Archive for category strategy

You Gotta Manage Your Social Media Risks

I began calling for the proper management of social media risks in 2009. Back then we were still trying to convince people they should use the various social media tools to advance their associations and nonprofits. The big fear was (and still is) “what if someone says something bad about us?” There are numerous examples of social media horror stories such as the Domino’s Pizza video, United Breaks Guitars, Greenpeace’s attack on Nestlé’s Facebook page, Susan G. Komen versus Planned Parenthood, and Progressive Insurance.  Bad public relations incidents are still the most significant risk with social media but is also very manageable.

As I wrote in my first post on social media risks for SocialFish in May 2009, The Hidden Risks of Social Media: It’s Not What You Think,

Lack of active participation in social media may be your greatest risk. Your association may not have a formal social media strategy but many of your employees and members (especially chapters) are already participating through LinkedIn, Facebook, Twitter, Flickr, YouTube, FriendFeed or Ning, just to name a few. People are conversing about your association – if they aren’t talking about the association, then you have a larger problem.

Social media has changed how we live and work. It is a fact of life and you better be prepared to deal with bad or negative publicity whether it starts on social media or is played out on the various outposts.

Altimer Group, a consultancy founded by Charlene Li, “provides research and advisory for companies challenged by business disruptions, enabling them to pursue new opportunities and business models.” As a research organization Altimeter focuses on how disruptive trends can be used by organizations. Social media is definitely a disruptive trend. The firm’s most recent research was on social media risks addressed in its report Guarding the Social Gates: The Imperative for Social Media Risk Management. They also hosted a webinar on the topic. As a risk management consultant I’m always pleased and excited when other people and organizations talk about the importance of risk management. I strongly encourage you to read the report and listen to the webinar. Share the information with the key people within your association or nonprofit.

Social media is unusual because it is a source of risk but also a valuable resource for mitigating risks especially negative publicity. Not all PR crises start on social media (nasty tweet or video) but they are all “played out” on social media. For example the Susan G. Komen incident started with a corporate decision reported in the press but quickly moved onto the social media stage. The Penn State scandal started with a newspaper report that promptly moved to the online world. The teachable moment is that if your association is not ready to respond quickly via social media you are at a distinct disadvantage. You will get criticized not only for the original incident but how you handled it.

There is nothing new in the report, just reinforces what I and other risk management types have been saying. Every organization regardless of its size should identify and analyze its risks arising from social media and develop its techniques to manage these risks. If your organization already has a risk management program adding social media to the mix is easy but few associations have such a plan. Croydon Consulting (me) has experience with managing these risks. I’m a member of the SocialFish team so often partner with Maddie Grant and Lindy Dreyer to address these risk management issues. We are also working with Epic PR Group to further enhance our capabilities.

Social media is too important to your association’s success to leave managing the risks to chance or fate. Follow the steps provided in Guarding the Social Gates or seek help from the many resources available (like me). Sorry for the blatant sales pitch but this is one issue that can’t wait. Good luck.

1 Comment

How Much Insurance is Enough? Risk Financing Decisions

My friend, an insurance broker, was lamenting the disconnection between her association and nonprofit clients and the insurance industry. Her clients expect their property and casualty insurance premiums to decrease while insurance companies are seeking increases. This disparity forces insurance brokers to market their accounts in search of reduced pricing. The marketing efforts can produce lower costs but usually because the incumbent carriers cut their prices to keep the account.

The insurance industry has programmed insureds to expect premium decreases. The insurance marketplace is cyclical and it has been in a “soft” market since 2005 with declining rates. However according to MarketScout’s research, the market started to turn last fall when rates stayed flat and then slight increases. Since November 2011, average premiums have increased with April recording a 3% increase compared to last year. Conning Research’s Property-Casualty Forecast & Analysis predicts net premium growth of 4% in 2012, +5% in 2013 and +5.5 in 2014.  Premium increases will be higher in catastrophe-exposed regions especially for property coverages.

What does this mean? Associations and nonprofits should expect their annual premiums to increase for the next few years. But nonprofit organizations are still recovering from the Great Recession and money is tight. Many have already reduced their insurance costs by lowering policy limits, increasing deductibles, and/or eliminating coverages. How much lower can they go?

