For an association, risk management is about making sure the organization is protected from occurrences that could prevent it from fulfilling its mission or cause financial hardship or loss in reputation. While it is staff’s job to determine exactly what those risks are, the board’s role is to make sure there are processes, protocols, policies, and internal controls in place to safeguard the assets of the association. After all, as fiduciaries for the association, the board is tasked with ensuring its long-term viability — and a key part of that is managing risk and anticipating the potential consequences of its decisions and actions. Nat Bartholomew, Principal in Charge, Associations and Membership Organizations, at CliftonLarsonAllen, says the board can help ensure the association is well-protected from risk by asking the right questions.
What are the risks?
To provide good oversight, boards need to know the types of risks the association is susceptible to. Risks generally fall into several different categories, explains Bartholomew. There are financial risks, which include risk to cash, investments, property, equipment, or other physical assets the association owns. The board, which oversees the association’s budget, has to make sure the organization is on sound financial footing. But it also must ensure that programs are all effectively serving members, and that the association’s mission and its biggest revenue generators, such as the annual meeting, are adequately protected.
There are also risks to the personal security of staff and volunteers, whether they are in the office, at a meeting, or traveling on behalf of the association. There are also risks to the association related to discrimination, harassment, ethics violations, conflicts of interest, or copyright or trademark violations, among others. Also, if staff morale is low, or membership numbers are dwindling, there are risks associated with staff, volunteer, and member retention.
In addition, there are risks from a natural disaster, emergency, or some other situation that threatens the day-to-day operation of the association or an off-site meeting or event. “If you’re in San Francisco and there's an earthquake; if you're in New Orleans and there's a flood; if you’re in Boston and there's a snowstorm — are you prepared?” said Bartholomew.
Further, there are risks to data, including membership information, intellectual property, and other important documents. At the same time, the association must follow data privacy regulations, such as GDPR, or they could be sued. “What would happen to your association’s good name if the credit card information for every member you had was compromised?” asked Bartholomew. That could lead to reputation risk — which might be negative media attention or a negative view of the association among members, partners, or the industry or community the association serves. That could certainly impact the future state of the organization.
These are just some of the most common types of risks, but certainly not all. For some associations, there could be the risk of new regulations that would hurt their constituency and create the need for costly lobbying or other advocacy. There could be the risk of being sued over something like an accreditation program if its standards are found to be negligent or faulty in some way. There are also risks in not complying with new state, federal, or local laws relating to the associations (e.g., tax reform, or the Affordable Care Act). There may also be risks to the association in not achieving its strategic objectives or keeping up with industry or demographic shifts. It’s imperative for boards to consult with management to make sure that all risks are identified.
Do we have the right protocols in place?
Once risks are identified, it’s necessary for boards to ensure that plans and processes are in place throughout the association to address them. For example, does the association have a business continuity plan in the event of an emergency? Are certain individuals trained in disaster preparedness? Does the association have a crisis management plan to protect attendees, staff, and vendors at meetings and other off-site functions? Does the association have a system or plan in place to protect data and handle cybersecurity? Is data adequately stored? Is it accessible to hackers and data breaches? What is the protocol if that information was lost or stolen?
Further, the board should examine if the association has a code of conduct or ethics policies in place for members, staff, and volunteers. Does the board have a conflict of interest policy? If the association faces media scrutiny, does the association have a communications or PR strategy? Are the association’s finances in good shape both now and into the future? Does the board regularly review the performance of the association’s programs to make sure they are meeting their strategic objectives? These are just some, but not all, of the areas that need to be reviewed.
Have we met our insurance needs?
Insurance is a big part of risk management. Most associations hold a variety of different policies, including general liability insurance, which protects the organization from slips and falls and other like scenarios. The organization should also have an automobile insurance policy for staff or volunteers when they use vehicles, even their own, for association business. Further, associations should consider both directors and officers insurance and professional liability insurance to cover volunteer leaders and staff, respectively, against lawsuits or workplace-related claims, like discrimination or sexual harassment. It’s also prudent to have a workers compensation insurance policy.
The board should also make sure the association has event cancellation insurance to protect large meetings in the event they need to be canceled due to storms, natural disasters, or other unforeseen forces. The board may even want to consider content liability insurance given that associations produce so much digital content. These are some of the more common types of insurance, and the board needs to determine if the association is adequately covered for the breadth of risks it faces.
Does the board have oversight processes in place?
The board should monitor and review the organization's risk management plans and processes regularly to make sure they are working effectively. Does the board have a process in place to provide that type of oversight? Is there a committee or task force assigned to oversee risk management and review processes? Is it something the board handles?
Also, the board should ask whether staff conducts periodic risk assessment or risk management analysis. “A risk management analysis will help the association identify where risks lie, prioritize them, and provide guidance on how to mitigate them,” explains Bartholomew. It may also reveal some risks that the association isn’t addressing. These assessments don’t have to be done every year, but they should be done regularly and reviewed by the board, Bartholomew adds. This, again, is the responsibility of management or the executive director, but it’s up to the board to make sure these oversight practices are in place.
The goal for any association should be to create a culture where risk management is routinely practiced by the board, staff, volunteers, members, and partners. That starts with effective board oversight and communicating the importance of risk management throughout the association. Ultimately, good risk management is essential for organizational growth. As billionaire investor Warren Buffett said, “Risk comes from not knowing what you’re doing.”