Good not-for-profit risk management will be rewarded

Posted on 10 Apr 2024

By Matthew Schulz, journalist, Institute of Community Directors Australia

Good risk management requires good planning.

Humans by their nature are an optimistic lot, and leaders in the community sector possibly more so.

With the tendency to assume that things will turn out okay, “optimism bias” can get in the way of best-practice risk management.

People in organisations – at all levels – believe they won’t be involved in an accident, that their projects will run to time, and that they’ll keep a lid on costs.

This trait is so well established that in the construction industry, project managers account for the bias by adding as much as 50% to initial estimates of building costs, especially for out-of-the-ordinary designs. The related “planning fallacy” lures us into thinking that the project will be completed in a much shorter time.

Optimism bias can lead to overconfidence, cutting corners and unrealistic expectations.

The not-for-profit and charity sector – perhaps by necessity – is full of leaders who believe that they can achieve their mission in good time, against the odds, and with limited resources.

At the Institute of Community Directors Australia (ICDA) we share that enthusiasm for doing good, and for taking a punt on doing things better (after all, our parent organisation’s motto is “Ready, fire, aim”), but we’re also advocates of good planning.

The Matildas await the results of an ultimately successful penalty shootout in the 2023 FIFA World Cup. Picture: Bradley Kanaris/Getty Images

All NFPs and all community leaders are exposed to risk from the activities they undertake. Whether in community services, disability support, aged care provision, sports, events, education, animal welfare, international aid, the arts, health work, or protecting the environment, every organisation faces different but inevitable risks.

The heavy reliance on volunteers – who may be untrained or inexperienced in the area they’re expected to work in – creates other vulnerabilities.

At ICDA, we realise that risk management is not about red tape but instead the process of thinking systematically about all the possible risks, problems and disasters before they happen and setting up procedures that will negate or reduce the risk, or minimise or manage its impact.

It is no accident that ICDA has compiled a large library of resources, webinars, help sheets and policies to help not-for-profits manage their risks. These resources range from basic tools and guidelines to sophisticated strategies.

Where do we start with risk management?

However complex the strategy, risk management boils down to three basic questions:

  1. What could go wrong?
  2. What will we do to prevent it?
  3. What will we do if it happens?

A great place to start with understanding risk is this help sheet: Ten steps to a safer organisation. In short, the help sheet suggests the following:

  • Take risk seriously: If you haven't identified risks and set up some protection against foreseeable problems in the future, chances are someone is going to get hurt.
  • Become incorporated: The point about your organisation becoming incorporated is that it creates an entity that can be sued, and this has the effect of drawing fire away from members of the group as individuals.
  • Put somebody in charge: Make sure that whoever is responsible for risk management knows they are responsible and is accountable for reporting back to the board on what's being done.
  • Work out the likely hazards: Identify risks across various aspects of the organisation, including premises, financial procedures, equipment, and human relations practices.
  • Evaluate and prioritise the risks: It can be tricky to estimate risks, but you still have to do it.
  • Fix what you can fix: This can mean changes to systems, procedures and physical set-ups to mitigate identified hazards.
  • Shift what you can shift: If risks cannot be eliminated, consider transferring the burden of risk to another party, through subcontracting, sharing responsibilities and possibly waivers.
  • Insure what you can insure: Once you’ve minimised your risks, insurance can cover risks that cannot be avoided or mitigated.
  • Get ready for the worst: Prepare for unexpected events with emergency and catastrophe management plans, first aid training and recovery plans.
  • Build all this into a policy: Document risk management strategies in a policy, making it accessible to everyone in your organisation. Review it regularly.
Knowing the hazards you're likely to encounter is essential.

Another one of our help sheets, The main areas of risk for not-for-profit organisations, expands on how leaders can “work out the likely hazards”.

