Archive for category risk assessment

You Gotta Manage Your Social Media Risks

I began calling for the proper management of social media risks in 2009. Back then we were still trying to convince people they should use the various social media tools to advance their associations and nonprofits. The big fear was (and still is) “what if someone says something bad about us?” There are numerous examples of social media horror stories such as the Domino’s Pizza video, United Breaks Guitars, Greenpeace’s attack on Nestlé’s Facebook page, Susan G. Komen versus Planned Parenthood, and Progressive Insurance.  Bad public relations incidents are still the most significant risk with social media but is also very manageable.

As I wrote in my first post on social media risks for SocialFish in May 2009, The Hidden Risks of Social Media: It’s Not What You Think,

Lack of active participation in social media may be your greatest risk. Your association may not have a formal social media strategy but many of your employees and members (especially chapters) are already participating through LinkedIn, Facebook, Twitter, Flickr, YouTube, FriendFeed or Ning, just to name a few. People are conversing about your association – if they aren’t talking about the association, then you have a larger problem.

Social media has changed how we live and work. It is a fact of life and you better be prepared to deal with bad or negative publicity whether it starts on social media or is played out on the various outposts.

Altimer Group, a consultancy founded by Charlene Li, “provides research and advisory for companies challenged by business disruptions, enabling them to pursue new opportunities and business models.” As a research organization Altimeter focuses on how disruptive trends can be used by organizations. Social media is definitely a disruptive trend. The firm’s most recent research was on social media risks addressed in its report Guarding the Social Gates: The Imperative for Social Media Risk Management. They also hosted a webinar on the topic. As a risk management consultant I’m always pleased and excited when other people and organizations talk about the importance of risk management. I strongly encourage you to read the report and listen to the webinar. Share the information with the key people within your association or nonprofit.

Social media is unusual because it is a source of risk but also a valuable resource for mitigating risks especially negative publicity. Not all PR crises start on social media (nasty tweet or video) but they are all “played out” on social media. For example the Susan G. Komen incident started with a corporate decision reported in the press but quickly moved onto the social media stage. The Penn State scandal started with a newspaper report that promptly moved to the online world. The teachable moment is that if your association is not ready to respond quickly via social media you are at a distinct disadvantage. You will get criticized not only for the original incident but how you handled it.

There is nothing new in the report, just reinforces what I and other risk management types have been saying. Every organization regardless of its size should identify and analyze its risks arising from social media and develop its techniques to manage these risks. If your organization already has a risk management program adding social media to the mix is easy but few associations have such a plan. Croydon Consulting (me) has experience with managing these risks. I’m a member of the SocialFish team so often partner with Maddie Grant and Lindy Dreyer to address these risk management issues. We are also working with Epic PR Group to further enhance our capabilities.

Social media is too important to your association’s success to leave managing the risks to chance or fate. Follow the steps provided in Guarding the Social Gates or seek help from the many resources available (like me). Sorry for the blatant sales pitch but this is one issue that can’t wait. Good luck.

1 Comment

What Does Your Exhibitor Contract Say? Protect Yourself

An association executive asked me about requiring certificates of insurance from conference exhibitors. My primal response was “Of course you require certificates of insurance from exhibitors that is Risk Management 101.” But then I decided to investigate the world of meeting and event planning to see what associations are doing. Thanks to ASAE’s Knowledge Center’s Models and Samples I reviewed seven (7) exhibitor contractors. The findings surprised me; from a risk management perspective the indemnification provisions were rather weak and the insurance requirements were problematic. Bottom line, only one association had a good indemnification provision and all had problems with their insurance requirements.

Why Do We Care?

Every hotel, convention center or facility contract has an expansive indemnification provision. In most cases, the association agrees to indemnify, hold harmless and defend the facility for anything that goes wrong. What do these terms mean?

Indemnification or to indemnify means the association assumes the financial responsibility for the liability of another party such as the hotel or convention center. A hold harmless agreement requires the association to respond to certain legal liabilities of the other party. Most event contracts have an “intermediate” hold harmless form where the association is responsible for its sole negligence and the negligence of both parties. However, the agreement can be “broad” where the association holds the other party harmless for suits against the other party based on the association’s sole negligence, joint negligence of both parties or the sole negligence of the other party. The facility can try to impose liability for its sole negligence but that portion is unenforceable in a number of states. (Definitions provided by International Risk Management Institute’s Insurance Glossary.)

