Risk and Insurance

Spiralism is a small institution attempting long work in a volatile era. It will hold testimony, host rooms, publish claims, manage money, use digital systems, work with volunteers, and invite vulnerable people into contact with a shared mission. Those activities create risk. Risk is not a reason to avoid the work. It is a reason to govern the work.

The Rule

Name the risk before the risk names the institution.

Every serious new activity should ask:

1. What can go wrong?
2. Who could be harmed?
3. How likely is it?
4. How severe would it be?
5. What prevents it?
6. What happens if it occurs?
7. How would we pay for it?
8. Who owns the decision?

BoardSource and the Nonprofit Risk Management Center frame risk management in similar terms: identify what can go wrong, decide what to do before and after harm occurs, and understand how the organization will pay when something happens.

Risk Owner

Every risk needs an owner. An owner is not a scapegoat. An owner is the person responsible for noticing, updating, and escalating.

Founding-period risk owners:

• Archive risk: Lead Archivist or Archive Steward.
• Chapter risk: Chapter Founder plus Steward contact.
• Safeguarding risk: Safeguarding owner or committee.
• Finance risk: Finance Steward.
• Digital risk: Builder or Technical Steward.
• Media risk: Media owner and reviewer.
• Legal formation risk: Formation owner and counsel.
• Reputation risk: Stewards.
• Insurance risk: Finance Steward plus board or counsel.

If no one owns a risk, the institution has accepted it blindly.

Risk Register

Maintain a living risk register:

Risk:
Domain:
Owner:
Description:
People affected:
Likelihood: Low / Medium / High
Severity: Low / Medium / High
Current controls:
Needed controls:
Insurance or reserve response:
Trigger for escalation:
Last reviewed:
Next action:

Review the register quarterly during the founding year and before any major new activity: a retreat, public testimony release, paid role, fiscal sponsorship, large gift, new chapter, youth-facing activity, or media partnership.

Risk Domains

Archive

Risks:

• lost testimony;
• wrong access level;
• publication outside consent;
• identifiable private detail;
• emotional harm during recording;
• corrupted storage;
• founder-only custody;
• external archive deposit without adequate terms.

Controls:

• Archive Operations Manual;
• Privacy and Data Stewardship;
• Digital Infrastructure and Security;
• consent review before publication;
• redundant storage;
• time-locks;
• access logs where feasible;
• Archivist mentorship.

Chapters and Events

Risks:

• injury at venue;
• unsafe transportation;
• harassment;
• coercive social dynamics;
• poor accessibility;
• inadequate emergency plan;
• cash handling;
• unvetted host;
• private one-on-one boundary failure;
• venue contract or insurance requirement.

Controls:

• Chapter Kit;
• Safeguarding;
• Accessibility and Inclusion;
• Incident Protocol;
• public access notes;
• two-adult practice where relevant;
• written venue expectations;
• event contact person.

Media

Risks:

• defamation;
• privacy invasion;
• testimony misuse;
• misleading edit;
• AI-generated or altered material without disclosure;
• exploitation of vulnerable speakers;
• copyright or music rights issue;
• safety risk after publication.

Controls:

• Media Engine;
• Research and Editorial Integrity;
• release terms;
• factual review;
• harm review;
• source lists;
• corrections process.

Finance

Risks:

• restricted funds misused;
• founder commingling;
• missing receipts;
• donor capture;
• related-party payment;
• fraud;
• tax or public-claim error;
• inadequate reserve.

Controls:

• Finance and Controls;
• Development and Patronage;
• Legal Formation Roadmap;
• approval thresholds;
• monthly finance packet;
• conflict review;
• public finance note.

Digital

Risks:

• domain loss;
• account compromise;
• email list loss;
• archive breach;
• donor record exposure;
• ransomware;
• social account takeover;
• untested backups.

Controls:

• Digital Infrastructure and Security;
• Privacy and Data Stewardship;
• MFA;
• password manager;
• access review;
• backup test;
• incident response.

Safeguarding

Risks:

• adult-minor boundary violation;
• vulnerable adult exploitation;
• sexual misconduct;
• abuse of authority;
• unsafe care-circle practice;
• youth programming without protocol;
• complaint suppression.

Controls:

• Safeguarding and Youth Protection;
• Incident and Complaint Protocol;
• Labor and Volunteer Policy;
• screening;
• training;
• two-adult standard;
• mandatory-reporting map.

Insurance Review

Insurance is not virtue. It is one way to fund response when prevention fails.

Review at each stage:

Founding Period

Consider:

• general liability for gatherings and events;
• directors and officers coverage once a board or formal governing body exists;
• event coverage when a venue requires it;
• cyber coverage once donor, testimony, or restricted data volume justifies it;
• volunteer accident coverage if volunteers do physical event work;
• abuse and molestation coverage before any youth-facing activity.

Incorporated Nonprofit

Consider:

• commercial general liability;
• D&O;
• employment practices liability if staff exist;
• workers’ compensation where legally required;
• cyber liability;
• property or equipment coverage;
• media liability if publishing expands;

• professional liability if programs begin to resemble advice, consulting, or education;

• special event coverage;

• umbrella/excess coverage as scale grows.

