Jul 27, 2018 | Informative, Risk Management News
How many passwords do you use for work? Five? 10? More? Most nonprofit staffers have too many passwords to remember them all. This leads to bad habits: writing them down on sticky notes, sharing them with colleagues, or reusing the same password over and over. These bad habits can put your organization’s data at risk.
Many nonprofits are turning to password management services such as Dashlane, LastPass, and Sticky Password. These tools allow you to use just one long, complex password behind which you can store all your passwords. Most tools can be configured to automatically enter the right password whenever you go to an account website or open an application.
Some people worry that putting all your passwords in one place is too risky because one hack opens the door to all your data. That’s a valid concern, but chances are that the encrypted system used to manage your passwords and the value-added services you get from a password manager will make you more secure than whatever you’re doing currently.
If you’re interested in implementing a password manager at your organization, here are a few of the features you should look for.
- Enterprise Control. One of the biggest benefits of a password manager is the ability to manage every password user at your organization. Look for a service that allows you to turn off access for people who have left your organization and select the users who should and should not have access to specific accounts. A good system will allow you to maintain this admin-level control without giving you direct access to any password content.
- Audits and Changing. Many password managers can guide users to choose stronger passwords. Some will audit your passwords and suggest ways to strengthen them. Many also allow you to schedule password changing and even automate password changes.
- Two-Factor Authentication. A good password management vendor will understand your concern that one password in the wild can lead to dozens more roaming passwords. Two-factor authentication, a method that requires you to verify your identity in a second way, adds an extra layer of security to make it more difficult for a thief to get into the system.
- Multiple Devices. Chances are your staffers want to use various operating systems and mobile devices. Look for a password manager that is compatible with PCs, Macs, and all the various mobile devices out there.
Source: The Nonprofit Times
Jul 20, 2018 | Informative, Risk Management News
What would you do if your nonprofit had over 500 W2 tax forms stolen electronically and put up for sale on the dark web?
This nightmare happened to one unnamed nonprofit, and their solution was to contact the National Cybersecurity Center, a nonprofit founded in 2016 by Colorado Governor John Hickenlooper. The NCC’s mission is to provide collaborative cybersecurity services and training. Their goals are to provide education, training, and response services. According to CEO Ed Rios, almost 90 percent of the attacks reported to the center have been mitigated.
What happened to those W2s? The NCC determined that the records were obtained via an email scam. To help with prevention, the NCC offered training to the nonprofit on identifying and avoiding such attacks in the future.
Rios stated that approximately 75 percent of attacks result from user error. This is commonly known as PICNIC (Problem In Chair, Not In Computer), a term popular with IT help desk employees to describe the non-IT workforce’s propensity to click first and ask questions later.
There are three pillars of the NCC’s work:
- The Rapid Response Center is a dedicated facility with experts, vendors, and partners to serve as a trusted resource during a time of security breaches. Their plan is to be the “one-stop shop” when immediate assistance is needed to solve an attack. The RRC is reached via 877-90-CYBER. It is currently available only during business hours; the plan is to offer 24/7 assistance in the future.
- The Cyber Institute takes a think-tank approach to exploring emerging tactics and trends, encryption, and protocols available to better protect our electronic assets. Examples include cyber law, cyber budgeting, cyber communications, and other activities that a small or medium nonprofit or business needs to understand, both now and as technology evolves.
- The Cyber Research, Education and Training Center partners with K-12 and higher education to drive research and development and to provide cyber workforce preparation and education.
Statistics reveal that a single breach can cost up to $9 million for complete resolution, says Rios. Referring to the management level, he said, “50 percent don’t really know enough to even have a discussion.”
Regarding the cybersecurity workforce shortages, Rios further explained that cybersecurity skills can often be taught at the “tactical level” as opposed to the formal education perspective with degrees in computer science. As nonprofits face an increase in cybersecurity and other online threats, it behooves them to be aware of the dangers and the resources available to mitigate them.
Source: The Nonprofit Quarterly
Author: Jeanne Allen
Jul 13, 2018 | Informative, Loss Control, Risk Management News
In the era of 24-hour news coverage, and in the aftermath of highly publicized catastrophic events including hurricanes, earthquakes and terrorist attacks, insurance policyholders have very little patience for a protracted claims process.
At the risk of alienating customers, especially younger policyholders who grew up in a digital age, the insurance industry must adapt to keep up with the speed of business and increased expectations regarding how companies administer claims.
Consumer expectations aside, there’s also pressure from internal stakeholders who expect up-to-date evaluations of risk and more efficient business practices that drive down costs and create competitive advantages.
So, how can insurance companies redesign their business models, particularly the claims administration process?
Leveraging the wisdom of crowds
With these challenges in mind, innovative insurance companies increasingly see a reason to incorporate alternative data sources as an element of their insurance contracts. Given the prevalence of smartphones and the general public’s willingness to use their social media accounts to share events as they happen, real-time social media posts are often the fastest indications of a breaking event. In fact, governments, news agencies, and businesses commonly rely on social media to keep track of breaking news stories.
The real-time nature of social media dovetails with the need for insurance companies to pick up the pace when processing claims. When analyzed correctly, social media data can inform a parametric insurance contract, triggering the payment of a predetermined amount when conditions exceed certain metrics, such as the wind speed associated with a hurricane or tremors accompanying an earthquake. In addition to natural disasters, alerts derived from social media could justify payouts of a parametric insurance policy covering a man-made event, such as a terrorist attack.
In short, when a significant incident impacts policyholders, a parametric contract that relies on social media alerts can generate a payment. And there’s an added bonus: After an event, the real-time information from social media becomes historical information that helps underwriters assess future policy risks.
A front-row seat to insured events as they unfold
As the recent hurricane in Puerto Rico or the 2017 terror attack in the Parsons Green Underground station in London demonstrate, a spike in volume of real-time social media posts is a leading indicator of breaking news. In the simplest terms, social media posts emanating from Puerto Rico or in the vicinity of the Parsons Green station provided compelling evidence of an incident. Over time, as the volume of posts grows, the evidence of a covered event becomes incontrovertible.
Nonetheless, insurance companies don’t need to wait until there’s a vast amount of social media posts to initiate the claims process. With the right tools in place to mine social media, insurance companies can be alerted to an event before the volume of posts surges exponentially.
Whether an insurance company relies on the first post to act or decides to wait until the volume of social media posts mushrooms, the corroborative nature of social media, including the analysis of geolocated posts, offers an up-to-date portrayal of events.
While incorporating alternative data as part of parametric insurance contracts may face organizational resistance, making use of social media data benefits those covered by policies, as well as the insurers themselves: it means the burden of assessing a loss no longer rests solely on insurance adjusters, and it shortens the time needed to assess a loss and issue a payment. Customers who are helped quickly are also less likely to complain about service and may support the insurance company publicly, contributing to brand strength.
The rush to leverage social media alerts
Up until recently, the insurance industry has resisted the pressure to jump on the technology bandwagon. However, in the midst of unrelenting changes in consumer expectations, and the proliferation of online insurance upstarts determined to disrupt the industry, many insurance companies are in the process of overhauling their business models and embracing the latest technology.
In particular, the claims process is ripe for change. While the industry’s staid approach to claims used to suffice, today’s policyholders no longer deem it acceptable for insurance companies to take months to evaluate and pay out claims. In order to attract and retain customers, while reducing claims processing costs and creating competitive advantages over less refined competitors, insurance companies must build business models that allow for a faster, more agile response. That means looking beyond the traditional tools and approaches for a nimble solution with the potential to support the accelerated payouts policyholders expect.
Using alerts derived from social media provides claims processors with real-time, actionable alerts, including images and video that offer third-party evidence of an event and the extent of the damage, and consequently, the ability to expedite and automate policy payments. Insurance companies that tap into social media data to speed the claims process may impress policyholders by avoiding typical operational challenges and may help the strength of public brand perception.
The competitive landscape of shifting business models may propel many insurance companies to use social media data as an indispensable linchpin in their revamped claims administration process.
Source: Property Casualty 360
Author: Dillon Twombly
Jul 6, 2018 | Informative
This resource discusses and provides examples of possible financial risk that a nonprofit organization may encounter. Nonprofit grantees may find this resource useful in identifying potential risks within their organization. The risks in financial management are any actions that result in the reduction in value or loss of any of the organization’s financial assets.
The management and protection of financial resources must be a concern for all nonprofit organizations—from the smallest all-volunteer group to a large, national association. Without adequate financial resources, an organization is unable to achieve its mission and may not survive. Financial resources or assets fall into three categories—money, goods, and services. Money consists of cash, checking and savings accounts, securities and other investments. Goods involve merchandise or stock, supplies, and equipment. Services are the programs and activities the organization offers to its clients. Accountants classify goods and services as resources because they have a value or may be used to create value or revenues.
The risks in financial management are any actions that contribute to the reduction in value or loss of any of the organization’s financial assets. The decrease can be from the actions of an internal source such as an employee or volunteer, or someone outside of the organization can perpetrate the loss—a burglar, “con man,” or client defrauding the organization. Every organization should be aware of the possibility of a financial loss and take the appropriate protective actions.
A financial loss can have a tremendous impact on a nonprofit. The loss of money can create a cash flow crunch and force the organization to reduce its spending. The actions may include eliminating staff or reducing the hours worked plus adjusting the services offered to clients. Besides reduced services, the nonprofit may experience negative publicity about the incident. The bad press can lead to a decrease in donations and the willingness of volunteers to work with the organization. Lastly, a financial loss can affect the reputations of the people involved. Often, the board dismisses an executive director if a large theft occurs on his or her “watch.” Members of the board are questioned by family, friends, associates, and others about the details of the incident and how could it happen to that organization. All of these factors make it imperative for every nonprofit organization to have the proper financial controls in place.
Categories of Risk
Fraud
Fraud, the intentional perversion of the truth in order to induce another to part with something of value or to surrender a legal right, is the umbrella term for most financial losses. Fraud is the most common crime perpetrated against nonprofits. Theft is a generic term for the fraudulent taking of property. In insurance terms, theft means any act of stealing. Types of theft include:
- Burglary – breaking and entering into a building for the purpose of committing a crime.
- Swindling – convincing someone to give or entrust property to you using deceit or false pretenses.
- Forgery – the unauthorized making or altering of a writing so that it looks to be lawfully authorized.
- Embezzlement – taking property lawfully entrusted to you and converting it to your own use.
Someone inside or outside the organization can commit a fraud or theft of organizational assets or resources. An employee can embezzle funds, steal office supplies or merchandise, pad their expense accounts or create a fictitious company and bill the organization for services never rendered. An outsider can sell bogus merchandise, overcharge the organization for materials or services, or entice the organization to make bad investments. Imagination is the only limit to the ways to defraud an organization. Unfortunately, for every control or security system the organization implements, there is always someone smart enough to breach it. Catching wrongdoing before it translates to sizable losses is key. Therefore, in addition to establishing internal controls, nonprofits must be ever vigilant in monitoring their programs.
Investments
The size and types of investments will vary with each organization. For the smaller organizations, investments might be cash on hand while large hospitals, colleges and universities may have sizable endowment funds. Regardless of the size of the investment funds, every nonprofit needs to control and monitor its investments. Many organizations lost money in the savings and loan crisis when banks and lending institutions closed. Another danger is that the organization may make poor investment decisions such as the purchase of junk bonds by Orange County, California that resulted in its bankruptcy.
The New Era scandal is another example of a bad investment decision. Another potential financial risk for an organization is investing in “politically incorrect” companies. If the nonprofit purchased stocks or bonds in a company that subsequently comes under public and media scrutiny, it may experience adverse publicity or a significant decrease in the value of the investment. Every board should establish an investment policy that will guide the nonprofit in its investment and financial decisions. Even an organization operating on a cash current basis should have a policy.
Misuse of Funds
All nonprofits exist for a specific purpose with a defined mission. The board is responsible for ensuring that the organization stays focused on its mission. An excellent way to monitor an organization’s progress is through its use of funds. Many nonprofits receive gifts or funding with restrictions or limitations on their use. The improper use of these funds can cause the funder to withdraw the money, require repayment of the expended funds, and refuse to provide future funding.
A similar risk is the use of funds for purposes other than serving the organization’s mission. Funds inappropriately expended can lead to the loss of the organization’s tax-exempt status or other legal actions. As pressures continue to mount for nonprofits to meet social needs, it is often easy to lose sight of the organization’s mission.
Tax Liabilities
Although most nonprofits are “tax-exempt,” the government still requires them to pay many taxes. An organization must pay the appropriate employment taxes such as Social Security, FICA, and state and federal income taxes. Failure to pay these taxes will lead to large fines.
A nonprofit may also be responsible for charging and remitting sales tax on items sold. Also, unrelated business income is becoming a significant concern as nonprofits seek creative ways to raise funds. Every nonprofit is responsible for knowing and paying its tax liabilities.
Tax-Exempt Status
The IRS’s approval of tax-exempt status is not a right but a privilege that it can easily revoke. One possible challenge to the status is that the organization is not meeting the charitable purpose guideline. If the nonprofit uses its funds for reasons not related to its charitable purpose, it can lose its tax-exempt status.
Private inurement is another cause for losing the exemption. In one case, the IRS revoked the tax-exempt status for a child care center. The board, whose members were parents of the children in the center, set a fee structure substantially below market rates. The board made up the short-fall with tax-deductible “contributions.” The IRS ruled that it was unlawful private inurement, revoked its exemption and is investigating prior years.
Nonprofits have restrictions on the types of “political” activities they can undertake. The IRS guidelines bar any direct or indirect political activity. Lobbying is another area with restrictions. An organization may, however:
- Communicate with its legislators as a constituent
- Petition the government
- Respond to governmental inquiries and testify before legislative and administrative bodies
- Offer nonpartisan analysis of an issue to educate the public
A nonprofit cannot devote a “substantial part” of its activities to lobbying.
Fundraising
The financial risks for fundraising are two-fold and extend beyond the theft of the money raised. First, an organization must protect itself from unscrupulous fundraising. Many organizations have discovered fictitious groups raising funds on their behalf. However, the organization never receives any of the money. An organization may also suffer losses stemming from injuries at a fundraising event staged by the fictitious group. Every nonprofit must guard against improper use of its name and logo, especially in regard to fundraising. The organization should respond quickly whenever it discovers someone using its name and logo without authorization.
The second issue concerns the selection and use of sponsors and cause-related marketing partners. An organization may spend hours and many dollars to negotiate a sponsorship arrangement only to later discover a flaw with the new partner. Although it did not involve a nonprofit, the Kathie Lee Gifford controversy regarding the use of child labor had a negative impact on sales. Imagine if your organization had been a partner in that deal. The potential damage to an organization’s reputation and goodwill could have a lasting impact. A nonprofit needs to evaluate its sponsors and partners carefully to avoid a press relations incident and other losses.
Physical Assets
When discussing financial risks, most of the attention focuses on the loss of money or funds. However, all nonprofits have physical assets at risk. Every organization owns office furniture and other fixtures and equipment used to meet its mission that is subject to loss. A fire or flood can damage or destroy the office contents. Also, an employee, volunteer, computer hacker, or other person wanting to harm the organization can steal or damage its assets. In addition, some nonprofits may have warehouses of supplies whether it is a food bank, soup kitchen, sports organization, or mentoring program. The loss of the supplies could have a devastating effect on the organization’s mission.
The best protection is systems and procedures that limit the access to these assets. Computers contain not only a wealth of information but also confidential data. Control and limit access to the people with the “need to know.” Also, protect the organization’s supplies and merchandise. Although every employee “borrows” a pen or pad of paper, what about the merchandise (sweatshirts, briefcases, coffee mugs, books) that the organization sells to raise money? Many organizations lose money on merchandise sales due to the lack of inventory and access controls.
Risk Management Techniques
One key to controlling financial management risks is the development and use of effective internal controls. Every nonprofit needs policies and procedures to control the access and use of its financial resources. The techniques involve general management controls and accounting controls.
General Management Controls
General management controls consist of the board’s and senior management’s responsibilities for establishing the proper oversight of financial operations. The board should require clear and informative financial reports and statements on a regular basis. The organization, if possible, should use a certified public accountant and have an outside independent audit. If it cannot afford an audit, it should at least have an outside party review its financial reports and accounting records. A word of caution: an audit is not designed to detect fraud. An audit’s purpose is to affirm the organization’s financial records and position.
The board should establish the appropriate financial policies such as investment and loan policies. Senior management and the board also must ensure that the proper financial and accounting procedures are in place. Lastly, the board and senior management should set the organization’s priorities and goals, keeping the nonprofit focused on achieving its mission.
Accounting Controls
Accounting controls are the procedures used to safeguard the nonprofit’s assets. Proper accounting controls also provide reliable and accurate financial records. Both of these goals enable the board and senior management to monitor the organization’s financial operations.
The creation of adequate accounting controls should focus on four areas—authority and approval, proper documentation, physical security, and early detection. Authority and approval procedures require the identification of who has the authority to perform and approve certain transactions, such as approving invoices, expense accounts, signing checks, and dispensing supplies. Proper documentation is a part of the approval and authority process, in that every financial transaction should leave a “paper trail.” Physical security addresses limiting access to various physical assets (accounting records, personnel files, merchandise, supplies, and other equipment).
Organizations often ignore the early signs of wrongdoing. If the proper controls are in place, the systems should alert someone to possible fraud. Unfortunately, people tend to ignore the early warning signs and let the deceit continue. Everyone must follow the established procedures for the controls to work. Any deviation from the system will enable someone to defraud the organization successfully. Good risk management may prevent a financial loss or catch the culprit early in the process, thereby minimizing the loss.
Source: ECLKC