Risk Management Best Practices for Non-Profits
  • 1. Risk Management Best Practices for Non-Profits
    Commercial & Personal Insurance ▪ Employee Benefits ▪ Retirement Plan Services ▪ Wealth Management
    11311 McCormick Road ▪ Hunt Valley, MD 21031 ▪ www.psafinancial.com ▪ 410.821.7766
  • 2. About PSA’s Non-Profit Group
    Our non-profit group works with hundreds of organizations – helping groups just like yours with all of their insurance, healthcare benefits and retirement plan needs. If your organization is like most we work with, you’ll appreciate the efficiency and time savings of working with one trusted partner that understands your industry and is dedicated to helping you fulfill your mission.
    PROGRAM HIGHLIGHTS
    ▪ Sexual Abuse & Molestation Policies and Procedures
    ▪ Loss Prevention Consulting
    ▪ Risk Management Guide
    ▪ Claims Management Assistance
    ▪ Key Employee Replacement Expense Coverage
    ▪ Employment Practices Guidelines
    NON-PROFIT CATEGORIES WE SERVE
    ▪ Child Development Programs
    ▪ Counseling Centers
    ▪ Developmental Disabilities Programs
    ▪ Hospice Organizations
    ▪ Mental Health Agencies
    ▪ Senior Services
    ▪ Special Needs Day Schools
    ▪ ARCs; Family Service Agencies
    ▪ Head Start Programs; Meals on Wheels
    ▪ United Cerebral Palsy Association
    ▪ Private Schools
    ▪ Trade Associations
    All content contained in this document is the property of PSA Insurance & Financial Services.
  • 3. Topics Covered
    Risk Management Best Practices for Non-profits:
    ▪ Cyber Liability
    ▪ Employee handbook “Do’s and Don’ts”
    ▪ D&O Insurance
    ▪ Fraud
  • 4. What is Cyber Liability?
    Cyber Liability is the risk posed by conducting business over the internet, over other networks or using electronic storage technology.
    Two types of breaches:
    ▪ First Party
    ▪ Third Party
  • 5. First Party vs. Third Party
    ▪ First Party Cyber Liability – occurs when your own information is breached or compromised.
    ▪ Third Party Cyber Liability – occurs when customer or partner information your organization has promised to keep safe is compromised.
    ▪ First Party Cyber Liabilities can threaten a company’s competitiveness, but Third Party Cyber Liabilities can ruin reputations, open the door to expensive lawsuits and trigger statutory fines.
  • 6. Breaches
    ▪ Who? Unauthorized access by:
      – Hackers
      – Employees, faculty, students
      – Outsourced and third party vendors
    ▪ What? What are they accessing?
      – Laptops
      – Computer networks/wireless networks
      – PDAs/cell phones
      – Paper files
      – Websites
  • 7. Why do I need Cyber Liability?
    ▪ Cyber Liability exposures are excluded from a General Liability Policy.
    ▪ Cyber Liability Policies cover the costs of theft, destruction or unauthorized use of electronic data through computer viruses and network intrusions.
  • 8. Private Information
    What are the exposures?
    ▪ Credit card information
    ▪ Social Security numbers
    ▪ Patient health information, medical claims and records
    ▪ Date of birth information
    ▪ Customer user names and passwords
    ▪ Customer or employee contact information
    ▪ Financial records and account information
    ▪ Driver’s license number
    ▪ Biometric information
    Failure to protect private information from cyber threats can result in losses to:
    ▪ Company reputation
    ▪ Finances
    ▪ Customer satisfaction
    ▪ Business opportunities
    ▪ Intellectual property
    ▪ Possible litigation
  • 9. How vulnerable is your business?
