How Much? Costs to Manage Your Reputation

Several nonprofit organizations have had their reputations tarnished recently. The National Restaurant Association had its 15 minutes of fame via Herman Cain. Susan G. Komen for the Cure  is still reeling from its decision to defund Planned Parenthood. Penn State University (PSU) has been handling the repercussions of a grand jury report of child abuse allegations against former assistant football coach, Gerald (Jerry) A. Sandusky. Unfavorable media coverage is every organization’s worst nightmare.

Quantifying reputational risks is hard because the financial impact can take months to appear. The association may experience a decline in membership, advertising revenues, donations, or sponsorship that won’t be known for awhile. How do you know if you are still attracting or retaining members, students, talented employees, volunteers or board members? But there can be substantial upfront costs when your reputation is being attacked. Penn State has disclosed scandal offers insight into the initial costs of managing its reputation.

Penn State established a website, http://openness.psu.edu/, to demonstrate its commitment to openness and transparency. The site details the costs associated with the scandal.

Costs to Penn State

Protecting your reputation is not cheap. Penn State disclosed that as of January 31, 2012, it had paid $5,723,553 to respond to the Sandusky incident. (F.A.Q. 14. How much money is the University paying for legal fees, consultants and PR firms associated with the Sandusky matter?)

•  Internal Investigations and Crisis Communications                 $3,936,137
• University Legal Services/Defense                                                    $  813,427
• Externally Initiated Investigation                                                     $     49,788
• Officers Legal Defense                                                                              $  338,545
• Other                                                                                                              $  558,656

The University states that it will not use donations or tuition fees to pay for the scandal. Some of the costs may be covered by insurance but much of it will be “out of pocket.”

Indemnification

The University’s bylaws [Article 5, Section 2 (a)] state that “except as prohibited by law, every trustee and officer of the University shall be entitled as a right to be indemnified by the University against expenses (including counsel fees) and any liability (including judgments, fines, penalties, excise taxes and amounts paid in settlement) paid or incurred by such person in connection with any actual or threatened claim, action, suit or proceeding, civil, criminal, administrative, investigative or other.”

Penn State promises to reimburse every trustee and officer for their expenses and any resulting liability from this scandal via its bylaws. The indemnification provision does not include employees so it is unclear what protection Penn State will provide to its non-officer employees.

General Liability Insurance

Penn State is relying on its general liability policy to cover many of the lawsuits and allegations arising from the Sandusky scandal. However, according to Business Insurance, the University’s general liability insurer, Pennsylvania Manufacturers’ Association Insurance Company (PMA), filed for declaratory judgment or basically denied any coverage for the lawsuit filed in November 2011 (alleging Penn State’s negligence related to Mr. Sandusky’s alleged sexual misconduct). PMA asserts that Penn State is not entitled to coverage and defense under certain policies issued by PMA mainly because of an abuse and molestation exclusion. Penn State has countersued PMA over its refusal to cover the lawsuit (Penn State sues insurer PMA in dispute over Sandusky case coverage).

So now Penn State is paying for its own defense against this lawsuit (probably only the first of many). Plus the University is funding its legal expenses to sue its own insurance company – never a cheap endeavor.

Directors & Officers Liability

On a brighter note, Penn State’s D&O policy may provide some coverage including defense costs. But coverage is dependent upon the terms and conditions of the policy such as how it defines “wrongful acts,” “claim,” and “insured.”

Some of the defense costs for both the entity and its directors and officers may be covered by the D&O policy. But a D&O policy usually excludes coverage for bodily injury claims so that policy won’t cover the specific negligence allegations.

Crisis Communications

Penn State has already spent almost $4 million in internal investigations and crisis communications which is probably not covered by insurance.

Lessons to be learned

Crisis Management Plan

If you haven’t already, develop and test your crisis management plan. The need for a crisis plan is reinforced every day with the power of social media (Trayvon Martin, Kony 2012, Arab Spring). Social media can both generate and respond to a crisis.

When you are prepared you can strive to keep the initial costs low since many of your actions may not be covered by insurance. Penn State probably had a crisis plan but doubtful it addressed the possibility for allegations of child abuse especially one involving its football program.

Indemnification

What does your bylaws or other corporate indemnification provision say about directors, officers, employees, volunteers, etc? The provision is probably rather broad and not all costs will be covered by insurance.

Review your insurance coverages

Meet with your insurance agent to review your coverages; use these current crises to analyze your coverages and limits. Remember several liability policies such as D&O, professional liability, media liability and others may include defense costs inside the policy limits. Penn State has already paid over $1.1 million in defense expenses; it’s not unusual for defense costs to exceed the settlement.

No one likes to think about bad things happening but they do and often occur to good people. It is only a matter of time before your association experiences unfavorable attention. Be prepared – it may save your association.

Analyze This!

Many consider risk management the language of “NO.” “No we cannot do X because it is too dangerous or risky.” But this decision is usually made too early in the risk management process before the organization has analyzed its risks to decide if they truly threaten your association. To be effective in managing risks you have to follow all the steps in the risk management process starting with (1) risk identification and (2) risk analysis and prioritization.

Risk Identification
Identifying risks seems pretty easy where you just sit around and brainstorm everything that can go wrong with an idea. However the brainstorming approach is limiting and less effective. People’s personal knowledge and worldviews restrict their ability to discern when a good idea is stopped or a more dangerous project goes forward.

