Security is not something that takes you away from your mission; it is part of it. For nonprofit executives, board members, and for that matter, anyone who steps up to lead a faith-based community, the duty to provide some level of protection for the people who come through your doors is both moral and legal.
The operative challenge is the “limited” part. Nonprofits are already doing so much with so little – limited budgets, limited staff, and unlimited need. And faith-based organizations have that “additional” challenge in that their mission calls them to throw the doors open wide regardless of circumstances. This is why you hear about violence at a place of worship, struggling volunteers dragging the chairs in front of the door of a central meeting space during a book club event, pending bills in the state legislature to make it easier to carry a weapon into church or day-care center, etc. This is what you can do about it.
Reframe what “security risk” actually means
Too often, discussions about security and safety lead naturally to the topic of an active shooter. The fear of these events (thankfully still rare, despite their incredible impact and the mental scars they leave on those who survive) dominates headlines and emotions. The survivor trauma, the media attention, the search for someone or something to blame, all make this the most difficult and consuming type of incident to prepare for, physically or mentally.
But the day-to-day likelihood of an active shooter targeting your organization is incredibly low. It’s certainly not zero, and for organizations that get serious threats or that are part of a highly-public dispute, it can be just a matter of time – but if you plan your security based on only that event you are effectively gambling odds comparable to winning the Powerball.
In a complex world with thousands of potential high-consequence, low-frequency risks, worrying incessantly about only one is an irrational human response, not a rational risk-management strategy. Given the stakes, any good security program simply has to start from the recognition that there are a lot of things that could go wrong, any one of which could be the thing that fundamentally changes or ends your organization.
Understand the legal duty of care – and what it costs to ignore it
All non-profit board members and, usually, all religious leaders are part of the legal structure of “duty of care.” In practical terms, if someone is injured on your premises, and a court decides that an organization in your circumstances would have taken precautions, you’re on the hook for that injury.
Liability for insufficient premises security is the same. Property owners – including a non-profit that owns or leases a property – can be successfully sued over injuries and criminal acts that occurred due to inadequate security. “We’re small” and “we never thought about that” are not strong defenses in civil court.
Charges of failing to have a written risk analysis, failing to implement basic physical security, or failing to train staff in security measures can all be brought in a civil case. That’s not to say that you need to physically resemble a bank, security-wise. It is to say that you need to prove in court that you acted reasonably, and that you have documentation.
Conduct a physical security audit – starting with the obvious
You don’t need physical security consultants or a lot of money to audit your space. CPTED (Crime Prevention Through Environmental Design) is a framework that helps you evaluate how the built environment can encourage or deter criminal behavior, and most of its recommendations are low- or no-cost.
Start by understanding that human behavior is influenced by a person’s surroundings. Architectural designs that control or guide people’s access to buildings, safety strategies that protect employees by minimizing their exposure to risk, and even simple inherently secure installed items like locks and lighting can deter crime.
What does this look like in practice if you are without a budget for anything beyond basics? One low-cost recommendation commonly made is to simply prevent unauthorized access to the building’s interior by installing a lock, or to obtain operator buy-in to secure the entryway with a metal detector.
Walk the perimeter of the facility. Are there places where someone could hang around and not be seen due to tall weeds, bushes, or poor lighting? Low-cost solutions could include improved maintenance practices, a working relationship with an adjacent property owner who shares the bushes, and small motion-activated solar lights that don’t require electrical connections.
Professional security vs. volunteer safety teams
Most community organizations and houses of worship can’t afford professional security except on an irregular contract basis, if at all. So the real-world options are either off-duty law enforcement contracted only for specific high-risk meetings or events, or a consistent safety ministry literally volunteering to protect a congregation or membership.
Off-duty law enforcement is very expensive by the hour, so only feasible for high profile one-off meetings or events. And for your normal weekly operation, it’s simply cost-prohibitive for the vast majority of organizations. That leaves volunteer safety teams, which are very common and can be effective – if structured. Simply having good-intentioned members with no training, no roles, and no written authorization in advance to act as your security ministry is not a safety program. It’s a liability. Left and right you find organizations with no clue they’ve just violated 10 laws or their insurance policy by trying to do the right thing.
Agency/operations level training is the first thing you throw in the trash once you get out of a professional uniform and waive right to arrest under state law. The people you let do this have to have at least some de-escalation training, basic first aid skills, and a piece of paper somewhere that outlines exactly what that member is officially allowed to do and not do in your building.