    ▪ 77% of employees leave their computers unattended
    ▪ 65% of small businesses say their organization’s sensitive information is not encrypted
    ▪ 56% of employees frequently store sensitive data on their laptop or mobile device
    ▪ 62% of small businesses don’t routinely back up data
    *TrendMicro & Ponemon Institute 2012
  • 10. Potential Claims Expenses
    ▪ Expenses to notify affected parties
    ▪ Business income and extra expense
    ▪ Extortion payments
    ▪ Crisis management expenses
    ▪ Credit monitoring costs
    ▪ Negligence
    ▪ Invasion of customer’s right to privacy
    ▪ Defense and damages
    ▪ Media / intellectual property
  • 11. Methods of Attack
    ▪ Denial of service
    ▪ Loss of critical infrastructure
    ▪ Theft of information
    ▪ Fraud
    ▪ Corruption of data
    ▪ Insider exploitation
  • 12. Cyber Liability Risk Management
    ▪ Segregate and restrict access to sensitive data
    ▪ Establish user access control and password protection procedures
    ▪ Review security of and access to network and servers
    ▪ Encrypt private data on databases, laptops and mobile devices
    ▪ Implement and maintain a firewall
    ▪ Apply intrusion detection software systems
  • 13. Vulnerability of a Non-Profit
    ▪ Financial constraints
    ▪ Type and number of records stored
  • 14. Cloud Risk Considerations
    ▪ Who owns the data once it resides on the cloud?
    ▪ Does your cloud provider guarantee the security and privacy of your data?
    ▪ Will you be alerted if there is a breach of your data within the cloud?
    ▪ Will you have the right to investigate the breach?
    ▪ Who will be responsible for notifying your customers of a breach incident?
  • 15. Underwriting Issues
    ▪ Nature of business
    ▪ Revenues
    ▪ Total number of records at risk
    ▪ Types of records at risk
    ▪ Written policies and procedures
    ▪ Risk management procedures
    ▪ Security and protection
    ▪ Breach/claim history
  • 16. The Employee Handbook
  • 17. Purpose of Employee Handbooks
    ▪ Maintains uniformity in the application of policies and procedures
    ▪ Legal compliance and protection
    ▪ Communicates company policies
    ▪ Useful resource and guideline for managers and supervisors responsible for resolving employee complaints
    ▪ Enhances the credibility of decisions based on policies
  • 18. Potential Downsides
    ▪ Guidance demonstrating an entity’s failure to comply with its own internal policies and procedures
    ▪ Can reduce the flexibility needed to handle issues as they arise if the policies are not well drafted
    ▪ Poorly prepared handbooks can result in liability
  • 19. Essential Handbook Policies
    ▪ Introduction Provisions/Disclaimer
    ▪ EEO Statement
    ▪ Sexual Harassment policy
    ▪ Non-Harassment policy
    ▪ Problem Solving Procedure
  • 20. Components: Disclaimer
    ▪ The primary way to minimize the likelihood that a court will find that handbook provisions amount to an implied contract is to include an unambiguous, prominent disclaimer on the first page of the handbook.
    ▪ At-Will Statement: “Employer or employee may terminate the employment relationship at any time, without notice and for any reason.”
  • 21. Components: EEO Statement
    ▪ Non-discrimination provisions
    ▪ Summary of protected categories
    ▪ Reasonable accommodation language
    ▪ Welcome employee participation in the interactive process
  • 22. Components: Anti-Harassment Policy
    ▪ Commitment
    ▪ Identification
    ▪ Complaint Procedure
    ▪ Investigative Procedure
    ▪ Anti-retaliation
    ▪ Helps employer avoid liability where employee fails to utilize these channels
  • 23. Components: Problem Solving Procedures
    ▪ Importance
    ▪ Define “Problem”
    ▪ Procedure
  • 24. Components: Safe Harbor Policy
    ▪ Classifications of employees
    ▪ Addressing paycheck mistakes
    ▪ Exempt status protection
    ▪ Reporting procedures
  • 25. 5 Things That Should Never Appear in an Employee Handbook
    ▪ “Permanent”
    ▪ “We do not pay overtime”
    ▪ “The name of or reference to” (another organization)
    ▪ “And after the third violation”
    ▪ “Confidentiality is assured”
  • 26. 5 Things That Should Never Appear in an Employee Handbook
    ▪ “Permanent” – The word “permanent” appears in handbooks to distinguish employees who have completed a probationary period. However, the term should never appear in a handbook because it weakens the important doctrine of “at-will employment.” The term “regular” is more appropriate.
