H E L P I N G L E A D E R S B E C O M E B E T T E R S T E W A R D S .

Presented by: Arthur J. Gallagher & Co.

STRATEGIESSAFETY

CHURCH EXECUTIVE • S A F E T Y S T R AT E G I E S 2 churchexecutive.com

S A F E T Y S T R AT E G I E S • CHURCH EXECUTIVE 3churchexecutive.com

Table of Contents

THE VAST FRONTIER — AND ASSOCIATED RISKS 4In a smaller, more technological world, we can’t afford to underestimate proactive, collaborative safety and risk management strategies.

By Peter A. Persuitti

SOCIAL MEDIA RISK — A SPOT CHECK FOR THE CHURCH? 6Recently, I convened a panel of experts for a conversation about where the Church stands relative to capitalizing on the remarkable evangelization opportunity of social media.The key questions: • Are churches actually embracing social media?• If so, how are they doing managing the risks?• How can churches establish boundaries as they row in these

unchartered waters?

By Peter A. Persuitti

4 PRACTICAL WAYS CHURCHES CAN REDUCE THEIR CYBER RISK 8In recent years, discussions about data breaches with my church and nonprofit clients have moved from “what-if’s” to, “This just happened to one of my clients.” Cyber Liability insurance is no longer a coverage that is nice to have; it’s saving organizations money, time and reputations.

By Steve Robinson

CBO: COLLABORATION = BETTER OFF 10At this year’s BoardSource Leadership Forum (BLF) — a gathering of more than 800 non-profit trustees, directors, executives and specialized service providers — I was struck by a fundamental conversation: Someone raised the issue of why we call ourselves “nonprofit.”

By Peter A. Persuitti

CHURCH EXECUTIVE • S A F E T Y S T R AT E G I E S 4 churchexecutive.com

Missionary work in third-world countries has been a noble church mission for centuries. Today, it offers a horizon of growth of evangelization in a shrinking “believing” western world.

Adams & Associates (now Gallagher Charitable International Insurance Services) — a firm we acquired eight years ago — has been serving mission-sending organizations with travel insurance products since 1981. Gallagher innovatively developed general liability coverage for the mission-sending organization to complement the coverages for individuals participating, having clearly seen the risks associated with sponsoring individuals.

So do we today — especially if you’ve read and studied (as I have) Richard Hammar’s remarkable review of a lawsuit involving a well-known boarding school (“Travel Injuries: Why Churches Must Better Prepare”) in the September / October 2014 edition of Church Law & Tax Report. In this situation, the school was found negligent in its preparation of students for short-term study in China. The Connecticut Supreme Court affirmed a $42-million jury verdict after a student (victim) sustained permanent brain damage as a result of a tick bite.

THE VAST FRONTIER — AND ASSOCIATED RISKS

Key safety tips for the “vast frontier”• Work with specialists to continually

update a comprehensive “release form”• Follow all CDC website recommended

precautions• Consult with specialists prior to the trip

for instructions on minimizing risks• Understand the unusual exposures of

the particular areas of travel• Consider new methods of

communication to those traveling — such as videos of the areas of travel when possible

• Ensure that team leaders are equipped to respond promptly in emergencies.

The Ebola crisis has all of us thinking

differently, for the time being.

Unfortunately, our sensitizing is hard to sustain with so much

information hitting our radar screens.

By Peter A. Persuitti

In a smaller, more technological world, we can’t afford to underestimate proactive, collaborative safety and risk management strategies.

Presented by: Arthur J. Gallagher & Co.

STRATEGIESSAFETY

S A F E T Y S T R AT E G I E S • CHURCH EXECUTIVE 5churchexecutive.com

An expert perspectiveFast forward to today. Dana Crowl, program manager of our

Gallagher Charitable International Insurance Services, sat down with me to talk about her experiences leading this legacy division. I had a number of questions for her — how the servicing of these groups has changed over the years, what the trends are in claims, how she and her program are dealing with the Ebola scare, as well as her reaction to the boarding school lawsuit verdict.

“Most programs are very good about using release forms,” Crowl said, very affirmatively. “However, some groups taking less formalized trips. Those with smaller churches might not use the appropriate release forms. As with many aspects of risk control, there are still opportunities to make the forms more meaningful, as Hammar points out.”

As a service provider that’s also the front line for the claims, Crowl indicated there are typical claims relative to property stolen / missing (which have escalated with the prevalence of technological gadgets) and trip cancellation reimbursements — another area that remains prevalent, especially given terrorist threats and CDC warnings.

“The emergency evacuations are few and far between, but they require an adroitness and alignment with partners that are the best in the business,” Crowl says.

