If you want your nonprofit to get off to a strong start in 2020, take these three steps this January. Each is designed to provide immediate “little wins” that will enhance your nonprofit’s risk management and resilience in the coming year:
1. Confirm that you have a working Business Continuity Plan.
Our research shows that only about 30 percent of nonprofits have a business continuity plan, and most of those organizations have not reviewed their plans recently. A business continuity plan is a simple document that provides staff with a set of notification and recovery procedures in the event of an emergency. If you have a plan in place, take time this month to review and update it. If you don’t, don’t panic. You can find more on business continuity plans here.
How this creates immediate wins – If you don’t have a plan, you will take the first step toward building one. This will increase your staff’s sense of security and safeguard your mission. If you do have a plan, you will draw attention to it and confirm that it is responsive and up to date.
2. Take an inventory of your risks.
It doesn’t matter whether you use our suggested process, some other consultant’s approach, or your own in-house methodology, but every nonprofit needs to understand its current capacities. You can’t understand what your organization can achieve if you don’t have a solid awareness of its threats and opportunities.
This is especially important if you have never done the exercise before. But even if you have, the beginning of the year is an important time for a refresh.
How this creates immediate wins – If you haven’t performed a risk inventory recently, your staff is likely walking around with unspoken concerns and possibilities for improvement. Performing the inventory will increase clarity and peace of mind and unlock value in your nonprofit.
3. Perform basic scenario planning.
If you’d like to have a spirited staff meeting (and generate interest in risk management), consider taking 20 minutes at your first January meeting to announce the following hypothetical scenario:
“Our computers have just been ransomwared. We cannot access any of our electronic data. What should we do now?”
Once people get over the shock, you will quickly learn where some of your key cyber risks currently reside. Don’t let the discussion go on for more than 20 minutes. Set another session to address the issue in greater depth.
You can use this exercise every month or so for this entire year. If you do, I guarantee you will get more buy-in for your risk management efforts.
How this creates immediate wins – Nothing is more likely to generate interest in risk management than a sober reflection on potential vulnerabilities. In raising ransomware, you’re not being alarmist. Nonprofits are routinely hit with such attacks these days. If you have any doubts, look at ransomware reports for the weeks of December 6, December 13, and December 20, which refer to schools and educational institutions, an offender aid organization, and a theatre company.
Here’s to a great 2020!
Despite threats on the horizon, our sector has strong fundamentals and deep human capital. Together, we can do things that we couldn’t hope to do independently. Please visit our website to see the tools and blog posts we have available to build sustainability. We hope your organization has a prosperous and resilient New Year!