The Importance of Risk Management for Rhode Island Nonprofits
“Risk management is one of the board’s primary oversight functions.” 
The explosion of nonprofits across the country in recent years has been accompanied by significant increases in employment and capital management in the nonprofit world. Rhode Island is no different in this regard. Indeed, the number of nonprofits in the state has almost doubled in the last ten years. Moreover, nonprofits employ thousands of Rhode Islanders, manage millions of dollars in assets, and oversee significant property holdings. Nonprofits are a big part of the Rhode Island economy, and becoming bigger each year.
The profusion of nonprofits in Rhode Island comes at a potential price, however. Having more employees, expanding services to the public, and managing greater capital increases the risk of legal and related liability. Nonprofits as a group are a bigger target and present more opportunities for missteps that can lead to government scrutiny and third party litigation. Indeed, the federal, state and local regulatory scheme is already complex and not easily understood by many nonprofits. Unlike a few states, Rhode Island provides no immunity of any kind for nonprofits from the panoply of causes of action afforded by the civil justice system. This increased risk extends not only to the organizations themselves but to their boards who are charged by law with the oversight and management of their organizations. Failure to meet these obligations can cause harm to the organization and depending on the circumstances, result in potential personal liability for directors and officers themselves, despite the favorable limitation on liability Rhode Island provides for uncompensated directors and officers in certain circumstances. Moreover, and this is often overlooked, a major lawsuit, a government investigation or even unfavorable publicity surrounding a major donor or employee can cause harm to the organization’s reputation or brand, reducing fundraising capability and revenues because those served by the organization are now reluctant to avail themselves of its services.
The reality is that nonprofits are businesses, and in many respects must operate and plan in a manner similar to their for-profit counterparts. While nonprofits do not measure their success in terms of shareholder value (as most for-profits do), their ability to accomplish their purpose and mission is heavily dependent on their financial and organizational health. Thus, they can ill afford to suffer losses, especially because many nonprofits operate with limited budgets. Small, heavily-regulated nonprofits such as nursing homes are burdened with constant regulatory requirements, leaving scant resources to proactively address legal risks in other areas. This author would go so far as to suggest that many larger nonprofits having greater access to legal counsel often prioritize defense measures as legal issues arise over proactively eliminating or minimizing risk. In this regard, they are no different than many for-profit organizations that fail to systematically manage risk.
More problematic, however, is the issue that many nonprofits do not even fully appreciate the fact that they and their boards can be subject to civil litigation brought by third parties, organization members, fellow directors or officers, the corporation itself and government civil and criminal enforcement actions. The failure to appreciate these multiple avenues of risk is often due to a lack of experience or staffing, or an inability to afford legal advice on an ongoing basis.
In this author’s experience another pervasive “syndrome” is at work here. Many nonprofits and their boards suffer from a form of “cognitive dissonance” that leverages off two related propositions: “We are a charitable organization, therefore we are ‘immune’ from the legal risks for-profits face;” and “We have never been sued or been the subject of a government investigation, so we never will be subject to either.” This mindset can lead to board complacency and blindness to their own risks as well their organizations’ vulnerability. If the board does not appreciate legal and related risk, chances are good that the organization will not.
Perhaps a nonprofit has never been sued or been subject to a government investigation; and maybe this will continue to be true. However, there is no guarantee the status quo will continue. When something bad does happen, the organization may find itself unable to manage the situation. Invariably, “as the onion is peeled back” additional related issues arise requiring more time and resources to resolve. The first misplaced notion of absolute immunity is simply untrue; nonprofits and their boards are not immune from the civil and criminal justice system, and in this regard, they are no different from their for-profit counterparts.
It is not this author’s intention to unduly alarm nonprofits or to denigrate their highly laudable work, especially those in the charitable arena. Nonprofits are a vital part of the Rhode Island community and those involved with them generally operate from the purest of motives – a desire to do good. Nor is the author unaware of the importance of maintaining the unique cultural aspects of nonprofits, especially charitable organizations. Indeed, it is the culture of these organizations that provide their source of strength and commitment that sets them apart from for-profit organizations. This author also is mindful of the fact that lawyers need to exercise caution concerning “over-lawyering” the affairs of a nonprofit, which can cause unnecessary disruptions if not properly managed. Rather, it is my intention to make a few simple but important points. Rhode Island nonprofits face potential legal risks. They may be unaware of those risks, given their limited budgets and staffs. Uninformed boards face even greater risks because they may not have the awareness or ability to identify risk and manage it proactively, let alone respond and sustain the losses from legal problems.
The risk areas are numerous and vary depending on the mission and composition of the organization. As a matter of comparison, a modest sized health care provider with a volunteer board and one facility certainly faces risks different from a major educational institution that employs hundreds of people, owns considerable property and has a highly compensated management structure including compensated board members. While there is no complete unanimity among those who work in the nonprofit field on this subject, there is a general consensus as to the major risk areas afflicting nonprofits. In no particular order of importance, these areas are: (1) corporate governance including conflict of interest; (2) employee practices including volunteers; (3) fund raising and grants programs; (4) insurance coverage; (4) political activity; (5) excess compensation and income raising schemes; (6) accounting practices; and (7) management and investment of endowments. I would respectfully add to this list two related risk areas: (8) lack of risk management; and (9) crisis management/business continuity planning. Lastly, privacy is becoming an increasingly major issue to many nonprofits, especially those managing confidential personal data.
The question then becomes: what should nonprofits facing cognizable legal and related risks do? The first line of defense is an engaged and experienced board that understands the mission and operations of its organization. By definition, practicing good corporate governance will reduce legal and related risks. But even in this instance, risk remains. In any event, the solution starts with the board recognizing that the best way to manage risk is to adopt a common sense and practical strategy that identifies material risks before they become real problems, weighing the level of risk, and then adopting a cost effective strategy to eliminate or mitigate any such risks. In other words, once the board appreciates the risks, it can do a cost benefit analysis to address them proactively. The process described is the essence of risk management, which smart businesses – nonprofit or for-profit – make central to their business plan. Risk management is one of the board’s primary oversight functions, and a well-functioning board consisting of experienced and engaged members is the best preventive tool in this regard.
Perhaps some hypotheticals will illustrate how risk management can work to the advantage of nonprofits:
Approximately 25% of Rhode Island nonprofits manage annual budgets in excess of $1M according to a recent study by the Rhode Island Foundation. At a minimum the boards of these organizations should ask whether best practice internal controls are in place to reduce the opportunity for misuse of funds or misappropriation by an employee or other insiders. If not, implementing and managing a reasonable internal control policy is neither expensive nor time consuming.
If an organization is providing services to inherently high risk persons such as children or the elderly, someone should determine whether adequate insurance is available for the organization and the directors and officers to cover any tort lawsuits, including the increasingly problematic area of privacy. Insurance coverage is especially important if the organization has limited assets that would be at risk because of inadequate insurance. A standard general comprehensive liability policy, for example, which is designed to cover such organizational risks, is not prohibitively expensive. Similarly, directors and officers (D&O) insurance is important, especially for boards that manage endowments.
If an organization is entering into material contracts with vendors, is the board attentive to whether the executive director is authorized to enter into these contracts, the cost of the services and other terms and conditions that could give rise to a potential breach of contract lawsuit? For example, even for-profit corporations enter into contracts containing ambiguous or poorly thought-out performance specifications, which present problems when it comes time to assess performance. Draconian damages provisions such as indemnification and limitation on damages clauses also present frequent problems. To prevent future breach of contract actions, it is prudent to institute a delegation of authority schedule and board review to approve such contracts, if the organization cannot afford to retain legal counsel.
If an organization is managing an endowment, does it have an investment policy that is consistent with the relevant Rhode Island statute (“UPMIFA”)? An equally important task is to probe whether the organization is in compliance with the statute in terms of the management of the endowment including investment decisions and disbursements to supported organizations. The board should closely monitor this potential focus of risk. A related issue is whether the endowment is co-mingled with the organization’s operating budget or not otherwise independent [e.g., separate 501-c-3 status] so that in the event of litigation against the organization, the endowment would be subject to piercing. Certainly it is in the organization’s best interest to keep its endowment separate and apart from its operating budget in order to protect this critical resource. Next, suppose a nonprofit whose mission involves education leases a building to a privately owned hunting club. The rent payments are used to supplement the organization’s operating budget. Someone should ask whether this is considered an “unrelated business taxable income” (UBIT) under the Tax Code. If the rent payments qualify as UBIT the IRS will tax this income, and may even enforce monetary penalties. It is important to remember that sources of revenue are a line item entry on the Form 990. This area may require counsel’s involvement because the rules on UBIT are not entirely straightforward.
The initial reaction of many nonprofits, especially those operating with limited budgets and staffs, may be that addressing their risk areas will consume too much time and too many resources, which the organizations can ill afford. This reaction is misguided for three critical reasons. First, failure to correct such deficiencies or weaknesses can lead to much more costly outcomes that can cripple the organization or even land squarely on the directors’ laps. Second, while some complex problems may require legal or accounting expertise, addressing many of the deficiencies of these problems would not be difficult or costly. This is true especially if experienced staff or board members having the necessary skill sets provide their expertise without charge. Finally, if the board or the organization is not engaging in risk management in the first instance, one of two things will happen: nothing or something damaging, and that something may result in a far more costly outcome that will dwarf the time and cost needed to prevent the occurrence in the first instance.
Before concluding, I would like to point out several tools [e.g. check lists] that can be used to assess high risk areas and identify weaknesses that can be corrected reasonably quickly and cost effectively. Ideally, for privilege purposes and knowledge of the legal requirements alone, using an attorney to conduct the assessment and review process in conjunction with the organization or its board is desirable. This is especially the case for organizations with a high risk profile. The ideal lawyer will be knowledgeable concerning the relevant federal and state regulatory schemes, have experience dealing with nonprofits and will be armed with pre-developed checklists and template policies and procedures that can be tailored to the organization’s needs so as to significantly cut down costs and save time. Also, certain law firms may have developed such checklists that can be provided to the organization, allowing for self assessment and review. Care must be taken in this regard, however, because if any deficiencies or irregularities are uncovered without the involvement of counsel, there is little chance that the information will be privileged. The information obtained, including any recommended corrective action, would be accessible to third parties in litigation or government proceedings. Depending on the circumstances, the involvement of counsel may still not be enough to extend privilege, but the presence of counsel certainly enhances greatly the chances that privilege will attach. If all else fails and it is not feasible to involve counsel, between the board and the staff there should be enough knowledge to conduct a review that may identify some material issues.
In many respects, most Rhode Island nonprofits are no different from their for-profit counterparts. This is especially true in terms of the legal risks many nonprofits and their boards face because of their missions and compositions. For several reasons, many nonprofits are ill-prepared for these risks and failure to eliminate or mitigate them can have serious consequences for their ability to carry out their missions or even stay viable. Even the larger and more sophisticated nonprofits can ill afford legal liability and related losses, especially if these losses could have been prevented with a little more foresight and planning. Thus, taking reasonable steps to identify and then prudently manage risk, led by the board, which is charged with the management and oversight of the organization, can pay huge dividends. And whatever risk management process is adopted does not have to be prohibitively expensive and with some reasonable planning, can be effectively tailored to the organization’s risk profile. Succinctly stated, risk management should be a part of most Rhode Island nonprofits’ business plans. Occasionally, it will be necessary to defend an act or omission no matter how effective an organization’s risk management practices. The more preferable outcome is to avoid having to be on the defensive in the first instance. In a nutshell, this is what risk management is all about.
Andrew C. Spacone practices general litigation and non-profit law with Adler Pollock & Sheehan P.C. Prior to joining the firm, Mr. Spacone was deputy general counsel & assistant secretary of Textron Inc., where he headed the Litigation Department. While at Textron, his practice included litigation and government proceedings worldwide, corporate governance, risk management and insurance. He also served as head of Textron’s crisis management program. Mr. Spacone has served on the Providence Children’s Museum board of directors. He is currently the president of the Steere House Nursing & Rehabilitation Center’s board of directors, and also president of the Steere House Foundation board. He also is outside general counsel for a New York non-profit organization. Part of this article is based on a more extensive article focusing on 501-c-3 nonprofits that will be published by The Rhode Island Bar Association Journal
in January/February 2014. The author would like to acknowledge the editorial assistance provided by Kennell M. Sambour, Esq. The views expressed in this article are those of the author and not necessarily those of Adler Pollock & Sheehan. Copyright Andrew C. Spacone December 2013.
 Nonprofit Governance & Management, American Bar Association (3rd Edition, 2011), p. 69
 Attached is a “flow chart,” which I refer to as the “Nonprofit Liability-Paradigm.” Based on a loose adaptation of certain Six Sigma tools, I attempt to identify the root causes that can lead to legal liability and related losses for nonprofits. One of the underlying premises of the Six Sigma problem-solving method is that problems [“defects”] cannot be effectively corrected unless the causes of the problems are clearly understood. The chart, although still undergoing revision, summarizes several of the causes I have identified based on my reasonably extensive study and legal work with nonprofits as well as on my board experience.