risk management best practices for...

Commercial & Personal Insurance ▪ Employee Benefits ▪ Retirement Plan Services ▪ Wealth Management

11311 McCormick Road ▪ Hunt Valley, MD 21031 ▪ www.psafinancial.com ▪ 410.821.7766

Risk Management

Best Practices for

Non-Profits

2

Welcome! Important Web Seminar Notes

• You may download a copy of today’s presentation under the Presentation Assets box on the left side of your screen.

• Following the presentation we’ll have a Q&A session. We encourage you to ask text questions throughout the presentation. Please type your inquiry into the “Ask A Question box” and click submit.

• If you should need any technical assistance during today’s event, please type your inquiry into the “Ask A Question” box on the left side of your screen.

• If you are disconnected from the webcast, you can log on again, using the login instructions provided to you.

• If you cannot log back on with these instructions, please call Technical Support at 866.271.7592.

3

To Receive CPE Credit

• Polling question:

- Click on appropriate radio button to answer the polling question

• Active participation:

- NASBA requires that we monitor your participation

- You must answer 75% of all polling questions offered per hour to get credit for that hour

• Half credits may be awarded after the first hour, as appropriate

- Your interactions will be tracked through the system

• For groups, the proctor’s polling answers will be tracked

- Your computer connection will be tracked through the system

• You must be connected at least 50 minutes to receive 1 credit

• Each 25 minutes after the first hour is worth ½ credit

4

To Receive Group CPE Credit

• Group participation:

- Groups should download the Group Sign-in sheet from the Presentation Assets box located on left side of the screen

- The group proctor must be the person logged into the streaming platform and must answer the CPE polling questions

- Group proctors should enter all participant information and sign off at the top of the group sign-in sheet

• Include actual time in and time out of all participants

• Verify active participation of all group members - Submit via email within 3 days

*Failure to follow this policy will result in NO CPE credit for everyone in the group

Commercial & Personal Insurance ▪ Employee Benefits ▪ Retirement Plan Services ▪ Wealth Management

11311 McCormick Road ▪ Hunt Valley, MD 21031 ▪ www.psafinancial.com ▪ 410.821.7766

Risk Management

Best Practices for

Non-Profits

6

Polling Question #1

Which best describes your organization type:

A. Professional/membership/trade association

B. Charitable organization

C.Social Services (e.g. United Way, Red Cross, Salvation Army, etc.)

D.Health care organization

E. Educational institution

F. Museum/cultural organization

G.Other

7

Today’s presenters

Jeffrey D. Wallop, CIC

Vice President

PSA Insurance & Financial Services

jeffw@psafinancial.com

443.798.7379

Lisa Chanzit, FCAS, MAAA, ARM

Senior Actuarial Consultant

Risk & Regulatory Consulting, LLC

lisa.chanzit@mcgladrey.com

855.246.0815

8

Agenda

▪ How cyber liability is increasingly becoming

a threat

▪ The importance of utilizing effective

employee handbooks

▪ Why the need for directors and officers

liability protection

▪ Insuring against financial fraud

9

What is Cyber Liability?

Cyber Liability is the risk posed by conducting

business over the internet, over other networks

or using electronic storage technology.

Two types of breaches

▪ First Party

▪ Third Party

10

First Party VS Third Party

▪ First Party Cyber Liability – occurs when your own

information is breached or compromised.

▪ Third Party Cyber Liability – occurs when customer or

partner information your organization has promised to

keep safe is compromised.

▪ First Party Cyber Liabilities can threaten a company’s

competitiveness, but third party cyber liabilities can

ruin reputations, open the door to expensive law

suits and trigger statutory fines.

11

Breaches

▪ Who? Unauthorized Access by:

– Hackers

– Employees, Faculty, Students

– Outsourced and third party vendors

▪ What? What are they accessing?

– Laptops

– Computer networks/wireless networks

– PDAs/Cell Phones

– Paper Files

– Websites

12

Why do I need Cyber Liability?

▪ Cyber Liability exposures are excluded from a General

Liability Policy.

▪ Cyber Liability Policies cover the costs of theft,

destruction or unauthorized use of electronic data

through computer viruses and network intrusions.

13

Private Information

What are the exposures

▪ Credit card information

▪ Social Security numbers

▪ Patient health information, medical claims and records

▪ Date of birth information

▪ Customer user name and passwords

▪ Customer or employee contact information

▪ Financial records and account information

▪ Drivers’ license number

▪ Biometric information

Failure to protect private information from Cyber threats can result in losses to:

▪ Company reputation

▪ Financial loss

▪ Customer satisfaction

▪ Business opportunities

▪ Intellectual properties

▪ Possible litigation

14

How vulnerable is your business?