    ▪ “We do not pay overtime” – This phrase suggests a non-profit’s intent to violate the wage and hour laws. If a non-exempt employee works overtime, he or she must be paid premium pay.
    ▪ “Reference to another organization” – It is surprising how many organizations copy another organization’s handbook and just substitute in their name. Policies that are suitable for one non-profit may not be suitable for yours.
    ▪ “And after the third violation” – Your handbook should not contain overtly prescriptive disciplinary measures. The best handbooks afford management maximum discretion in determining the discipline that should apply in a given instance. Statements such as “violation of this policy could result in discipline, up to and including termination” give management the ability to determine the appropriate measures.
    ▪ “Confidentiality is assured” – It is never appropriate to provide outright assurances of confidentiality when the nature of the matter may require that persons within the organization be informed of the allegations or the status of an investigation. A more appropriate statement may be “all complaints will be investigated promptly and as confidentially as possible.”
  • 27. Handbook Receipt
    ▪ Right to modify without notice
    ▪ Acknowledgement of receipt and obligation to read, understand and adhere to policies and procedures
    ▪ At-will status/employment contract disclaimer
  • 28. Distributing Handbooks
    ▪ Provide employees with a verbal summary of major policies and/or changes upon distribution
    ▪ Provide opportunity for employees to ask questions and voice concerns freely
    ▪ Always require that the handbook receipt be signed and turned in promptly to managers or the HR department
  • 29. What to Say and How to Say It
    ▪ Be consistent with company culture
    ▪ Write clearly and concisely
    ▪ Avoid making promises
    ▪ Avoid “shall” and “will”
    ▪ Maximize flexibility using “may” and “usually”
    ▪ Eliminate references to management procedures
    ▪ Comply with applicable local, state and federal law
  • 30. D&O Insurance
  • 31. Why do Non-Profits need D&O Insurance?
    ▪ Exposures: driven by what the organization does
    ▪ Personal Liability
    ▪ Duties of Directors (care, loyalty, obedience)
    ▪ Volunteer Protection
    ▪ Indemnification
    ▪ D&O insurance does not replace responsible governance
  • 32. Claims Overview
    ▪ Almost triple the number of non-profits reported having a D&O claim in 2010 (35%) vs. 2008 (13%)
    ▪ 67% of claims filed under non-profit D&O policies were EPLI related
    ▪ A significant % of all loss dollars are for defense costs as opposed to damages/settlement
    ▪ 35% of non-profits have D&O claims – compared to 29% for publicly traded and 26% for privately held companies
    ▪ Claimants can be employees, volunteers, donors, members, competitors, creditors, regulators, governmental bodies, beneficiaries of service
  • 33. Allegations?
    ▪ Breach of fiduciary duty
    ▪ Negligent supervision
    ▪ Mismanagement of assets
    ▪ Conflict of interest
    ▪ Misrepresentation
    ▪ Tortious interference
  • 34. Who and what are covered?
    Covers directors and officers plus…
    ▪ Employees, volunteers and committee members
    ▪ Full entity coverage
    ▪ Includes Employment Practices Liability Coverage
    ▪ Third party liability extension
  • 35. Policy Overview
    ▪ Duty to defend
    ▪ Aggregate limit
    ▪ Defense costs either inside/outside limit
    ▪ Exclusions
  • 36. Insuring Claims
    ▪ Clause 1 or Side A – Covers insured persons for loss for which they are not indemnified by their non-profit
    ▪ Clause 2 or Side B – Covers loss for which the non-profit is lawfully permitted or required to indemnify its insured persons
    ▪ Clause 3 or Entity Coverage – Covers the non-profit itself
  • 37. What constitutes a loss?
