This is the second in a series of four articles on risk management ideas for not-for-profit organization leaders and volunteers. In the first article, readers were invited to consider how to determine an organization's risk appetite and risk tolerance position. Fiscal risks such as property loss, asset loss/damage/theft, misappropriation of funds and event mishaps were examined with a view to adopting prevention strategies. In this article, we focus on risk management prevention strategies to avert human resource-related risks.
The first line of defence is to appoint a Risk Management Committee. Larger organizations may assign risk management work to their Audit Committee or create a Risk Management sub-committee. Whatever your governance model, it is important that the following circumstances exist.
1. Ensure that individuals with related risk management competencies serve on the body that oversees your risk management activities. This refers to staff, volunteers, and external counsel (e.g. auditor, insurer or lawyer). Risk management competencies could include proficiency in finance, accounting and/or auditing; operational control mechanisms; development of policies and procedures; governance and law.
2. Establish Terms of Reference for those authorized to work on risk management. The following is an example:
Risk Management Committee Proposed Terms of Reference
Purpose: The role of the Risk Management Committee is to support and advise the Board of Directors on the implementation and monitoring of the risk management strategy. The Committee coordinates and prioritizes risk management work.
Accountability: The Chair of the Committee reports to the Board of Directors twice a year.
Authority: The Committee has the authority, within guidelines established by the Board of Directors, to:
- Identify and evaluate key risks that threaten achievement of the organization's objectives. Maintain a register of these risks.
- Set clear responsibilities for the coordination of risk management.
- Establish and maintain an ongoing program of risk identification, analysis and control throughout the organization.
- Develop, implement and communicate incident reporting systems.
- Ensure responsive incident and accident investigation procedures are in place.
- Ensure all staff are aware of their duty to report incidents and near misses.
- Be a central point of analysis, tracking and trending of adverse incidents.
- Be a central point for the dissemination of relevant information to all directors, managers and staff.
- Ensure there is a system for receiving risk management-related data from the complaints process, and monitor the effectiveness and efficiency of that system.
- Monitor activities to meet risk management standards, according to various health authorities.
- Ensure risk management induction, training and education programs, targeted appropriately for all levels of staff, are established and implemented.
- Review and ensure development of risk management documentation.
- Ensure an appropriate library of risk management literature is available.
- Address such other matters related to risk as may arise from time to time.
- Committee Chair: Board of Directors' Vice Chair
- Senior staff officer
- Two non-Board of Director members
- The staff person who manages human resources files
- If possible, a community member who brings relevant expertise.
Term of Office: Committee members are appointed for two 2-year terms, renewable for two consecutive terms. Staff are eligible to serve indefinitely.
3. Look out for "management override", where a supervisor instructs a lower-ranking person to "override" the right way of reporting or recording information. This applies to a volunteer instructing staff as well.
4. Regularly update detailed policies and procedures that apply to staff as well as volunteers.
There are a number of tools that your Risk Management Committee can develop to manage and monitor risks; they include:
- An Asset Protection Plan - a list of all assets complete with serial numbers, insurance policy details and contingency plans for replacement.
- A Crisis Management Plan - step by step guidelines on who does what in the event of various predictable crisis scenarios.
- A Communication Plan - details on who communicates what to whom when and how.
- A Risk Management Strategy - guidelines on how to manage risk using such tools as insurance, monitoring, external auditing and policies and procedures.
Now that you have the right people working on risk management and prevention, let's consider the breadth of risks involving people that you could experience.
1. Board risks
If Board members lack commitment or required skills, poor and self-interest-based decisions can results. Develop criteria to ensure you always have a good mix of Board members and provide them with Board orientation, job descriptions, policies and procedures, conflict of interest guidelines and development training. It is recommended that Board performance evaluation also occur annually; Board self-evaluation tools may suit your organization.
To ensure that your Board adequately and appropriately communicates, have a communication plan that spells out the level and frequency of all communications.
Many not-for-profit organizations purchase Directors and Officers Liability Insurance to protect against financial vulnerability in the event of a claim. You should explore the wide range of insurance products that cover other risks.
2. Other volunteer risks
Provide volunteers with job descriptions, conflict of interest guidelines, evaluation tools and a Volunteer Policies and Procedures Manual that addresses potential volunteer issues and opportunities.
A difficult risk to manage is the death or terminal illness diagnosis of a key volunteer or staff member. Your crisis management plan should outline how to manage such circumstances and how to communicate them.
3. Staff risks
Starting from the beginning of a staff cycle, it is prudent to have well-thought out hiring practices that should be reviewed and regularly revised by an HR professional. Complex training is best reserved for when an employee has successfully completed the probation period. However, a detailed orientation is a way to minimize risks that could arise because your new staff person is not adequately trained.
Emergency, health and safety (EHS) procedures are a must for all people working for your organization (this includes volunteers). It is recommended that an EHS Manual be developed or the content included in your policies and procedures material.
If staff travel for you, risks should be identified and mitigation strategies outlined in comprehensive travel policies, which can be part of your Policies and Procedures manual.
Staff who have access to key assets should be monitored by a comprehensive "checks and balances" confidential strategy. For example, staff working with large sums of money should be required to take annual vacations so that any well-concealed fraud or misappropriation may be uncovered through their absence.
4. Customer risks
Anyone who uses a product or service your organization offers, or attends an event you organize can be described as a "customer". It is imperative that you have adequate insurance coverage to protect your organization from a law suit or worse, a criminal negligence charge.
At the commencement of any meeting or event, you should always announce exit procedures in the event of a problem. Consider purchasing cancellation insurance for events that, if cancelled, would cause a significant financial loss to your organization.
5. Government risks
The most obvious risk involving government is that staff forget to file remittances; the penalties can be stiff. However, government changing policies or regulations that could negatively impact your members and indirectly your organization are also risks that can be anticipated. It is important to gather intelligence about government policy reviews to enable you to mitigate potential risks and identify coping strategies.
Whenever people are involved, risks are predictable. The tragedies of 9/11, ice storms, floods and other disasters remind us that the most primitive prevention strategies should be studied - getting and keeping your employees or participants safely out of danger must always be a top priority. To ensure a safe execution of such risk management strategies, it is important to bring as many people together as you can to predict, prevent, and mitigate risks.
Next time, we will focus our attention on technology and intellectual property risk and explore how to develop a risk management strategy. Please send your questions or comments to the author.
Paulette Vinette, CAE, is the co-author of Risk Management - A primer for directors of not-for-profit organizations, which was recently published by the Canadian Society of Association Executives in 2005 (ISBN 0-921998-01-5). Paulette in President of Solution Studio Inc., a consulting practice that serves the not-for-profit association community. She can be reached at 1-877-787-7714 or Paulette@solutionstudioinc.com.