▪ 77% of employees leave their computers

unattended

▪ 65% of small businesses say their organizations

sensitive information is not encrypted

▪ 56% of employees frequently store sensitive data

on their laptop or mobile device

▪ 62% of small businesses don’t routinely back up

data

*TrendMicro & Ponemon Institute 2012

15

Potential Claims Expenses

▪ Expenses to notify affected parties

▪ Business income and extra expense

▪ Extortion payments

▪ Crisis management expenses

▪ Credit monitoring costs

▪ Negligence

▪ Invasion of customer’s right to privacy

▪ Defense and damages

▪ Media / intellectual property

16

Methods of Attack

▪ Denial of service

▪ Loss of critical infrastructure

▪ Theft of information

▪ Fraud

▪ Corruption of data

▪ Insider exploitation

17

Cyber Liability Risk Management

▪ Segregate and restrict access to sensitive data

▪ Establish user control password protection procedures

▪ Review security/access to network and server

▪ Encryption of private data on database, laptops, mobile

▪ Implement and maintain firewall

▪ Apply intrusion detection software systems

18

Vulnerability of a Not-Profit

▪ Financial constraints

▪ Type and number of records stored

19

Cloud Risk Considerations

▪ Who owns the data once it resides on the cloud?

▪ Does your cloud provider guarantee the security

and privacy of your data?

▪ Will you be alerted if there is a breach of your data

within the cloud?

▪ Will you have the right to investigate the breach?

▪ Who will be responsible for notifying your

customers of a breach incident?

20

Underwriting Issues

▪ Nature of business

▪ Revenues

▪ Total number of records at risk

▪ Types of records at risk

▪ Written policies and procedures

▪ Risk management procedures

▪ Security and protection

▪ Breach/claim history

21

The Employee Handbook

22

Purpose of Employee Handbooks

▪ Maintains uniformity in the application of policies

and procedures

▪ Legal compliance and protection

▪ Communicate company policies

▪ Useful resource and guideline for managers and

supervisors responsible for resolving employee

complaints

▪ Enhance the credibility of decisions based on

policies

23

Potential Downsides

▪ Guidance demonstrating entity’s failure to

comply with their own internal policies and

procedures

▪ Can reduce flexibility needed to handle issues

as they arise if the policies are not well drafted

▪ Poorly prepared handbooks can result in liability

24

Essential Handbook Policies

▪ Introduction Provisions/Disclaimer

▪ EEO Statement

▪ Sexual Harassment policy

▪ Non-Harassment policy

▪ Problem Solving Procedure

25

Components

Disclaimer

▪ The primary way to minimize the likelihood that a court

will find that handbook provisions amount to an implied

contract is to include an unambiguous prominent

disclaimer, on the first page of the handbook, stating

that the handbook or related documents do not create

any contractual rights, and that the employment

relationship is “At Will.”

▪ At-Will Statement: “Employer or employee may

terminate the employment relationship at any time,

without notice and for any reason.”

26

Components

EEO Statement

▪ Non-discrimination provisions

▪ Summary of protected categories

▪ Reasonable accommodation language

▪ Welcome employee participation in the interactive

process

27

Components

Anti-Harassment Policy

▪ Commitment

▪ Identification

▪ Complaint Procedure

▪ Investigative Procedure

▪ Anti-retaliation

▪ Helps employer avoid liability where employee

fails to utilize these channels

28

Components

Problem Solving Procedures

▪ Importance

▪ Define “Problem”

▪ Procedure

29

Components

Safe Harbor Policy

▪ Classifications of employees

▪ Addressing paycheck mistakes

▪ Exempt status protection

▪ Reporting procedures

30

5 Things That Should Never Appear in an Employee Handbook

▪ “Permanent”

▪ “We do not pay overtime”

▪ “The name of or reference to”

▪ “And after the third violation”

▪ “Confidentiality is assured”

31

5 Things That Should Never Appear in an Employee Handbook

“Permanent”

The word “permanent” appears in handbook to distinguish employees who have completed a probationary period.

However, the term should never appear in a handbook because it weakens the important doctrine of “at-will employment.”

The term “regular” is more appropriate.

“We do not pay overtime”

This phrase suggests a non-profit’s intent to violate the wage and hour laws. If a non-exempt employee works overtime he

or she must be paid premium pay.

