CHAPTER 14
MANAGING RISK, LEGAL ISSUES, AND HUMAN RESOURCES

  1. 14.1 WHAT IS RISK MANAGEMENT?
    1. (a) Who Is Responsible for Managing Risk in the Nonprofit Organization?
    2. (b) Communicate Risk Management Policy
  2. 14.2 IDENTIFYING RISK
  3. 14.3 PRIMARY FINANCIAL RISK: ILLIQUIDITY
  4. 14.4 LEGAL ENVIRONMENT
    1. (a) Sarbanes-Oxley in the Nonprofit Sector
    2. (b) Ethical Considerations
    3. (c) Relevant Agency and Regulatory Rules
  5. 14.5 SAFEGUARDING PEOPLE
    1. (a) Tools for Effective Human Resource Management
    2. (b) Physical and Emotional Safety
    3. (c) Protecting the Organization from Lawsuits and Grievances
    4. (d) Dealing with Difficult or Problem Employees
    5. (e) Grounds for Immediate Termination
    6. (f) Compensation
    7. (g) Personal Use of Organizational Resources
    8. (h) Conflict of Interest
    9. (i) Getting the Most “Bang for Your Buck”
    10. (j) Staff and Volunteers – What Motivates Them?
    11. (k) What Qualities Should Leadership Possess?
  6. 14.6 DIRECTORS’ AND OFFICERS’ LIABILITY
    1. (a) Methods by Which Boards Can Protect Themselves
    2. (b) Conflicts of Interest
    3. (c) Executive Pay
    4. (d) Duties of Care, Loyalty, and Obedience
  7. 14.7 SAFEGUARDING YOUR FINANCIAL AND PHYSICAL ASSETS
    1. (a) Insurance
    2. (b) Risk Retention Versus Risk Transfer
    3. (c) Internal Controls
    4. (d) Fundraising
    5. (e) How to Begin the Financial Assessment Process
  8. 14.8 RISK MANAGEMENT AND HUMAN RESOURCE MANAGEMENT PRACTICES
  9. APPENDIX 14A: DERIVATIVES CHECKLIST
  10. APPENDIX 14B: CASE STUDY OF ASSOCIATION’S FOREIGN EXCHANGE RISK MANAGEMENT

14.1 WHAT IS RISK MANAGEMENT?

Is your organization planning on growing, and if so, what is the biggest challenge you face related to risk management? Nonprofit executives who were asked that question spoke about quality control, financial controls, untrained staff, inadequate resources, overreliance on grants or government contracts, contract compliance with a multitude of contracts, contingency planning necessitated by shifting governmental priorities, and board member lack of understanding of risk management (see Exhibit 14.1). Regarding risk management, 51 percent of respondents said that growth would make their organization's ability to manage risk somewhat harder, and another 11 percent said it would make their risk management ability much harder.1 The challenges voiced were grounded in building “capacity for a number of risk management activities, such as creating contingency plans for future funding uncertainty, maintaining compliance with funding requirements, actively assessing internal controls, and training employees.”2 Fraud risk is also in view here: When asked if growth opened up their organization to a greater potential for fraud or accusations of fraud, 4 percent said “Yes, very much,” 29 percent said “Yes, somewhat,” 27 percent said “Yes, only a little,” and the other 40 percent said either “No, not at all” (34 percent) or “I don't know” (6 percent).3 Interestingly, almost all (98 percent) of those surveyed said that growth is at least somewhat important for their organization, with almost half saying it is extremely important. Four out of five of those surveyed expected their organizations to grow in the next 12–18 months.4

Effective risk management is the process of evaluating and guarding against potential losses to the organization. Risk is defined as “the possibility that events will occur and affect the achievement of strategy and business objectives.”5 The chief financial officer (CFO) of a nonprofit organization should be very concerned about risk management issues because they directly affect the use of financial and other resources. Effective risk management can save significant resources, which ultimately translates into money and resourcing the mission. In the corporate world, treasury staff are being given greater responsibility in the area of risk management, and a new and broader approach to risk management is becoming more common: enterprise risk management (ERM).6 ERM involves “identifying, assessing, quantifying, and mitigating the broad range of strategic, operational, financial and other risks confronting the [organization].”7 Another definition is “the culture, capabilities, and practices, integrated with strategy and execution, that organizations rely on to manage risk in creating, preserving, and realizing value.”8 Put in practical terms, this approach to risk management brings financial risks (price risk, interest rate risk, foreign exchange risk) together with nonfinancial risks (business risk, insurance, operating risk, contingency planning) in one framework for one group within the organization to oversee. The possible downside to a too-narrow view of risk is identified by consultant Stephen Baird of Treasury Strategies, Inc.:

While risk compliance is a process of identifying, tracking and mitigating risk … strategic risk management is a process of applying a high-level analytical framework to understand the composition of a company's risk. The former is a tactical approach that misses the connections between risks, addresses risks individually and overlooks some risks entirely. The end result of a successful execution of the latter can be determining the most value-added strategies for accepting, transferring or mitigating risks for an entire enterprise. Treasurers are better equipped than anyone in the organization to develop and apply these frameworks….9

We concur with this view. The ERM framework (Enterprise Risk Management – Integrated Framework) recommended by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), while not mandatory for any business or nonprofit organization, provides new impetus to take a broader view of risk and to integrate it into the strategic management process.10 Treasury Strategies survey data indicates that the most common arrangement for corporate ERM reporting responsibility is to have it housed in the treasury function.

Risk management has two major components:

  1. Loss prevention
  2. Loss control (reduction of loss)

Many nonprofit leaders and managers fail to understand that risk management involves matters of risk associated with their assets. An asset is “the entire property of a person, association, corporation, or estate applicable or subject to the payment of debts.”11 In financial terms, assets are things owned by the organization and reported on the organization's balance sheet. In more general terms, assets are resources or anything that provides value to the organization, whether tangible or intangible. The major types of assets include:

  1. People (employees, members, volunteers, independent contractors, board members)
  2. Property and equipment (monies, property, equipment, technology, trade secrets, goodwill)

When viewing assets in this way, initiatives such as an employee retention program – to retain key employees – become a vital piece to the organization's overall risk management program. Risks include many areas, including property, income, liability, people, reputation and mission, volunteers, governance and fiduciary considerations, client relationships, and collaborations. Researchers who study nonprofit fraud reports, including Archambeault, Webber, and Greenlee, find that fraud incidents and the associated losses negatively impact “the organization's reputation, future funding, and ability to advance its mission.”12 In fact, charity watchdog agency Charity Watch explicitly factors in a nonprofit's “disclosures of material diversion of assets” in its rankings.13 Bear in mind that although disclosure is required as part of the affected nonprofit's Form 990 (Part VI, Question #5), compliance is voluntary and in fact often overlooked.

Exhibit 14.2 presents a checklist for setting up a risk management program. In order to be effective, your organization's risk management program must be proactive. Proactive steps include:

Exhibit 14.2 Checklist for Setting up a Risk Management Program

  1. Acknowledge the critical importance of risk management at the highest level.
  2. Define risk management roles and responsibilities.
  3. Delegate or assign risk management responsibilities and accountabilities.
  4. Incorporate a regular inspection where losses could occur.
  5. Review the organization's risk management program in detail regularly.
  6. Communicate that risk management issues must be considered when evaluating the cost of doing business, including the review of existing and new programs.