These can include:

  • Physical risks: which can involve animals, festivals and events, fire, food and drink, machines and vehicles.
  • Professional risks: such as those affecting staff competence, working with children, volunteers, defamation law and complaints.
  • Environmental risks: these risks can be quite wide-ranging, but may affect buildings, access, hazards, smoking, water, falls, trees, trip hazards, hazardous substances and security.
  • Employee risks: relating to the protection of your staff and volunteers, this may include workplace safety, avoiding prejudice and harassment, and dealing with complaints.
  • Financial risks: NFPs must consider the risks of fraud, unauthorised trading, uncontrolled spending, failing to meet employee entitlements, and insolvent trading.
  • Crimes: Organisations must protect staff and volunteers, discourage crimes and accidents, and prevent theft.
  • Regulations: NFPs are required to work within the law, which may affect the use of vehicles, as well as board decisions, constitutions, and funding agreements.

Are you ready to set up a risk management process?

If you’ve mastered the basics, your organisation is ready to consider developing a more detailed risk management process. ICDA can help with that too, with An introduction to the risk management process.

This help sheet describes a process comprising the following parts:

  • establishing your risk context
  • identifying risk
  • analysing risk
  • evaluating risks
  • treating risks
  • communicating risk management
  • monitoring risks.

There are rewards for good risk management, which we summarise in another appropriately titled help sheet: Why implement a risk management program?

This explains how a good risk management framework will help you with the following:

  • limiting your legal liability
  • lowering your insurance premiums by reducing risk
  • improving your reputation
  • making better decisions
  • managing and maintaining your assets better.

What are your risk management policies?

To help your organisation roll out that risk management program, ICDA has produced a template risk management policy, vetted by our legal partners Maddocks, which follows a similar pathway to the help sheets referred to in this report.

While every organisation will need to tailor such a policy to its own needs, the policy template is a useful starting point.

ICDA resources also include a template risk management register, which your organisation can adapt to suit its needs.

What insurance does our organisation need anyway?

With more than 600,000 not-for-profits in Australia, it’s hard to say exactly what kind of insurance you’ll need. That’s partly a matter for your organisation’s risk appetite, the kind of risk management program you’ve developed, and also what insurance policies are available, and what they’ll cost.

In some cases, community organisations are automatically given insurance cover. For example, the Victorian Managed Insurance Authority (VMIA) provides cover to eligible community service organisations funded by state government departments.

While some organisations operate without insurance (see the earlier warning about optimism bias), it’s not something that ICDA or insurance experts recommend.

In our help sheet Types of insurance an organisation needs, we suggest the following:

“For most not-for-profit organisations, insurance is an essential component of risk management and a key way to manage losses. Even the most prudent and effective organisations can't foresee everything and prevent accidents from occurring.

“You want to make sure that the people who help you and are part of your organisation are covered for any potential liability, injury or loss. You also want to ensure that your equipment, materials and property are protected.

“A major reason why you need insurance is to ensure that you are not forced to close if you are exposed to a claim. While not all claims are enormous, the possibility of a multi-million-dollar claim does exist.”

The Institute of Community Directors Australia recently hosted the annual NFP Insurance Week in partnership with insurance brokers Aon, comprising a series of free webinars on a range of community-focused insurance matters, such as protecting volunteers and events, the types of insurance needed by NFPs, cyber insurance, and using prize indemnity insurance for fundraising.

Aon client director Gavin Deadman told delegates in a session on common risks faced by NFP boards and committees that insurance should be considered along with an effective risk management program.

Some risk can be transferred to insurers in areas such as:

  • public and products liability
  • professional indemnity
  • directors and officers (D&O) coverage – which covers claims against directors and officers, including employment matters
  • fraud (known as fidelity)
  • travel
  • workers compensation (compulsory)
  • association liability, which comprises a bundle of cover
  • volunteer workers personal accident
  • child sexual abuse or molestation
  • cyber security.

“It’s really important to make sure you’re protecting your directors, both paid and voluntary, your managers, the people who are running your offices and your volunteers.”

He urged organisations to be aware of exposure to risk in new and growing areas, especially cybercrime, which had grown rapidly as a threat to organisations in the past five years.

Mr Deadman said determining the level and type of insurance cover could be a complex process, and suggested each organisation should tailor that cover to ensure their organisations and stakeholders were properly protected. Organisations such as Aon were able to provide professional advice, he said.

The webinars and slides from the presentations are available for a limited time.