“Reference to another organization”

It is surprising the number of organizations that copy another organization’s handbook and just substitute in their name.

Policies that are suitable for one non-profit may not be suitable for yours.

“And after the third violation”

Your handbook should not contain overtly prescriptive disciplinary measures. The best handbooks afford management

maximum discretion in determining the discipline that should apply in a given instance. Statements such as “violation of this

policy could result in discipline, up to and including termination” give management the ability to determine the appropriate

measures.

“Confidentiality is assured”

It is never appropriate to provide outright assurances of confidentiality when the nature of the matter may require that

person within the organization be informed of the allegations or status of an investigation. A more appropriate statement

may be “all complaints will be investigated promptly and as confidentiality as possible.”

32

Handbook Receipt

▪ Right to modify without notice

▪ Acknowledgement of receipt and obligation to

read, understand and adhere to policies and

procedures

▪ At-will status/employment contract disclaimer

33

Distributing Handbooks

▪ Provide employees with verbal summary of major

policies and/or change upon distribution

▪ Provide opportunity for employees to ask

questions and voice concerns freely

▪ Always require receipt of handbook be signed and

turned in promptly to managers of HR department

34

What to Say and How to Say It

▪ Be consistent with company culture

▪ Write clearly and concisely

▪ Avoid making promises

▪ Avoid “shall” and “will”

▪ Maximize flexibility using “may” and “usually”

▪ Eliminate reference to management procedures

▪ Comply with applicable local, state and federal

law

35

D&O Insurance

36

Respondents Reporting D & O Claims in the Past 10 Years

36%

64%

0%

10%

20%

30%

40%

50%

60%

70%

All Respondents Non Profit Respondents

Respondents Reporting D & O Claims in the Past 10 Years

Source: Towers Watson 2012 Directors and Officers Liability Survey

37

Polling Question #2

What is the most frequent type of D&O claim

faced by non-profit organizations?

A. Fiduciary

B. Donor

C. Employment Practices

D. Regulatory

E. Other

38

Types of D & O Claims in the Past 10 Years

0%

20%

40%

60%

80%

100%

Direct Investor Suit

Derivative Investor Suit

Employment Related

Regulatory Fiduciary Other

Types of D & O Claims in the Past 10 Years

All Respondents

Non Profit Respondents

Source: Towers Watson 2012 Directors and Officers Liability Survey

39

Why do Non-Profits need D&O Insurance?

▪ Exposures: Driven by what the organization does

▪ Personal Liability

▪ Duties of Directors (care, loyalty, obedience)

▪ Volunteer Protection

▪ Indemnification

▪ D&O insurance does not replace responsible

governance

40

Claims Overview

▪ Almost triple the number of non-profits reported having

a D&O claim in 2010 (35%) vs. 2008 (13%)

▪ 67% of claims filed under non-profits D&O policies were

EPLI related

▪ Significant % of all loss dollars are for defense costs as

opposed to damages/settlement

▪ 35% of non-profits have D&O claims – compared to

29% for publicly traded and 26% for privately held

▪ Claimants can be employees, volunteers, donors,

members, competitors, creditors, regulators,

governmental bodies, beneficiaries of service

41

Allegations?

▪ Breach of fiduciary duty

▪ Negligent supervision

▪ Mismanagement of assets

▪ Conflict of interest

▪ Misrepresentation

▪ Tortious interference

42

Who and what are covered?

Covers directors and officers plus…

▪ Employees, volunteers and committee members

▪ Full entity coverage

▪ Includes Employment Practices Liability Coverage

▪ Third party liability extension

43

Policy Overview

▪ Duty to defend

▪ Aggregate limit

▪ Defense costs either inside/outside limit

▪ Exclusions

44

Insuring Claims

▪ Clause 1 or Side A

– Covers insured persons for loss which they are

not indemnified for by their non-profit

▪ Clause 2 or Side B

– Covers loss for which the non-profit is lawfully

permitted or required to indemnify its insured

person

▪ Clause 3 or Entity Coverage

– Covers the non-profit itself

45

What constitutes a loss?

▪ Loss – covered damages, settlements and

defense costs

▪ Typically excludes, taxes, fines, penalties, costs to

comply with injunctive relief, amounts due under

breached contract

▪ Includes front pay, back pay, salary and benefits

components in employment context

46

What is a wrongful act?

A wrongful act means:

▪ Any error, misstatement, misleading statement,

act, omission, neglect, breach of duty or

committed, attempted or allegedly committed or

attempted by an insured person in his or her

insured capacity or by the organization, or

▪ Any other matter claimed against an insured

person solely by reason of his or her serving in an

insured capacity

47

What is a claim?

A claim means:

▪ A written demand for monetary damages or non-monetary relief

▪ A civil proceeding commenced by the service of a complaint or similar

pleading

▪ A criminal proceeding commenced by the return of an indictment, or

▪ A formal civil administrative or civil regulatory proceeding commenced

by the filing of a notice of charges or similar document, or by the entry

of a formal order of investigation or similar document

48

D&O

▪ Importance of reporting claims

▪ Timely reporting

▪ Who chooses counsel can be an issue

49

Endorsements to Consider

▪ Defense outside limit of liability

▪ Outside directorship

▪ Wage and hour

▪ Fiduciary

▪ HIPAA

50

51

Polling Question #3

Only larger nonprofit organizations need to be

concerned about the diversion of funds.

▪ True

▪ False

52

Significant Diversions of Nonprofits’ Assets Since 2008

0

50

100

150

200

250

300

350

400

450

Tax Year 2008 Tax Year 2009 Tax Year 2010 Tax Year 2011

Significant Diversions of Nonprofits' Assets by Tax Year

Source: Analysis of Form 990 Disclosures, as reported in the October 26, 2013 Washington Post

53

Significant Diversions of Nonprofits’ Assets by Organization Type

664

152

353

Significant Diversions of Nonprofits' Assets by Organization Type

Charitable Organizations

Educational Organizations

Other

Source: Analysis of Form 990 Disclosures, as reported in the October 26, 2013 Washington Post

54

Significant Diversions of Nonprofits’ Assets by Revenue

0

50

100

150

200

250

300

350

400

$0 or less $1-$250k $250k-$500k $500k-$1mill $1mill-$10mill $10mill +

Significant Diversions of Nonprofits' Assets by Revenue

Source: Analysis of Form 990 Disclosures, as reported in the October 26, 2013 Washington Post

55

What is fraud?

▪ Deceit, trickery or breach of confidence,

perpetrated for profit or to gain some unfair or

dishonest advantage

- Dictionary.com

▪ Occupational Fraud: The use of one’s

occupation for personal enrichment through the

deliberate misuse or misapplication of the

employing organization’s resources or assets - Association of Certified Fraud Examiners

56

Occupational Fraud Elements

▪ Effort to obscure from detection

▪ Violates perpetrator’s fiduciary duties to the

organization

▪ Committed to benefit perpetrator,

organization or both

▪ Costs victim organization assets, revenues

or resources

57

Fraud or Abuse?

▪ Stealing incoming or outgoing cash

▪ Stealing assets

▪ Padding an expense report

▪ Using the non-profit’s equipment for

personal reasons

▪ Using sick leave or personal leave

▪ Spending work hours on personal business

58

Fraud Stats and Facts: Non-Profits

▪ Median duration of fraud for non-profits – 24

months

▪ Lack of balance between funding for stated

mission of the organization and protection

of the organization’s assets

▪ Inordinate emphasis on ineffective controls

59

Fraud Stats and Facts

▪ Estimated to impact 7% of all organization revenues in

U.S. = $99 billion per year

▪ Median duration of fraud is 18-24 months

▪ Only 7% of perpetrators had prior convictions

▪ Fraud was most often committed by accounting staff

or upper management.

- Source: Association of Certified Fraud Examiners

60

Polling Question #4

What is the median cost of a fraud loss for a

nonprofit organization?

A. $58,000

B. $76,000

C. $109,000

D. $157,000

61

Median Losses

▪ Private companies - $278,000

▪ Public companies - $142,000

▪ Non-profits - $109,000

▪ Government Agencies - $100,000

62

Impact/Consequences

▪ Bad PR

▪ Loss of public trust

▪ Increased oversight/scrutiny

▪ Increase of operating costs

▪ Damaged employee morale

▪ Loss/theft of funds and assets

63

Fraud

Triangle

Opportunity

64

Leg 1

“Pressure”

▪ Living beyond one’s means

▪ Financial difficulties

▪ Medical/health issues

▪ Grief/loss

▪ Post-traumatic stress disorder symptoms

▪ Addictions to gambling, alcohol, drugs

▪ Marital/relationship conflicts

▪ Unachievable goals set by self/organization

▪ Societal expectations for status and desires

65

Leg 2

Rationalization

▪ Just “borrowing” and plan to give back

▪ Lack of adequate pay – includes volunteers

▪ Lack of career ladder

▪ Entitlement mentality

▪ Encouragement by “tone at the top”