For more on these measures, see Herman, Head, Jackson, and Fogarty's Managing Risk in Nonprofit Organizations.14 The CFO has an additional responsibility, one which we give great emphasis to:

  1. Communicate illiquidity risk, the primary financial risk, regularly, accurately, and in terms that staff can understand.

This ongoing focus on illiquidity risk is embedded in the “post-loss goals” of risk management, which include survival, growth, stability of operations, and required financial results.15

The advantages of proactive, enterprise-wide risk management are profiled in Exhibit 14.3. In your involvement in financial decision making, use these to spur strategic, holistic thinking. These items will also bolster your advocacy for integration of risk management in the strategic management process.16 You may wish to set up a risk management board committee or relabel your finance committee to be the finance and risk management committee.

Source: Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management – Integrated Framework Executive Summary (September 2004).

Exhibit 14.3 Advantages of Proactive Enterprise Risk Management

Motivation to do the hard work of risk management comes from the five “whys” of risk management, as identified by Herman, Head, Jackson, and Fogarty:

  1. Asset stewardship. Your organization gains from a stewardship focus a stronger position from which to avert erosion of core assets (property, income, liquid assets, goodwill, human resources).
  2. Achieving public accountability. Every facet of nonprofit management is enhanced when the organization earns a reputation of trust and fidelity as well as prudence in its risk management.
  3. Attracting stakeholders. If an organization is seen as careless or uncaring, it loses support from volunteers, staff, donors and other funders, and the community.
  4. Freeing up resources for mission. Accidental or intentional losses are costly, often more so than preventive measures, and absorb valuable staff time.
  5. Staying true to mission. Any time harm results from a nonprofit's operations or activities, the fallout is detrimental to staff or volunteer focus on mission as well as to the mission-accomplishment image of the organization.17

Finally, Lewis and Cummings enumerate six critical factors to consider as you implement and maintain your organization's ERM system:18

  1. Have a risk management governance structure that includes your organization's risk appetite and a risk policy statement. This should spell out management roles and responsibilities.
  2. Follow a framework (e.g., COSO,19 ISO 3100020), making sure to include a focus on “strategic” risks and objective setting, event identification, and risk response.
  3. Continuously identify risk and the risk event universe through creation of a “risk register.” You can do this by using risk surveys, interviews of board members and management team members; brainstorming; comparing your organization's risks to lists compiled by similar organizations; and focusing on material and realistic risk events;
  4. Develop a risk profile, which includes your organization's risk tolerance, the numerical and/or dollar impact of risk events and which of those take a higher priority for management and board attention, and for each significant risk event, identification of that risk's trigger, consequence, and indicator(s).
  5. Establish risk responses, which includes whether you will accept, share, or avoid the risk; controls and procedures you will implement to mitigate the impact of the risk; a plan for implementing certain response actions; a “what to do in case of emergency” pre-risk event communication plan; another communication plan regarding implementing a risk response; and an external communications plan using social media and public relations as you respond to the risk event in a way that reduces reputational harm.
  6. Develop a risk monitoring and reporting process which includes key risk indicators (KRIs), key performance indicators (KPIs, and reports related to these), and how you will use internal audit (where available) to monitor the risk and its effect on KRIs and KPIs and then report these out to the board, with this whole process done at appropriate time intervals (which are a function of the risk environment in which your organization operates).

(a) WHO IS RESPONSIBLE FOR MANAGING RISK IN THE NONPROFIT ORGANIZATION?  The board of trustees is responsible for setting policy and assigning responsibility for risk management functions in the nonprofit organization. In the event of a loss and subsequent legal exposure resulting from this loss, it is likely that the board could be held accountable for losses if appropriate policies and procedures do not exist. Risk management issues are broad and pertain to paid staff and volunteers as well as to the general public who may be involved with the organization. Risk management is part of the cost of doing business and should not be ignored by the board of trustees.

(i) Board Duties. As responsible leaders, board members:

  • Know the rules in the organization, including by-laws,21 policies, and procedures
  • Understand the risk management process
  • See that organizational policies are communicated and implemented
  • Stay informed about issues such as law (and the two provisions of the Sarbanes-Oxley Act that apply to nonprofits: see below and the discussion in Chapter 5),22 litigation, compliance, ethics, and disclosure

We note particularly the whistleblower provisions of the Sarbanes-Oxley Act, which became law in 2002. Many allegations against nonprofits, mostly related to excessive compensation, self-dealing, and ineffective governance, have come from whistleblower disclosures.23 This fact suggests that your organization, at a minimum, should adopt a whistleblower policy and protection program with these five action points: (1) provide employees multiple avenues to report concerns; (2) establish an ombudsman program; (3) most important, adopt a policy prohibiting retaliation; (4) train managers and supervisors; and (5) take disciplinary action against those who engage in retaliation.24

Sarbanes-Oxley also has record-keeping and official proceedings obstruction provisions that apply to nonprofits:25

Record-keeping:

Section 802 of the Act makes it a crime to knowingly alter, destroy, mutilate, conceal, cover up, falsify or make a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any federal department or agency or any case filed under the federal bankruptcy code. Violators may be fined and/or imprisoned for up to 20 years.

Section 1102 of the Act makes it a crime to “corruptly” alter, destroy, mutilate, or conceal a record, document or other object, or attempt to do so, with the intent to impair the object's integrity or availability for use in an official proceeding. The Act does not define the term “corruptly.” Violators may be fined and/or imprisoned for up to 20 years.

Official proceedings:

Section 1102 of the Act also makes it a crime to otherwise obstruct, influence or impede any official proceeding or attempt to do so. Violators may be fined and/or imprisoned for up to 20 years.

The Independent Sector (IS) modified its Principles for Good Governance and Ethical Practice: A Guide for Charities and Foundations (based on extensive work by the 2014 Independent Sector Ethics and Accountability Advisory Committee) to more carefully address risk management in today's technologically sophisticated environment. Building on our presentation of technology issues in Chapter 13, the additional IS board responsibility regarding “Risk Tolerance & Mitigation in Response to Technology Advances” is stated:26

It is the board's responsibility to decide the level of risk that the organization is comfortable with, including risk regarding its finances, its operations, and its reputation, although there are other areas in which staff are also involved. Updated principles recognize the importance of protecting an organization's data along with its business records, property, program content, integrity, and reputation (Principles #5, 6, & 21). To mitigate risk, an organization should maintain emergency preparedness and disaster response plans; secure and back up data and electronic files; protect against outside manipulation of data; have clear and explicit privacy policies that indicate how data will be used and kept secure; and seek permission to use all individual identifying information (photographs, fingerprints, biometric data, social security numbers, etc.).

(ii) Leadership Sets the Tone. Control cues are the written and unwritten messages sent to an organization by its leadership, management, and staff on what is expected of the entire workforce to safeguard its resources. These messages continually communicate by word and action that the workforce is responsible and accountable for protecting and preserving the organization's assets so that they are available to carry out its mission.

