Risk management is any procedure or practice that nonprofit and charitable organizations use to reduce exposure to liability. Managers at nonprofit and
charitable organizations may not think they have enough time to develop organizational and structural policies that protect the organization from exposure to financial liabilities. But developing and implementing good policies and procedures can minimize the risk faced by boards of directors, staff, and volunteers.
Although they will not entirely eliminate the risk of financial liability, risk management procedures can reduce the exposure to an acceptable level.
Few agencies have the reserves or funds necessary for complete self- insurance of their exposures. Purchasing insurance, however, is not synonymous with risk management. In the nonprofit sector, practicing risk management is living the commitment to prevent harm. In addition,
risk management addresses many risks that are not insurable – such as the
potential loss of tax exempt status, public goodwill, and continuing donor support. (Alliance for Nonprofit Management).
During 2004, the Prince Albert & District Chamber of Commerce conducted research to find out what strategies nonprofit and charitable organizations
use to minimize and deal with risk. The Knowledge Development Centre at Imagine Canada funded the research project. A total of 81 nonprofit and charitable organizations from across Canada responded to our survey. This
planning guide is based on the responses to our survey and is supported by information that we gathered through a review of existing literature.
We have included a section of promising practices that we think will be helpful to nonprofit and charitable organizations. We hope that this planning guide will enable managers and board volunteers to better understand the importance of risk management and to learn how easy and inexpensive it is to implement risk management policies and procedures.
The Importance of Risk Management Nonprofit and charitable organizations have traditionally engaged in basic risk management.
These practices include obtaining insurance coverage for volunteers; screening volunteers to protect clients from harm; developing board orientation and training materials; developing strong employment practices; and implementing policies and procedures that protect
Research Objectives and Methodology
The issue of liability changed because of two rulings by the Supreme Court of Canada in 1999 (Jordan, 1999): Children’s Foundation v. Bazley
(also known as Bazley v. Curry) and Boys’ and Girls’ Club of Vernon (also known as Jacobi v. Griffiths). In both cases, the Supreme Court of Canada
imposed vicarious liability on nonprofit and charitable organizations. Vicarious liability means that a person or organization is liable for another person’s actions, even though they are not directly responsible for the
These cases were landmark decisions for the nonprofit and charitable sector in Canada. For the first time, organizations could be responsible for
what their employees or volunteers did, even if the organization did not do anything wrong. As a result of the rulings, “insurance companies are raising rates to unaffordable levels when there is no due diligence program in place, excluding many programs and services from coverage and disqualifying a wide range of organizations from any coverage” according
to the Voluntary Sector Initiative’s 2003 Pre-Budget Submission to the House of Commons Committee of Finance (Voluntary Sector initiative, Objectives
The purpose of our study was to find out how much nonprofit and haritable organizations understand about risk management and to learn about the
strategies, programs, and procedures that Canadian nonprofits and charitable organizations are using to manage risk.
Specifically, our objectives were:
1. To identify strategies that Canadian nonprofit and
charitable organizations use to minimize risk and
to highlight some of the most commonly used
2. To identify which strategies most effectively
reduce the levels of risk.
3. To demonstrate how these strategies can be
implemented in a cost-effective manner.
Our research consisted of three stages:
1. a review of existing literature on risk management
in both the for-profit and nonprofit sectors;
2. a survey of nonprofit organizations about their
risk management practices; and
3. an analysis and report of our findings.
Our survey was a self-administered questionnaire that included both open and closed questions.2 We sent our survey to Canadian Chambers of Commerce and nonprofit and charitable organizations in their communities.
We distributed the survey to 298 nonprofit and charitable organizations across Canada including 55 Chambers of Commerce, 11 service clubs/ organizations, 10 non-government organizations,
3 Friendship Centres and 2 nonprofit business/ development corporations. The final sample includes respondents from all provinces and a wide range of nonprofit and charitable organizations that perform a variety of functions.
We began by sending an introductory letter that explained the research project along with our survey. If an organization did not return the survey within the specified time, we contacted them again by telephone, fax, or email. The researchers hoped that 50% of the respondents would complete the survey; however, we received 81 completed surveys, which meant a response rate of 27%. When we followed up, the people who did not
respond indicated that they did not have time. We sent the survey to the director or managers of the organizations and concluded that we may not have had the response rate we hoped for because of the high workload of people in these positions.
In our survey, we asked what risk management activities an organization used and what other activities were part of their risk management plans.
The following section provides a summary of the research findings. It is organized by the questions in the survey. How many people are involved in your organization? On average, 192 people were involved in the organizations we surveyed, not including Board and committee members or volunteers for projects or events. The average Board had 15 members. On
average,3 organizations had 51 volunteers on committees. Many organizations (42%) said that not as many people were volunteering as in the past.
