risk management best practices for...
TRANSCRIPT
Commercial & Personal Insurance ▪ Employee Benefits ▪ Retirement Plan Services ▪ Wealth Management
11311 McCormick Road ▪ Hunt Valley, MD 21031 ▪ www.psafinancial.com ▪ 410.821.7766
Risk Management
Best Practices for
Non-Profits
2
Welcome! Important Web Seminar Notes
• You may download a copy of today’s presentation under the Presentation Assets box on the left side of your screen.
• Following the presentation we’ll have a Q&A session. We encourage you to ask text questions throughout the presentation. Please type your inquiry into the “Ask A Question box” and click submit.
• If you should need any technical assistance during today’s event, please type your inquiry into the “Ask A Question” box on the left side of your screen.
• If you are disconnected from the webcast, you can log on again, using the login instructions provided to you.
• If you cannot log back on with these instructions, please call Technical Support at 866.271.7592.
3
To Receive CPE Credit
• Polling question:
- Click on appropriate radio button to answer the polling question
• Active participation:
- NASBA requires that we monitor your participation
- You must answer 75% of all polling questions offered per hour to get credit for that hour
• Half credits may be awarded after the first hour, as appropriate
- Your interactions will be tracked through the system
• For groups, the proctor’s polling answers will be tracked
- Your computer connection will be tracked through the system
• You must be connected at least 50 minutes to receive 1 credit
• Each 25 minutes after the first hour is worth ½ credit
4
To Receive Group CPE Credit
• Group participation:
- Groups should download the Group Sign-in sheet from the Presentation Assets box located on left side of the screen
- The group proctor must be the person logged into the streaming platform and must answer the CPE polling questions
- Group proctors should enter all participant information and sign off at the top of the group sign-in sheet
• Include actual time in and time out of all participants
• Verify active participation of all group members - Submit via email within 3 days
*Failure to follow this policy will result in NO CPE credit for everyone in the group
Commercial & Personal Insurance ▪ Employee Benefits ▪ Retirement Plan Services ▪ Wealth Management
11311 McCormick Road ▪ Hunt Valley, MD 21031 ▪ www.psafinancial.com ▪ 410.821.7766
Risk Management
Best Practices for
Non-Profits
6
Polling Question #1
Which best describes your organization type:
A. Professional/membership/trade association
B. Charitable organization
C.Social Services (e.g. United Way, Red Cross, Salvation Army, etc.)
D.Health care organization
E. Educational institution
F. Museum/cultural organization
G.Other
7
Today’s presenters
Jeffrey D. Wallop, CIC
Vice President
PSA Insurance & Financial Services
443.798.7379
Lisa Chanzit, FCAS, MAAA, ARM
Senior Actuarial Consultant
Risk & Regulatory Consulting, LLC
855.246.0815
8
Agenda
▪ How cyber liability is increasingly becoming
a threat
▪ The importance of utilizing effective
employee handbooks
▪ Why the need for directors and officers
liability protection
▪ Insuring against financial fraud
9
What is Cyber Liability?
Cyber Liability is the risk posed by conducting
business over the internet, over other networks
or using electronic storage technology.
Two types of breaches
▪ First Party
▪ Third Party
10
First Party VS Third Party
▪ First Party Cyber Liability – occurs when your own
information is breached or compromised.
▪ Third Party Cyber Liability – occurs when customer or
partner information your organization has promised to
keep safe is compromised.
▪ First Party Cyber Liabilities can threaten a company’s
competitiveness, but third party cyber liabilities can
ruin reputations, open the door to expensive law
suits and trigger statutory fines.
11
Breaches
▪ Who? Unauthorized Access by:
– Hackers
– Employees, Faculty, Students
– Outsourced and third party vendors
▪ What? What are they accessing?
– Laptops
– Computer networks/wireless networks
– PDAs/Cell Phones
– Paper Files
– Websites
12
Why do I need Cyber Liability?
▪ Cyber Liability exposures are excluded from a General
Liability Policy.
▪ Cyber Liability Policies cover the costs of theft,
destruction or unauthorized use of electronic data
through computer viruses and network intrusions.
13
Private Information
What are the exposures
▪ Credit card information
▪ Social Security numbers
▪ Patient health information, medical claims and records
▪ Date of birth information
▪ Customer user name and passwords
▪ Customer or employee contact information
▪ Financial records and account information
▪ Drivers’ license number
▪ Biometric information
Failure to protect private information from Cyber threats can result in losses to:
▪ Company reputation
▪ Financial loss
▪ Customer satisfaction
▪ Business opportunities
▪ Intellectual properties
▪ Possible litigation
14
How vulnerable is your business?