(b) COMMUNICATE RISK MANAGEMENT POLICY.  In order to be meaningful and effective, risk management policies must be communicated to all who have a reasonable need to know or a role to play in adherence to the policy. Traditionally a policy and procedures manual is developed and distributed to accomplish this task. The manual must be kept updated to maintain its relevance and effectiveness. However, a policy and procedures manual is not the only way to effectively communicate policies, roles and responsibilities, and expectations. Another method of communicating that works effectively for the organization is acceptable.

14.2 IDENTIFYING RISK

Your organization's people and property invite and cause risks in several distinct areas. Exhibit 14.4 summarizes some major areas of risk with specific examples.

Exhibit 14.4 Major Areas of Risk

14.3 PRIMARY FINANCIAL RISK: ILLIQUIDITY

We have emphasized throughout this book that managing your organization's liquidity is paramount in your financial management. Further evidence of the effects of your organization's primary financial risk, a situation called “illiquidity” – that of not having enough liquidity – is provided by the New York City Nonprofit Executive Outlook Survey (see Exhibit 14.5), which dealt with organization responses in the first few years of the new millennium. Quoting the study's authors, Jack Krauskopf and Gregg Van Ryzin: “More than 60 percent of the [surveyed] agencies have had to close programs, and nearly as many have laid off staff. Overwhelmingly, these reductions are due to financial stress, rather than to strategic choices they have made.”27 Poor cash flow management and underfunded agencies are more characteristic of the nonprofit sector than many recognize.

Illustration of financial problems and the effects on mission achievement.

Note: The question asked was “In the past few years has your organization …”

Source: Jack Krauskopf and Gregg Van Ryzin, New York City Nonprofit Executive Outlook Survey (New York: Baruch College, School of Public Affairs Nonprofit Group and Survey Research Unit, Spring 2005). Used by permission.

Exhibit 14.5 Financial Problems and Effects on Mission Achievement

By regularly communicating the need for a liquidity target, degree of achievement of the target, and how achievement or maintenance of that target strengthens the organization, the CFO or board treasurer enables a greater degree of understanding and buy-in for this objective. Furthermore, nonprofits are beginning to use derivatives to better manage interest expense and the risk of higher interest expense as well as price risk and foreign currency risk. See Appendix 14A for a derivatives checklist, and Appendix 14B for a case study on how to handle foreign currency risk without the use of derivatives.

14.4 LEGAL ENVIRONMENT

(a) SARBANES-OXLEY IN THE NONPROFIT SECTOR.  Elsewhere, we have noted that Sarbanes-Oxley legislation has brought new impetus to governance and control issues. We simply note there that 97 percent of surveyed nonprofits believe corporate governance reforms have impacted their organizations already and that many of these organizations are already implementing such reforms in advance of possible federal or state extensions of such reforms to the nonprofit sector.28

(b) ETHICAL CONSIDERATIONS.  At a minimum, your organization should have a code of ethics that is known by appropriate parties, emphasized by the executive director/chief executive officer (ED/CEO) and the board, and enforced by top management and the board. A model that some organizations have used is the Financial Executives' Institute Code of Ethics, shown in Exhibit 14.6. Refer back to Chapter 4, Section 4.4, for more on ethics.

Source: Financial Executives Institute (FEI). Available online at: https://www.financialexecutives.org/getattachment/Become-a-Member/join/FEI-Code-of-Ethics.pdf.aspx. Accessed: 8/1/17. Used by permission.

Exhibit 14.6 FEI Code of Ethics

(c) RELEVANT AGENCY AND REGULATORY RULES.  One agency you will definitely want to stay on good terms with is the IRS. Unless specifically exempted due to size29 or religious nature, your organization will want to stay up-to-date regarding your annual “information” return as well as unrelated business income tax, if relevant.30 Furthermore, your organization will be responsible to remit taxes if it has employees.31 Remitting employee withholding tax on wages and salaries paid is a serious matter with punitive consequences if overlooked.32 Correctly classifying your employees (whether they are truly employees or independent contractors) has potential tax withholding and payment ramifications.33

Another item sometimes overlooked by nonprofits is the relevant federal, state, and local regulatory or agency requirement for a particular process. Minimum wages, overtime pay, and whether your organization would be expected to pay an intern34 are all examples of potential landmines. Another example: If you are doing business with the federal government, be aware of the raft of regulations related to cash management.35

At the state level, there also may be requirements regarding having outside audits or reviews done of your financial statements. At the time of this writing, 18 states “require a charitable organization that solicits contributions in the state to submit a copy of an independent audit report or a certified review of financial reports annually if it meets certain financial criteria. The budget thresholds for audit requirements vary substantially.”36

14.5 SAFEGUARDING PEOPLE

A nonprofit organization's most valuable asset is the people who contribute resources (service and monies) in support of its mission. The staff and volunteers in your organization perform these needed activities and tasks, and both groups use and develop resources.

First and foremost, you must provide a safe working environment for your staff and volunteers, regardless of whether work is performed onsite, at your organization's offices, in the field, in a donor's home, or in the staff or volunteer's residence or place of business. While you cannot completely safeguard your staff and volunteers outside your organization's place of business, you may be at risk if you are aware of a potential hazard and do not take action to protect the individual from harm.

(a) TOOLS FOR EFFECTIVE HUMAN RESOURCE MANAGEMENT.  An ongoing trend regarding liability for nonprofit organizations is related to employment practices liability.37 Job descriptions, background checks, and notification that bonding is required for finance-related positions are all helpful in reducing the potential for litigation and unfavorable judgments.

(i) Job Descriptions. Job descriptions include the tasks, duties, and responsibilities of a job, along with the minimum education, experience, and skills necessary for the job. They also include the job title, location, whether exempt or nonexempt (for Fair Labor Standards Act classification purposes, with overtime pay implications), position summary, and working conditions (including hazards). Be prepared to defend any education, experience, abilities, and skill requirements you have included.

(ii) Background Checks. More and more organizations are conducting background checks for employees and even volunteers. One form of background check is a criminal history record check. Not only are criminal checks being done as a screening device for positions having significant direct contact with children or clients who might be considered vulnerable38 (often checked by a third party, with prior consent by the potential employee or volunteer), but for financial positions a credit record check is often conducted as well. Applicants should have an opportunity to challenge the accuracy of information you receive, in that errors may occur in criminal history records and credit histories. Also, do not misuse or negligently handle (e.g., be careful to not accidentally disclose negative items) any information you receive, as you and/or your organization could then be susceptible to civil or criminal penalties.

(iii) Bonding. Bonding is a precaution that a nonprofit organization should consider in its corporate stewardship. Bonding buys insurance on those handling money for the organization and ensures to its constituency that the finances are being handled properly.

Some nonprofit organizations are reluctant to bond money handlers, in the belief that it questions the integrity of the people involved. Unfortunately, irregularities in the handling of money in nonprofits occur often enough that this potential cannot be ignored. Whether or not the money handlers are bonded, the organization should safeguard its money and money handlers by engaging an auditor to conduct an annual audit. There is a wide variety of bonding patterns. In some instances the individual is bonded; in others the position is bonded, so that a change in personnel does not affect coverage. Group bonds cover everyone who handles the money.