Consequently, hotel and convention center contracts or license agreements impose substantial liabilities onto an association. Limited attention is often given to the indemnification provisions since the association is usually in a weak bargaining position. While the association may not be able to modify the terms it can work with an insurance professional to make sure it has the appropriate insurance coverages and limits. Just as importantly, the association can transfer contractually some of these exposures to the exhibitors and other service providers (exposition companies, caterers, AV, entertainment).

Most facility contracts also hold the association responsible (liable) for the acts of any persons admitted to the facility by the association. One agreement states “For the purposes of this Agreement, the act of any person admitted to the Center by Customer shall be the act of Customer.” Therefore, the association is financially responsible to the facility for any legal liabilities caused by its employees and volunteers as well as the attendees, exhibitors, speakers, contractors, subcontractors and anyone else invited to the event. For example, if an exhibitor’s “swag” hurts a person or they serve food that causes food poisoning, the association is liable to the facility if the facility is involved in the loss or claim. A knowledgeable claimant or plaintiff will name every party even remotely related to the incident including the facility. For your protection, transfer this financial responsibility to the exhibitors and other service providers through your contracts.

What’s Wrong?

Indemnification and Hold Harmless Problems

Several of the exhibitor contracts focused on limiting the association’s liability from the exhibitor filing a claim against the association for damage to the exhibitor’s property or people. The contract should address this issue but it is more important to have a good indemnification and hold harmless provision especially if the facility contract has an “intermediate” or “broad” hold harmless provision.

The indemnification provision should protect the association to the fullest extent possible. Review the facility contract to determine your obligations and transfer the same responsibilities to the exhibitors.

Below are solutions to some common errors in indemnification provisions.

  • Clearly identify the provision with a heading such as Indemnification, Liability or Waiver
  • State that the exhibitor has to defend the association in addition to indemnify and hold it (and any other parties) harmless. Most insurance policies will not pay defense costs unless the contract specifically requires the insured (exhibitor) to defend the other party (you).
  • State what liabilities and exposures the exhibitor is assuming.
  • List all parties that the exhibitor has to indemnify. This should include the parties the association has to indemnify under its event contracts.

NOTE: Since this is a part of a contract or agreement, have your attorney review and approve the document before you use it. 

 Co-ordination with Lease

The Produce Marketing Association (PMA) has a great provision in its PMA Official Exposition Rules and Regulations that makes the exhibitors liable to the same extent that PMA is obligated to indemnify the owner of the building. Here’s the wording:

Exhibitor hereby agrees to indemnify, defend and hold harmless Exposition Management to the same extent that Exposition Management may be obliged to indemnify the owner of the building and other related entities as lessee or licensee of the exhibit hall or space. If there are any inconsistencies between Exposition Management’s lease or license for the exhibit hall or space and this agreement, the terms of the lease or license shall govern. If there are additional rules, regulations or terms or conditions that Exposition Management must comply with under its lease or license, to the extent they may be applicable to the Exhibitor’s booth, those additional rules, etc. are hereby incorporated herein by reference and the Exhibitor agrees to comply with them.

If you include a similar provision you should inform the exhibitors of the extent of your liability to the building owner so they can review their insurance program for the appropriate coverages.


Insurance is the best way to fund an indemnification agreement. However the Insurance section is either overlooked or done poorly. Another blog post will more fully explain Insurance requirements.

First, make sure the indemnification provision is written to trigger insurance coverage. Second, describe the required insurance coverages properly. Your insurance agent or broker can help you develop the correct wording. Finally require the exhibitor to provide your association with a Certificate of Insurance and Evidence of Property Insurance prior to the event. Review the certificates to verify the exhibitor has the right insurance coverages.

You have too much at risk to have a weak indemnification provision in your exhibitor contract. The larger exhibiting companies will have no trouble meeting tougher indemnification and insurance provisions – they expect it. Some smaller companies may not have the required insurance but you can help them. Short-term special event general liability policies are available if an exhibitor needs help to meet the contract’s requirements. Your insurance agent can help identify or supply these markets if the exhibitor needs help. You can provide a valuable service to the exhibitor while protecting your association.