    ▪ Loss – covered damages, settlements and defense costs
    ▪ Typically excludes taxes, fines, penalties, costs to comply with injunctive relief, amounts due under a breached contract
    ▪ Includes front pay, back pay, salary and benefits components in the employment context
  • 38. What is a wrongful act?
    A wrongful act means:
    ▪ Any error, misstatement, misleading statement, act, omission, neglect or breach of duty committed, attempted or allegedly committed or attempted by an insured person in his or her insured capacity or by the organization, or
    ▪ Any other matter claimed against an insured person solely by reason of his or her serving in an insured capacity
  • 39. What is a claim?
    A claim means:
    ▪ A written demand for monetary damages or non-monetary relief
    ▪ A civil proceeding commenced by the service of a complaint or similar pleading
    ▪ A criminal proceeding commenced by the return of an indictment, or
    ▪ A formal civil administrative or civil regulatory proceeding commenced by the filing of a notice of charges or similar document, or by the entry of a formal order of investigation or similar document
  • 40. D&O
    ▪ Importance of reporting claims
    ▪ Timely reporting
    ▪ Who chooses counsel can be an issue
  • 41. Endorsements to Consider
    ▪ Defense outside limit of liability
    ▪ Outside directorship
    ▪ Wage and hour
    ▪ Fiduciary
    ▪ HIPAA
  • 42.
  • 43. What is fraud?
    ▪ Deceit, trickery or breach of confidence, perpetrated for profit or to gain some unfair or dishonest advantage – Dictionary.com
    ▪ Occupational Fraud: The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets – Association of Certified Fraud Examiners
  • 44. Occupational Fraud Elements
    ▪ Effort to obscure from detection
    ▪ Violates perpetrator’s fiduciary duties to the organization
    ▪ Committed to benefit perpetrator, organization or both
    ▪ Costs victim organization assets, revenues or resources
  • 45. Fraud or Abuse?
    ▪ Stealing incoming or outgoing cash
    ▪ Stealing assets
    ▪ Padding an expense report
    ▪ Using the non-profit’s equipment for personal reasons
    ▪ Inappropriate use of sick leave or personal leave
    ▪ Spending work hours on personal business
  • 46. Fraud Stats and Facts: Non-Profits
    ▪ Median duration of fraud for non-profits – 24 months
    ▪ Lack of balance between funding for the stated mission of the organization and protection of the organization’s assets
    ▪ Inordinate emphasis on ineffective controls
  • 47. Fraud Stats and Facts
    ▪ Estimated to impact 7% of all organization revenues in the U.S. = $99 billion per year
    ▪ Median duration of fraud is 18–24 months
    ▪ Only 7% of perpetrators had prior convictions
    ▪ Fraud was most often committed by accounting staff or upper management.