Costs of bonding vary widely, depending on the number of individuals involved and the amount of money handled. The insurance carrier for the organization is the best source to begin the process of determining how to meet its bonding needs. We believe that the cost is very reasonable relative to the protection such as policy provides. In some nonprofit arenas, specialized providers offer tailored policies at attractive rates.

(b) PHYSICAL AND EMOTIONAL SAFETY

  1. Your facilities (electrical, plumbing, fire sprinklers, etc.) should comply with standard codes for your region. Adherence to Americans with Disabilities Act (ADA) regulations regarding handicap access is vitally important.
  2. Doorways and fire exits should be kept clear and accessible.
  3. If crime (e.g., assault or theft) is prevalent in your locale, doors should be locked after hours, and individuals should be escorted to parking structures or accompanied to their transportation sites.
  4. Emergency service numbers, such as 911 stickers, should be placed on telephones.
  5. Basic safety procedures, such as what to do in an emergency, should be included in your staff and volunteer orientation materials.
  6. If staff or volunteers use vehicles to conduct work (other than traveling to and from their work site), you need to ensure that they have a good driving record, have up-to-date insurance coverage, and understand their responsibilities with respect to chauffeuring others in their own or company vehicles.
  7. If staff or volunteers need to move heavy items, such as furniture, inventory, or stock, these individuals need to be provided with safe lifting instructions, lift belts, and proper tools, such as ladders and hand trucks.

With regard to emotional safety:

  1. Employee workplace guidelines specific to sexual harassment should be distributed to all individuals and supervisors, and managers should receive training on how to recognize a potential harassment situation and what steps or actions to take if it does occur. Employees should sign documents indicating what training was received and when it was received. (The latter documents are vital in any case in which the organization is sued in determining whether it is liable.)
  2. Staff and volunteers should be instructed on how and to whom to report a potentially harmful situation if a supervisor or manager creates unnecessary stress for their subordinates.
  3. When considering expansion, growth, or organizational changes of any kind, the risk, stress, or burden on the staff and volunteers should be appropriately evaluated as one of the costs of the change.

(c) PROTECTING THE ORGANIZATION FROM LAWSUITS AND GRIEVANCES.  The most obvious way to prevent lawsuits and employee grievances is to comply with all laws, regulations, and policies that pertain to your region and organization. In addition to protecting the organization from lawsuits and grievances, you need to ensure that your staff and volunteers are protected. Going beyond the letter of the law to ensure ethical behavior is only wise.

(d) DEALING WITH DIFFICULT OR PROBLEM EMPLOYEES.  Regardless of how careful the organization may be in the selection process for hiring new employees (“hire hard, manage easy” is a sound approach for recruitment and selection), eventually it may be faced with terminating a problem employee who does not perform up to standard. To avoid financial risk to the organization, these actions should be taken:

  1. Each employee has an up-to-date and accurate job description detailing his or her work assignments and responsibilities.
  2. Periodic evaluations should be performed, using only the tasks and assignments on the job description as criteria for evaluating employee performance.
  3. Once a problem employee is identified, the supervisor must document in writing all conversations, meetings, job complaints, assignments, errors, omissions, or violations of policy; discuss them with the employee and have the employee sign them; and maintain copies of these documents in the employee's personnel file.
  4. The first step to termination is a counseling session to notify the employee that his or her performance is not satisfactory. Reasonable steps to provide additional assistance or training, areas to improve, and other specific information should be discussed with the employee, and a written document detailing the discussion – signed by the employee – should be given to him or her, with a copy maintained in the personnel file. If termination appears to be imminent, a time period (or deadline) within which the employee's performance must be up to standard should be predetermined and discussed with him or her. Interim sessions to monitor progress, or lack of progress, should be conducted and documented.
  5. The decision on whether to terminate or ask the employee to resign should be evaluated carefully. Very often problem employees are willing to resign if offered an attractive severance package. The costs of the severance package should be evaluated and compared against the potential risk of lawsuit or grievance, as well as the increase in state unemployment insurance (or reimbursement to the state fund if the nonprofit does not participate in the state program) if the employee is terminated. Often tensions become high when an employee needs to be separated from the organization. The decision to fire someone may seem warranted but may not be the most appropriate action for the organization. In many cases, there will be less of a financial burden and risk to the organization if the employee is willing to resign as opposed to being terminated.
  6. Employees can be terminated (fired) only for cause. Separating an employee for lack of work, lack of funds, or change in mission or responsibilities is not considered “termination for cause.” This is generally referred to as a “layoff” and will have a financial impact in the form of workers' compensation increases. When a layoff is performed, the only criteria that may be used are seniority, job title or description, employee skills, and how critical the person's job or responsibilities are to the organization. Performance or specific salary level cannot be used as the reason for selecting one employee over another for layoff. If an employee is laid off out of order of seniority, it is critical that you document legitimate and legal reasons for performing a layoff in this manner.

(e) GROUNDS FOR IMMEDIATE TERMINATION.  There are instances where it is necessary to remove an employee immediately. Labor relations laws vary from state to state, and a lawyer specializing in human resources issues should be consulted regarding the legality of the termination before any decision is finalized. Generally, the following are grounds for immediate termination when the employee places the organization, its staff, or its volunteers at substantial risk:

  1. Theft or fraud
  2. Threatening or lewd behavior (sexual harassment) in the workplace
  3. Lying about use of sick leave
  4. Racial, ethnic, gender, age, or religious discrimination
  5. Using illegal drugs or other illegal substances in the workplace
  6. Bringing weapons and other dangerous or hazardous items into the workplace

Even with the severity of the examples just listed and the assumption that “everyone should know they cannot do this stuff at work,” it is important to document in your personnel policies those behaviors or actions that will warrant immediate termination. It is essential that all new employees receive training on what constitutes sexual harassment and sign a document indicating that they have received this training. Employees in supervisory and recruitment or selection roles should also receive training on ADA-related issues.

Many companies place employees on “investigatory leave” (leave without pay) if allegations of any of the listed activities are suspected. This benefits the organization by removing the employee from the workplace immediately and providing it with time to investigate and confirm the allegations prior to the completion of the actual separation. If it is determined later that the employee was falsely accused, back wages can be paid and the employee can be restored to his or her position. Again, policies and procedures for placing employees on investigatory leave should be documented in the organization's personnel policies, with copies provided to all employees when hired.

