Resiliency During Uncertain Times: To Protect Your Nonprofit from Another Crisis, Focus on Business Continuity Planning and Best PracticesBy Hassan Khan | March 29, 2021
The COVID-19 crisis has certainly put the spotlight on business continuity; especially with the recent advent of new virus strains that continue to stall the successful reopening of the global economy. In the case of organizations that worked to continue servicing constituents during the crisis, one may ask - did having a business continuity plan actually help? The simple answer is ‘yes.’
Although the plans may not have considered a pandemic of this magnitude, nonprofits and higher education institutions with well-established business continuity plans have largely found that having such plans in place enabled a swifter activation of contingencies required to continue operating, with remote work being one example.
To respond to the continued challenges ahead and protect your nonprofit from the next crisis, leaders need to prepare their strategies and execute them across three disciplines: plans, people, and practices. Each of these dimensions is essential for delivering a thoughtful response, keeping people safe and productive, and creating a resilient organization.
Our focus in this article will be on ‘practices’ which help to preserve continuity of operations. Below are some considerations to continue establishing best practices in your organization.
- Equip your security & infrastructure for heavy traffic. If you are preparing for continued remote work, ensure that your organization has the necessary technology capacity. This includes bandwidth demands, VPN infrastructure, authentication/ access control mechanisms and security tools—all must be able to support peak traffic demands. Consideration should also be given to provide VPN/remote access to contractors and third parties who are supporting critical services and purchasing additional licenses for collaboration tools such as Zoom and Skype. In the event it is necessary, an increase in online activity can have big implications on system stability, network robustness and data security. Using Zoom or Skype for 1:1 or small group meetings, using cell phones to free up bandwidth for larger meetings, and avoiding sending large files in favor of using tools such as SharePoint and Teams can all help.
- Be ready for disruptions in your ecosystem. Do not forget that your workforce is comprised of more than just your employees; consider the large contingent workforce of contractors, outsourcers, and service providers your organization may rely on. Identify all critical technology vendors, partners, and suppliers, and ensure they are able to support the spikes and adjustments in demand. Determine the impact if they become unavailable or have capacity constraints. Ask for their disaster recovery, pandemic, and business continuity plan to get assurance of their resilience in addition to your own.
- Prepare for life without a data center. With the shift to cloud, many organizations are already on their way to ensuring that a major event at their data centers will not disrupt critical operations. Plan for the contingency of a data center shutdown - even if the physical infrastructure is available, the possibility of not having the people to operate the data center is real. Ensure your technology team takes stock of critical operations and assesses the vulnerability of that infrastructure to constraints in physical hardware or other resources.
- Embed compliance & privacy requirements in your plans. During a crisis, it is easy to forgo security or privacy controls temporarily. However, if risks and their mitigation tactics have not been considered in advance, it can lead to major security, privacy, or compliance vulnerabilities within your organization. Not having a VPN while connecting remotely, not having proper authentication or access control for critical applications or not encrypting Personally Identifiable Information could lead to security breaches, compliance violations and loss of intellectual property. Protecting donor privacy and mitigating risk is important part of upholding your organization’s reputation.
- Rationalize projects and portfolios. With limited resources, you want to be clear on your organization’s priorities during a crisis. Having a clear view of the prioritization and planning to stop or continue projects across various scenarios is important. Additionally, a crisis may lead to the need to support new projects or accelerate projects that are important to an organization’s mission in order to manage risk and/or prepare for the rebound. It is critical for leaders to convey the priorities to their workers, help them manage the demand versus supply for work and make decisions on what can be deferred or deprioritized.
- Be prepared for financial instability, but also be ready to defend additional investments. A major impact of the spread of COVID-19 is the cash flow constraints it is putting on organizations. Even not-for-profits and colleges and universities with significant endowments that appear to be in good financial shape may not be immune, depending on how the situation progresses. The most common reaction is to put all non-essential projects on hold, but this can lead to significant restart costs later on. Having a proactive and precise plan for prioritization and cost savings will allow for thoughtful cuts in discretionary spending. However, the organization must also be able to defend investments in critical capabilities such as collaboration tools, remote working, and security to support the response to crises such as COVID-19, some of which may not have received proper funding or prioritization in the past.
Looking to the Future
While existing business continuity frameworks did offer benefits to those organizations that had them, it is likely that they can continue to be improved based on the lessons learned over the past year. So how should the face of business continuity change to meet emerging needs and protect an organization in the advent of a new crisis? A strategic focus now needs to be placed on resilience. As institutions ponder long term changes to their operating models, either for enhancement or as a response to macro environment developments, resilience needs to underpin their thought process, with continuity principles built into all changes. Decisions made now will impact success in the future. This is the time for nonprofit leaders to ensure that their organization, post-COVID-19, is a resilient one.
This article is part of the series "Resiliency During Uncertain Times." Click here to read the first article in the series, entitled "What's Next for Technology Operations and Investments?"
About Hassan Khan
Hassan Khan is a Principal in Marks Paneth’s Technology Services Group. Mr. Khan works collaboratively with clients’ management, audit committees and boards, and provides independent, senior-level expertise that enables executives to drive value from technology and improve business performance. Over the course of his career, he has led and delivered advisory engagements including technology governance, risk and compliance assessments; organizational reviews; board governance; benchmarking and best practices reviews; enterprise risk management (ERM); internal audits; technology... READ MORE +