Risk Management is a broad term. The process of managing risk can be simple or complex depending on the needs and size of the community. Every decision the board makes is, in effect, an attempt to manage a risk.
There are six general classes of risk which will be evaluated. When creating a risk management plan, you need to take these classes into account. Each class encompasses topics specific to community associations.
- Economic risk – Are your unit owners paying their dues? Can you pay your bills? Can you obtain a loan if needed? Are your funds properly protected or invested? Do you need a special assessment?
- Legal Risk – How does the current law or governing code apply to you? Are their new laws or regulations to consider?
- Political Risk – Has there been a change in the interpretation of existing statues or rules and regulations?
- Physical Risk – Is there a possibility of damage to property or injury to persons? (This would encompass your typical insurance claims but also any damage that is incurred but not reported.) Are you in a flood prone area? Does your building need maintenance or structural repairs?
- Juridical risk – What are the current legal trends? Have there been any adverse decisions by judge or jury? What case law applies to your association?
- Social Risk – Does the association have a healthy public image and/or public relations? Is the association in tune with the social direction of their country/locality? How is social media affecting you?
The risk management process requires that you understand the history of your association. Your plan addresses historical trends and identifies areas for improvement. This should be completed with the assistance of professionals in their respective fields.
Each individual association will also need to be aware of their appetite for risk (i.e., how much risk are you willing to retain). It is nearly impossible to transfer all risk but depending on how much expense you are willing to bear up front your risk level may be significantly reduced.
There are four basic rules of thumb commonly used in risk management:
- Do not retain more than you can afford to lose.
- Do not risk a lot for a little.
- Consider the possibilities or likelihood of loss.
- Do not treat insurance as a substitute for loss control or maintenance.
Insurance is of course intended to protect the association in the event of a sudden and accidental loss. However, ignoring regular maintenance and timely building & systems updates can significantly affect your insurability. It can be difficult to obtain affordable insurance if you have a challenging loss history.
The first step in creating your risk management plan is to Identify your Risk. To do so you will need to gather some information, including (but not limited to):
- Copies of any previous risk management plan
- Governing documents and administrative & policy resolutions
- Loss runs, noting open/pending losses and Frequency and Severity of reported losses
- Documentation of any incidents that have been incurred but not reported as losses.
- Maintenance records (including landscaping, snow removal, sidewalk, and pavement repairs, etc.)
- Reserve studies and engineering reports
- Copies of any current disaster management plans
- Copies of current contracts
- HR policies and/or employee handbooks
- Details on applicable computer systems & protections
- Financial statements & info on current investments
The second step in the process is to Analyze the information you have gathered.
Insurance brokers tend to focus on the areas of risk management within our realm of expertise. We focus on aspects that lend themselves toward improving access to affordable insurance alternatives and obtaining the best available terms and conditions.
Your broker can provide you with important information about your loss frequency (number of reported claims, number of similar claims) and severity (amounts paid for each claim). They can extrapolate data for you and make recommendations based on this information and your exposures.
Note: typically, when we are bidding on insurance, we are focusing on loss information for a period of 3-5 years depending on the carrier requirements. However, when it comes to risk management plans it is better to have more information at your disposal as you create your overall risk map.
A community association is a business. Typically, professional risk managers require a review of a minimum of 10 years loss history.
But just obtaining loss history is not enough. The key here is that your insurance broker can only focus on losses that have been reported. If there have been damages incurred but not reported (the association decided to self-insure) these incidents should also be taken into consideration.
Data must be consistent and specific to be of any real use. In order to compare data sets you need to know specifically what caused the loss. Only with this additional data can you tell if you have a frequency of similar losses. For example, in a high-rise you might choose to categorize damages by floor or by which system or section was affected.
With this information you can set about taking steps to mitigate future losses. Note: I would not recommend narrowing down to the specific units as that could present privacy issues when the information is shared to the community.
As each community is unique, it would be impossible to provide a one size fits all list. I believe it is more important to understand the process than to come away with a set list of questions. Each document you review will require input from a professional in that area of expertise.
