In the wake of a business interruption such as shutting down for a pandemic, many nonprofits face catastrophic property losses, often accompanied by income losses due to a complete cessation of program activities. Business interruptions affecting nonprofits during the past decade have consisted of natural disasters, cyberattacks, severe economic recessions, the pandemic, and multi-day energy blackouts.
All of these can be a devastating period of time. Loss of income and cash flow, coupled with increased business expenditures, results in scarce resources available to run normal mission operations and remain financially sustainable.
Adjust Your Technology Ecosystem
Revenue streams at many nonprofits were suddenly reduced and business operations halted due to COVID-19. Due to the global shutdown, nonprofit managers began reimagining revenue streams out of both necessity and opportunity. For example, annual special events were forced to go remote or were cancelled altogether. This change proved manageable for those who were prepared for an unexpected remote environment and had the capabilities to adjust and move events online.
These virtual events were actually even more profitable due to the lack of expenses incurred. Leaders at organizations that rely on in-person mentorship programs had to find creative ways to maintain that connection in a virtual environment. The impact to the normal course of business was not just about creative problem solving, but also about infrastructure and technology solutions that carried with them a heavy price tag.
The focus now is on lessons learned and how to be better prepared in the future. There are proactive steps that nonprofit leaders can make to brace for a business interruption. For example, one of the most valuable resources a nonprofit maintains is its donor database. However, what if that database cannot be accessed due to the pandemic, or perhaps the organization is being hit with a ransomware attack? Maintaining that information in a secure environment that can be accessed virtually will be critical to avoid business interruptions in the future. The focus is on the term “secure environment.” But just how can that be achieved? What other risks should be prioritized when planning for the future?
Perform a Business Impact Analysis
To prepare for a business interruption, a risk assessment of the entire organization should be performed to gather information on how to reduce this risk to an acceptable level. A key step in this assessment is doing a business impact analysis, which is a process of identifying and documenting the critical business functions and processes, along with the resources that support them, to develop a plan to ensure continued operations both during and after a business interruption.
A formalized business continuity plan documents the processes and procedures in place on how an organization will continue operations during an unplanned disruption in service. It is a comprehensive plan that contains contingencies for business processes, financial resources, human resources, and other critical areas that might be affected by a business interruption. The creation and implementation of these plans will require an investment of time by organizational leadership and perhaps board members, as well as an investment in infrastructure. But, the resources expended are likely to be insignificant compared to the cost of being unprepared.
Create an IT Disaster Recovery Plan
These days, every business continuity plan needs to include a formalized IT disaster recovery plan, which will document the policies and procedures necessary to assist in the recovery to protect business IT infrastructure. IT disruptions — such as file corruption, data loss, and system failures — can be a result of cyberattacks, human error, or hardware and software errors. If implemented correctly, the disaster recovery plan will limit the impact of the disruption and serve as a guide to recovery.
As many nonprofits have learned from the COVID-19 pandemic, the IT infrastructure currently in place needs to be continually evaluated and upgraded to ensure the appropriate capabilities are in place that would allow for the switch to a remote work environment at a moment’s notice.
Cyberattacks are unfortunately accounting for a large portion of business interruptions. A remote work environment, which has become increasingly the new normal, carries additional risks as nonprofits are responsible for protecting confidential information, including donor information, personally identifiable information and banking information. A remote workforce increases the need for an IT disaster recovery plan. Employees might be working outside the VPN (virtual private network) creating a less secure environment, using weak passwords, utilizing unencrypted file sharing, working on an unsecure home WiFi, or working from personal devices that might be more prone to cyberattacks.
Remote employees are also more susceptible to phishing and other scams that can result in significant damage to the IT infrastructure or theft of confidential information. The theft of confidential information can negatively impact a nonprofit’s most important asset, its reputation. Cybersecurity awareness trainings and implementation of continuing education programs are critical for employees to understand the risks and learn best practices.
Test the Plan
Although it is common to have a disaster recovery plan in place, it is less common to see the plan tested on a regular basis. The absence of regular testing is why nonprofits continue to incur significant business-related losses. Testing can be done internally by designing and performing various recovery tests and evaluating the results, or externally by an outside professional conducting a review or audit of the IT system and operations currently in place or conducting a penetration test to evaluate the system vulnerabilities.
Plan for Succession
Another important consideration with respect to business interruption is the loss of key employees. Due to budget constraints and the desire for financial resources to be spent directly on mission fulfillment, many nonprofits do not have a succession plan for key employees. Developing a succession plan for key employees, and building a pipeline of talent will provide organizational sustainability by memorializing processes and procedures to preserve historical memory, identify talent within or outside of the organization, and create a pipeline for board members.
Competition for talent is fierce, since due to the changing workplace landscape, employers are able to search nationally or globally for candidates. Accordingly, succession planning has never been more critical.
Consider Business & Interruption Insurance
To respond to losses sustained from a business interruption, nonprofit leaders should look to their business insurance policies for funds to help rebuild and cover losses from a business interruption. A business interruption claim is often more complex than other types of claims and demands more forensic work.
Typically, preparing and supporting a business interruption claim is a project best tackled by a team of experienced professionals with different skill sets — including accounting, legal, insurance and possibly construction. In addition, reach out to your insurance broker as they are a critical team member because they have an existing relationship with the insurer and will likely be the best conduit of information during the handling of the claim. Nonprofits should also be reviewing cyber insurance to make sure the coverage is adequate and appropriate for the current working environment.
While business interruptions cannot be entirely avoided, the impact felt by them can be significantly mitigated by strategic planning.
Timothy Schroeder, CPA, is a senior manager in EisnerAmper’s Not-for-Profit Services Group. His email is email@example.com