Instead of just brainstorming possible negative outcomes you should be identifying all potential events (positive or negative) that affect the organization. To increase your chance for success use a more systematic identification method. The process starts with identifying the values exposed to loss (people, property, income, business operations). Then look at the possible events that can cause a loss. The cause or peril can be natural, human or economic coming from an internal or external source. There are risk checklists and other means of identifying risk available based upon your association’s needs and operations.

Risk Analysis
The second step of the risk management cycle is to analyze and prioritize the identified risks. Many overlook this step and make decisions based solely on their personal perception of the risk. Without analysis, risk becomes an emotional issue; we are considering the loss of something of value. Each person perceives risk differently (Read Risk and Fear: How Do You Perceive Risk?) and reacts based upon their beliefs. Human beings are not rational; we don’t always act in our own best “rational” interest but our emotions. Many exposures especially liability generate fear that equates to risk for many folks. Fear affects your decisions that may or may not be in the best interests of your organization.

Risk analysis offers a practical and rational approach to counter the emotional responses to risk. In this phase we decide how likely and often an identified event will occur, its potential “frequency.” If you live on the Atlantic or Gulf Coasts there is a higher probability of a hurricane than in the Midwest.

After assigning the level of frequency of an event, you have to rank the potential severity when it happens. Severity is usually evaluated in financial terms – how much it will cost – but can also consider non-financial factors such as reputational damage.
The process of assigning frequency and severity rankings helps people to recognize their fears and perceptions of risk. For example you may be a risk-taker in a group of risk-averse people so you need to acknowledge and address their concerns.

Priorities
After analyzing the risks we can set our priorities for managing these risks. Not all risks are equal some are more important than others. Through frequency and severity analysis you decide which risks need to be addressed first. Generally any risk with a high severity ranking has to be managed or avoided. An exposure with both high frequency and high severity should be first on your priority list. A low-frequency – low severity risk can perhaps be ignored. By setting priorities attention is focused on managing the most important risks improving your chances for success.

Don’t just identify your risks. Without analysis and setting priorities you can’t be confident you will manage the right exposures and make the best decisions. Analysis enables a full understanding of the risk and selecting the most proper management techniques. Anything less leads to bad decisions and possible harm to your association.

Everyone’s a Risk Manager

As a risk management consultant, I should be happy everyone thinks they are a risk manager. But often the person’s sense of risk and liability is more of a weapon than a tool. She convinces others that a course of action is too risky due to liability. The activity may be risky but that shouldn’t be the only reason not to pursue the idea. Liability is just one exposure to consider when assessing risk.

While it is true in the United States anyone can sue anybody for any reason whether or not the case has merit but you should not fear every liability exposure. Filing a claim or lawsuit is not the same as winning although insurance companies spend a lot of money defending you for such claims which is why you buy insurance. But having insurance does not negate your need to assess and manage your risks.

Understanding liability and negligence will help with your risk assessment efforts. I am not an attorney so I view liability from an insurance and risk management perspective. Consult with your legal counsel on the law but remember an attorney’s opinion is just one factor to consider in your analysis. You can manage most liability risks if you’re willing to expend the time and resources to do so.

Liability

Society considers a person or organization liable when an individual is legally responsible for damages (financial consequences) due to negligence. Not all types of liability (such as criminal, statutory or strict) require the presence of negligence but that is what worries association executives the most.

Negligence

You are deemed negligent when you fail to perform the standard of care that society expects of a reasonable person under similar circumstances. “Negligence is an unintentional of a legal duty causing damage reasonably foreseeable without which breach the damage would not have occurred” (van der Smissen, Betty, Legal Liability and Risk Management for Public and Private Entities, (Anderson Publishing Company, Cincinnati, 1990, p. 65).

Standard of Care

Negligence is tricky because your actions are judged by the “standard of care” a reasonable person would exercise. There is no Standard of Care Manual detailing society’s expectations for your behavior a judge or jury decides if you are negligent by what they think you should have done. Many attorneys argue against associations setting standards or best practices since the association is possibly creating the standard of care required of your industry or profession.

Reasonable Person

The “reasonable person” is another ambiguous term defined by the judge or jury. The standard is based upon what someone with the same level of training and experience would do under similar circumstances. Your actions are judged by what another person with similar training and experience would have done in that situation. A doctor is held to a higher standard than someone with basic first aid training.

Elements of Negligence

A negligent act has to meet four elements for the claimant to be successful. If any one of these elements is missing you aren’t negligent.

• Existence of a duty – You must have a duty of care to the person injured. If you have no duty, you can’t be negligent. Entire books have been written and endless court cases cited to define the legal tenets of duty of care. In most cases an association will have some type of duty to its employees and members.
• Breach of duty – You have to breach or violate your duty of care to another person. You can do something wrong, do nothing, or you do the right thing incorrectly. Negligence involves sins of both of omission and commission.
• Actual harm or damage – The other person has to suffer some type of injury or harm. As the saying goes “No harm, no foul.”
• Reasonably close relationship between the breach and harm – The breach of duty has to be the proximate cause of the harm. There needs to be a direct causal relationship between the breach and harm. Your failure to check the driving record of someone driving on your behalf may be the proximate cause of an auto accident when the driver has an unsatisfactory driving record.

Your defense attorney will contend the claimant has not met these four elements of negligence while the plaintiff attorney will dispute those arguments.

Now What?

Now you have a rudimentary knowledge of negligence to use when assessing risks. Before you dismiss or go blindly into a new idea, program, and product or service consider the nature and potential consequences of the exposure. Liability is a major concern for associations. The key is to decide the desired level of risk and whether you can mitigate the risk, modify the activity, to make it acceptable in an effective and cost-effective way. Too many good ideas can be lost because no one took the time to evaluate and manage the risks.