For these crises, Gallagher Charitable aligns with red24 [ www.aaintl.com/red24.cfm ], a worldwide security service available to help members manage or avoid personal risk to themselves and their families. Members have access to advice on both a preventative and reactive level, relating to personal security, risk and travel, through: a members-only website; personalized briefings; and 24/7 assistance online, by phone and by email.

A key takeaway from my discussion with Crowl: the need to manage participants’ emerging medical conditions. Mindful that much of this is personal information, one of the trends Crowl sees is the triggering of medical conditions on these short- and long-term ventures that lead to danger — not only for the participant, but perhaps also for others in the program!

As a former boarding school administrator, this was an interesting reminder. I once took students abroad and recall one of our students causing harm to others when xenophobia appeared to get the best of her. We had to ensure she was immediately returned to the United States.

While the boarding school case might reflect more the obligations when including minors on your program, the verdict is striking in its message to sponsoring organizations: The School failed to take the basic safety precautions to protect the minor children in its care.

I hope this case will help alert all schools which sponsor overseas trips for minors that they need to check with the CDC for disease risks in the areas where they will be traveling, and that they must advise children in their care to use repellant and wear proper clothing when necessary.

As the plaintiff’s attorney in the boarding school case showed, these injuries were easily preventable.

Peter A. Persuitti is managing director, Religious Practice, at Arthur J. Gallagher & Co. ( www.ajg.com ) in Chicago. Gallagher is a financial services firm specializing in insurance brokerage , benefits and retirement consulting, claims administration and advocacy, institutional investment and fiduciary services, alternative risk financing and program administration and risk management. As a dedicated Religious Practice, Gallagher works with more than 24,000 nonprofits around the world.

CHURCH EXECUTIVE • S A F E T Y S T R AT E G I E S 6 churchexecutive.com

STRATEGIESSAFETY

a spot check for the church?

By Peter A. Persuitti

The expertsCrispin Ketelhut has extensive experience managing

church safe environments and is the Associate Director of the VIRTUS Protecting God’s Children Program [ www.virtus.org ]. She brings a wealth of experience to the table regarding the methodology of systems as key to the foundation of risk management and protecting children.

Paul Timm, president of Reta Security, is a foremost expert on crisis management. He is often consulted when there is a breach of security at schools and churches.

Miles Shepp is a broker who leads Impac, an insurance program for mega-vision ministries. The program makes sure policies and procedures for risk management are complemented with the right coverages.

Q: Are churches using social media?Ketelhut, Timm and Shepp agree that churches are embracing all forms

of social media; few are opting not to go there. Timm is adamant about social media being core to the ministry. Thus,

he says, it should be embraced and will be good for Kingdom-building. “Social media might be the one way to bring back youth to the

Church,” he says — and of course, technology has a lot of power as a mass notification resource for emergencies and for communicating key

Recently, I convened a panel of experts for a conversation about where the Church stands relative to capitalizing on the remarkable evangelization opportunity of social media. The key questions:• Are churches actually embracing

social media? • If so, how are they doing managing the risks? • How can churches establish boundaries as

they row in these unchartered waters?

Social media risk —

S A F E T Y S T R AT E G I E S • CHURCH EXECUTIVE 7churchexecutive.com

information. “It puts the Church back in the center of the town square as an informer!”

For his part, Shepp says he has witnessed more and more churches enhancing their websites. To this end, many church leaders are asking questions related to, Is

the church protected?However, if these experts were to rate the systems in

place at churches overall, most congregations would not receive a passing grade. Even so, Ketelhut, Timm and Shepp agreed that a breach of failure is the best possible resource for all of us.

“There is no need to reinvent the wheel of what needs to be in place,” Timm explains. “These churches have been on their knees and forced to put in place the systems necessary to deal with this ‘tidal wave.’”

Q: What are the vital components of a viable system? • Policies and practices• Education and training• Communication• Transparency and accountability • Monitoring systems• Checks and balances

Over the past 10 years involving serious violations of boundaries in churches, we have learned a great deal. All three experts agree there are lessons inherent to these violations that can apply to churches’ social media exposure, as well.

For example, we now know that we must treat children and adults differently in the communication process. “Teach the children, yes; but, we can’t put the main responsibility on the children,” Ketelhut explains.

Ketelhut continues: “With adults, the days of saying ‘Don’t’ are over; how the message is delivered is important. Yet, adults — no matter what — have the responsibility and main role of protecting children. This is

no longer about whether we trust the adult, but rather about adults as protectors of children. Adults represent their churches, and thus

have greater trust, greater access and greater responsibility.”Context and reality are two important concepts here,

Ketelhut adds. “For example, while technology is great and social media connects people, churches must provide education, especially regarding the risks inherent to both.

“We then must take action — we screen, we monitor, we establish checks and balances, we watch for warning signs, we

communicate if there is an issue,” she continues. “The opposite of these systems is chaos.”

To this point, Timm rhetorically asks: What is the remedy for chaos? The answer: education.

“We must set expectations for social media management,” he emphasizes. “And we won’t tolerate the 40+ age group ignoring social media. Ignorance is never the tool to combat issues.”

Churches want to grow, and all three experts say they believe this explosion of social media is a gift of stewardship. But, there is also a cost of discipleship — and they refuse to allow me to reduce the discussion to what one thing is most important in managing this risk.

Instead, they reinforce the importance of seeking out those who have been harmed. These churches will have model policies and practices in place as a result.

“In all of this, we want to allow youth to help lead the way,” Timm emphasizes.

Q: How can church leaders get ready for a potential breach? Is there a “fire drill”-type practice they can use? Not so much; all three

experts agree that in many ways, social media use in the Church is akin to unchartered waters.

“Technology is like a tidal wave,” Shepp points out. “Education is the key. Follow the lessons to be learned, seek ways to reduce risk.

“We can never reduce the risk to zero, but what are we doing with the level of risk we have?” he concludes. “We need expertise and collaboration in place. Insurance is a piece of the pie.”

Peter A. Persuitti is managing director, Religious Practice, at Arthur J. Gallagher & Co. www.ajg.com in Chicago. Gallagher is a financial services firm specializing in insurance brokerage, benefits and retirement consulting, claims administration and advocacy, institutional investment and fiduciary services, alternative risk financing and program administration and risk management. As a dedicated Religious Practice, Gallagher works with more than 24,000 non-profits around the world.

— Paul Timm, president of Reta Security

“[W]e won’t tolerate the 40+ age group ignoring social media. Ignorance is never

the tool to combat issues.”

CHURCH EXECUTIVE • S A F E T Y S T R AT E G I E S 8 churchexecutive.com

But, cyber insurance is only part of the risk transfer equation — we are often asked for basic tips a church can take to help prevent a cyber loss from happening in the first place. A few points to consider:

#1: Have someone own it.Data breach studies have consistently shown that organizations

that identify a staff member as having ownership responsibility for information security are less likely to suffer a data breach. If they do, the financial impact is smaller. We understand that for churches of varying sizes, this individual could range anywhere from a worship / media pastor who is assigned this task because he or she is computer-savvy (“Hey, give it to Jud — he likes computers!”), to a full-time IT specialist.

The important thing is that someone is responsible and held accountable for ensuring other items in this article are given proper attention. Make sure that person is equipped with the knowledge he or she needs to protect your data.

In recent years, discussions about data breaches with my church and nonprofit clients have moved from “what-if’s” to, “This just happened to one of my clients.” Cyber Liability insurance is no longer a coverage that is nice to have; it’s saving organizations money, time and reputations.

4 practical ways churches can reduce their cyber risk

STRATEGIESSAFETY

By Steve Robinson

S A F E T Y S T R AT E G I E S • CHURCH EXECUTIVE 9churchexecutive.com

#2: Take inventory of the data you collect.If your church’s giving records are older than the headstones in the

yard, you might want to rethink that practice. Collecting only the data that is absolutely necessary — and keeping it for the minimal amount of time — will significantly reduce the volume of information that could potentially be breached.

If you are storing credit card numbers, stop doing this; transfer some of that risk to a third party who has the resources to properly secure this data.

On your website, only collect data that is absolutely necessary, and make sure you have permission to collect it.

You know that recycling box on the floor next to the receptionist’s desk? If that person is dropping sensitive information (confidential prayer requests and so on) in that box, make sure the practice stops immediately. Use locked boxes for document destruction, recycling, etc.

#3: Remember: the best firewalls are useless if the front door of the church is left unlocked.

Secure servers, laptops and any other equipment that provides a pathway to your data with locks, access limitations and unique passwords. You know that router you just bought? It came with a factory-installed password.

Remember Jud? Make sure he changes that password when he installs it for your church. The bad guys know that the Juds of the world can be lazy, and this is the first place they look when trying to get in.

When it comes to laptops and portable storage devices, the name of the game is encryption. Employing full disk encryption on laptops provides safe harbor under most state data breach notification laws. It is an extra step, but one that might save your church significantly if a laptop gets left in an airport on the way back from a youth conference.

When it comes to computer use, make sure your staff is well-versed in the common sense practices of locking access to their computers when they step away for lunch. While trust is prevalent among ministry partners, we need to be aware of the fact that others who might not share our same ideals can enter our office space. Janitorial services, contractors, mail delivery personnel, document destruction companies — you get the picture. When employees or volunteers leave your church, be sure to immediately disconnect any privileged access they have.

