Protecting the Mission: Effective Risk Management for Human Service Organizations

A business woman in a tan jacket shakes hands with a man in dark blue while two others smile as they look on.

Nonprofit human service organizations accomplish amazing things—often with budgets that would seem spartan to their counterparts in the for-profit world. However, even providers that overcome the most daunting challenges to deliver for their clients can find themselves imperiled by crises or legal actions that threaten the mission and even the continued operation of the organization itself.

Among the key risks facing nonprofit human service organizations are: workers’ compensation claims, abuse and molestation charges, cybersecurity breaches, and public relations crises that impact operations and fundraising. These dangers often are compounded by the fact that, given their limited resources, most small and mid-sized nonprofits do not have a dedicated risk manager on staff. Instead, the responsibility of risk management is usually taken on by a director or human resource manager who also wears many other operational hats. Although these individuals might be highly committed and resourceful, they generally do not have extensive experience in managing crises or expertise in specific risks. They may also assume that simply having an insurance policy means they have their exposure and risk under control.

In this paper we’ll look at these important risks and provide some initial advice on steps human service nonprofits should be taking to protect their organizations and their missions.

Workers’ Compensation Claims

Workers’ compensation coverage is one of the biggest expenses for nonprofits engaged in delivering human services. In fact, for many of these organizations it ranks behind only physical infrastructure and salaries in terms of cost.

Many organizations assume their sizable policy payments mean they have their exposure and risk under control. But when it comes to workplace injuries, there is much more to consider:

  • What are the best policies to prevent accidents and avoid claims?
  • Is there a plan in place to respond if and when someone gets injured on the job? Who’s in charge?
  • Who is documenting the event and how? How will the organization investigate what happened?
  • What can an organization do for and about individuals who suffer multiple injuries or file multiple claims?

There are standard procedures and insurance provisions that can protect both employees and organizations. To be effective, however, these elements must be in place before an injury or claim occurs. For this reason, advanced planning around established workers’ compensation “best practices” should be mandatory for all human service nonprofits. This can be a big ask for organizations without a dedicated risk manager, due to the time and resources required to research the details of these complex issues. For example: Some states allow organizations to extend workers’ compensation coverage to volunteers. If you are in a state like Connecticut that does not provide these volunteer “endorsements, ”there are insurance alternatives, but finding and picking the right coverage policies can be a challenge. Likewise, nonprofits often are unaware of the many options available to them and to their employees in terms of modified responsibilities and other means of facilitating injured employees’ return to work.

Molestation and Abuse Charges

Charges of molestation and abuse are among the most traumatic and challenging crises that any human services organization can face. When such charges arise, investigating the claims and protecting and assisting victims are the paramount priorities. However, the professionals running an affected nonprofit have the parallel responsibility of maintaining the organization for clients and employees. In many cases, this entails responding to events that took place long in the past—including events of which they have no prior knowledge, or those that occurred before they were even affiliated with the organization. If the organization has not done the work of putting in place the proper policies and protections before these charges arise, the mission could be in jeopardy.

These are not easy or pleasant issues to consider, and perhaps for that reason, many organizations remain at risk due to a lack of expertise about established methods for protecting against these events. For example, while most human services organizations use background checks for employees and volunteers, not all background checks are created equal. Criminals have been known to exploit gaps in these checks by changing addresses, and even cities and states. As a result, nonprofits should always include regional and national searches, and in some cases should consider background services covering other, specialized, data sources.

Even more difficult for non-experts is the task of analyzing the many complicated components of the insurance policies they must rely on to protect the organization and keep it solvent. Because molestation and abuse claims sometimes emerge years or even decades after the event, nonprofits should ensure they are covered for activities that pre-date the policy—even to the point of the organization’s inception—and for services and areas of operation that have been discontinued. Likewise, nonprofits should make certain that their policies offer comprehensive defense coverage and that their organizations will not be financially crippled by attorney’s fees.

Cybersecurity Breaches

Human service organizations operate on the basis of trust; trust between themselves, their clients, their employees and volunteers, and their financial supporters. In today’s digital society, few issues can destroy trust faster than a major cybersecurity breach. A hacking incident or ransomware attack can put at risk the data of donors, clients, and the organization itself.

Sound cybersecurity includes dedicated technology and information protection services. It can also include cyber insurance, which can cover an organization’s liability for the loss of sensitive information such as Social Security numbers, credit card numbers and health records.

However, the foundation of cybersecurity is not in technology, but in people. Cybersecurity starts with training programs and internal policies that teach employees and volunteers how to handle internal passwords, safely use technology, and avoid risks such as ransomware and “phishing” (also known as social engineering) through e-mail, text message or even traditional mail. Since internal human resources and IT professionals often are not equipped to provide this type of training, human service organizations should seek out partners that can help develop and implement this essential programming.

Public relations crises that impact operations and fundraising

Nonprofits that have served clients and communities for decades can have their reputations tarnished overnight by controversies that capture the attention of the media. Although crises can hit any type of group or business, nonprofits are at extra risk due to their reliance on financial donors who can and will abandon an organization associated with scandal.

There’s no way to predict where these risks will arise. Past examples have included everything from relatively minor issues, such as mold in a campus dormitory, to major scandals related to misappropriation of funds or molestation and abuse charges.

Since it’s impossible to know in advance what will trigger these situations, the only way to protect the organization is to have plans and resources in place to react and manage a crisis as it unfolds. The first step in readying your organization is to create a crisis response plan that names the executives and employees that will manage the response, and provides contact information where they can be reached at any time. In the age of social media, organizations must be prepared to respond to crises immediately—seven days a week, day and night.

Finally, the organization should have at least some relationship with a public relations and/or crisis management firm that can step in to provide expertise and access to media relationships in the event of a crisis.

People’s United Bank: Partners in Risk Management

All the risks outlined above have one thing in common: Guarding against them requires expertise in specialized areas including insurance, law, technology, regulation and communications. Nonprofits without a dedicated risk manager on staff are unlikely to possess such a detailed level of knowledge across all these complex fields. As a result, organizations could be vulnerable to these and other threats, and less-than-fully prepared to manage crises when they do materialize.

People’s United Bank helps nonprofits in human services protect their organizations and their missions by acting as an extension of their internal risk management function. We help our clients understand risks, implement policies to avoid problems in the first place, ensure robust insurance coverage and develop plans to manage crises. Our bankers provide advice based on established best practices across the full range of disciplines required to manage risks, and also provide access to third-party experts that deliver critical risk-management capabilities.

© 2021 People's United Bank, N.A. | Member FDIC | Equal Housing Lender icon Equal Housing Lender