(f) COMPENSATION.  The intangible rewards of working in a nonprofit environment enable organizations to hire qualified individuals who are dedicated to the mission of the organization at wages below the industry or local average for the region. Taking advantage of this situation can greatly aid the organization in keeping its employee compensation rates down; however, there may be hidden costs in using this practice recklessly or assuming that employees will work indefinitely for low wages. These costs include:

  1. Eventually, even the most dedicated employee will succumb to offers for better wages. High employee turnover reduces productivity and creates an unstable image in the eyes of donors and a general sense of unease and instability with other staff and volunteers.
  2. Ineffective or unqualified staff or volunteers use resources. Often one highly qualified individual can perform the task of several underqualified staff and lower the overall cost to the organization. In addition, productive staff and volunteers may lose morale if unproductive staff and volunteers are allowed to remain with the organization.
  3. A low-paid development staff or director may be less effective at raising money than a higher-paid individual. The net effect to the organization will be a decrease in overall resources: “Penny wise and pound foolish.”
  4. Specifically in the financial arena, a highly qualified individual may be able to forecast and manipulate resources in a way that greatly benefits the organization and protects it from loss, while a lesser-qualified individual may be careless and less savvy in managing resources. We note that reliance for financial management on someone with training only in accounting leaves important treasury management and risk management issues undermanaged.
  5. You may wish to consider pay for performance, a practice that is spreading to many nonprofit organizations. This merit-based pay is seen as more fair by productive employees, who are discouraged when seeing less productive employees get the same pay or pay raise as they get.

(g) PERSONAL USE OF ORGANIZATIONAL RESOURCES.  Unless there are specific policies and active monitoring of resource use in your organization, a substantial loss can result from the personal use of resources by volunteers or staff in the following ways:

  • Phone/smartphone
  • Photocopying equipment
  • Tablet, laptop, desktop computers (much time theft due to browsing the Internet)
  • Office supplies (paper, pens, etc.)

While all of us at one time or another have accidentally placed a pen or pencil belonging to another in our purse or pocket, this practice is theft if done consciously. If your organization has a policy prohibiting its resources from being used for personal use, then staff and volunteers need to be reprimanded when minor infractions, such as those listed, occur. Many organizations adopt a policy that allows staff and volunteers to use organizational resources as long as it does not become excessive (e.g., using the phone to call home, the copier to copy an occasional legal document, the fax machine to send an important document). The difficulty of this type of policy is the definition of excessive may vary for each individual. One employee who lives close to his or her worksite and calls home during breaks may not incur a significant cost in long distance charges to the organization; however, another employee who lives much farther away and does the same may result, over time, in a significant cost to the organization. It is important for limits to be established that do not discriminate from one employee to the next. If a policy places a $5 maximum on personal telephone calls per month as opposed to a time limit for personal use, it may be interpreted as unfairly penalizing one employee. It is important to remember that the organization is not required to allow any of its resources to be used for personal use.

(h) CONFLICT OF INTEREST.  A conflict of interest may exist when a decision is made that may personally benefit a board member, an employee, or a volunteer. For example, a staff member may have a spouse who works for a travel agency. Using that particular travel agency may be viewed by potential donors or auditors as unfair. However, if the travel agent agreed to reduce travel expenses by 5 percent, the decision to use this particular vendor might be the most financially advantageous to the organization. Similar scenarios may occur when a board member, staff member, or nonboard volunteer is related to a banker, investment agent, insurance agent, or lawyer.

A potential conflict of interest does not mean that the organization cannot do business with friends or family of its staff or volunteers. It is critical in these circumstances to have full disclosure of the connection to this particular individual and to have someone or a committee other than the individual who may benefit make the final determination. The committee member with the conflict of interest may “recuse” himself/herself from the deliberations and vote involving purchasing, borrowing, or placement of funds.

Development of and compliance with a carefully drafted conflict-of-interest policy will lessen the financial risk to the organization as well as reduce the appearance of impropriety with respect to donors. Refer to Chapter 5 regarding such a policy.

(i) GETTING THE MOST “BANG FOR YOUR BUCK”.  If the organization is not utilizing a resource to its fullest potential or purpose, the organization is actually wasting it. If staff or volunteers have special skills and abilities that are not being utilized, if they are not mentored properly to work to their fullest potential, or if they are not trained or given sufficient flexibility to perform their tasks or responsibilities, your organization is wasting resources. In addition, if staff or volunteers are performing unsatisfactorily, they are consuming resources. Your organization should also consider the human resource management function itself: Should some or all of it be outsourced? Benefits administration, payroll administration, and selection/recruitment are commonly outsourced by organizations of many sizes.39 Some surveyed nonprofits prefer to limit outsourcing to payroll and bookkeeping and perhaps IT.40

(j) STAFF AND VOLUNTEERS – WHAT MOTIVATES THEM?  Three qualities of all productive staff and volunteers are listed in Exhibit 14.7. We would add, in the commitment section, that a spiritual commitment is typically seen in employees and volunteers in faith-based organizations.

  1. Commitment
    • To their work
    • To their constituents
    • To their customers
    • To their community
    • To themselves
  2. Competence
    • In their work
    • In their relationships with other staff and volunteers
    • In dealing with donors
  3. Clarity
    • About their roles and responsibilities
    • About the purpose of the organization and its mission

As discussed earlier, salaries paid to employees in nonprofit organizations are often below for-profit levels. This means that individuals accept positions with nonprofits because there are motivating factors beyond income. One expert, David Mason, calls nonprofits “values-expressive organizations,” and economist Estelle James has documented that workers take below-market wages to dedicate themselves to cause-related nonprofits. This commitment to the organization should be recognized and, wherever possible, acknowledged and rewarded in nonfinancial ways. Exhibit 14.8 demonstrates that pay issues were the single most significant problem faced by most New York City nonprofits. Respondents were asked: “How much of a problem if at all are the following human resource issues for your organization?”

Bar chart for major human resources issues faced by NYC nonprofits.

Source: Jack Krauskopf and Gregg Van Ryzin, New York City Nonprofit Executive Outlook Survey (New York: Baruch College, School of Public Affairs Nonprofit Group and Survey Research Unit, Spring 2005). Used by permission.

Exhibit 14.8 Major Human Resources Issues Faced by NYC Nonprofits

On the negative side, it is also reasonable to assume that some individuals will gravitate toward positions with nonprofits that pay lower wages because they believe the workload and expectations will be lower, commensurate with the pay scales. Thus, an individual's commitment to the organization should be evaluated on a case-by-case basis. It should never be assumed that a willingness to work for lower pay constitutes a high degree of commitment to the organization.

Paying someone below-market wages does not necessarily mean that you will have substandard employees. If wages were the only motivating factor in a person's decision to accept or remain in a position, individuals would change jobs much more frequently, as offers for higher pay were offered. In each position, a staff or volunteer also evaluates the intangible rewards:

  • Sense of community, relationships with coworkers and friends
  • The mission and goals of the organization
  • Logistical factors (e.g., proximity from home to workplace)
  • Educational or learning opportunities
  • Working hours
  • Access to other individuals and community (e.g., a museum attracting aspiring artists or a library attracting aspiring writers)
  • Feeling of pride and receipt of praise and attention for their efforts
  • Flextime
  • Telecommuting

Beyond the intangible rewards, individuals also evaluate the tangible rewards that nonprofits can offer:

  • Benefits (vacation, sick leave, health insurance)
  • Discounts or “freebies” (e.g., educational discounts; mentoring opportunities; ability to attend performances, screenings, or presentations at little or no cost)

It is important to remember that each individual has his or her own set of motivators for doing good work:

  • Praise
  • Recognition
  • Promotion of a valued cause or belief system
  • Flexibility
  • Autonomy
  • Criticism
  • Consistency
  • Personal growth
  • Benefits
  • Money
  • Safety
  • Proximity to home or family/children

(k) WHAT QUALITIES SHOULD LEADERSHIP POSSESS?  Supervisors, managers, and board members must have the qualities, motivators, and skills of all staff and volunteers, as well as concern and connectivity.