Here’s a more specific example that carries real legal and financial liability: 80% of active threat incidents in community spaces are over in 5 minutes, and often before law enforcement arrives (FEMA). When establishing a formal safety ministry, a religious leader must ensure that those volunteering to protect the congregation are backed by specialized legal defense programs like Right To Bear, because standard organizational insurance rarely covers the civil litigation costs associated with personal self-defense actions.
Navigate the hidden gaps in general liability coverage
Standard general liability insurance is designed to protect businesses against many common risks, such as slips, falls, and property damage. However, most general liability policies also have explicit exclusions, including intentional acts, assault and battery, and often the use of firearms. This presents a significant liability risk for any organization with an armed volunteer or a safety team authorized to use force.
For instance, if a volunteer uses a firearm to respond to a threat and injures someone in the process, the resulting civil lawsuit could be financially ruinous. The organization will likely be sued, the volunteer will absolutely be sued, and their liability insurance carrier may not have to assist them. Why? Because general liability insurance will likely deny coverage based on those exclusions.
The scenario has played out in real life. Organizations that fail to secure appropriate coverage for armed volunteers have discovered that insurers are not obligated to provide defense funds. This makes board members particularly liable, as they are responsible for overseeing and potentially underinsuring the organization. It is far better to determine the specific exposure and ensure coverage is appropriate before an incident.
Build a real emergency action plan – and drill it
An Emergency Action Plan (EAP) is a written document detailing who is responsible for what during an emergency. While OSHA requires written EAPs for a wide variety of workplaces, any business or organization that doesn’t fall under those rules should still have a plan.
It doesn’t need to be fancy. It needs to be detailed. Who dials 911 when something goes wrong? Who locks down – and where are the keys or codes? Who provides first aid? Who is responsible for meeting arriving law enforcement? Who communicates with families and the media?
For active shooter scenarios, the FBI and Department of Homeland Security’s Run-Hide-Fight template is a solid EAP foundation. Every organization should add its specifics on top of that – lockable rooms here, exits that lead away from the likely threat there, the first aid kit in that cabinet.
The plan doesn’t do any good if no one knows it or remembers it when things get hairy. Low-stress, unannounced or semi-announced drills every quarter or so help keep those habits fresh. Add the low-cost, no-notice Stop the Bleed training, which teaches laypeople how to address traumatic bleeding until the professionals arrive, and the business or organization is that much more ready to respond.
De-escalation is not optional
Most security incidents that community organizations face don’t see weapons or require hands-on only response. They are disturbances, where someone in crisis (emotionally, mentally, or chemically) needs to be left not worse for the wear, or tangles where nobody gets hurt.
De-escalation is the set of verbal and non-verbal tools that your front-of-house volunteers and staff need in order to defuse a situation rather than make it worse. This is not about being a push-over. This is about having the skill to keep things from getting physical in the first place. That helps protect everyone, including people in need, and protects your organization’s legal exposure as well.
It should be a mandatory orientation for anyone in a greeter, usher, or security role. It’s low-to-no cost and readily available and people really will handle themselves differently in stressful situations if they regularly get this training. That is a very different legal position than the group that can’t state they have given de-escalation training to their staff.
Formal policies on armed carry are non-negotiable
A formal written policy is required for any organization where you allow concealed carry – whether by employed staff, volunteers, or members. This is not optional. Anytime something like this is legal, people aren’t going to see eye to eye. If those of you who are responsible for the operation aren’t able to come to a consensus on gun laws in modern America, you’re just going to default to whatever the law is. And that’s how we end up in places with 30.07 signage that doesn’t actually apply to non-profits at all…
That means, without written policy, there’s no standard to train to, no authorization process, no documentation that the organization acted responsibly, and no defense when a plaintiff’s attorney looks a jury in the eye and says, “Clearly they didn’t know what they were doing, look at the cowboy who shot someone in the parking lot.” The policy should specify who is authorized to carry on the premises, what training requirements apply before authorization is granted, how the organization verifies compliance, and what the response protocol is if an authorized carrier has to use a firearm. CCW laws vary incredibly depending on jurisdiction, so the policy needs to account for the specific legal context the organization operates in.
That list of specifics protects the individual carrier and the organization. It shows intent and structure. An official proceeding will have a judge asking if there was a policy – the clear answer should always be yes.
