When the worst happens – government funding dries up, a market meltdown cripples the endowment fund or a natural disaster destroys key assets – what do you do? Risk management can be like visiting the dentist. You know you have to do it, but the pain (i.e. time and expense) makes people put it off.
DIY risk management
Let’s start by agreeing that you can’t plan for every contingency. Risk management is an ongoing process that involves identifying risks and delegating the organization’s response, whether internally or externally. It’s far better to address one new issue each quarter than to attempt to do a complete plan all at once.
Risks can be hard to identify. It might be easier to ask what has happened in the past. Has a storm made it impossible to access the facilities? Has the sudden loss of a key staff member stopped service delivery? Is there a time of year when you don’t have the cash to pay staff? If any of these events had been prolonged, would your organization’s ability to survive have been threatened? If so, then that is a good place to start your planning.
Example: A new executive director felt she didn’t know the organization well enough to identify all of the risks, so she asked the chair of the board for assistance. He formed a committee including an engineer, a lawyer, an accountant and an insurance agent who were able to put together a list of risks and possible mitigation strategies for the organization.
How long could you survive without the administrative computer systems? Are there systems that your services need in order to function? Systems are managed by people, so ask all the managers to identify which systems they rely on, how long they could survive without them and how long it would take to restore them if they were suddenly unavailable.
Example: When asked which systems were critical to the organization, the bookkeeper identified payroll as being critical. Since payroll was handled by an independent company and the bookkeeper was able to do the data entry online from home, all that was needed were instructions about how to send the employee time (estimated by the managers if the time cards were unavailable) to the bookkeeper’s personal email. In this case the executive director was already doing the payroll when the bookkeeper was on vacation; otherwise the fact that only one person could operate a critical system would have had to be addressed in the planning.
Very few organizations have a formal, written disaster plan, but without a plan, how do people know what to do in a disaster? How do you even figure out what’s missing or test it? On the other hand, sitting down to write a disaster recovery plan can seem like an overwhelming task. An intermediate step may be to make certain there is a secure, central location for the critical information, such as how to reach people at home and how to recover and run the critical systems, stored outside of the office.
Example: When an organization’s auditors noted in their report to the board that there was no written disaster plan, the executive director realized that most of the work had already been done, but it hadn’t been brought together into a plan. As a first step, he and his management team decided to put copies of all of the instructions into a password-protected, shared space on social media so that they would be available even if the organization’s servers had been compromised.
The best solution is still a formal plan created by an experienced professional with input from all of the organization’s stakeholders. Failing that, some planning is better than none at all. Use the collected experience of your staff, board and volunteers and tackle a new risk at each management and/or board meeting, so that people learn how to identify and plan for the organization’s risks.
Bill Kennedy is a Toronto-based chartered accountant with Energized Accounting, focusing on financial and reporting systems in the charitable sector. He blogs at www.EnergizedAccounting.ca/blog/. Find out more at www.EnergizedAccounting.ca; follow Bill @Energized.