Like any other business sector, nonprofit organizations face a host of risks that can threaten the bottom line and ultimately prevent them from carrying out their mission. However, many nonprofits lack programs to help mitigate such risks. For some it can be a question of awareness, but more often, it is a question of resources and funding. Money is usually limited, so any available resources are usually funneled into programs that serve their stakeholders and the community. Risk management is typically not a priority. In fact, according to a survey from insurance broker Crystal and Company, only 22% of nonprofit organizations have a dedicated risk manager on staff. As a result, many nonprofits are not properly protected.
We spoke to Jamie Crystal, executive vice president of Crystal & Company, to get a better look at the challenges nonprofits face and what they can do to improve their risk management efforts.
RM: What is it about the risk profile of nonprofit organizations that sets them apart from other sectors?
Jamie Crystal: Nonprofit organizations tend to operate on a fixed budget. For most, their goal is to spend as much of their operating budget on their mission or their purpose [as possible]. Often there’s nothing left over at the end of the day. So if they do not adequately protect themselves, if they do not properly insure some of their risks, they can find themselves in a situation where they don’t have that buffer, that cushion to support unexpected losses.
Where most large for-profit companies might take a large deductible, for example, to help manage insurance costs, it’s very difficult for a nonprofit organization to do that when they’re on a fixed budget, particularly for those organizations that are in the social services space where a substantial portion of the revenues are funded by the city, state or federal government. You can’t go back to those governments and say, “I had a fire, I’m $100,000 short. Can you give me another $100,000?” They’re getting a fixed amount of funding and they don’t have the margin for error to support unexpected losses.
What is a common factor almost universally in the nonprofit space is that they’re putting their money into the programming so they often don’t have the depth of resources available for them to manage risks. So where most companies of a certain size might employ a full-time risk manager or have a person dedicated to the risk management function, very often for nonprofit organizations, it falls to the CFO or the controller or the general counsel or some subset of that group. And they don’t have the time, skills or resources to do that.
RM: What were some of the issues uncovered by Crystal’s survey of nonprofit risk management programs?
Crystal: One of the main areas of concern that nonprofits raised is that they’re trying to look for more ways to raise funds because of the diminishing support from the city, state and federal governments. Many organizations are starting to utilize online methods for raising money. Yet when we look at the way they’re managing the risks, media liability, network security and privacy liability insurance products are in the lowest categories in terms of their presence in their insurance portfolio.
So here they are saying, “We’re really focused in this area,” yet you look at their insurance program and they haven’t connected the dots to say, “We’re going into new territory. This is a new risk for our organization. How are we managing this risk?” In many cases there are some very strong insurance solutions to help them manage that risk, and yet there’s a sense that they have the same insurance program they had 10 years ago.
RM: What are some things nonprofits can do to improve their risk management programs? Is it just a question of insurance or are there other measures they can take to address this deficiency?
Crystal: I think the focus should come back to risk management. Insurance is a great tool to try and help manage some of the risk, but there are strong risk mitigation efforts that can be done. A lot of times it’s in-house so there’s a tremendous opportunity for organizations to reduce their risk through training. It’s not always a capital expenditure. For example, if you have a large fleet of shuttle buses, there can be some safe-driving training. If you are working with the elderly, it’s proper lifting techniques. If you’re dealing with children, it’s how to operate a secure environment and how to interact with children in an appropriate manner. It’s not a budget cost item. It’s just having the awareness.
There’s also a great sense of camaraderie in the nonprofit sector. It’s not the competitive environment in business where I’m not going to help my competitor. In the nonprofit environment, there is a sense of community and organizations have developed best practices and can share those best practices with each other to create safer work environments for their employees and better practices for managing some of the risks.
RM: Are their certain common mistakes that nonprofits should avoid when it comes to risk management?
Crystal: There is a philosophy of nonprofit organizations to want to do more. Particularly, they will get opportunities to provide programs that might be different from their core competency. So if you’re working with children and providing psychological work, maybe you now see there’s a government program out there that says you can [provide] psychological support for war veterans. They say, “We can do that.” They might even have some of the skills to provide those services. But it completely changes the risk profile of the organization, and they might not have those risk management procedures in place.
It’s tied in with their altruistic desire to do good in their community that makes them want to take on new programming, but they really need to step back and say, “Do we have the core competency to do that? And then secondarily do we have the practices and procedures in place to do this in a low-risk, safe way?”
When organizations get themselves in trouble, it’s usually when they’re getting into areas where they don’t have that expertise and they’re doing new things without taking the time to understand the risks associated with that