Although you may still need to cut costs, reducing your insurance coverages can be a false savings. Having adequate insurance is important to your financial well-being but what is “adequate” for you? How did you decide where to cut your insurance costs?

 Risk Financing Strategy

In a perfect world every nonprofit has a risk management policy but few have one. It is valuable to discuss how to manage your risks and then adopt a formal policy. A plan for financing your risks – how you will pay for losses – is a part of your risk management program. A risk financing strategy helps you make these difficult risk financing decisions. Most associations have policies or strategies for their investments and reserves but not for financing its risks.

Risk Financing Techniques

There are two ways to finance risk; retention or financial transfer. An organization retains a risk when it pays for all or part of a loss. A deductible is one form of retention; not purchasing insurance for an exposure is another. Hopefully your types and amounts of retention are conscious decisions but you can passively retain a risk when unaware of its existence and have no plans for paying for a loss. A good risk identification process may prevent an unexpected risk retention.

With financial transfer another party is financially responsible for a loss but you need to make sure they have the financial resources to meet their obligations. Purchase of insurance is a financial transfer. Indemnification or hold harmless provisions in contracts are another transfer technique since another party has to pay for certain types of losses. For all financial transfers make sure the other party can meet their financial obligations.


Insurance is the primary risk financing technique for nonprofit organizations. Every nonprofit has an informal risk financing strategy based on the scope of its insurance program but it would be better to formalize your strategy.

Insurance purchasing guidelines, a part of a risk financing strategy, are similar all organizations. An organization should:

  1.     1.        Assume risks whenever the amount of the potential loss would not significantly affect the organization’s financial position; and
  2.     2.        Insure risks whenever the amount of potential loss is significant or insurance is required by law or contractual agreement.

The first step is to decide what is a “significant loss.” Often a “significant loss” is one that threatens the organization’s survival. You may have established your loss threshold when setting your reserves level.

Another consideration is your association’s risk appetite – how much risk the association is willing to accept in pursuit of its strategic objectives. In some pursuits you are willing to accept more risk than others. These factors affect your insurance purchasing decisions.

Your association may be subject to certain laws or regulations requiring specific insurance coverages and limits. For example most states mandate Workers Compensation insurance and the Employee Retirement Income Security Act (ERISA) requires Employee Dishonesty insurance for your fiduciaries.

Contracts are often an overlooked exposure due to an indemnification or hold harmless agreement as well as specific insurance requirements. The person responsible for the insurance program isn’t always informed of the contractual requirements so the insurance program is non-compliant. You could inadvertently breach a contract or have an uninsured exposure.

Think Before You Cut

Before you make cuts in your insurance program adopt a risk financing strategy. Decide what you want to do via retention and financial transfer. Make retention a conscious decision matching your risk appetite. Insurance is another option but don’t forget you can transfer a risk or operation to another party (outsourcing). Just make sure the other party has the right types and amount of insurance to protect both you and them. When necessary buy insurance but base your decisions on your risk financing strategy and organizational goals. You’re less likely to be surprised.

Leave a comment

Innovation is Risky! D’oh!

I love all of this talk about innovation because it always leads to discussing risk. I just watched Rita Gunter McGrath a professor at Columbia Business School talk about strategy and innovation in highly uncertain environments at DigitalNow: Association Leadership in a Digital Age. DigitalNow offered a free live stream option for its general sessions.

Dr. McGrath summarizes her view of complexity in her DigitalNow bio:

Complex organizations are far more difficult to manage than merely complicated ones. It’s harder to predict what will happen, because complex systems interact in unexpected ways. It’s harder to make sense of things, because the degree of complexity may lie beyond our cognitive limits.

My ears perked up when she talked about managing risk (or trying to manage uncertainty). She challenged our use of prediction when the world is unpredictable. Every decision has unintended consequences that may lead to failure or unexpected outcomes. But McGrath encourages us to from these “intelligent failures” to improve our decisions.