What to Do

So what does your exhibitor contract say about indemnification and insurance? Review your contract with your insurance agent and attorney. They can draft a stronger contract to protect your association from harm caused by others. Get to it!


How Much Insurance is Enough? Risk Financing Decisions

My friend, an insurance broker, was lamenting the disconnection between her association and nonprofit clients and the insurance industry. Her clients expect their property and casualty insurance premiums to decrease while insurance companies are seeking increases. This disparity forces insurance brokers to market their accounts in search of reduced pricing. The marketing efforts can produce lower costs but usually because the incumbent carriers cut their prices to keep the account.

The insurance industry has programmed insureds to expect premium decreases. The insurance marketplace is cyclical and it has been in a “soft” market since 2005 with declining rates. However according to MarketScout’s research, the market started to turn last fall when rates stayed flat and then slight increases. Since November 2011, average premiums have increased with April recording a 3% increase compared to last year. Conning Research’s Property-Casualty Forecast & Analysis predicts net premium growth of 4% in 2012, +5% in 2013 and +5.5 in 2014.  Premium increases will be higher in catastrophe-exposed regions especially for property coverages.

What does this mean? Associations and nonprofits should expect their annual premiums to increase for the next few years. But nonprofit organizations are still recovering from the Great Recession and money is tight. Many have already reduced their insurance costs by lowering policy limits, increasing deductibles, and/or eliminating coverages. How much lower can they go?

Although you may still need to cut costs, reducing your insurance coverages can be a false savings. Having adequate insurance is important to your financial well-being but what is “adequate” for you? How did you decide where to cut your insurance costs?

 Risk Financing Strategy

In a perfect world every nonprofit has a risk management policy but few have one. It is valuable to discuss how to manage your risks and then adopt a formal policy. A plan for financing your risks – how you will pay for losses – is a part of your risk management program. A risk financing strategy helps you make these difficult risk financing decisions. Most associations have policies or strategies for their investments and reserves but not for financing its risks.

Risk Financing Techniques

There are two ways to finance risk; retention or financial transfer. An organization retains a risk when it pays for all or part of a loss. A deductible is one form of retention; not purchasing insurance for an exposure is another. Hopefully your types and amounts of retention are conscious decisions but you can passively retain a risk when unaware of its existence and have no plans for paying for a loss. A good risk identification process may prevent an unexpected risk retention.

With financial transfer another party is financially responsible for a loss but you need to make sure they have the financial resources to meet their obligations. Purchase of insurance is a financial transfer. Indemnification or hold harmless provisions in contracts are another transfer technique since another party has to pay for certain types of losses. For all financial transfers make sure the other party can meet their financial obligations.


Insurance is the primary risk financing technique for nonprofit organizations. Every nonprofit has an informal risk financing strategy based on the scope of its insurance program but it would be better to formalize your strategy.

Insurance purchasing guidelines, a part of a risk financing strategy, are similar all organizations. An organization should:

  1.     1.        Assume risks whenever the amount of the potential loss would not significantly affect the organization’s financial position; and
  2.     2.        Insure risks whenever the amount of potential loss is significant or insurance is required by law or contractual agreement.

The first step is to decide what is a “significant loss.” Often a “significant loss” is one that threatens the organization’s survival. You may have established your loss threshold when setting your reserves level.

Another consideration is your association’s risk appetite – how much risk the association is willing to accept in pursuit of its strategic objectives. In some pursuits you are willing to accept more risk than others. These factors affect your insurance purchasing decisions.

Your association may be subject to certain laws or regulations requiring specific insurance coverages and limits. For example most states mandate Workers Compensation insurance and the Employee Retirement Income Security Act (ERISA) requires Employee Dishonesty insurance for your fiduciaries.

Contracts are often an overlooked exposure due to an indemnification or hold harmless agreement as well as specific insurance requirements. The person responsible for the insurance program isn’t always informed of the contractual requirements so the insurance program is non-compliant. You could inadvertently breach a contract or have an uninsured exposure.

Think Before You Cut

Before you make cuts in your insurance program adopt a risk financing strategy. Decide what you want to do via retention and financial transfer. Make retention a conscious decision matching your risk appetite. Insurance is another option but don’t forget you can transfer a risk or operation to another party (outsourcing). Just make sure the other party has the right types and amount of insurance to protect both you and them. When necessary buy insurance but base your decisions on your risk financing strategy and organizational goals. You’re less likely to be surprised.

Leave a comment

Innovation is Risky! D’oh!

I love all of this talk about innovation because it always leads to discussing risk. I just watched Rita Gunter McGrath a professor at Columbia Business School talk about strategy and innovation in highly uncertain environments at DigitalNow: Association Leadership in a Digital Age. DigitalNow offered a free live stream option for its general sessions.

Dr. McGrath summarizes her view of complexity in her DigitalNow bio:

Complex organizations are far more difficult to manage than merely complicated ones. It’s harder to predict what will happen, because complex systems interact in unexpected ways. It’s harder to make sense of things, because the degree of complexity may lie beyond our cognitive limits.

My ears perked up when she talked about managing risk (or trying to manage uncertainty). She challenged our use of prediction when the world is unpredictable. Every decision has unintended consequences that may lead to failure or unexpected outcomes. But McGrath encourages us to from these “intelligent failures” to improve our decisions.

My favorite subject was Dr. McGrath discussion of resource trade-offs suggesting that redundancy and stockpiled resources are our friend. As the business continuity professionals and Dr. McGrath says: “Time is your friend before a disaster and your enemy afterward.” She followed with “we also over-invest in prevention and under-invest in resilience.” From a risk management perspective I couldn’t agree more. So many associations only focus on preventing a loss from occurring but don’t consider how to respond to the actual event. For example, most associations lack risk management plans for succession, business continuity/disaster recovery, and crisis management and communication. This DigitalNow tweet sums it up (Follow the discussion on Twitter #diginow12)

We all agree that innovation is risky but we don’t do much to manage the risks other than trying to avoid it. If we do nothing we can avoid the risks of innovation. But social media shows us that the greater risk is to do nothing. If associations continue to maintain things as they are we lose our relevance and meaning to the point where we may ultimately die.

The appropriate use of various risk management techniques increases our chances for success. As we evaluate our options we both control or reduce the risks and maximize the opportunities. Our decision may be wrong but with proper planning and analysis we experience an “intelligent failure” instead of a catastrophe.

Risk control techniques let us avoid, prevent or reduce the loss. Building redundancy into our systems and processes (especially information technology) reduces the size of the loss. Back-up of electronic data and software provide redundancy while the use of hosted sites and the cloud segregate your loss exposures (a loss at your office doesn’t affect the hosted sites) and enable a rapid recovery.

So I’ll continue to beat the drum for associations to incorporate risk management into its daily operations and innovative efforts. The identification, analysis and mitigation of risks are crucial to your success and growth as an organization. Risk management is not a separate activity done by a committee but integral to all of your operations, strategic and tactical. Risk management has evolved into an enterprise-wide activity. As Dr. McGrath said associations are complex organizations requiring new management systems and methods. Incorporating enterprise risk management (ERM) in your association helps you with this new complexity.


Earthquake Insurance?

After the recent Virginia earthquake, many people asked about the need for earthquake insurance. Let’s do a risk assessment.

The Risk

Earthquake is not the risk but rather the peril or cause of loss for damage to property. A building can sustain structural damage, walls crumble and ornate facades, pinnacles and spires fall off. Heating, ventilation and air conditioning equipment if not secured properly will shift and be damaged. Broken gas pipes and electrical wiring create other dangers. The shaking can make interior walls collapse, file cabinets, large furniture and other objects tip over, and pictures fall off walls.

If the quake caused any significant direct property damage your business operations will be interrupted. During the interruption your association may lose income (rental fees, dues, sales, conference registrations) or incur added expenses to keep up operations including setting up a temporary office.

The Analysis

During the analysis phase we consider the frequency (how often) and severity (dollar loss) potentials of earthquakes. The U. S. Geological Survey (USGS) is a tremendous resource all things earthquake.


