driving record (matrix) & run MVRs on all drivers at least annually
1.
2.
3.
Ensure that all vehicles are properly maintained & safely operated. Retain logs and other documentation for each vehicle
1.
2.
3.