Most of the respondents said that volunteers were less involved because they did not have time. What does risk management mean? Many organizations (46%) said that risk management meant having a good management plan or process to handle risk or liability. Others said it meant reducing financial liability, ensuring that the organization had insurance, and making sure the members and clients of the organization are safe and secure.
How did you learn about risk management?
Most organizations learned about risk management from knowledgeable staff and from the historical records of their organization. More than half of the respondents (56%) said they believed that their directors, officers, and volunteers understood the concept of risk management.
Components of Risk Management
This section includes more information about financial management, board governance and management, volunteer management, and insurance. The information is taken from a range of published sources and complements ur findings. We have started the section by identifying common areas of
exposure to financial risk. Common Areas of Exposure to Financial Risk
There are seven key areas where nonprofit and charitable organizations are exposed to risk: fraud, misuse of funds, tax liabilities, potential loss of
nonprofit or charitable status, investments, fundraising activities, and the loss of physical assets.4 The best way to control risk in these areas is to develop and use effective internal controls. Management has a major role to play in controlling risk. We will talk more about management controls in the Board governance and planning section.
There are many ways to defraud an organization.People inside or outside an organization can commit fraud or steal an organization’s assets or resources. An employee can embezzle funds, steal office supplies or merchandise, increase their expense accounts, or create a fictitious company and bill the organization for services they did not perform. An
outsider can sell fake merchandise, overcharge the organization for materials or services, or persuade the organization to make bad investments. Organizations have also discovered other groups
using their name and logo to raise money. If you find that someone is using your name you must act immediately to protect your organization. If nother
group uses your name and logo to stage a fundraising event, you could be liable for any injuries at that event.
One way to protect your logo is to register it as a trademark. This gives your organization the exclusive right to use the logo in Canada. However,
Offices do not monitor or enforce how trademarks are used. It’s your responsibility to start professional or legal action if someone uses your logo. A registered trademark is legal evidence that you own the logo.
Registering a trademark can also be preventive. If you own a trademark, there is less risk that another organization will claim to own it and challenge your right to use the mark (Carter, 2004).
2. Misuse of funds
Nonprofit and charitable organizations are usually told exactly how they can use the gifts or money they receive. If the organization uses money for
something else, this is a misuse of funds. The funder could withdraw the money, ask for the money back, or refuse to give any support in future. Organizations that misuse funds could face legal action or lose their
tax-exempt status. The Charities Act and the Income Tax Act of Canada
outline how to protect your organization from misuse of funds.
3. Tax liabilities
Although they are tax exempt, nonprofit and charitable organizations are required to pay many taxes. Organizations are at risk if they do not follow
tax regulations. The Canada Corporations Act Part II focuses on nonprofit and charitable organizations and states the requirements for organizations in Canada.6 All employers must submit payroll deductions. Nonprofit
and charitable organizations are no exception. They must submit Canada Pension, Employment Insurance premiums, and federal income taxes
withheld from employees’ pay. Failure to do so can result in fines. All directors should request regular reports on the status of payroll deductions and remittance. The Income Tax Act requires that directors ensure the organization takes these deductions from employee pay cheques. The Act also releases directors from personal liability if they have done
everything a prudent person can be expected to do to ensure individuals’ taxes are paid. It is unlikely that a nonprofit and charitable organization would have sales tax or GST liabilities. But, as organizations search for creative ways to raise funds, sales can become more important. Your
organization may be required to pay sales tax if you sell merchandise.
4. Noncompliance to charitable regulations
Registered charities can lose their tax-exempt status if they take on activities that are not related to their charitable purpose, or if they spend their money incorrectly. Registered charities must file an annual
information return with the Canada Revenue Agency. If registered charities do not follow these requirements, they risk losing charitable status.
5. Investment exposure
Every organization has different types and sizes of investments. Smaller organizations may only have cash on hand while larger institutions such as
hospitals, colleges, and universities may have large endowment funds. Every nonprofit and charitable organization needs to monitor and control its investments, no matter how large or small. The board of directors should establish an investment policy that guides investment and financial decisions.
6. Fundraising activities
Organizations can be responsible for injuries or harm to any participants – employees, volunteers, and the general public – involved in fundraising events.
7. Loss of physical assets
Your organization’s physical assets – including furniture, fixtures, equipment, and supplies – may also be at risk. You could lose these items through fire, flood, or theft. Your organization also has a wealth of
information and confidential data on its computers. An angry employee, volunteer, or computer hacker could harm the organization by stealing or damaging these assets. Any of these losses could have a devastating
effect on the organization and its ability to deliver its mission. The best way to protect these assets is by setting up systems and procedures to limit the number of people who have access to them.