My favorite subject was Dr. McGrath discussion of resource trade-offs suggesting that redundancy and stockpiled resources are our friend. As the business continuity professionals and Dr. McGrath says: “Time is your friend before a disaster and your enemy afterward.” She followed with “we also over-invest in prevention and under-invest in resilience.” From a risk management perspective I couldn’t agree more. So many associations only focus on preventing a loss from occurring but don’t consider how to respond to the actual event. For example, most associations lack risk management plans for succession, business continuity/disaster recovery, and crisis management and communication. This DigitalNow tweet sums it up (Follow the discussion on Twitter #diginow12)

We all agree that innovation is risky but we don’t do much to manage the risks other than trying to avoid it. If we do nothing we can avoid the risks of innovation. But social media shows us that the greater risk is to do nothing. If associations continue to maintain things as they are we lose our relevance and meaning to the point where we may ultimately die.

The appropriate use of various risk management techniques increases our chances for success. As we evaluate our options we both control or reduce the risks and maximize the opportunities. Our decision may be wrong but with proper planning and analysis we experience an “intelligent failure” instead of a catastrophe.

Risk control techniques let us avoid, prevent or reduce the loss. Building redundancy into our systems and processes (especially information technology) reduces the size of the loss. Back-up of electronic data and software provide redundancy while the use of hosted sites and the cloud segregate your loss exposures (a loss at your office doesn’t affect the hosted sites) and enable a rapid recovery.

So I’ll continue to beat the drum for associations to incorporate risk management into its daily operations and innovative efforts. The identification, analysis and mitigation of risks are crucial to your success and growth as an organization. Risk management is not a separate activity done by a committee but integral to all of your operations, strategic and tactical. Risk management has evolved into an enterprise-wide activity. As Dr. McGrath said associations are complex organizations requiring new management systems and methods. Incorporating enterprise risk management (ERM) in your association helps you with this new complexity.


Policies and Strategies

We all write policies, lots of them. It’s one of the services I provide to my clients. But what purpose do policies serve? Should they serve? Do your current policies meet these purposes?

My hypothesis is we have too many documents called “policies” that are really procedures, rules and guidelines, not policies. For example, personnel manuals contain “employee policies” but most are rules (with a few guidelines) such as office hours, leave/time off, electronic communications, workplace environment, and benefits. Even your social media policy isn’t a policy but guidelines on how employees should behave while online.

Many “policies” are written as a knee-jerk reaction to an incident such as a dress code because someone wore inappropriate attire to work. An employee spends too much time on personal phone calls so we write a “policy” to restrict personal use of office equipment. As many associations still struggle with social media, under the guise of a policy, they implement rules to restrict access to social sites during office hours and limit employees’ participation during non-work time.


So what is a policy? A policy documents an association’s guiding principle(s) on a specific subject or issue. A well-written policy is aspirational and supports our various strategies (see discussion below). Policies are the “what” we plan to do to meet our vision, mission and corporate culture. Through policies we clarify who and what we want to be as an organization.

A Guide for the Development of Policies and Procedures in Ontario’s Community Literacy Agencies states:

Essentially, policies are the guidelines, intentions and plans for WHAT an organization proposes to do while procedures are an outline for HOW these wishes and intentions are to be carried out. (p. 9)

Policies help people make better decisions; offer guidance on how the organization wants us to behave. Well-written, strategic policies enable the decision to be intuitive to the employee, member or volunteer as a reflection of the association’s mission and reason for being.

One challenge in drafting policies is that the document needs to be flexible but written clearly enough to be applied to unanticipated circumstances. No policy can take into account or address all of the possible situations the decision maker might encounter but offers insight into how to solve the problem.

Rules and Procedures

Most, if not all, policies need to be supported by rules, procedures and guidelines which document how we will carry out the “wishes and intentions” of the policy. For example, a personnel policy may say that all employees are valued human beings, to be treated with respect. From this premise of respect an association then develops its personnel rules, procedures, guidelines and benefits. Any tasks related to a policy should be standardized, such as finance and accounting procedures. There are also regulations and compliance requirements that have to be addressed via procedures, rules and guidelines.