▪ 77% of employees leave their computers
unattended
▪ 65% of small businesses say their organizations
sensitive information is not encrypted
▪ 56% of employees frequently store sensitive data
on their laptop or mobile device
▪ 62% of small businesses don’t routinely back up
data
*TrendMicro & Ponemon Institute 2012
15
Potential Claims Expenses
▪ Expenses to notify affected parties
▪ Business income and extra expense
▪ Extortion payments
▪ Crisis management expenses
▪ Credit monitoring costs
▪ Negligence
▪ Invasion of customer’s right to privacy
▪ Defense and damages
▪ Media / intellectual property
16
Methods of Attack
▪ Denial of service
▪ Loss of critical infrastructure
▪ Theft of information
▪ Fraud
▪ Corruption of data
▪ Insider exploitation
17
Cyber Liability Risk Management
▪ Segregate and restrict access to sensitive data
▪ Establish user control password protection procedures
▪ Review security/access to network and server
▪ Encryption of private data on database, laptops, mobile
▪ Implement and maintain firewall
▪ Apply intrusion detection software systems
18
Vulnerability of a Not-Profit
▪ Financial constraints
▪ Type and number of records stored
19
Cloud Risk Considerations
▪ Who owns the data once it resides on the cloud?
▪ Does your cloud provider guarantee the security
and privacy of your data?
▪ Will you be alerted if there is a breach of your data
within the cloud?
▪ Will you have the right to investigate the breach?
▪ Who will be responsible for notifying your
customers of a breach incident?
20
Underwriting Issues
▪ Nature of business
▪ Revenues
▪ Total number of records at risk
▪ Types of records at risk
▪ Written policies and procedures
▪ Risk management procedures
▪ Security and protection
▪ Breach/claim history
21
The Employee Handbook
22
Purpose of Employee Handbooks
▪ Maintains uniformity in the application of policies
and procedures
▪ Legal compliance and protection
▪ Communicate company policies
▪ Useful resource and guideline for managers and
supervisors responsible for resolving employee
complaints
▪ Enhance the credibility of decisions based on
policies
23
Potential Downsides
▪ Guidance demonstrating entity’s failure to
comply with their own internal policies and
procedures
▪ Can reduce flexibility needed to handle issues
as they arise if the policies are not well drafted
▪ Poorly prepared handbooks can result in liability
24
Essential Handbook Policies
▪ Introduction Provisions/Disclaimer
▪ EEO Statement
▪ Sexual Harassment policy
▪ Non-Harassment policy
▪ Problem Solving Procedure
25
Components
Disclaimer
▪ The primary way to minimize the likelihood that a court
will find that handbook provisions amount to an implied
contract is to include an unambiguous prominent
disclaimer, on the first page of the handbook, stating
that the handbook or related documents do not create
any contractual rights, and that the employment
relationship is “At Will.”
▪ At-Will Statement: “Employer or employee may
terminate the employment relationship at any time,
without notice and for any reason.”
26
Components
EEO Statement
▪ Non-discrimination provisions
▪ Summary of protected categories
▪ Reasonable accommodation language
▪ Welcome employee participation in the interactive
process
27
Components
Anti-Harassment Policy
▪ Commitment
▪ Identification
▪ Complaint Procedure
▪ Investigative Procedure
▪ Anti-retaliation
▪ Helps employer avoid liability where employee
fails to utilize these channels
28
Components
Problem Solving Procedures
▪ Importance
▪ Define “Problem”
▪ Procedure
29
Components
Safe Harbor Policy
▪ Classifications of employees
▪ Addressing paycheck mistakes
▪ Exempt status protection
▪ Reporting procedures
30
5 Things That Should Never Appear in an Employee Handbook
▪ “Permanent”
▪ “We do not pay overtime”
▪ “The name of or reference to”
▪ “And after the third violation”
▪ “Confidentiality is assured”
31
5 Things That Should Never Appear in an Employee Handbook
“Permanent”
The word “permanent” appears in handbook to distinguish employees who have completed a probationary period.
However, the term should never appear in a handbook because it weakens the important doctrine of “at-will employment.”
The term “regular” is more appropriate.