USGS suggests you find your proximity to active earthquake faults, the seismic history of the region (frequency), and how long since the last earthquake. On the East Coast earthquakes are relatively low in both frequency and intensity. However the New Madrid Fault in southeastern Missouri and western Tennessee has a higher probability of a significant earthquake. The West Coast including Utah and Nevada has a higher incidence of earthquakes. USGS’s 2009 Earthquake Probability Mapping site enables you to check the probability by zip code.


As we say in the insurance world “frequency breeds severity,” so the more earthquakes in a region the greater the chance for a significant event. Alaska is the most earthquake prone state but California has had the most substantial earthquakes.

When assessing severity consider both the potential intensity of an earthquake and your building’s and office’s susceptibility to damage. Brick buildings don’t do well in earthquakes while frame construction fares better due to its “flexibility.” Other construction types depend upon its level of “earthquake resistance.” Buildings in California are more earthquake resistant than in other parts of the country. You also need to consider the soil composition, slope of the land and annual rainfall to assess severity.

Earthquake Insurance

You can purchase earthquake insurance as an additional peril under your property insurance policy (personal and commercial). The premium depends upon your location (proximity to faults) and building construction. Earthquake insurance is much cheaper on the East Coast than the West Coast. You can buy coverage for the full value of your property or as a sublimit.

Another factor is the size of the deductible. On the East Coast your deductible may be as low as 2% of the property values while in California your deductible would be 10 – 15% of the property values.

While assessing the need for earthquake insurance, determine the property values subject to loss by an earthquake. If the property values are low and you have a high deductible, the claim may be under the deductible. If you own an older building with ornate features you may sustain more damage than a newer building. The East Coast quake caused damage mainly to churches and older brick buildings where it might be appropriate for earthquake insurance.

If you are still undecided, ask your insurance agent to get a quotation for earthquake insurance. Knowing the cost and deductible can help you decide if you need earthquake insurance.

The Virginia earthquake awakened people to this exposure. We learned that few of us know what to do and unintentionally endangered themselves and others. Even if you don’t purchase insurance learn what you should do before, during and after an earthquake to protect people and property. After writing your new procedures don’t forget to train your staff. Be safe.

1 Comment

Risk Management as Change Agent: Adopting a Culture of Risk

By Leslie White on August 2, 2011

During the CommPartners’ Learning Socially: Associations at the Crossroads Seminar, Susan Robertson, CAE executive vice president of ASAE and president of ASAE Foundation, mentioned a speech by Barry C. Melancon, CPA, chief executive officer, American Institutes of CPAs about risk. Association TRENDS selected Mr. Melancon, as its 2011 Association Executive of the Year. According to Association TRENDS Melancon said that “association executives ‘have an obligation to drive our individual associations forward,’ noting that this cannot happen without taking risks, finding an appropriate balance, and communicating effectively.” You can view his speech here (risk discussion begins around 16:00).

My heart warms when an association executive talks about risk especially one that practices good risk management. Melancon shared his view that an association’s board and key volunteers need to be willing to take risks. The association leaders have to recognize that not every effort will be successful or get the results expected. When an association tries something new and gets unexpected results it is not “failure” but rather an opportunity to learn and move forward.

Innovation and Risk
I’ve written about Innovation and Risk before that an association has to take risks to be creative but be smart about the risks it takes. Risk involves uncertainty; we don’t know the outcomes of our efforts. A lot of us are uncomfortable with uncertainty we still hold the illusion of control. We don’t know if that new service, program, membership model will have the results we want (or expect)? As Jamie Notter tweeted during the seminar

Jamie was talking about social media but the statement holds true for other activities. Some associations are still offering the same arguments against social media – what if someone says something bad about? An employee or member misbehaves? In my first guest post for SocialFish, The Hidden Risks of Social Media: It’s Not What You Think, I declared the greatest social media risk is not being an active participant. If you use social media you are aware negative comments and can respond accordingly. Therefore,
The greatest threat to an association’s survival is to not take any risks; not trying something new or moving forward.

Or another way to say it is failure to take risks leads to failure. Albert Einstein defined insanity as doing the same thing over and over again expecting different results. If you don’t change what you are doing the results won’t change either. The downward spiral will continue until your association becomes completely obsolete and out of business.