A review of your governing documents, any changes in applicable statutes or regulations, and updating your administrative and policy resolutions will require input of association legal counsel. If you have employees, they can also recommend updates to your employee handbook (or help you create one). Note: you may also be able to obtain sample employee handbooks from some D+O carriers.
Your attorney, in conjunction with your insurance broker, can also assist you with review of your current contracts to confirm there is no inappropriate limitation of liability wording or hold harmless and indemnifications sections not in favor of the association.
Your CPA, investment, and property management professionals can assist you in reviewing your financials for any problem areas. Ask yourself the following questions: Are you making the appropriate contributions to the reserve funds? Is your delinquency rate higher than expected? If so, how can you address the issue? Are you investing association funds appropriately? Do you have proper financial controls in place for payments and transfers between bank accounts? Is a second signature or approval needed for funds transfer or large checks?
If you have a site office with computer systems, or even just electronic access to the building and amenities, you should consult an IT professional. You need to consider the protection of those systems. What measures are in place to protect personally identifiable association information and association records? Do you have the appropriate firewalls and anti-virus software? Are software patches and anti-virus updates immediately addressed? Do you have a policy regarding creation and sharing of passwords? Are your security protocols up to date?
If your systems were compromised, how would you supervise access to pools, fitness centers, etc. Do you have backups of your system saved off site and offline? Note: applications for cyber liability coverage will ask questions regarding your systems – this is a good place to start if you are looking to fully review your protections.
If you use a third party for credit card or direct debit processing of association dues, how are they protecting your unit owner’s information? Can the association be held liable if this vendor is compromised? What does your contract say about their limitation of liability or hold harmless and indemnification?
Association legal counsel can advise whether your state will hold the association responsible for notification and credit monitoring. If your vendor is not responsible for the costs, then the association may end up paying those expenses.
Associations should also understand the protections that their contracted property management firms have in place to protect their unit owners personally identifiable data. This protected data includes (but is not limited to) names, addresses, email addresses, banking info, credit card numbers, social security numbers, and birth dates.
If you currently have a cyber liability policy in place you should confirm whether hardcopy records are covered in addition to the digital. Privacy breaches have occurred during loss or mishandling of paper records.
If you have an aging building it is essential to consult the appropriate professionals for reserve studies and engineering reviews. Aging buildings need regular maintenance and systems should be updated or replaced as per professional recommendations. If your reserve fund is currently lacking, now would be a good time to determine how you can improve the financial health of your association.
In many associations it is difficult to convince unit owners that expensive repairs are a necessity. Unfortunately, we have recently seen media coverage regarding Champlain Towers South Condominium and just how imperative those repairs can be. As I am writing, we still don’t have clear understanding of what happened. We likely won’t have that information for a few months, but it seems clear that lives could have been saved if the appropriate risk management plans had been implemented.
Once you have identified your risk and analyzed the information the next steps are Control, Financing, and Implementation. Several of the following articles delve into these roles of the risk manager in personnel and human resources, mitigating risk and risk transfer, financial risk management, investments, and other aspects of risk management specific to community associations. I hope you will take this opportunity to review those articles.
Your risk management plan should be an active process. This is not a singular task. The last step in the risk management process is Administration. To be effective, you must constantly monitor your plan and adjust as needed.
A successful risk management plan will involve education opportunities for your unit owners. For residents to fully embrace the plan they need to understand how it will benefit them in the long run.
If you need help with your plan, or community outreach, contact your professional partners for assistance.
By Lauri Ryder, CIC, CRM, CMCA, EBP
Lauri is the real estate practice leader for Sahouri Insurance & Financial and has over 16 years of experience in the real estate insurance industry specializing in homeowners and condominium associations. Prior to moving to insurance, she worked in community association management which she believes gives her a unique perspective. Lauri is a CAI Educated Business Partner, a CMCA (Certified Manager of Community Associations), a CIC (Certified Insurance Counselor), and a CRM (Certified Risk Manager).