“We do not pay overtime”
This phrase suggests a non-profit’s intent to violate the wage and hour laws. If a non-exempt employee works overtime he
or she must be paid premium pay.
“Reference to another organization”
It is surprising the number of organizations that copy another organization’s handbook and just substitute in their name.
Policies that are suitable for one non-profit may not be suitable for yours.
“And after the third violation”
Your handbook should not contain overtly prescriptive disciplinary measures. The best handbooks afford management
maximum discretion in determining the discipline that should apply in a given instance. Statements such as “violation of this
policy could result in discipline, up to and including termination” give management the ability to determine the appropriate
measures.
“Confidentiality is assured”
It is never appropriate to provide outright assurances of confidentiality when the nature of the matter may require that
person within the organization be informed of the allegations or status of an investigation. A more appropriate statement
may be “all complaints will be investigated promptly and as confidentiality as possible.”
32
Handbook Receipt
▪ Right to modify without notice
▪ Acknowledgement of receipt and obligation to
read, understand and adhere to policies and
procedures
▪ At-will status/employment contract disclaimer
33
Distributing Handbooks
▪ Provide employees with verbal summary of major
policies and/or change upon distribution
▪ Provide opportunity for employees to ask
questions and voice concerns freely
▪ Always require receipt of handbook be signed and
turned in promptly to managers of HR department
34
What to Say and How to Say It
▪ Be consistent with company culture
▪ Write clearly and concisely
▪ Avoid making promises
▪ Avoid “shall” and “will”
▪ Maximize flexibility using “may” and “usually”
▪ Eliminate reference to management procedures
▪ Comply with applicable local, state and federal
law
35
D&O Insurance
36
Respondents Reporting D & O Claims in the Past 10 Years
36%
64%
0%
10%
20%
30%
40%
50%
60%
70%
All Respondents Non Profit Respondents
Respondents Reporting D & O Claims in the Past 10 Years
Source: Towers Watson 2012 Directors and Officers Liability Survey
37
Polling Question #2
What is the most frequent type of D&O claim
faced by non-profit organizations?
A. Fiduciary
B. Donor
C. Employment Practices
D. Regulatory
E. Other
38
Types of D & O Claims in the Past 10 Years
0%
20%
40%
60%
80%
100%
Direct Investor Suit
Derivative Investor Suit
Employment Related
Regulatory Fiduciary Other
Types of D & O Claims in the Past 10 Years
All Respondents
Non Profit Respondents
Source: Towers Watson 2012 Directors and Officers Liability Survey
39
Why do Non-Profits need D&O Insurance?
▪ Exposures: Driven by what the organization does
▪ Personal Liability
▪ Duties of Directors (care, loyalty, obedience)
▪ Volunteer Protection
▪ Indemnification
▪ D&O insurance does not replace responsible
governance
40
Claims Overview
▪ Almost triple the number of non-profits reported having
a D&O claim in 2010 (35%) vs. 2008 (13%)
▪ 67% of claims filed under non-profits D&O policies were
EPLI related
▪ Significant % of all loss dollars are for defense costs as
opposed to damages/settlement
▪ 35% of non-profits have D&O claims – compared to
29% for publicly traded and 26% for privately held
▪ Claimants can be employees, volunteers, donors,
members, competitors, creditors, regulators,
governmental bodies, beneficiaries of service
41
Allegations?
▪ Breach of fiduciary duty
▪ Negligent supervision
▪ Mismanagement of assets
▪ Conflict of interest
▪ Misrepresentation
▪ Tortious interference
42
Who and what are covered?
Covers directors and officers plus…
▪ Employees, volunteers and committee members
▪ Full entity coverage
▪ Includes Employment Practices Liability Coverage
▪ Third party liability extension
43
Policy Overview
▪ Duty to defend
▪ Aggregate limit
▪ Defense costs either inside/outside limit
▪ Exclusions
44
Insuring Claims
▪ Clause 1 or Side A
– Covers insured persons for loss which they are
not indemnified for by their non-profit
▪ Clause 2 or Side B
– Covers loss for which the non-profit is lawfully
permitted or required to indemnify its insured
person
▪ Clause 3 or Entity Coverage
– Covers the non-profit itself
45
What constitutes a loss?
▪ Loss – covered damages, settlements and
defense costs
▪ Typically excludes, taxes, fines, penalties, costs to
comply with injunctive relief, amounts due under
breached contract
▪ Includes front pay, back pay, salary and benefits
components in employment context
46
What is a wrongful act?
