December 17, 2014

Why Your Not-for-Profit Needs a Business Continuity Plan (article)

Disasters come in a variety of forms, from tornadoes and winter storms, to water main breaks and other miscellaneous building damage. Even minor incidents such as power outages and technical glitches can paralyze not-for-profit organizations if they are not adequately prepared. Business continuity plans help keep your not-for-profit organization afloat in the wake of a disruptive event. Disaster recovery and continuity plans can prevent unnecessary costs, protect valuable data and help your not-for-profit quickly respond to the crisis and resume its operations after the event has occurred. A comprehensive plan can also reduce your insurance costs. Insurance companies often reward organizations that take proactive steps to mitigate their risks with lower premiums.

Not-for-profits of all sizes need an actionable plan in place. Finding the time and internal resources can be difficult, however, especially for smaller organizations. Below, we have collected simple steps to formulate and enhance your not-for-profit organization's business continuity plan. Building your recovery plan does not have to be complicated and will result in an actionable and reliable plan for your operations.

What to Include in the Plan

Generally, you want to be sure your organization can respond to three basic types of business disruptions: Loss of People, Loss of Facility, and Loss of Technology.

For each scenario, you want to consider the during-event protocol, such as the steps your not-for-profit will take to minimize business disruption and initiate recovery efforts for your most critical business functions. This includes identifying and prioritizing your systems, staffing, and alternate worksite objectives in the event of an unplanned incident. It is also important your plan includes team assignments, responding to an incident, identifying key contacts, and communication procedures with staff, board members and/or donors about what happened.

Three-Phase Process

Once you have an idea about the types of scenarios to prepare for, it's time to build your business continuity plan. The creation and implementation process may sound overwhelming, but it doesn't have to be. You can treat it as an ongoing initiative, completing steps at a comfortable pace and retaining outside assistance as needed.

Typically, there are three phases to business continuity planning:

Phase 1. This involves an initial assessment, which includes analyzing your not-for-profit's risk profile and documenting your risk-recovery objectives. The goal of Phase 1 is to identify the biggest threats to your not-for-profit's day-to-day operations. Threats can be internal, such as employee fraud, embezzlement or data breaches. Physical location also plays a role in risk determination. Consider whether your area is vulnerable to flooding or if it experiences frequent tornado activity when you analyze your risks. How your organization responded to disruptive events in the past can provide a good idea of your organization's risk management strengths and weaknesses. The degree to which your organization can respond to its risks should factor into your organization's risk assessment.

Phase 2. Here you develop and document the plan. Business continuity plans should include everything from safety considerations to logistical details. Information gathered during Phase 1 about critical functions and key risks to their business will be prioritized and documented including checklists of actionable items and supporting procedures for recovery.

During this process it is also important to consider evacuation procedures for employees and guests. Employee communication during an event is critical. Email, automated messaging systems or simple phone tree arrangements can alert personnel to office closures or emergency situations.

To ensure your not-for-profit organization sustains minimal damage to its day-to-day operations, it is important that you back up important data at an offsite or online data management system. This way if something were to happen to your main data storage facility, your organization would sustain minimal data loss or exposure. Defining technology recovery procedures will ensure systems on can be recovered in a timely manner.

Certain organizations may need to consider alternative locations they could use during a disruptive event. Should a long-term care facility sustain structural damage, the facility's patients may need to be transferred to another health care provider. Schools may need to consider other spaces where they could hold classes and other key administrative functions during an emergency event.

Phase 3. The final phase of business continuity planning involves training, testing and maintenance. Without training and testing, your plan may prove ineffective should you need to execute it. Even the best plan becomes inadequate if it isn't kept current.

During an emergency, you need to be able to reach all of your employees. Evaluate your contact information for your employees on a semi-regular basis. Make sure your key employees can access the information they need from your remote back-up locations.

Periodically perform network penetrating testing to make sure your firewall protection is adequately securing your data. Keep in mind that an employee departure or IT network upgrade could also make major revisions to your business continuity plan necessary.

Be Ready, Don't Delay

Many not-for-profit organizations may put off business continuity planning for financial reasons or staffing availability, but doing so is risky. Your organization is the most vulnerable when it faces budgetary constraints because it has fewer organizational resources to use for disaster recovery.

Outside professionals can help guide your business continuity planning process and help you create plan that suits your unique risk environment and budgetary needs. For more information, please contact us. You may also contact Mark Madar, Director & National Leader for Business Continuity Planning at CBIZ Risk & Advisory Services. He can be reached at 216.525.1956 or mmadar@cbiz.com.

Copyright © 2014, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. To ensure compliance with requirements imposed by the IRS, we inform you that-unless specifically indicated otherwise-any tax advice in this communication is not written with the intent that it be used, and in fact it cannot be used, to avoid penalties under the Internal Revenue Code, or to promote, market, or recommend to another person any tax related matter. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.

CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).

Accelerated Recovery Resources

Access articles and tools to help your business generate cash, improve leverage, and align & transform as you recover from the pandemic.

COVID-19 Resources

Access all COVID-19 related articles to help your business respond to the pandemic.

Insights in Your Inbox