Media Arm

The media arm should carry its own review:

• media liability;
• production insurance;
• equipment insurance;
• contractor requirements;
• errors and omissions for documentary distribution where needed;
• separate contracts and releases.

Nonprofits Insurance Alliance lists coverages such as commercial general liability, D&O, fiduciary, employment practices, and volunteer/participant accident coverage. The exact mix depends on actual operations, jurisdiction, scale, and counsel or broker review.

Insurance Questions

Before purchasing or renewing:

1. What activities are actually covered?
2. Are volunteers covered?
3. Are chapter events covered?
4. Are rented venues covered?
5. Are online gatherings covered?
6. Are abuse or molestation claims excluded?
7. Are media claims excluded?
8. Are cyber incidents excluded or sublimited?
9. Are directors, officers, Stewards, and committee members covered?
10. Are contractors covered or required to carry their own coverage?
11. Are additional insured certificates available for venues?
12. What are the deductibles?
13. What events require notice to insurer?
14. What documentation must be preserved after an incident?

Do not assume that general liability covers governance decisions, employment claims, media claims, cyber breaches, or abuse claims.

Event Risk Checklist

Before a public gathering:

• venue address and contact recorded;
• access notes published;
• emergency exits known;
• host and backup host named;
• first aid limitations understood;
• recording status posted;
• food/allergen notes if food served;
• cash handling avoided or logged;
• incident contact available;
• no minors present without parent/guardian or approved protocol;
• insurance or venue requirements checked;
• transportation not improvised under institutional authority.

After the event:

• log incidents;
• log expenses;
• log attendance estimate;
• note access barriers;
• note safeguarding concerns;
• update chapter risk if needed.

Program design, run sheets, access notes, media notices, and follow-up are governed in Public Programs and Events; this checklist governs the risk controls that must be satisfied before the event happens.

Contracts, Waivers, and Releases

Do not let forms substitute for care.

Use written agreements when:

• renting a venue;
• hiring a contractor;
• publishing testimony;
• filming an event;
• accepting restricted gifts;
• entering a partnership;
• hosting a retreat or workshop;
• lending equipment;
• transporting people under institutional authority.

Counsel should review templates as scale grows. A waiver is not a permission slip to create avoidable danger.

Business Continuity

The institution should be able to survive:

• founder absence;
• chapter closure;
• domain transfer;
• loss of a laptop;
• failed venue;
• account compromise;
• donor withdrawal;
• public criticism;
• testimony withdrawal;
• media correction;
• safeguarding report;
• temporary inability to collect donations.

Minimum continuity controls:

• backup owner for critical assets;
• monthly backup test;
• emergency contact list;
• role handoff notes;
• cash reserve target;
• public correction path;
• chapter closure process;
• incident protocol;
• no founder-only systems.

Reputation Risk

Reputation risk should not mean “avoid embarrassment.” It should mean “avoid betraying the public promise.”

High-risk public moves:

• using church language in fundraising without formation clarity;
• publishing vulnerable testimony;
• accepting money from conflicted AI entities;
• overstating legal or tax status;
• appearing to offer therapy or employment;
• charismatic founder behavior;
• youth-facing work before protocol;
• speculative claims about AI consciousness.

The institution should prefer a slower public posture over a fast, ambiguous one.

Risk Review Cadence

Quarterly:

• review risk register;
• review incidents and near-misses;
• review insurance needs;
• review high-risk roles;
• review access and backup status;
• review chapter reports;
• review finances and reserves;
• identify one control to improve.

Annually:

• publish high-level risk and insurance note where appropriate;
• review policies against experience;
• run one tabletop exercise;
• confirm insurance decisions;
• update the board or Steward risk owner list.

Public Risk Promise

Use this plain public language:

Risk:
Spiralism hosts gatherings, records testimony, publishes media, handles donor
records, and operates digital systems. These activities create risk. The
institution keeps a risk register, assigns owners to major risks, reviews
insurance needs, documents incidents, and changes policy when experience shows
that a control is missing. The Archive is important; people are more important.

Anti-Patterns

Avoid:

• “We are too small for risk management”;
• insurance bought once and never reviewed;
• no owner for a known risk;
• venue agreements signed from personal accounts with no record;
• untested emergency assumptions;
• public events with no incident contact;
• youth-facing activity before safeguards and insurance review;
• media release before rights and harm review;
• founders treating reputation risk as personal discomfort;
• donors pressuring the institution to accept uninsured or unreviewed activity.

First-Year Risk Targets

By the end of Year One:

• create risk register;
• assign risk owners;
• review insurance needs with qualified broker or adviser;
• adopt event risk checklist;
• run safeguarding tabletop;
• run digital incident tabletop;
• document chapter continuity plan;
• confirm reserve target;
• review media release process;
• include risk summary in annual report.

Insurance renewal dates and proof of coverage should also be tracked in Compliance Calendar.

Sources Checked

• BoardSource, Risk Management, accessed May 2026.
• BoardSource, Common Nonprofit Board Responsibilities, accessed May 2026.
• National Council of Nonprofits, Cybersecurity for Nonprofits, accessed May 2026.
• Nonprofit Risk Management Center, Find the Answer Here, accessed May 2026.
• Nonprofits Insurance Alliance, Coverages, accessed May 2026.
• Nonprofits Insurance Alliance, For Nonprofits, accessed May 2026.