Principle 6

A charitable organization’s board should ensure that the organization has adequate plans to protect its assets — its property, documents and data, financial and human resources, programmatic content and material, and its integrity and reputation — against damage or loss. The board should review regularly the organization’s need for general liability and directors’ and officers’ liability insurance, as well as take other actions necessary to mitigate risks.

The board members of a charitable organization are responsible for understanding the major risks to which the organization is exposed, reviewing those risks on a periodic basis, and ensuring that systems have been established to manage them. Establishing and implementing sound policies and procedures for the organization’s governance, financial operations, employee and volunteer management, fundraising activities, and program administration is a key part of avoiding many of the legal and operational risks that face charitable organizations. The board is responsible for approving those policies and reviewing them periodically to ensure they are up-to-date and properly enforced.

The board’s responsibilities include establishing the level of risk tolerance for the organization concerning its finances, its operations, and its reputation. Board members then work closely with staff to outline the areas where managing risk is solely a staff responsibility, such as the hiring and supervision of staff, and those where both groups share responsibility for determining whether it is appropriate or necessary for the organization to assume certain risks, such as deciding to launch a new program effort. Given the high level of risk exposure associated with fraud and mismanagement of financial resources and inappropriate fundraising activities, boards should pay particular attention to the recommendations listed under STRONG FINANCIAL OVERSIGHT and RESPONSIBLE FUNDRAISING.

Many charitable organizations maintain extensive records regarding donors, employees, volunteers, clients, and consumers of goods and services, including data used to document the impact of their services on individuals and groups. Loss or outside manipulation of such data could expose those individuals and the organization to significant risk. Organizations that gather personal information from donors, individuals who receive or purchase their goods and services, or other visitors to their websites should have a privacy policy that informs those individuals what information is being collected about them, how that data will be used and kept secure, and how to inform the organization if the individual does not wish personal information to be shared. Organizations that gather personally identifiable information about individuals, including photographs, fingerprints, or other biometric data, should ensure that they have the appropriate permissions and protections in place. Individuals’ rights to access and control their personal information are protected under federal and state laws. There are also laws that specify rules and conditions for gathering and using information from and about children and other protected populations.

The level of risk to which the organization is exposed and the extent of the review and risk management process it may employ will vary considerably based on the size, programmatic focus, geographic location, and complexity of its operations. While larger organizations may require more extensive risk management programs, all organizations should have emergency preparedness and disaster response plans in case of natural or man-made disasters or other crises that may affect their facilities, programs and operations. Every organization should have procedures for backing up, preserving, and protecting electronic and print documents and information vital to its governance, financial, and programmatic operations, including personal data it may collect about employees, volunteers, donors, consumers, and other individuals.

Organizations that employ staff should have written personnel policies that conform to federal and state laws and that reflect the values of the organization. They should develop appropriate procedures to protect the health and safety of employees and volunteers while they are at work or participating in an event sponsored or conducted by the organization. Organizations providing services to vulnerable individuals should ensure that appropriate screening, training, and supervision procedures are in place to minimize safety risks to their consumers and clients, as well as to paid and volunteer staff.

Board members may be personally liable for fines and other penalties as a result of certain legal violations, such as failure to pay required payroll and other taxes or approval of excess benefit or self-dealing transactions. Federal and some state volunteer liability laws provide some protection for board members who are not compensated, other than receiving reimbursement of expenses, and who act in good faith. While it is rare for a charitable organization and its board to be the target of a lawsuit, each organization should nonetheless take steps to protect its assets in such an event. The board should consider including indemnification provisions in the organization’s governing documents, based on a review of the laws of the states in which it is based or operates. The board should also assess periodically the organization’s need for insurance coverage based on its program activities and financial capacity. Insurance is only one risk management strategy, however. Other strategies should also be considered to protect an organization’s assets, such as establishing reserve funds to absorb minor losses, borrowing from lenders, and negotiating with third parties to assume certain losses.