66

Leg 3

Opportunity

▪ Ease of access to funds and assets

▪ Relaxed control environment

▪ Low emphasis on support functions

▪ Repetitive processes without review/revision

▪ Lack of fear of detection

67

Occupational Fraud

▪ Misappropriation of Assets

– 89% of occupational fraud cases

– Cash – larceny, skimming

– Inventory – misuse, larceny

▪ Corruption (27%) – bribes, conflicts of interest

▪ Fraudulent statements (10%) low frequency, high

severity

- Statistics from ACFE

Note: Total does not equal 100% since some fraud schemes reviewed comprised multiple

classifications

68

Common Fraud Schemes

Misappropriation of assets: incoming funds

▪ Checks and cash

▪ Donated property

▪ May occur prior or after transaction recording

Misappropriation of assets: outgoing funds

▪ Billing fraud

– Phony vendors

– Fraudulent payments (i.e. duplicate payments,

overpayments, check tampering, refunds)

– Conflict of interest/inappropriate vendor selection

▪ Travel and expense fraud

69

Prevention

▪ Code of conduct, ethics policy, fraud policy

▪ Documented policies and procedures for core functions

▪ Employee assistance programs

▪ Background checks for employees

▪ Protect proprietary and confidential information

▪ Fraud hotline

▪ Segregation of duties

– Record the transaction

– Authorize the transaction

– Custody of the transaction

– Execute the transaction

70

Prevention con’t

▪ Required vacation

▪ Rotate responsibilities and cross train

▪ Review key controls

▪ Trust but don’t over delegate

▪ Secure assets and document custody transfer

▪ Management review of financial statements

▪ Background checks – 67% of all resumes/applications contain material inaccuracies

– Periodically review position requirements and responsibilities to ensure continued relevance

– Reasonably verify disclosures ▪ Education

▪ Employment experience

▪ Professional references

▪ Credit background

▪ Criminal background

71

Prevention con’t

▪ Protect vendor and proprietary information (i.e. donors)

▪ Strong board participation and ask difficult questions

▪ Audit committee involvement and external audit assurance

▪ Fraud risk assessment

– Peer organization involvement

– Top down approach and participation

72

Polling Question #5

What is the most common way financial fraud

cases are discovered?

A. Internal Audit

B. External Audit

C. Employee tips

D. By accident

73

Sources of Fraud Detection

▪ Independent (external) audits

▪ Financial management or internal control

▪ Employee tips or complaints

▪ Accident – 19%

▪ Internal Audit – 19%

▪ Customer tip – 9%

▪ Vendor tip – 5%

74

Special Fraud Challenges for Non-profits

▪ Sympathetic thief

▪ Fear of publicity

▪ Resources

75

How do you protect the entity against fraud?

Commercial crime coverage

▪ Employee dishonesty coverage or Fidelity

Bonds

76

Q & A

• It is now time for our Q&A session.

• Click the “Ask a Question” button, type your

question in the open area and click “Ask

Question” to submit.

77

Thank you for attending!

Reminder to obtain CPE credit

▪ Individuals: No further action is required

▪ Proctors on behalf of a group:

– The group proctor should be the same individual who logged in to the web and

teleconference lines

– Submit the group sign-in form within 3 days (available by clicking on the

Presentation Assets section on the left side of your screen)

▪ 1.0 CPE credit hours will be issued to eligible participants within 60 days

▪ NASBA will not issue credit if all criteria is not met, without exceptions

Follow-up materials

▪ The presentation slides and a link to the call recording will be sent to all

participants within a few days of the webinar

78

Today’s presenters

Jeffrey D. Wallop, CIC

Vice President

PSA Insurance & Financial Services

jeffw@psafinancial.com

443.798.7379

Lisa Chanzit, FCAS, MAAA, ARM

Senior Actuarial Consultant

Risk & Regulatory Consulting, LLC

lisa.chanzit@mcgladrey.com

855.246.0815

79

PSA Insurance & Financial Services

Washington, DC Metro Office

2275 Research Blvd., Suite 500

Rockville, MD 20850

Baltimore Office

11311 McCormick Road

Hunt Valley, MD 21031

Jeffrey D. Wallop, CIC

Vice President

jeffw@psafinancial.com

443.798.7379