Risk Management Best Practices for Non-Profits

Commercial & Personal Insurance ▪ Employee Benefits ▪ Retirement Plan Services ▪ Wealth Management
Risk Management
Best Practices for
Non-Profits
11311 McCormick Road ▪ Hunt Valley, MD 21031 ▪ www.psafinancial.com ▪ 410.821.7766
Welcome! Important Web Seminar Notes
• You may download a copy of today’s presentation under the Presentation Assets box on the left side of your screen.
• Following the presentation we’ll have a Q&A session. We encourage you to ask text questions throughout the presentation. Please type your inquiry into the “Ask A Question” box and click submit.
• If you should need any technical assistance during today’s event, please type your inquiry into the “Ask A Question” box on the left side of your screen.
• If you are disconnected from the webcast, you can log on again, using the login instructions provided to you.
• If you cannot log back on with these instructions, please call Technical Support at 866.271.7592.
To Receive CPE Credit
• Polling question:
- Click on appropriate radio button to answer the polling
question
• Active participation:
- NASBA requires that we monitor your participation
- You must answer 75% of all polling questions offered per hour
to get credit for that hour
• Half credits may be awarded after the first hour, as appropriate
- Your interactions will be tracked through the system
• For groups, the proctor’s polling answers will be tracked
- Your computer connection will be tracked through the system
• You must be connected at least 50 minutes to receive 1 credit
• Each 25 minutes after the first hour is worth ½ credit
To Receive Group CPE Credit
• Group participation:
- Groups should download the Group Sign-in sheet from the
Presentation Assets box located on left side of the screen
- The group proctor must be the person logged into the streaming
platform and must answer the CPE polling questions
- Group proctors should enter all participant information and sign off
at the top of the group sign-in sheet
• Include actual time in and time out of all
participants
• Verify active participation of all group members
- Submit via email within 3 days
*Failure to follow this policy will result in NO CPE credit for everyone in the group
Polling Question #1
Which best describes your organization type:
A. Professional/membership/trade association
B. Charitable organization
C. Social Services (e.g. United Way, Red Cross, Salvation Army, etc.)
D. Health care organization
E. Educational institution
F. Museum/cultural organization
G. Other
Today’s presenters
Jeffrey D. Wallop, CIC
Vice President
PSA Insurance & Financial Services
[email protected]
443.798.7379
Lisa Chanzit, FCAS, MAAA, ARM
Senior Actuarial Consultant
Risk & Regulatory Consulting, LLC
[email protected]
855.246.0815
Agenda
▪ How cyber liability is increasingly becoming
a threat
▪ The importance of utilizing effective
employee handbooks
▪ Why directors and officers liability protection is needed
▪ Insuring against financial fraud
What is Cyber Liability?
Cyber Liability is the risk posed by conducting
business over the internet, over other networks
or using electronic storage technology.
Two types of breaches
▪ First Party
▪ Third Party
First Party vs. Third Party
▪ First Party Cyber Liability – occurs when your own information is breached or compromised.
▪ Third Party Cyber Liability – occurs when customer or partner information your organization has promised to keep safe is compromised.
▪ First Party Cyber Liabilities can threaten a company’s competitiveness, but third party cyber liabilities can ruin reputations, open the door to expensive lawsuits and trigger statutory fines.
Breaches
▪ Who? Unauthorized Access by:
– Hackers
– Employees, Faculty, Students
– Outsourced and third party vendors
▪ What? What are they accessing?
– Laptops
– Computer networks/wireless networks
– PDAs/Cell Phones
– Paper Files
– Websites
Why do I need Cyber Liability?
▪ Cyber Liability exposures are excluded from a General
Liability Policy.
▪ Cyber Liability Policies cover the costs of theft,
destruction or unauthorized use of electronic data
through computer viruses and network intrusions.
Private Information
What are the exposures?
▪ Credit card information
▪ Social Security numbers
▪ Patient health information, medical claims and records
▪ Date of birth information
▪ Customer user names and passwords
▪ Customer or employee contact information
▪ Financial records and account information
▪ Drivers’ license numbers
▪ Biometric information
Failure to protect private information from Cyber threats can result in losses to:
▪ Company reputation
▪ Financial loss
▪ Customer satisfaction
▪ Business opportunities
▪ Intellectual properties
▪ Possible litigation
How vulnerable is your business?
▪ 77% of employees leave their computers unattended
▪ 65% of small businesses say their organization’s sensitive information is not encrypted
▪ 56% of employees frequently store sensitive data on their laptop or mobile device
▪ 62% of small businesses don’t routinely back up data
*TrendMicro & Ponemon Institute 2012
Potential Claims Expenses
▪ Expenses to notify affected parties
▪ Business income and extra expense
▪ Extortion payments
▪ Crisis management expenses
▪ Credit monitoring costs
▪ Negligence
▪ Invasion of customer’s right to privacy
▪ Defense and damages
▪ Media / intellectual property
Methods of Attack
▪ Denial of service
▪ Loss of critical infrastructure
▪ Theft of information
▪ Fraud
▪ Corruption of data
▪ Insider exploitation
Cyber Liability Risk Management
▪ Segregate and restrict access to sensitive data
▪ Establish user access control and password protection procedures
▪ Review security of and access to the network and servers
▪ Encrypt private data on databases, laptops and mobile devices
▪ Implement and maintain a firewall
▪ Deploy intrusion detection systems
Vulnerability of a Non-Profit
▪ Financial constraints
▪ Type and number of records stored
Cloud Risk Considerations
▪ Who owns the data once it resides on the cloud?
▪ Does your cloud provider guarantee the security
and privacy of your data?
▪ Will you be alerted if there is a breach of your data
within the cloud?
▪ Will you have the right to investigate the breach?
▪ Who will be responsible for notifying your
customers of a breach incident?
Underwriting Issues
▪ Nature of business
▪ Revenues
▪ Total number of records at risk
▪ Types of records at risk
▪ Written policies and procedures
▪ Risk management procedures
▪ Security and protection
▪ Breach/claim history
The Employee Handbook
Purpose of Employee Handbooks
▪ Maintains uniformity in the application of policies
and procedures
▪ Legal compliance and protection
▪ Communicate company policies
▪ Useful resource and guideline for managers and
supervisors responsible for resolving employee
complaints
▪ Enhance the credibility of decisions based on
policies
Potential Downsides
▪ Guidance demonstrating entity’s failure to
comply with their own internal policies and
procedures
▪ Can reduce flexibility needed to handle issues
as they arise if the policies are not well drafted
▪ Poorly prepared handbooks can result in liability
Essential Handbook Policies
▪ Introduction Provisions/Disclaimer
▪ EEO Statement
▪ Sexual Harassment policy
▪ Non-Harassment policy
▪ Problem Solving Procedure
Components
Disclaimer
▪ The primary way to minimize the likelihood that a court
will find that handbook provisions amount to an implied
contract is to include an unambiguous prominent
disclaimer, on the first page of the handbook, stating
that the handbook or related documents do not create
any contractual rights, and that the employment
relationship is “At Will.”
▪ At-Will Statement: “Employer or employee may
terminate the employment relationship at any time,
without notice and for any reason.”
Components
EEO Statement
▪ Non-discrimination provisions
▪ Summary of protected categories
▪ Reasonable accommodation language
▪ Welcome employee participation in the interactive
process
Components
Anti-Harassment Policy
▪ Commitment
▪ Identification
▪ Complaint Procedure
▪ Investigative Procedure
▪ Anti-retaliation
▪ Helps employer avoid liability where employee
fails to utilize these channels
Components
Problem Solving Procedures
▪ Importance
▪ Define “Problem”
▪ Procedure
Components
Safe Harbor Policy
▪ Classifications of employees
▪ Addressing paycheck mistakes
▪ Exempt status protection
▪ Reporting procedures
5 Things That Should Never Appear
in an Employee Handbook
▪ “Permanent”
▪ “We do not pay overtime”
▪ “The name of or reference to”
▪ “And after the third violation”
▪ “Confidentiality is assured”
5 Things That Should Never Appear
in an Employee Handbook
“Permanent”
The word “permanent” appears in handbooks to distinguish employees who have completed a probationary period. However, the term should never appear in a handbook because it weakens the important doctrine of “at-will employment.” The term “regular” is more appropriate.
“We do not pay overtime”
This phrase suggests a non-profit’s intent to violate the wage and hour laws. If a non-exempt employee works overtime he or she must be paid premium pay.
“Reference to another organization”
It is surprising the number of organizations that copy another organization’s handbook and just substitute in their name. Policies that are suitable for one non-profit may not be suitable for yours.
“And after the third violation”
Your handbook should not contain overtly prescriptive disciplinary measures. The best handbooks afford management maximum discretion in determining the discipline that should apply in a given instance. Statements such as “violation of this policy could result in discipline, up to and including termination” give management the ability to determine the appropriate measures.
“Confidentiality is assured”
It is never appropriate to provide outright assurances of confidentiality when the nature of the matter may require that persons within the organization be informed of the allegations or status of an investigation. A more appropriate statement may be “all complaints will be investigated promptly and as confidentially as possible.”
Handbook Receipt
▪ Right to modify without notice
▪ Acknowledgement of receipt and obligation to
read, understand and adhere to policies and
procedures
▪ At-will status/employment contract disclaimer
Distributing Handbooks
▪ Provide employees with a verbal summary of major policies and/or changes upon distribution
▪ Provide an opportunity for employees to ask questions and voice concerns freely
▪ Always require that receipt of the handbook be signed and turned in promptly to managers or the HR department
What to Say and How to Say It
▪ Be consistent with company culture
▪ Write clearly and concisely
▪ Avoid making promises
▪ Avoid “shall” and “will”
▪ Maximize flexibility using “may” and “usually”
▪ Eliminate reference to management procedures
▪ Comply with applicable local, state and federal
law
D&O Insurance
Respondents Reporting D & O Claims in the Past 10 Years
Chart: bar chart comparing All Respondents with Non Profit Respondents; the two bars read 36% and 64%.
Source: Towers Watson 2012 Directors and Officers Liability Survey
Polling Question #2
What is the most frequent type of D&O claim
faced by non-profit organizations?
A. Fiduciary
B. Donor
C. Employment Practices
D. Regulatory
E. Other
Types of D & O Claims in the Past 10 Years
Chart: bar chart comparing All Respondents with Non Profit Respondents by claim type: Direct Investor Suit, Derivative Investor Suit, Employment Related, Regulatory, Fiduciary, Other (percentage axis 0%–100%; bar values not recoverable from the slide text).
Source: Towers Watson 2012 Directors and Officers Liability Survey
Why do Non-Profits need D&O Insurance?
▪ Exposures: Driven by what the organization does
▪ Personal Liability
▪ Duties of Directors (care, loyalty, obedience)
▪ Volunteer Protection
▪ Indemnification
▪ D&O insurance does not replace responsible
governance
Claims Overview
▪ Almost triple the number of non-profits reported having a D&O claim in 2010 (35%) vs. 2008 (13%)
▪ 67% of claims filed under non-profits’ D&O policies were EPLI related
▪ A significant % of all loss dollars are for defense costs as opposed to damages/settlement
▪ 35% of non-profits have D&O claims – compared to 29% for publicly traded and 26% for privately held
▪ Claimants can be employees, volunteers, donors, members, competitors, creditors, regulators, governmental bodies, beneficiaries of service
Allegations?
▪ Breach of fiduciary duty
▪ Negligent supervision
▪ Mismanagement of assets
▪ Conflict of interest
▪ Misrepresentation
▪ Tortious interference
Who and what are covered?
Covers directors and officers plus…
▪ Employees, volunteers and committee members
▪ Full entity coverage
▪ Includes Employment Practices Liability Coverage
▪ Third party liability extension
Policy Overview
▪ Duty to defend
▪ Aggregate limit
▪ Defense costs either inside/outside limit
▪ Exclusions
Insuring Claims
▪ Clause 1 or Side A
– Covers insured persons for loss which they are
not indemnified for by their non-profit
▪ Clause 2 or Side B
– Covers loss for which the non-profit is lawfully
permitted or required to indemnify its insured
person
▪ Clause 3 or Entity Coverage
– Covers the non-profit itself
What constitutes a loss?
▪ Loss – covered damages, settlements and defense costs
▪ Typically excludes taxes, fines, penalties, costs to comply with injunctive relief and amounts due under a breached contract
▪ Includes front pay, back pay, salary and benefits components in the employment context
What is a wrongful act?
A wrongful act means:
▪ Any error, misstatement, misleading statement, act, omission, neglect or breach of duty committed, attempted or allegedly committed or attempted by an insured person in his or her insured capacity or by the organization, or
▪ Any other matter claimed against an insured person solely by reason of his or her serving in an insured capacity
What is a claim?
A claim means:
▪ A written demand for monetary damages or non-monetary relief
▪ A civil proceeding commenced by the service of a complaint or similar pleading
▪ A criminal proceeding commenced by the return of an indictment, or
▪ A formal civil administrative or civil regulatory proceeding commenced by the filing of a notice of charges or similar document, or by the entry of a formal order of investigation or similar document
D&O
▪ Importance of reporting claims
▪ Timely reporting
▪ Who chooses counsel can be an issue
Endorsements to Consider
▪ Defense outside limit of liability
▪ Outside directorship
▪ Wage and hour
▪ Fiduciary
▪ HIPAA
Polling Question #3
Only larger nonprofit organizations need to be
concerned about the diversion of funds.
▪ True
▪ False
Significant Diversions of Nonprofits’ Assets Since 2008
Chart: bar chart of the number of significant diversions of nonprofits’ assets by tax year (Tax Years 2008, 2009, 2010 and 2011; count axis 0–450).
Source: Analysis of Form 990 Disclosures, as reported in the October 26, 2013 Washington Post
Significant Diversions of Nonprofits’ Assets by Organization Type
Chart: pie chart of significant diversions by organization type (Charitable Organizations, Educational Organizations, Other); the segment counts shown are 664, 353 and 152.
Source: Analysis of Form 990 Disclosures, as reported in the October 26, 2013 Washington Post
Significant Diversions of Nonprofits’ Assets by Revenue
Chart: bar chart of the number of significant diversions by organization revenue band ($0 or less, $1–$250k, $250k–$500k, $500k–$1mill, $1mill–$10mill, $10mill+; count axis 0–400).
Source: Analysis of Form 990 Disclosures, as reported in the October 26, 2013 Washington Post
What is fraud?
▪ Deceit, trickery or breach of confidence,
perpetrated for profit or to gain some unfair or
dishonest advantage
- Dictionary.com
▪ Occupational Fraud: The use of one’s
occupation for personal enrichment through the
deliberate misuse or misapplication of the
employing organization’s resources or assets
- Association of Certified Fraud Examiners
Occupational Fraud Elements
▪ Effort to obscure from detection
▪ Violates perpetrator’s fiduciary duties to the
organization
▪ Committed to benefit perpetrator,
organization or both
▪ Costs victim organization assets, revenues
or resources
Fraud or Abuse?
▪ Stealing incoming or outgoing cash
▪ Stealing assets
▪ Padding an expense report
▪ Using the non-profit’s equipment for
personal reasons
▪ Using sick leave or personal leave
▪ Spending work hours on personal business
Fraud Stats and Facts: Non-Profits
▪ Median duration of fraud for non-profits – 24
months
▪ Lack of balance between funding for stated
mission of the organization and protection
of the organization’s assets
▪ Inordinate emphasis on ineffective controls
Fraud Stats and Facts
▪ Estimated to impact 7% of all organization revenues in
U.S. = $99 billion per year
▪ Median duration of fraud is 18-24 months
▪ Only 7% of perpetrators had prior convictions
▪ Fraud was most often committed by accounting staff
or upper management.
- Source: Association of Certified Fraud Examiners
Polling Question #4
What is the median cost of a fraud loss for a
nonprofit organization?
A. $58,000
B. $76,000
C. $109,000
D. $157,000
Median Losses
▪ Private companies - $278,000
▪ Public companies - $142,000
▪ Non-profits - $109,000
▪ Government Agencies - $100,000
Impact/Consequences
▪ Bad PR
▪ Loss of public trust
▪ Increased oversight/scrutiny
▪ Increased operating costs
▪ Damaged employee morale
▪ Loss/theft of funds and assets
Fraud Triangle
Diagram: the three legs of the fraud triangle (Pressure, Rationalization, Opportunity), each covered on the following slides.
Leg 1
“Pressure”
▪ Living beyond one’s means
▪ Financial difficulties
▪ Medical/health issues
▪ Grief/loss
▪ Post-traumatic stress disorder symptoms
▪ Addictions to gambling, alcohol, drugs
▪ Marital/relationship conflicts
▪ Unachievable goals set by self/organization
▪ Societal expectations for status and desires
Leg 2
Rationalization
▪ Just “borrowing” and plan to give back
▪ Lack of adequate pay – includes volunteers
▪ Lack of career ladder
▪ Entitlement mentality
▪ Encouragement by “tone at the top”
Leg 3
Opportunity
▪ Ease of access to funds and assets
▪ Relaxed control environment
▪ Low emphasis on support functions
▪ Repetitive processes without review/revision
▪ Lack of fear of detection
Occupational Fraud
▪ Misappropriation of Assets
– 89% of occupational fraud cases
– Cash – larceny, skimming
– Inventory – misuse, larceny
▪ Corruption (27%) – bribes, conflicts of interest
▪ Fraudulent statements (10%) – low frequency, high severity
- Statistics from ACFE
Note: Total does not equal 100% since some fraud schemes reviewed comprised multiple classifications
Common Fraud Schemes
Misappropriation of assets: incoming funds
▪ Checks and cash
▪ Donated property
▪ May occur prior to or after transaction recording
Misappropriation of assets: outgoing funds
▪ Billing fraud
– Phony vendors
– Fraudulent payments (e.g. duplicate payments, overpayments, check tampering, refunds)
– Conflict of interest/inappropriate vendor selection
▪ Travel and expense fraud
Prevention
▪ Code of conduct, ethics policy, fraud policy
▪ Documented policies and procedures for core functions
▪ Employee assistance programs
▪ Background checks for employees
▪ Protect proprietary and confidential information
▪ Fraud hotline
▪ Segregation of duties
– Record the transaction
– Authorize the transaction
– Custody of the transaction
– Execute the transaction
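The four duties listed under Segregation of duties can be checked mechanically against the role assignments exported from an accounting or ERP system. The following Python script is an added example and is not part of the presentation: it takes a constructed list of (user, process, duty) grants, reports every person who holds two of the four duties within the same process, and tells whether a given process is fully segregated across four different people. The user names, process names and grants are made up for illustration.

```python
from collections import defaultdict
from itertools import combinations

# The four duties the slide lists for a financial transaction.
DUTIES = ("record", "authorize", "custody", "execute")

# Constructed sample role export: (user, process, duty). Not real data.
SAMPLE_GRANTS = [
    ("alice",   "accounts_payable", "record"),
    ("alice",   "accounts_payable", "authorize"),  # one person records and approves
    ("bob",     "accounts_payable", "custody"),
    ("bob",     "accounts_payable", "execute"),    # one person holds and moves the funds
    ("carol",   "payroll",          "record"),
    ("dave",    "payroll",          "authorize"),
    ("erin",    "payroll",          "custody"),
    ("frank",   "payroll",          "execute"),
    ("mallory", "donations",        "record"),
    ("mallory", "donations",        "authorize"),
    ("mallory", "donations",        "custody"),    # three of the four duties in one person
]


def duties_by_user(grants):
    """Group the duties each user holds, per process."""
    held = defaultdict(set)
    for user, process, duty in grants:
        if duty not in DUTIES:
            raise ValueError(f"unknown duty {duty!r} for {user} in {process}")
        held[(user, process)].add(duty)
    return held


def find_sod_conflicts(grants):
    """Return a sorted list of (user, process, (duty_a, duty_b)) for every pair of
    the four duties that the same person holds within the same process."""
    conflicts = []
    for (user, process), duties in duties_by_user(grants).items():
        # Order duties as the slide lists them so pairs are reported consistently.
        for a, b in combinations(sorted(duties, key=DUTIES.index), 2):
            conflicts.append((user, process, (a, b)))
    return sorted(conflicts)


def fully_segregated(grants, process):
    """True when every one of the four duties for `process` is staffed and no user
    appears under more than one duty."""
    holders = {duty: set() for duty in DUTIES}
    for user, proc, duty in grants:
        if proc == process:
            holders[duty].add(user)
    groups = [holders[duty] for duty in DUTIES]
    if any(not group for group in groups):
        return False  # an unstaffed duty is not segregation, it is a gap
    everyone = [user for group in groups for user in group]
    return len(everyone) == len(set(everyone))


if __name__ == "__main__":
    for user, process, (a, b) in find_sod_conflicts(SAMPLE_GRANTS):
        print(f"{process}: {user} holds both '{a}' and '{b}'")
    for process in ("accounts_payable", "payroll", "donations"):
        status = "segregated" if fully_segregated(SAMPLE_GRANTS, process) else "NOT segregated"
        print(f"{process}: {status}")
```

Run against the sample, the script flags alice and bob in accounts payable and all three pairings for mallory in donations, reports payroll as the only fully segregated process, and treats donations as not segregated because nobody holds the execute duty at all. In practice the grants list would be loaded from the system's role export and the check run on a schedule, with any new conflict routed to whoever owns the control review.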
Prevention cont’d
▪ Required vacation
▪ Rotate responsibilities and cross train
▪ Review key controls
▪ Trust but don’t over delegate
▪ Secure assets and document custody transfer
▪ Management review of financial statements
▪ Background checks
– 67% of all resumes/applications contain material inaccuracies
– Periodically review position requirements and responsibilities to ensure continued relevance
– Reasonably verify disclosures:
▪ Education
▪ Employment experience
▪ Professional references
▪ Credit background
▪ Criminal background
Prevention cont’d
▪ Protect vendor and proprietary information (e.g. donors)
▪ Strong board participation; ask difficult questions
▪ Audit committee involvement and external audit assurance
▪ Fraud risk assessment
– Peer organization involvement
– Top down approach and participation
Polling Question #5
What is the most common way financial fraud
cases are discovered?
A. Internal Audit
B. External Audit
C. Employee tips
D. By accident
Sources of Fraud Detection
▪ Independent (external) audits
▪ Financial management or internal control
▪ Employee tips or complaints
▪ Accident – 19%
▪ Internal Audit – 19%
▪ Customer tip – 9%
▪ Vendor tip – 5%
Special Fraud Challenges for Non-profits
▪ Sympathetic thief
▪ Fear of publicity
▪ Resources
How do you protect the entity against fraud?
Commercial crime coverage
▪ Employee dishonesty coverage or Fidelity
Bonds
Q&A
• It is now time for our Q&A session.
• Click the “Ask a Question” button, type your
question in the open area and click “Ask
Question” to submit.
Thank you for attending!
Reminder to obtain CPE credit
▪ Individuals: No further action is required
▪ Proctors on behalf of a group:
– The group proctor should be the same individual who logged in to the web and
teleconference lines
– Submit the group sign-in form within 3 days (available by clicking on the
Presentation Assets section on the left side of your screen)
▪ 1.0 CPE credit hours will be issued to eligible participants within 60 days
▪ NASBA will not issue credit if all criteria are not met, without exceptions
Follow-up materials
▪ The presentation slides and a link to the call recording will be sent to all
participants within a few days of the webinar
PSA Insurance & Financial Services
Jeffrey D. Wallop, CIC
Vice President
[email protected]
443.798.7379
Baltimore Office
11311 McCormick Road
Hunt Valley, MD 21031
Washington, DC Metro Office
2275 Research Blvd., Suite 500
Rockville, MD 20850