    – Source: Association of Certified Fraud Examiners
  • 48. Median Losses
    ▪ Private companies – $278,000
    ▪ Public companies – $142,000
    ▪ Non-profits – $109,000
    ▪ Government Agencies – $100,000
  • 49. Impact/Consequences
    ▪ Bad PR
    ▪ Loss of public trust
    ▪ Increased oversight/scrutiny
    ▪ Increase of operating costs
    ▪ Damaged employee morale
    ▪ Loss/theft of funds and assets
  • 50. Fraud Triangle
    [diagram; legible label: Opportunity]
  • 51. Leg 1 “Pressure”
    ▪ Living beyond one’s means
    ▪ Financial difficulties
    ▪ Medical/health issues
    ▪ Grief/loss
    ▪ Post-traumatic stress disorder symptoms
    ▪ Addictions to gambling, alcohol, drugs
    ▪ Marital/relationship conflicts
    ▪ Unachievable goals set by self/organization
    ▪ Societal expectations for status and desires
  • 52. Leg 2 “Rationalization”
    ▪ Just “borrowing” and plan to give back
    ▪ Lack of adequate pay – includes volunteers
    ▪ Lack of career ladder
    ▪ Entitlement mentality
    ▪ Encouragement by “tone at the top”
  • 53. Leg 3 “Opportunity”
    ▪ Ease of access to funds and assets
    ▪ Relaxed control environment
    ▪ Low emphasis on support functions
    ▪ Repetitive processes without review/revision
    ▪ Lack of fear of detection
  • 54. Occupational Fraud
    ▪ Misappropriation of Assets – 89% of occupational fraud cases
      – Cash – larceny, skimming
      – Inventory – misuse, larceny
    ▪ Corruption (27%) – bribes, conflicts of interest
    ▪ Fraudulent statements (10%) – low frequency, high severity
    – Statistics from ACFE
    Note: Total does not equal 100% since some fraud schemes reviewed comprised multiple classifications
  • 55. Common Fraud Schemes
    Misappropriation of assets: incoming funds
    ▪ Checks and cash
    ▪ Donated property
    ▪ May occur prior to or after transaction recording
    Misappropriation of assets: outgoing funds
    ▪ Billing fraud
      – Phony vendors
      – Fraudulent payments (i.e. duplicate payments, overpayments, check tampering, refunds)
      – Conflict of interest/inappropriate vendor selection
    ▪ Travel and expense fraud
  • 56. Prevention
    ▪ Code of conduct, ethics policy, fraud policy
    ▪ Documented policies and procedures for core functions
    ▪ Employee assistance programs
    ▪ Background checks for employees
    ▪ Protect proprietary and confidential information
    ▪ Fraud hotline
    ▪ Segregation of duties
      – Record the transaction
      – Authorize the transaction
      – Custody of the transaction
      – Execute the transaction
  • 57. Prevention (cont’d)
    ▪ Required vacation
    ▪ Rotate responsibilities and cross train
    ▪ Review key controls
    ▪ Trust but don’t over-delegate
    ▪ Secure assets and document custody transfer
    ▪ Management review of financial statements
    ▪ Background checks
      – 67% of all resumes/applications contain material inaccuracies
      – Periodically review position requirements and responsibilities to ensure continued relevance
      – Reasonably verify disclosures:
        ▪ Education
        ▪ Employment experience
        ▪ Professional references
        ▪ Credit background
        ▪ Criminal background
  • 58. Prevention (cont’d)
    ▪ Protect vendor and proprietary information (i.e. donors)
    ▪ Strong board participation; ask difficult questions
    ▪ Audit committee involvement and external audit assurance
    ▪ Fraud risk assessment
      – Peer organization involvement
      – Top-down approach and participation
  • 59. Sources of Fraud Detection
    ▪ Independent (external) audits
    ▪ Financial management or internal control
    ▪ Employee tips or complaints
    ▪ Accident – 19%
    ▪ Internal Audit – 19%
    ▪ Customer tip – 9%
    ▪ Vendor tip – 5%
  • 60. Special Fraud Challenges for Non-profits
    ▪ Sympathetic thief
    ▪ Fear of publicity
    ▪ Resources
  • 61. How do you protect the entity against fraud?
    Commercial crime coverage
    ▪ Employee dishonesty coverage or Fidelity Bonds
  • 62. Talk to our Non-Profit Specialist
    Jeffrey D. Wallop, CIC, Vice President
    jeffw@psafinancial.com ▪ 443.798.7379
    -- Or --
    Learn more about PSA’s Non-Profit Practice
    Baltimore Office: 11311 McCormick Road, Hunt Valley, MD 21031
    Washington, DC Metro Office: 2275 Research Blvd., Suite 500, Rockville, MD 20850
    JW131125dmt