Risk Management as Change Agent
So how do we get out of this insanity loop? How do we start taking some risks? A risk averse association isn’t going to change simply by a board or CEO edict; this requires a cultural change. Change doesn’t come quickly to many people or associations but the practice of risk management provides techniques to facilitate change and address people’s fears.

Risk management is about learning to deal with uncertainty; not knowing how people will receive a new initiative or when something bad may happen such as an auto accident, office fire, employee injury, or anything else that goes wrong. You first need to know how your management team and board feel about risk – their appetite for risk, tolerance for uncertainty. If risk averse, you have a bigger challenge to get them comfortable with risk and uncertainty.

Photo: Renaissancechambara

Another way risk management is a change agent is by putting risks into perspective. Our first reaction to an idea is its too risky but after evaluating the potential outcomes we realize it is not so bad. The risk may be acceptable or can be mitigated effectively. A part of implementation is to set up the metrics to measure the impact of the change. Through the metrics you find if the results are what you expected or if you need to change some aspect of the project.

Remember everything has its risks but each decision also has the possibility of reward. The new membership model, chapter re-organization, or volunteer management tools may be successful, even exceed expectations. But you won’t know until you do something. Push through the fear and inertia by managing risks. You’ll be amazed at the results.

Leave a comment

Analyze This!

Many consider risk management the language of “NO.” “No we cannot do X because it is too dangerous or risky.” But this decision is usually made too early in the risk management process before the organization has analyzed its risks to decide if they truly threaten your association. To be effective in managing risks you have to follow all the steps in the risk management process starting with (1) risk identification and (2) risk analysis and prioritization.

Risk Identification
Identifying risks seems pretty easy where you just sit around and brainstorm everything that can go wrong with an idea. However the brainstorming approach is limiting and less effective. People’s personal knowledge and worldviews restrict their ability to discern when a good idea is stopped or a more dangerous project goes forward.

Instead of just brainstorming possible negative outcomes you should be identifying all potential events (positive or negative) that affect the organization. To increase your chance for success use a more systematic identification method. The process starts with identifying the values exposed to loss (people, property, income, business operations). Then look at the possible events that can cause a loss. The cause or peril can be natural, human or economic coming from an internal or external source. There are risk checklists and other means of identifying risk available based upon your association’s needs and operations.

Risk Analysis
The second step of the risk management cycle is to analyze and prioritize the identified risks. Many overlook this step and make decisions based solely on their personal perception of the risk. Without analysis, risk becomes an emotional issue; we are considering the loss of something of value. Each person perceives risk differently (Read Risk and Fear: How Do You Perceive Risk?) and reacts based upon their beliefs. Human beings are not rational; we don’t always act in our own best “rational” interest but our emotions. Many exposures especially liability generate fear that equates to risk for many folks. Fear affects your decisions that may or may not be in the best interests of your organization.

Risk analysis offers a practical and rational approach to counter the emotional responses to risk. In this phase we decide how likely and often an identified event will occur, its potential “frequency.” If you live on the Atlantic or Gulf Coasts there is a higher probability of a hurricane than in the Midwest.

After assigning the level of frequency of an event, you have to rank the potential severity when it happens. Severity is usually evaluated in financial terms – how much it will cost – but can also consider non-financial factors such as reputational damage.
The process of assigning frequency and severity rankings helps people to recognize their fears and perceptions of risk. For example you may be a risk-taker in a group of risk-averse people so you need to acknowledge and address their concerns.

After analyzing the risks we can set our priorities for managing these risks. Not all risks are equal some are more important than others. Through frequency and severity analysis you decide which risks need to be addressed first. Generally any risk with a high severity ranking has to be managed or avoided. An exposure with both high frequency and high severity should be first on your priority list. A low-frequency – low severity risk can perhaps be ignored. By setting priorities attention is focused on managing the most important risks improving your chances for success.

Don’t just identify your risks. Without analysis and setting priorities you can’t be confident you will manage the right exposures and make the best decisions. Analysis enables a full understanding of the risk and selecting the most proper management techniques. Anything less leads to bad decisions and possible harm to your association.


%d bloggers like this: