Members Login

Sign into your account

Login Details

In This Section

Dealing with risk at board level

Susan O’Connell and Cormac Brennan of O’Connell Brennan Solicitors consider the responsibilities of board members of non-profit organisations involved in high risk activities.

In early 2011, High Court proceedings were settled against a HSE funded crèche service for €650,000, in a particularly tragic case arising from brain injuries suffered by a child who fell into a pond while under the care of the organisation.

This case highlighted the challenges faced by Boards of non-profit organisations that carry out activities that could be considered high risk. While the enactment of the Charities Act 2009 provided an impetus for many non-profit and charitable organisations to review their risk assessment and management procedures, as part of an overall review of their corporate governance, it is of critical importance for Board members to ensure that this area of corporate governance is kept under active review, so that the highest standards are maintained.
 
 
Health and Safety
While health and safety is only one of a number of potential areas of concern, the potential consequences where the relevant legislation is breached is perhaps most illustrative of the consequences of risk management being inadequately addressed.

The main legislation providing for the health and safety of people in the workplace is the Safety, Health and Welfare at Work Act 2005. The Act sets out the obligations of employers both to their employees and other individuals at the place of work. Breaches of health and safety law can give rise to fines of up to €3M and/or imprisonment for up to two years. These are criminal penalties, and fines will not be covered by insurance. Invariably, where there is a prosecution, a civil action will follow. These penalties can apply to directors, managers or similar officers, as well as the organisation itself. This should serve to inform the decisions of directors contemplating the cost or “hassle” of creating and implementing sufficient policies in relation to risk management within the health and safety area.

It is generally accepted that the offence of corporate manslaughter will shortly come into existence in Ireland, having been highlighted by the Law Reform Commission as far back as 2006. The Commission has prepared a draft Bill which provides for the offence of “corporate manslaughter” and “grossly negligent management causing death”. The former will attribute criminal liability on a corporate entity and the latter on a director or senior manager of the entity, who could face prison for up twelve years. Should the Law Reform Commission’s recommendations be implemented, the court will also have the power to impose unlimited fines on companies convicted of corporate manslaughter.
 
 
The Role of the Board
The responsibility for the management and control of a non-profit organisation rests with the Board, and therefore their involvement in the key aspects of the risk management process is essential, particularly in setting the parameters of the process and reviewing and considering the results.

This should not be interpreted as meaning that the Board must undertake each aspect of the process themselves. In all but the smallest charities, the Board are likely to delegate elements of the risk management process to staff or professional advisers. The Board should review and consider the key aspects and results of the process.
 
 
Risk Identification and Assessment
The risks that a non-profit entity faces depend very much on the size, nature and complexity of the activities it undertakes, and also on its finances. As a general rule, the larger and more complex or diverse an organisation’s activities are, the more difficult it will be for it to identify the major risks that it faces and put proper systems in place to manage them. This means that the risk management process will always need to be tailored to fit the circumstances of each individual organisation, focusing on identifying the major risks. Directors of large, complex charities may need to explore risk more fully than the outline given here.

Identifying and managing the possible and probable risks that an organisation may face over its working life is a key part of effective governance for non-profit entities of all sizes and complexity.

By managing risk effectively, the Board can help ensure that:

  • significant risks are known and monitored, enabling them to make informed decisions and take timely action;
  • the organisation makes the most of opportunities and develops them with the confidence that any risks will be managed;
  • forward and strategic planning are improved; and
  • the organisation’s aims are achieved more successfully.

Generally, risk will need to be considered in terms of the wider environment in which the organisation operates. The financial climate, society and its attitudes, the natural environment and changes in the law, technology and knowledge will all affect the types and impact of the risks to which an organisation is exposed. Although the risks that a non-profit entity might face are both financial and non-financial, a part of the ultimate impact of risk is financial in most cases. This could be where a party seeks compensation for loss, or costs incurred in managing, avoiding or transferring the risk, for example by buying employers’ liability insurance or buildings insurance.

The potential legal risks to which any non-profit organisation is exposed derive principally from its occupation of premises, and from the activities in which it engages. Many risks are of a common or generic nature, such as the common law tort of negligence, contract law, health and safety regulations, occupiers liability, controls on use of land, data protection requirements, waste management and protection of the environment obligations and equality law. Additional risks may derive from specific activities such as fundraising. Risks also derive from employment and commercial relationships, from potential misuse of the organisation’s goodwill, its logo and its brand, and also generally from the ability of staff members to ensure compliance with policies established by the Board.

Every organisation that is faced by a risk, the hazard of which is high and the consequences of which are onerous, must consider whether it is necessary that it remain exposed to the relevant risk at all, and if it is determined to be necessary that it remain exposed to the particular risk, then risk minimisation strategies would be particularly important. Non-profit organisations should frequently consider the merits and demerits of continued involvement in activities which could be deemed high risk. This places an important focus on the need for a particular risk to be managed and minimised if the activity is to be continued.
 
 
Risk Minimisation
Every legal risk that cannot be eliminated should be managed, in order to minimise the risk to the greatest extent possible. Frequently there will be a cost to risk reduction, and if so the organisation would be justified in making an economic assessment of the potential cost of the risk materialising, as compared with the cost of reducing it below the level at which the organisation will regard the risk as being tolerable, particularly where insurance is put in place to cover the risk.

There are five key steps towards the minimisation of legal risks:

Risk Audits – every organisation should establish a programme in which it regularly reviews each of its activities and assesses the legal risks that each activity raises, as well as developing practical risk reduction strategies relating to each incidence of the identified risk. For example, if some employees of the organisation would be involved in sorting materials that require the wearing of protective clothing, it is crucial for the organisation to ensure that the supply of such clothing is available in each relevant area, and that the importance of using the protective clothing is emphasised in induction, education and training programmes, and is reinforced by supervisory staff.

Education and Training - education and training of members, officers and staff should be a central component of each organisation’s risk minimisation strategy. The starting point of that education and training programme should be the induction procedures in which every member, officer and employee should be required to participate.

Management, Supervision and Oversight – awareness of risks and an interest in preventing them from materialising should be embedded within an organisation and should be evident at every detail, from board level down. It is the responsibility of the board to ensure that all members, officers and staff have a keen awareness of risk assessment and minimisation.

Whistle-blowing – organisations should consider putting in place procedures to enable those within the organisation to alert others to any concerns that they may have regarding the conduct of other members, officers or employees. Such whistle-blowing procedures should be confidential and extend to every aspect of the organisation’s activities, for example suspected financial impropriety, disregard for proper procedures or protocols in delivery of services, harassment or bullying.

Investigation and grievance procedures – organisations must be able to respond promptly and effectively to suspicions and allegations of inappropriate behaviour of which they become aware. The ability to deal with a concern promptly, fairly and effectively is an important practical component in the management of legal risks.

Risk management is a dynamic process, ensuring that new risks are addressed as they arise. It should also be cyclical to establish how previously identified risks may have changed. Risk management is not a one-off event and should be seen as a process that will require monitoring and assessment. Staff will need to take responsibility for implementation. There needs to be communication with staff at all levels to ensure that individual and group responsibilities are understood and embedded into the culture of the charity.
 
 
Insurance
The existence of an adequate and effective policy of insurance operates as an important risk management tool. The terms of the policy must be wide enough to cover the liability that has arisen and be adequate in order to provide cover to an amount at least equal to the liability that has occurred. Where an economic view is taken and an intended level of risk is to be accepted by an organisation in respect of certain activities, the risk must be covered by a robust policy of insurance.
 
 
Exclusion and Limitation of Liability
In many circumstances potential legal liability may be excluded or its extent may be limited by the terms of a contract, and in commercial terms such exclusion and limitation clauses are an important practical means of managing an organisation’s exposure to legal risks.
 
 

Allocation of Roles to Individual Directors

It is prudent for Boards to allocate roles to individual directors, who would have special responsibility for key areas of the organisation’s services. Risk assessment should be specifically included as one of those key roles and responsibilities. Where appropriate, a sub-committee should be established if the role cannot be adequately covered by an individual director. Whatever the arrangements adopted, regular reporting back to the Board is always an important element.
 
 
Ring-fencing of Activities
Another element of legal structure that should be considered is whether higher risk activities should be ring-fenced in separate corporate entities, in order to safeguard the assets of the organisation in the event of a catastrophic claim arising from any of its high risk activities. In many cases, depending on the size of the organisation and the level of its activities, it would be recommended that the organisation’s property assets be held in a company that is separate from the entity that is providing the organisation’s services. This would give rise to a group corporate structure that separates assets from operations and establishes high risk activities in special purpose companies within the group. This structure has been adopted by a number of the medium to large charitable organisations operating in Ireland.
 
 
Summary
The adoption of an effective corporate governance framework, including active and continuous assessment and management of risk, should free up charities and non-profit organisations and allow them to champion new causes and take on new activities or services, in the knowledge that they are taking all reasonable and appropriate action to minimise risk.