#4: Beware of the click. My team is working an active data breach claim as we speak, because

one administrative person clicked on a link in his email that opened a door for a virus that quickly gave username and access rights to 90 users on the network. Within three weeks, the bill on IT forensics and legal assistance — just to figure out what happened — has tallied into the six figures. Seek resources on the appropriate use of email, and communicate this to your staff.

Social media: great outreach tool / great threat to information securityChurches are increasingly using social media in creative ways to

connect with their members. That’s the good news. However, churches need to make sure that social media policies are

implemented that don’t allow connections between social media websites and sensitive server data. Additionally, setting clear expectations on the dos and don’ts of using social media can help avoid costly claims involving invasion of privacy, intellectual property infringement and personal injury.

The majority of data breach claims we receive could have been prevented with the most basic levels of due diligence on the front end. Not every claim is a sophisticated hack. Don’t get overwhelmed by the technology of it, and understand your church’s best defense can sometimes be good, old-fashioned common sense.

Steve Robinson is Area President, Technology & Cyber at Risk Placement Services, Inc. www.rpsins.com, a division of Arthur J. Gallagher & Co. and its Religious Practice, in Cambridge, MD.

CHURCH EXECUTIVE • S A F E T Y S T R AT E G I E S 10 churchexecutive.com

CBO:Collaboration = Better Off

By Peter A. Persuitti

At this year’s BoardSource Leadership Forum (BLF) — a gathering of more than 800 non-profit trustees, directors, executives and specialized service providers — I was struck by a fundamental conversation: Someone raised the issue of why we call ourselves “nonprofit.”

The query brewed as a result of the number of corporate executives in the audience on hand for training and awareness-building as it relates to their own nonprofit-serving governance roles. This tension is not uncommon; in fact, as someone who represents a for-profit corporation with a vertical specialization in the third sector, it’s quite familiar.

Perhaps the bubbling of interest was also a result of the number of BLF sessions that related to efficiency, transparency, accountability and metrics.

It’s a theme that has exacerbated a fissure that exists between the worlds of for-profit and nonprofit; something which, for me — having worked on “both sides of the aisle” — seems anachronistic.

I will never forget a frustrated Peter Drucker lamenting years ago, with a heavy German accent: “Why do we call ourselves ‘nonprofit,’ when the fact remains that profitability is vital to our sustainability?” To this point, I’ve been so impressed with the tools of technology (and equally with recent management appointments in nonprofits) that I’ve been encouraging nonprofits to raise their game relative to risk retention. This can be achieved with a more sophisticated form of reinsuring their liabilities and operations — captive, risk retention group — so that nonprofits’ efforts are rewarded through an ROI on their capital (i.e., a surplus), generating a “profit center” for mission protection.

I believe the time has come for a more holistic view of how we manage, whether it’s our company, our organization or our household. (Interestingly, the word economics actually comes from two Greek words — Oikos and Nomia — whose earliest origins relate to taking stock of the affairs of the home.) I believe this blurring is manifest in much of what I am witnessing:• For-profit executives leaving a life of “success,” corporately, for a life of

“significance” in a mission-based organization (Bob Buford’s theory) at a mid-point in their lives;

• For-profit executives sitting on non-profit boards advocating for more Enterprise Risk Management (ERM), a more sophisticated form of risk management; and

• A tidal wave of interest among emerging generations in the non-profit sector — for careers, volunteerism and engagement.

Another concept of this blurring relates to the need for nonprofits to see resources, talent, contribution and solutions in their non-profit, community-based neighbors. In fact, it appears that risk management is no longer an “organization issue,” per se; you can have the best-laid plans, but if you aren’t aligned with your community, you risk vulnerability.

Additionally, so many recent security breaches point to the need for community-based solutions that are global, not just US-centric.

Below is a diagram I raised with a faith-based nonprofit to demonstrate how its approach to risk might, more effectively, be to find greater impact through alignments within the local community.

Engaging your communityIdentifying engagement for a local ministry protection committeePerhaps now is the time for “nonprofits” to change the semantics of their

sector to a broader Community-Based Organization (CBO) concept. In fact, one idea which emerged at this year’s BLF gathering was an alternative label for a nonprofit: CBO.

Perhaps — as CBOs — we will more effectively live out our missions, starting with a positive, inclusive versus a negative (“non”) dynamic. And, no doubt, we’ll better manage risk through these alignments.

Ultimately, we’re better off with collaboration!

Peter A. Persuitti (@ppersuitti) is managing director, Religious Practice, at Arthur J. Gallagher & Co. [ www.ajg.com ] in Chicago. Gallagher is a financial services firm specializing in insurance brokerage, benefits and retirement consulting, claims administration and advocacy, institutional investment and fiduciary services, alternative risk financing and program administration and risk management. As a dedicated Religious Practice, Gallagher works with more than 24,000 non-profits around the world.

RISK MANAGEMENTREPORT