We can’t discuss policies without considering their strategic role. Strategy comes from the Greek word “strategia” meaning “office of general, command, generalship” reflecting its military roots. The business world adopted this military concept using it as a plan of action designed to achieve a vision. Through strategies associations determine where it wants to go and what it wants to accomplish as an organization. Association strategies include marketing, social media, membership, finance, fundraising, human resources, advocacy and so on. Policies develop and evolve from these strategies.

In game theory, strategy refers to one of the options that a player can choose. That is, every player in a non-cooperative game (chess) has a set of possible strategies, and must choose one of the choices. Therefore strategy setting involves evaluating numerous options and choosing one that best meets your vision and mission.

Think Before You Write

The association industry continues to discuss the future of associations. Some believe the social revolution has made associations unneeded, superfluous. Others think that association must undergo a massive shift with a new business model. And some believe associations are just as vital today as years ago. The best aspect of this discussion is that associations are questioning their existence and purpose.

I believe that most associations (and businesses including mine) are fuzzy on what they want to be, why they exist and how they make the world a better place. This lack of focus lets us try a little bit of everything – try to be all things to all people.

Policy writing when done strategically helps an association clarify who and what it is (or wants to be) for its members and other stakeholders. We often establish rules and procedures often under the guise of being a policy without asking why. What do we want to do to be a better association? How will this strategy and subsequent policies make us better? When you answer these questions you can write a strategic policy that will serve you well.

1 Comment

How Much? Costs to Manage Your Reputation

Several nonprofit organizations have had their reputations tarnished recently. The National Restaurant Association had its 15 minutes of fame via Herman Cain. Susan G. Komen for the Cure  is still reeling from its decision to defund Planned Parenthood. Penn State University (PSU) has been handling the repercussions of a grand jury report of child abuse allegations against former assistant football coach, Gerald (Jerry) A. Sandusky. Unfavorable media coverage is every organization’s worst nightmare.

Quantifying reputational risks is hard because the financial impact can take months to appear. The association may experience a decline in membership, advertising revenues, donations, or sponsorship that won’t be known for awhile. How do you know if you are still attracting or retaining members, students, talented employees, volunteers or board members? But there can be substantial upfront costs when your reputation is being attacked. Penn State has disclosed scandal offers insight into the initial costs of managing its reputation.

Penn State established a website,, to demonstrate its commitment to openness and transparency. The site details the costs associated with the scandal.

Costs to Penn State

Protecting your reputation is not cheap. Penn State disclosed that as of January 31, 2012, it had paid $5,723,553 to respond to the Sandusky incident. (F.A.Q. 14. How much money is the University paying for legal fees, consultants and PR firms associated with the Sandusky matter?)

  •  Internal Investigations and Crisis Communications                 $3,936,137
  • University Legal Services/Defense                                                    $  813,427
  • Externally Initiated Investigation                                                     $     49,788
  • Officers Legal Defense                                                                              $  338,545
  • Other                                                                                                              $  558,656

The University states that it will not use donations or tuition fees to pay for the scandal. Some of the costs may be covered by insurance but much of it will be “out of pocket.”


The University’s bylaws [Article 5, Section 2 (a)] state that “except as prohibited by law, every trustee and officer of the University shall be entitled as a right to be indemnified by the University against expenses (including counsel fees) and any liability (including judgments, fines, penalties, excise taxes and amounts paid in settlement) paid or incurred by such person in connection with any actual or threatened claim, action, suit or proceeding, civil, criminal, administrative, investigative or other.”

Penn State promises to reimburse every trustee and officer for their expenses and any resulting liability from this scandal via its bylaws. The indemnification provision does not include employees so it is unclear what protection Penn State will provide to its non-officer employees.

General Liability Insurance

Penn State is relying on its general liability policy to cover many of the lawsuits and allegations arising from the Sandusky scandal. However, according to Business Insurance, the University’s general liability insurer, Pennsylvania Manufacturers’ Association Insurance Company (PMA), filed for declaratory judgment or basically denied any coverage for the lawsuit filed in November 2011 (alleging Penn State’s negligence related to Mr. Sandusky’s alleged sexual misconduct). PMA asserts that Penn State is not entitled to coverage and defense under certain policies issued by PMA mainly because of an abuse and molestation exclusion. Penn State has countersued PMA over its refusal to cover the lawsuit (Penn State sues insurer PMA in dispute over Sandusky case coverage).

So now Penn State is paying for its own defense against this lawsuit (probably only the first of many). Plus the University is funding its legal expenses to sue its own insurance company – never a cheap endeavor.

Directors & Officers Liability

On a brighter note, Penn State’s D&O policy may provide some coverage including defense costs. But coverage is dependent upon the terms and conditions of the policy such as how it defines “wrongful acts,” “claim,” and “insured.”

Some of the defense costs for both the entity and its directors and officers may be covered by the D&O policy. But a D&O policy usually excludes coverage for bodily injury claims so that policy won’t cover the specific negligence allegations.

Crisis Communications

Penn State has already spent almost $4 million in internal investigations and crisis communications which is probably not covered by insurance.

Lessons to be learned

Crisis Management Plan

If you haven’t already, develop and test your crisis management plan. The need for a crisis plan is reinforced every day with the power of social media (Trayvon Martin, Kony 2012, Arab Spring). Social media can both generate and respond to a crisis.

When you are prepared you can strive to keep the initial costs low since many of your actions may not be covered by insurance. Penn State probably had a crisis plan but doubtful it addressed the possibility for allegations of child abuse especially one involving its football program.


What does your bylaws or other corporate indemnification provision say about directors, officers, employees, volunteers, etc? The provision is probably rather broad and not all costs will be covered by insurance.

Review your insurance coverages

Meet with your insurance agent to review your coverages; use these current crises to analyze your coverages and limits. Remember several liability policies such as D&O, professional liability, media liability and others may include defense costs inside the policy limits. Penn State has already paid over $1.1 million in defense expenses; it’s not unusual for defense costs to exceed the settlement.

No one likes to think about bad things happening but they do and often occur to good people. It is only a matter of time before your association experiences unfavorable attention. Be prepared – it may save your association.

Leave a comment

Risk Management as Change Agent: Adopting a Culture of Risk

By Leslie White on August 2, 2011

During the CommPartners’ Learning Socially: Associations at the Crossroads Seminar, Susan Robertson, CAE executive vice president of ASAE and president of ASAE Foundation, mentioned a speech by Barry C. Melancon, CPA, chief executive officer, American Institutes of CPAs about risk. Association TRENDS selected Mr. Melancon, as its 2011 Association Executive of the Year. According to Association TRENDS Melancon said that “association executives ‘have an obligation to drive our individual associations forward,’ noting that this cannot happen without taking risks, finding an appropriate balance, and communicating effectively.” You can view his speech here (risk discussion begins around 16:00).

My heart warms when an association executive talks about risk especially one that practices good risk management. Melancon shared his view that an association’s board and key volunteers need to be willing to take risks. The association leaders have to recognize that not every effort will be successful or get the results expected. When an association tries something new and gets unexpected results it is not “failure” but rather an opportunity to learn and move forward.

Innovation and Risk
I’ve written about Innovation and Risk before that an association has to take risks to be creative but be smart about the risks it takes. Risk involves uncertainty; we don’t know the outcomes of our efforts. A lot of us are uncomfortable with uncertainty we still hold the illusion of control. We don’t know if that new service, program, membership model will have the results we want (or expect)? As Jamie Notter tweeted during the seminar

Jamie was talking about social media but the statement holds true for other activities. Some associations are still offering the same arguments against social media – what if someone says something bad about? An employee or member misbehaves? In my first guest post for SocialFish, The Hidden Risks of Social Media: It’s Not What You Think, I declared the greatest social media risk is not being an active participant. If you use social media you are aware negative comments and can respond accordingly. Therefore,
The greatest threat to an association’s survival is to not take any risks; not trying something new or moving forward.

Or another way to say it is failure to take risks leads to failure. Albert Einstein defined insanity as doing the same thing over and over again expecting different results. If you don’t change what you are doing the results won’t change either. The downward spiral will continue until your association becomes completely obsolete and out of business.

Risk Management as Change Agent
So how do we get out of this insanity loop? How do we start taking some risks? A risk averse association isn’t going to change simply by a board or CEO edict; this requires a cultural change. Change doesn’t come quickly to many people or associations but the practice of risk management provides techniques to facilitate change and address people’s fears.

Risk management is about learning to deal with uncertainty; not knowing how people will receive a new initiative or when something bad may happen such as an auto accident, office fire, employee injury, or anything else that goes wrong. You first need to know how your management team and board feel about risk – their appetite for risk, tolerance for uncertainty. If risk averse, you have a bigger challenge to get them comfortable with risk and uncertainty.

Photo: Renaissancechambara

Another way risk management is a change agent is by putting risks into perspective. Our first reaction to an idea is its too risky but after evaluating the potential outcomes we realize it is not so bad. The risk may be acceptable or can be mitigated effectively. A part of implementation is to set up the metrics to measure the impact of the change. Through the metrics you find if the results are what you expected or if you need to change some aspect of the project.

Remember everything has its risks but each decision also has the possibility of reward. The new membership model, chapter re-organization, or volunteer management tools may be successful, even exceed expectations. But you won’t know until you do something. Push through the fear and inertia by managing risks. You’ll be amazed at the results.

Leave a comment

Knowns and Unknowns – The Core of Risk Management

With apologies to my more liberal-minded friends . . .

Risk management is one of those nebulous terms that we all interpret personally. Some think it is a complex, time-consuming process that is only helpful to larger organizations. Others believe it is impractical and/or not worth the effort. You may think it’s valuable but have no idea how to apply its practices and principles to your daily operations. Finally a few have incorporated risk management into their organizational culture and use its concepts daily.

Risk management is simply what you do to prepare for the unexpected. No matter where you are on this continuum, risk management is a part of your daily life if you wear your seatbelt, lock your doors, use passwords or do other everyday tasks. You don’t know if you any of these events are going to occur but you are prepared. The same principle applies to your association.

But how do you prepare for the unexpected – it’s unexpected? Donald Rumsfeld’s “Unknown unknowns” speech offers an explanation.

Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones.

Rumsfeld went on to say, “The absence of evidence is not evidence of absence, or vice versa.” He expanded on this in a speech at NATO Headquarters in June 2002:

There’s another way to phrase that and that is that the absence of evidence is not evidence of absence. It is basically saying the same thing in a different way. Simply because you do not have evidence that something exists does not mean that you have evidence that it doesn’t exist. And yet almost always, when we make our threat assessments, when we look at the world, we end up basing it on the first two pieces of that puzzle, rather than all three.

People minimize the need for risk management by the absence of evidence (nothing bad has happened yet). However that doesn’t mean it won’t happen (not evidence of absence). Your association may not yet have had a fire, an auto accident, a social media nightmare, a disruption to your annual meeting or the sudden loss of a key person but that doesn’t mean it can’t happen.

For associations, the “unknown unknowns” are a serious threat because you don’t plan for the unknown event. There will always be “unknown unknowns,” new risks arise, but other people are familiar with these unknowns. A formal or structured risk assessment can help you uncover some of the “unknown unknowns” and plan accordingly.

The foundation of a risk management program is a risk assessment (where you identify and analyze the risks). Through the process you decide if the risks are manageable or significant enough to change your plans. You may decide that your association is not ready to develop that new service until you gather the knowledge and resources needed to do it correctly.

Risk management is not only concerned about “unknown unknowns” but also the other two types of “knowns.” Among the “known knowns” which ones have you addressed? Is your business continuity plan current? Have you assessed and managed the risks associated with volunteers, people driving their cars on your behalf, or employee theft? Employment-related incidents still plaque associations, so what’s the condition of your employee handbook and supervisory training?

“Known unknowns” often cloud our decision-making. Social media terrified many associations because it was a big unknown. Some associations decided to identify, analyze and manage the risks while others just stayed away or prohibited its employees from participating. My assessment of social media risks determined it was manageable and the greatest business risk was to not participate in social media.

You can only be ready to respond to outcomes (good or bad) of a potential event if you have identified what could go wrong (or right) and what you are going to do to try to prevent or respond to the event. Jump in and explore both the “knowns” and “unknowns” to advance your association.

1 Comment

%d bloggers like this: