Risk management: Exercising your due diligence


All of life is the management of risk, not its elimination - Frederick Wilcox.

For the past three months, we've offered CharityVillage visitors tips and tools for managing risks inherent in not-for-profit organizations.

In the first article, we defined risk management as "an approach that incorporates strategies for recognizing and confronting any threat or danger that may cause harm and hinder an organization from fulfilling its mission." We proposed a way to determine an organization's risk appetite and risk tolerance position. We focused on the wide range of fiscal risks that can be prevented or mitigated through planning.

In the second article, terms of reference for a risk management committee were shared. Different types of risks were examined (e.g. board, volunteer, staff, customer, and government risks).

In the third article, we looked into technological and intellectual property risks and offered a guide on how to set up an asset protection plan. We also provided advice on how to develop a risk management strategy and plan, and shared a risk management workshop agenda.

In this final article, we offer suggestions on preventing regulatory risks and offer you a crisis management plan template.

Before we begin, let us discuss insurance as a risk management tool. Insurance policies that provide compensation for loss can minimize the negative impact of such a situation. Types of insurance to consider include:

  • General liability insurance
  • Property insurance
  • Automobile insurance
  • Crime insurance
  • Directors and Officers' liability insurance
  • Event cancellation insurance

A new insurance product, Key Man Insurance, provides financial compensation to an organization in the event of the loss of their chief staff person. This allows the organization to buy interim services and assess their needs before replacing that position.

Regulatory risks involve unmet commitments to government. Examples include failing to remit or file payroll deductions, annual filing documents (updated list of the board of directors), GST collected, and bylaw revisions. Municipal, provincial, regional and federal governments promulgate a number of regulations and legislation that require compliance, and not-for-profit organizations, while exempt from paying profit taxes, need to understand and record their obligations. These compliance schedules should be monitored by a senior staff person, and back-up provisions need to be in place in the event that the person responsible is not able to fulfil their duties.

High-performance organizations have a crisis management plan that guides activities in the event of a crisis. Crises could include:

  • Fire
  • Burglary/theft
  • Inclement weather
  • Death or serious injury of a co-worker or volunteer
  • Event cancellation
  • Blow to reputation
  • Scandal
  • Workplace violence

The following is a template for developing your plan:

1. Identify response teams - List (by position) who is authorized and obligated to take what actions and provide full contact information for each person (including home phone number and address, cell phone number, personal e-mail). Different "teams" should be assigned to a long list of predictable crises in your plan.

Key contact information (phone, address, e-mail, persons to contact etc.) should also be listed in your plan; they could include:

  • Police
  • Fire station
  • Hospital
  • Ambulance
  • Government
  • Insurance
  • Credit card companies
  • Equipment leasing
  • Board members
  • Employee emergency contact person

2. Identify response procedures - List recommended procedures for responding to each predictable crisis. Remember to include instructions on what the receptionist and staff should say to outsiders inquiring.

3. Identify emergency procedures - Emergencies would include a health crisis (e.g. heart attack), workplace violence (e.g. threats, assaults) or forces of nature (e.g. storm, flooding, and fire). Emergency phone numbers should be printed on the front and back covers of your crisis management plan and posted throughout your place of business for easy access.

4. Identify communication guidelines - Because people involved in a crisis are usually in an emotional state, it is very important to provide step-by-step instructions on what information is communicated to whom in each predictable situation. Your plan should also identify counselling services and the circumstances under which they are brought in (and who decides).

5. Identify evaluation components and timing - When developing a crisis management plan, ask for input from all levels of staff, volunteers, and situational experts. Then, assign a cross-section of such individuals to regularly review and revise your plan. Make your plan a "living" document.

Your plan should also contain resources (e.g. fire drill procedures and first aid procedures). Ensure employees and volunteers know where to find the plan and require that senior management is well-versed in its instructions.

A final note on incorporating risk management in your organization - how much should you spend? Your cost will depend on your risk tolerance and the scope of risks your organization attracts. One way to reduce costs is to avoid risk "overload". Using the risk likelihood template offered in the first article, you can plot which risks have a high likelihood and would have a high impact and focus resources on those first. To demonstrate diligence, you may want to show your risk management expenses as a budget line item. It has been estimated that between five and ten percent of senior management's time will be required during the first year to work with the board to assess risks, align them with overall strategy, develop new performance reports, and keep staff informed throughout the process.

While risk management is a board responsibility, staff involvement and implementation of the crisis management plan make it a joint effort requiring everyone's support.

If you have questions or additional suggestions about ways to prevent and mitigate risks in not-for-profit organizations, please send them to the author.

Paulette Vinette, CAE, is the co-author of Risk Management - A primer for directors of not-for-profit organizations, which was recently published by the Canadian Society of Association Executives in 2005 (ISBN 0-921998-01-5). Paulette is President of Solution Studio Inc., a consulting practice that serves the not-for-profit association community. She can be reached at 1-877-787-7714 or Paulette@solutionstudioinc.com.