A wrongful act means:
▪ Any error, misstatement, misleading statement,
act, omission, neglect, breach of duty or
committed, attempted or allegedly committed or
attempted by an insured person in his or her
insured capacity or by the organization, or
▪ Any other matter claimed against an insured
person solely by reason of his or her serving in an
insured capacity
47
What is a claim?
A claim means:
▪ A written demand for monetary damages or non-monetary relief
▪ A civil proceeding commenced by the service of a complaint or similar
pleading
▪ A criminal proceeding commenced by the return of an indictment, or
▪ A formal civil administrative or civil regulatory proceeding commenced
by the filing of a notice of charges or similar document, or by the entry
of a formal order of investigation or similar document
48
D&O
▪ Importance of reporting claims
▪ Timely reporting
▪ Who chooses counsel can be an issue
49
Endorsements to Consider
▪ Defense outside limit of liability
▪ Outside directorship
▪ Wage and hour
▪ Fiduciary
▪ HIPAA
50
51
Polling Question #3
Only larger nonprofit organizations need to be
concerned about the diversion of funds.
▪ True
▪ False
52
Significant Diversions of Nonprofits’ Assets Since 2008
0
50
100
150
200
250
300
350
400
450
Tax Year 2008 Tax Year 2009 Tax Year 2010 Tax Year 2011
Significant Diversions of Nonprofits' Assets by Tax Year
Source: Analysis of Form 990 Disclosures, as reported in the October 26, 2013 Washington Post
53
Significant Diversions of Nonprofits’ Assets by Organization Type
664
152
353
Significant Diversions of Nonprofits' Assets by Organization Type
Charitable Organizations
Educational Organizations
Other
Source: Analysis of Form 990 Disclosures, as reported in the October 26, 2013 Washington Post
54
Significant Diversions of Nonprofits’ Assets by Revenue
0
50
100
150
200
250
300
350
400
$0 or less $1-$250k $250k-$500k $500k-$1mill $1mill-$10mill $10mill +
Significant Diversions of Nonprofits' Assets by Revenue
Source: Analysis of Form 990 Disclosures, as reported in the October 26, 2013 Washington Post
55
What is fraud?
▪ Deceit, trickery or breach of confidence,
perpetrated for profit or to gain some unfair or
dishonest advantage
- Dictionary.com
▪ Occupational Fraud: The use of one’s
occupation for personal enrichment through the
deliberate misuse or misapplication of the
employing organization’s resources or assets - Association of Certified Fraud Examiners
56
Occupational Fraud Elements
▪ Effort to obscure from detection
▪ Violates perpetrator’s fiduciary duties to the
organization
▪ Committed to benefit perpetrator,
organization or both
▪ Costs victim organization assets, revenues
or resources
57
Fraud or Abuse?
▪ Stealing incoming or outgoing cash
▪ Stealing assets
▪ Padding an expense report
▪ Using the non-profit’s equipment for
personal reasons
▪ Using sick leave or personal leave
▪ Spending work hours on personal business
58
Fraud Stats and Facts: Non-Profits
▪ Median duration of fraud for non-profits – 24
months
▪ Lack of balance between funding for stated
mission of the organization and protection
of the organization’s assets
▪ Inordinate emphasis on ineffective controls
59
Fraud Stats and Facts
▪ Estimated to impact 7% of all organization revenues in
U.S. = $99 billion per year
▪ Median duration of fraud is 18-24 months
▪ Only 7% of perpetrators had prior convictions
▪ Fraud was most often committed by accounting staff
or upper management.
- Source: Association of Certified Fraud Examiners
60
Polling Question #4
What is the median cost of a fraud loss for a
nonprofit organization?
A. $58,000
B. $76,000
C. $109,000
D. $157,000
61
Median Losses
▪ Private companies - $278,000
▪ Public companies - $142,000
▪ Non-profits - $109,000
▪ Government Agencies - $100,000
62
Impact/Consequences
▪ Bad PR
▪ Loss of public trust
▪ Increased oversight/scrutiny
▪ Increase of operating costs
▪ Damaged employee morale
▪ Loss/theft of funds and assets
63
Fraud
Triangle
Opportunity
64
Leg 1
“Pressure”
▪ Living beyond one’s means
▪ Financial difficulties
▪ Medical/health issues
▪ Grief/loss
▪ Post-traumatic stress disorder symptoms
▪ Addictions to gambling, alcohol, drugs
▪ Marital/relationship conflicts
▪ Unachievable goals set by self/organization
▪ Societal expectations for status and desires
65
Leg 2
Rationalization
▪ Just “borrowing” and plan to give back
▪ Lack of adequate pay – includes volunteers
▪ Lack of career ladder
▪ Entitlement mentality
▪ Encouragement by “tone at the top”
66
Leg 3
Opportunity
▪ Ease of access to funds and assets
▪ Relaxed control environment
▪ Low emphasis on support functions
▪ Repetitive processes without review/revision
▪ Lack of fear of detection
67
Occupational Fraud
▪ Misappropriation of Assets
– 89% of occupational fraud cases
– Cash – larceny, skimming
– Inventory – misuse, larceny
▪ Corruption (27%) – bribes, conflicts of interest
▪ Fraudulent statements (10%) low frequency, high
severity
- Statistics from ACFE
Note: Total does not equal 100% since some fraud schemes reviewed comprised multiple
classifications
68
Common Fraud Schemes
Misappropriation of assets: incoming funds
▪ Checks and cash
▪ Donated property
▪ May occur prior or after transaction recording
Misappropriation of assets: outgoing funds
▪ Billing fraud
– Phony vendors
– Fraudulent payments (i.e. duplicate payments,
overpayments, check tampering, refunds)
– Conflict of interest/inappropriate vendor selection
▪ Travel and expense fraud
69
Prevention
▪ Code of conduct, ethics policy, fraud policy
▪ Documented policies and procedures for core functions
▪ Employee assistance programs
▪ Background checks for employees
▪ Protect proprietary and confidential information
▪ Fraud hotline
▪ Segregation of duties
– Record the transaction
– Authorize the transaction
– Custody of the transaction
– Execute the transaction
70
Prevention con’t
▪ Required vacation
▪ Rotate responsibilities and cross train
▪ Review key controls
▪ Trust but don’t over delegate
▪ Secure assets and document custody transfer
▪ Management review of financial statements
▪ Background checks – 67% of all resumes/applications contain material inaccuracies
– Periodically review position requirements and responsibilities to ensure continued relevance
– Reasonably verify disclosures ▪ Education
▪ Employment experience
▪ Professional references
▪ Credit background
▪ Criminal background
71
Prevention con’t
▪ Protect vendor and proprietary information (i.e. donors)
▪ Strong board participation and ask difficult questions
▪ Audit committee involvement and external audit assurance
▪ Fraud risk assessment
– Peer organization involvement
– Top down approach and participation
72
Polling Question #5
What is the most common way financial fraud
cases are discovered?
A. Internal Audit
B. External Audit
C. Employee tips
D. By accident
73
Sources of Fraud Detection
▪ Independent (external) audits
▪ Financial management or internal control
▪ Employee tips or complaints
▪ Accident – 19%
▪ Internal Audit – 19%
▪ Customer tip – 9%
▪ Vendor tip – 5%
74
Special Fraud Challenges for Non-profits
▪ Sympathetic thief
▪ Fear of publicity
▪ Resources
75
How do you protect the entity against fraud?
Commercial crime coverage
▪ Employee dishonesty coverage or Fidelity
Bonds
76
Q & A
• It is now time for our Q&A session.
• Click the “Ask a Question” button, type your
question in the open area and click “Ask
Question” to submit.
77
Thank you for attending!
Reminder to obtain CPE credit
▪ Individuals: No further action is required
▪ Proctors on behalf of a group:
– The group proctor should be the same individual who logged in to the web and
teleconference lines
– Submit the group sign-in form within 3 days (available by clicking on the
Presentation Assets section on the left side of your screen)
▪ 1.0 CPE credit hours will be issued to eligible participants within 60 days
▪ NASBA will not issue credit if all criteria is not met, without exceptions
Follow-up materials
▪ The presentation slides and a link to the call recording will be sent to all
participants within a few days of the webinar
78
Today’s presenters
Jeffrey D. Wallop, CIC
Vice President
PSA Insurance & Financial Services
443.798.7379
Lisa Chanzit, FCAS, MAAA, ARM
Senior Actuarial Consultant
Risk & Regulatory Consulting, LLC
855.246.0815
79
PSA Insurance & Financial Services
Washington, DC Metro Office
2275 Research Blvd., Suite 500
Rockville, MD 20850
Baltimore Office
11311 McCormick Road
Hunt Valley, MD 21031
Jeffrey D. Wallop, CIC
Vice President
443.798.7379