(i) Concern. Managers and board members should show concern for the staff and volunteers, donors, community, the integrity of the workplace, and the success and failure of the organization.

(ii) Connectivity. To the infrastructure of the community (global and local), both nontechnological and technological, it is the responsibility of leadership to:

  1. Set vision
  2. Establish goals and priorities, including financial objectives
  3. Motivate and mentor staff, volunteers, donors, and community
  4. Establish a personality/culture for the workplace
  5. Foster integrity
  6. Demonstrate support for ethical standards, rules, laws, fiduciary responsibility, and compliance

14.6 DIRECTORS' AND OFFICERS' LIABILITY

A major concern of nonprofit boards is the unprecedented liability exposure faced by their directors and officers. A significant rise in the number of liability suits and in insurance costs has made it increasingly difficult for officers and directors to protect themselves. This situation affects the quality of governance and leadership that nonprofit organizations can attract.41

(a) METHODS BY WHICH BOARDS CAN PROTECT THEMSELVES.  These are the main risk areas boards face:

  1. Not exercising due diligence when recruiting/selecting board members
  2. Not enforcing term limits (if they exist)
  3. Not properly recording board actions/decisions in the board minutes
  4. Not giving comprehensive new board member orientations
  5. Not requiring or enforcing board member performance expectations (e.g., attending a specific number of meetings over a particular period of time)
  6. Not providing board members with the requisite data and background information for informed decisions42

It is critical for the nonprofit organization to review its liability coverage for directors and officers and make the required adjustments, if the organization is underprotected. One caution: Insurance companies have very specialized directors and officers (“D&O”) policies, so check them carefully to see that they include (1) a requirement to advance defense costs, (2) a broad definition of who is insured (including the organization itself along with any natural person who “was, is or becomes a director, trustee, officer, employee, committee member, or volunteer” in the organization), and (3) broad coverage of employment practices liability (including harassment wrongful termination, and discrimination related to state law and federal laws including Title VII and the Americans with Disabilities Act).43 Along with obtaining and acting on the liability insurance information, a board can take other actions to protect itself and limit its liability and risk. They include:

  1. Ensure board minutes are complete and accurate.
  2. Engage paid legal counsel.
  3. Expand management information.
  4. Review organizational policies.
  5. Formulate conflict-of-interest policy.
  6. Add and/or recruit new board members to include specific expertise.
  7. Form new board committees.
  8. Bring in outside experts.
  9. Strengthen the finance committee.
  10. Strengthen legal expertise.
  11. Strengthen insurance expertise.
  12. Strengthen audit and accounting expertise.44

(b) CONFLICTS OF INTEREST.  Consider various professionals who may hold membership on your board. A banker who tries to steer the organization's lending to his or her organization, a lawyer who insists that his or her law firm do all the organization's legal work, an insurance agent getting all of the organization's insurance business without any other agency getting to bid, and similar situations all comprise potential conflicts of interest. It is essential to have arm's-length transactions, to have a carefully spelled-out conflict-of-interest policy, and to make sure that any apparent conflicts of interest are approved by the full board with adequate disclosure regarding the precautions taken and reasoning behind the decisions made.

(c) EXECUTIVE PAY.  Excessive compensation is another hot-button issue to be wary about in your organization. Make sure you find out comparable pay for an ED/CEO in like organizations, and include these data in your board discussions and minutes.45

(d) DUTIES OF CARE, LOYALTY, AND OBEDIENCE.  The three duties that a board should always exercise are care (conducting organizational affairs with competence), loyalty (putting organizational interests above selfish interests), and obedience (adherence to the organization's mission and values in decision making). Prudence, careful decision making, gathering and using facts and data, and paying attention to the organization's financial situation are ways in which these duties are exercised.

14.7 SAFEGUARDING YOUR FINANCIAL AND PHYSICAL ASSETS

(a) INSURANCE.  Insurance does not mitigate all risk management issues in your organization. Some of the reasons are:

  1. Insurance does not cover every risk.
  2. Coverage may be limited.
  3. Claims today may raise premiums tomorrow.
  4. Claims may be rejected if negligence is discovered by the insurance company.

In recent years, insurance premiums have made insurance less affordable for many nonprofits. The New York City Nonprofit Executive Outlook Survey quoted earlier found that some of the biggest cost increases incurred by nonprofits were in the area of insurance, as noted in Exhibit 14.9.

Illustration of five-year price changes experienced by NYC nonprofits.

Source: Jack Krauskopf and Gregg Van Ryzin, New York City Nonprofit Executive Outlook Survey (New York: Baruch College, School of Public Affairs Nonprofit Group and Survey Research Unit, Spring 2005). Used by permission.

Exhibit 14.9 Five-Year Price Changes Experienced by NYC Nonprofits

Risks to an organization can be reduced, but they cannot be eliminated. Fires, floods, thefts, property damage, and earthquakes will occur despite the best efforts of your organization in the area of risk management.

Know what the insurance choices are and why the organization has made them. Exhibit 14.10 presents a checklist of factors to consider when choosing insurance.

Exhibit 14.10 Checklist of Factors to Consider When Choosing Insurance

In general, you should know the limitations and exclusions of policies and perform periodic reviews of coverage to verify that they are up-to-date for claims and losses in your region.

Trends for nonprofit liability insurance include: higher limits purchased by some nonprofits ($2 million or more), and coverage for:

  1. Punitive damages
  2. Defense expenses beyond policy limits
  3. Independent contractor claims
  4. Third party or leased employee claims
  5. Fiduciary duties
  6. Employee Retirement Income Security Act of 1974 (ERISA) compliance-related claims
  7. Excess benefits claims46

Also, consider pooled insurance groups, such as the of Nonprofits Insurance Alliance Group (insurancefornonprofits.org), which at the time of this writing serves over 16,000 nonprofits and operates in 32 states and the District of Columbia.

(b) RISK RETENTION VERSUS RISK TRANSFER.  Risk retention means just what it says: Your organization either pays a certain portion of each loss or for specific types of losses. This may be done with “funded loss reserves,” which are established based on likelihood of future losses. Risk transfer involves either having insurers bear some of the financial results from losses or having other parties absorb losses (as in hold-harmless agreements and indemnification agreements).47 Your organization must determine to what degree it can retain losses and how it will finance those losses, or transfer the risks it faces. Even if you transfer risk to an insurer, will you purchase as much insurance as you can afford, or merely have catastrophic exposures and losses covered by the policy?

(c) INTERNAL CONTROLS.  Occupational fraud strikes nonprofits in significant ways: In 2016, there were 52 cases of fraud with a median loss per incident of $82,000 in religious, charitable, or social service organizations, and check tampering, skimming, and expense reimbursement fraud schemes were seen in higher numbers by these organizations.48 Almost one-half of the nonprofit cases in one year's fraud schemes were billing schemes, which may be largely prevented or caught more quickly by having the proper internal controls. Board responsibility for internal controls in a nutshell includes: “Board members should establish clear policies to protect the organization's financial assets and ensure that the organization has strong internal controls that ensure no one person bears the sole responsibility for receiving, depositing, and spending its funds.”49

In the broadest sense, internal controls include a large number of systems and business practices combined that, when observed, protect the assets of the organization and thereby reduce the risks associated with loss of resources.

Six important elements of an internal control system are:

  1. Setting the tone through leadership (control cues)
  2. Communicating the policy
  3. Segregating the duties
  4. Keeping records
  5. Preparing and monitoring budgets
  6. Reporting to all stakeholders

Taken together, these policies outline the acceptable boundaries for fiscal decisions, govern the way resources are allocated, provide information for evaluation, and define the processes to be used in carrying out the organization's mission. The annual fraud study conducted by the Association of Certified Fraud Examiners finds: “The most prominent organizational weakness that contributed to the frauds in our study was a lack of internal controls, which was cited in 29.3% of cases, followed by an override of existing internal controls, which contributed to just over 20% of cases.”50 Smaller organizations were “especially vulnerable to check tampering, skimming, payroll, and cash larceny” – these schemes were twice as common in small organizations.51

(d) FUNDRAISING.

(i) Charitable Solicitations. Be careful not to take undue risk when raising money from donors. The Nonprofit Risk Management Center notes five risks:

  1. Aggravating a donor by violating his or her privacy
  2. Accepting a donation from an individual or organization you don't want associated with your charity, or returning/refusing a donation for the same reason
  3. Projecting donations during extreme fluctuations in the economy or stock market
  4. Valuing and handling bequests inappropriately
  5. Not conducting due diligence on donated property and valuing the benefits and costs of such donations52

Also, be aware of each state's charitable solicitations law, as well as all federal regulations.

(ii) Philosophy and Practice. Before delving into the philosophy and practice of fundraising, we note that in general, there are two types of funding:

  1. Unrestricted funds. These funds may be used at the discretion of the board (or a particular individual within the organization). Unrestricted funds are commonly received as a result of an annual campaign or other general fundraising effort. It is critical for a nonprofit to have a portion of its funding in unrestricted funds. This gives the board the flexibility to direct funds and efforts toward the greatest need.
  2. Restricted funds. These funds must be used for a specific purpose or project.

Much of restricted funds are received through government contracts or grants, but restricted funds may also be received from donors or foundations.

It is not uncommon for many funding types to fall somewhere between these two definitions. The key managerial requirement is to ensure that all restrictions are honored, whether time restrictions (such as “may not be used until” a certain year) or purpose restrictions. There are also ethical aspects to fundraising, as we noted in our Chapter 5 presentation on ethics. A fundraising philosophy or policy is helpful.53

(e) HOW TO BEGIN THE FINANCIAL ASSESSMENT PROCESS.  Your organization should have an annual financial audit, or if that is not cost-effective, at least a compilation or review (see Chapters 5 and 6). An organization with no history of having an external review of its financial records may want to begin with a compilation and move to a review and audit in the future. If the organization is unable to afford the costs associated with an external review of the entire financial program, it has the option to engage the external examination on important specific parts of the financial statement or program. Examples of specific external examinations to be considered, if a full examination is not possible, are:

  1. Review policies and procedures manual for completeness, accuracy, and availability
  2. Perform a proof of cash on one, some, or all of the bank accounts of the organization
  3. Scan canceled checks and debit entries accompanying the bank statement for any unusual payees or endorsements
  4. Confirm contributions made by donors
  5. Confirm loan balances with lenders
  6. Confirm all payments made during a specific period with some or all vendors
  7. Compare annual operating budget to operating expenses, and analyze variances
  8. Inquire as to how transactions are processed (e.g., deposits made, bills approved and paid) to ensure proper system of internal controls and detect errors
  9. Perform a financial or management review of a specific program
  10. Perform an examination to determine the accuracy of inventory
  11. Check for control of petty cash funds
  12. Check savings accounts for amounts, interest, and conditions
  13. Check to determine if designated (restricted) funds are used only for the purpose the board designated (donors contributed, grantors funded)
  14. Investigate checks or other debit entries outstanding for more than 30 days
  15. Review all bank account reconciliations for timeliness and accuracy
  16. Examine payroll records to ensure compliance with government regulations related to payroll, payroll taxes, income taxes, and so on
  17. Account for all checks used and all debit entries made to the account
  18. If purchasing cards or travel/entertainment cards are issued, review statements promptly and isolate and resolve questionable entries
  19. Ensure spending limits are not violated on debit or credit cards

(i) Due Diligence – Compliance with Policies, Procedures, and Guidelines. Documenting your policies and procedures is the first step in managing your risks and establishing a willingness to follow proper business practices. The next step is to verify that, at all times, policies and procedures are being followed.

During an audit of your financial statements, the benchmark used (beyond that of acceptable business practices) is the organization's own policies. Failure to comply with existing organizational rules can cause the most harm.

In the event of a lawsuit or a dispute, the organization's proof of compliance and an opinion by the courts are arbitrators of whether the company showed due diligence with respect to laws, guidelines, regulations, policies, and procedures. To verify that adherence to these documents, a periodic internal review of procedures should be conducted, and the resulting reports or documentation should be presented for review to the board of trustees.

(ii) Solutions: To Reduce Risk and Stay Out of Court.

  1. Education
    • New resources
  2. Training
  3. Adequate insurance coverage
  4. Loss-prevention programming
    • Videos (including Web-based clips)
    • Books
    • Consultants
  5. Conflict resolution
  6. Training
  7. Arbitration

(iii) Disaster Preparedness and Business Continuity Planning. Is the organization prepared in the event of a disaster? Business continuity planning helps an organization to “develop and document the policies, procedures, activities and protocols necessary to resume essential business operations immediately following a business interruption, no matter the cause.”54 A classic example of such planning is the ability of a charitable foundation that had an office in the World Trade Center to restart operations following the terrorist attacks in 2001.55 Regardless of whether the organization has liability coverage for such disasters, important documents, records, and other properties need to be protected. While an insurance company may pay for the cost of computers and other office equipment lost in a fire, it cannot restore the data or other vital informational assets lost during the disaster. Liability insurance will not provide the protection from loss of trade secrets, data, contacts, or other business information used by the organization on a day-to-day basis.

To be disaster-prepared, your organization needs to determine which items or information are needed to continue to be a viable operation after the disaster. These items should be replicated, copied, vaulted, or whatever action is necessary to assure that they will be available after a disaster. The manner in which these items and information are protected depends greatly on the type of disaster. The region may have specific types of natural disasters that are not common in other areas. For example, earthquakes are prevalent in the western United States. The aftereffects of earthquakes may include fire as well as access difficulties to the original premises. Offsite backups of items and information are necessary in earthquake regions. In the midwestern United States, floods, fires, and tornadoes are more threatening disasters. Storm shelters and fire- and flood-resistant vault storage are necessary to protect items in these regions (see Exhibit 14.11). Other causes of operation disruption are riots, police action, computer ransomware, virus or worm infestation (see Chapter 13), workplace violence, fire, loss of electrical power, corruption of financial or donor databases, loss of critical funding stream (hence the need for the liquidity reserve), bomb threat, and loss of key staff or executive team members.56 Put yourself in the shoes of staff, clients, and donors: How would they view your organization if it was closed for several weeks, and they had no way of contacting you or others at the organization?

Exhibit 14.11 Basic Disaster Preparedness

Your insurance company can be a valuable ally in disaster preparedness. Most insurance companies can provide general guidelines for dealing with and preparing for emergencies in your region.

14.8 RISK MANAGEMENT AND HUMAN RESOURCE MANAGEMENT PRACTICES

If your nonprofit is typical, it faces one or more of these common human resource management challenges: relatively small staff size (most nonprofits have six or fewer employees), employee turnover, and volunteer recruitment. These issues make it difficult to manage and conduct programming, and they also contribute to internal control challenges for our organizations.

Abila conducts finance studies each year, and in one of those studies it dialed down to fraud prevalence and vulnerability in nonprofits. The findings are based on a survey of over 400 nonprofit finance professionals. In Exhibit 14.12 we see several fascinating findings regarding internal controls in practice.

  1. 46 percent of all survey respondents indicate their organization would not be prepared if a key finance person was to leave the organization.
  2. 82 percent of survey respondents say their processes are well documented.
  3. Organizations are very aware of issues that lead to fraud, and implement measures that help reduce the likelihood of fraud: Fully 91 percent of organizations nearly always or usually separate financial duties (especially in larger organizations, and finance departments in particular), but concerning is the fact that 5 percent usually do not separate duties, 3 percent almost never separate duties, and 1 percent do not know if financial duties are separated.
  4. While 59 percent put “very much effort” into preventing fraud, 35 percent put “some effort,” 4 percent put “minor effort,” 1 percent put “no real effort,” and 1 percent do not know if any effort is put into preventing fraud at their organizations.
  5. Not shown in the graphic but of interest to us is why a few organizations “failed an audit”: the reasons given were “bad documentation,” “ignorance of requirements,” and “confusion/mistaken assumptions about requirements.”

Perhaps most disconcerting is the prevalence of insider fraud at nonprofits and businesses. Four common mistakes allow “insider fraud,” in which current or former employees perpetrate the fraud: no financial oversight, improper reconciliation controls, inadequate bank account management protocols, and easily obtained passwords. Insider fraud may account for one-third of the fraud committed against organizations. Too much power is given to the treasurer or financial officer, allowing this individual to siphon your organization's funds to his or her personal accounts and then forge or falsify documents to avoid detection. Four proactive measures have been found to help reduce the amount of insider fraud:57

  1. Begin or enhance financial oversight. Do not allow one person to initiative, approve, reconcile, or cancel payment-related activity. Have one employee initiate a payment and another employee approve it.
  2. Implement proper reconciliation controls. Avoid manual reconciliation processing, purchase reconciliation software if possible, have a third party reconcile accounts if possible (verifying transaction amounts and destinations), and avoid partial reconciliation of accounts or too-infrequent reconciliation of accounts (one school district waited 12 years to reconcile some its accounts, and lost $19 million in a multiyear fraud).
  3. Improve bank account management protocols. Especially for larger organizations that have multiple accounts and multiple signers, it is essential that the bank account management system be immediately updated when a signer leaves the organization (fraudsters such as someone currently working in your treasury area may use credentials of your former employees to wire transfer funds – and the fraudster could be the only one responsible for updating the system).
  4. Make sure passwords are not easily obtained. Fraudsters can often access the authorized employees' passwords when they are in a file cabinet, under a PC keyboard, or in a notebook on their desk; there may be a nearby, easily found USB or key fob that is used to access the payment system. Instead, have the authorized employees store these in their phones or in a locked file cabinet.

In the faith-based sector, ECFA's Nonprofit Financial Management Survey provides the following evidence on internal controls and its effectiveness:58

  1. Over 60 percent of the organizations formally review fraud prevention procedures and checklists at least annually.
  2. Almost 80 percent of the respondents have a written whistleblower policy.
  3. CFOs rated their effectiveness the highest on financial reports (4.24) and internal controls (4.23), on a scale of 1 to 5 (5 being the highest).

We have given much attention in this chapter to ERM; how are nonprofits faring in implementing this comprehensive approach to risk management, which goes well beyond internal controls? So far, the evidence is not favorable to nonprofits. Survey evidence finds that only 13 percent of nonprofits have complete, formal enterprise-wide risk management processes in place, compared to 52 percent of businesses. Furthermore, 24 percent have no enterprise-wide risk management in place, as compared to only 6 percent of businesses.59

What about nonprofit management of directors and officers (D&O) liability? Almost 70 percent of surveyed nonprofits do not purchase D&O liability insurance coverage and more than 40 percent did not know that directors' and officers' personal assets could be at risk if their nonprofit was sued.60 Another survey indicated that 63 percent of nonprofits reported a D&O claim in the past 10 years, indicating this is a significant risk to consider.61 The various sources of litigation include breach of duty, misuse of funds, waste of the organization's assets, failure to adhere to and carry out a nonprofit's mission, wrongful employment actions, infringement of trademark or copyright, personal injury, or contract breach.62

Insurance purchases are also an area to consider. Survey evidence from Crystal & Company gives a positive finding that most nonprofits having at least $20 million in revenues do consider the potential risks to their organizations and purchase insurance.63 About 80 percent of nonprofits had procured an independent assessment of their organization's risk and insurance program at least once in the most recent three years, 36 percent had done so within the past year, and nearly 7 percent had never done an independent assessment.64 Crystal & Company recommends that nonprofits move beyond buying insurance and implement a “more holistic approach that integrates risk management into an organization's daily operations.”65 The survey found that the top three risk management priorities were (1) “identifying and assessing current and future threats to the organization's assets,” (2) “reducing insurance premiums,” and (3) “business continuity planning.” The top three hazards these nonprofits identified were (1) “employment-related risks, including workplace injuries,” (2) “acts, errors or omissions in governance and management,” and (3) “acts, errors, or omissions in rendering professional services.”66 Crystal & Company notes that corporate risk and insurance oversight/responsibility is assigned to the finance area in most nonprofits, but this area may not have formal risk management experience (or training, we might add).67

Finally, based on its research, the Nonprofit Risk Management Center suggests that an effective risk management plan follows these six best practices:

  1. Reflects a wide range of views and perspectives in an organization
  2. Expresses the nonprofit's belief in and support of risk management
  3. States that personnel at all levels of the organization play a vital role in protecting the nonprofit's mission, reputation, and assets
  4. Incorporates the existing risk management policies of the organization
  5. Reflects the nonprofit's goals and aspirations for its risk management efforts
  6. Focuses on priority risks and considers secondary risks68

Notes