This article is the third in a four-part series offering risk management approaches to not-for-profit organization leaders and volunteers. In the first article we focused on what risk management is and offered examples of fiscal risk prevention and mitigation strategies. In the second, we explored risks related to people and offered a Risk Management Committee Terms of Reference template. This article examines risks that involve technology and intellectual property and we provide advice on developing a risk management strategy and plan. In the next and final article, we will study regulatory risks and provide a Crisis Management Plan template, as well as a summary of the highlights of this series.
Technology and intellectual property risks
Your organization's information and its storage places are extremely valuable assets that are susceptible to risk. It is critical that your computers are routinely backed up and that you have written procedures for everyone involved to follow (even the volunteers if they store information that belongs to your organization). This also applies to personal digital assistants (PDAs). You should also document lock up procedures for all of your equipment and files.
High performance organizations produce an "Asset Protection Plan" - a detailed catalogue of all of the organization's valuable assets in complete detail. The catalogue should be as comprehensive as possible, so that it is useful for an insurance claim or filing an incident report. The following is a sample layout.
List of Valuable Assets:
|Name of Asset
||Identification Information (e.g. serial number)
||Description of Asset (colour, model, size)
||Location of Asset
||Asset catalogue number
||Black, IBM Think Pad 3
||Association Executive's care
||REB - 01-01
||Grey metal, Sony 36 in plasma
||REB - 02-01
||Brown, six drawers, 3.6'
||Receptionist work station
||REB - 03-01
Asset Protection Plan:
|Asset Catalogue Number
AE offsite password file registry
Insurance policy number:
Backup file location:
Date to replace:
|Rental replacement source:
Computer Crashes & Viruses: Follow back up procedures to archive data and monitor compliance; install virus protection software; circulate a computer use policy; use password protection; replace aging computer hardware and software before their terminal fate.
Phones, Fax & Copier Malfunction: Replace aging equipment and have adequate warranty and temporary replacement insurance coverage; have back up plans (i.e. record cell phone numbers on your voice mail; arrange to be able to use a neighbouring office's equipment).
Information Protection: Critical hard-copy documents should be stored off-site in a fire-proof safe. Restrict access to file drawer keys. Have written guidelines explaining how to comply with privacy legislation (especially as it applies to membership records); enforce copyright and trademark adherence. Formalize a records retention and destruction policy. Revenue Canada requires that financial records be kept for a minimum of seven years (in a safe place).
Critical electronically-stored information requires additional risk management. Files should be copied and stored on a disc offsite. Change password access routinely. Document how privacy, trademark and copyright laws apply and monitor compliance. Work only with legal copies of software.
Website Content: Work with the experts to protect your website from hackers and other forms of abuse that deny service to legitimate users.
Constructing a Risk Management Strategy & Plan
Risk management incorporates policies, programs, measures and competencies for identifying, assessing and managing risk.
Include these elements in your Risk Management Strategy:
- Definition of risk: A risk is any incident or condition that will impact the effective and efficient operation of your organization. Remember that, while we tend to think of risk as a threat, it can potentially be an opportunity.
- Risk factors: Risk factors are those potential incidents that can place your organization at risk. The risk management plan below identifies several potential factors. List all predictable risk factors that apply to your organization in this strategy document.
- Risk appetite is the amount of risk, on a broad level, your association is willing to accept in pursuit of it mission. It should reflect the associations risk management philosophy, which in turn will influence culture and operating style.
- Risk tolerance is the acceptable level of variation relative to achievement of a specific objective. It is best measured in the same units as those used to measure the related objective.
- Risk management process: You and your board of directors need to decide how to manage risk. You can decide to have a Risk Management Committee, or you may choose to outsource the leadership to an outside expert in risk management. However you choose to lead your risk management initiative, it will require the cooperation of staff and directors. Therefore, you should delineate a process to execute risk management prevention and mitigation.
- Evaluation: After each incident, evaluate how well your strategy served your organization. Learn from experience and amend your strategy and procedures accordingly. Whether or not you have a best practices network, let your peer boards and associations learn from your experience.
High performance organizations bring together leaders and experts in a workshop led by a knowledgeable facilitator to develop a risk management strategy and plan. Here is a sample agenda:
|Risk Management Workshop Agenda
8h30 Self introductions; agreement on desired workshop outcomes
8h50 Identification of potential risks
9h30 Establish of risk appetite and risk tolerance measurements
10h30 Assignment of risk management priorities
11h30 Review of risk management resources available and required
13h15 Description of risk management strategy
16h00 Assignment of next steps
16h30 Development of risk management plan evaluation process
Your Risk Management Plan should be functional. A proposed layout could be:
||ACCOUNTABLE & RESPONSIBLE
||Crisis Management Planning
|Budget & Timelines
||Incident Report Template
||Asset Protection Plan
Paulette Vinette, CAE, is the co-author of Risk Management - A primer for directors of not-for-profit organizations, which was recently published by the Canadian Society of Association Executives in 2005 (ISBN 0-921998-01-5). Paulette in President of Solution Studio Inc., a consulting practice that serves the not-for-profit association community. She can be reached at 1-877-787-7714 or Paulette@solutionstudioinc.com.