How not-for-profits can manage risks and build resilience

The report provides useful guidance on understanding crises, and it distills characteristics of a crisis and suggests appropriate responses:

• It will be difficult to obtain accurate and timely information
• Decisions made during a crisis can have long-term consequences
• Not everyone is a good in a crisis, which means any response team must be carefully selected
• Being able to keep all your stakeholders happy in a crisis is rare, and priorities must be established
• Consider how documents produced and shared during a crisis might be viewed later
• Assign a liaison person to work with authorities and regulators
• Considering how you would respond to multiple crises occurring in a confluence of events
• Consider the value of rest for key team members.

In the report, Maddocks proposes organisations consider conducting drills and exercises to test organisational capabilities.

"It is important that NFPs understand the common features of a crisis and test your systems bearing those features in mind, so that you will be well prepared if you are faced with a crisis,” Maddocks partner Catherine Dunlop said.

The central conclusion of the 36-page document is that the set-up, management and enforcement of compliance and risk policies are crucial to preparedness.

It is no surprise that cyber risks are now at the forefront of many NFP leaders’ minds, given the recent spate of cyber attacks affecting the community sector.

In a worrying trend, the report found that small organisations (with less than 100 staff) were far less likely to have existing cyber risk plans (47%), consequence management plans (19%), business continuity plans (55%) or crisis management plans (32%).

A separate study last year by community tech advocate Infoxchange suggests that the cyber risk situation could be even more dire than the Maddocks report suggests: it found that as few as 23% of smaller NFPs had “effective processes to manage information security risks”.

Ms Dunlop said that a significant area of concern for not-for-profits would be “those where the risk is difficult to quantify or address merely with internal resources”. She cited situations in which organisations and their leaders were reliant on external advice in relation to cyber and privacy risks or ageing IT systems.

Ms Dunlop said NFPs would also need to take a close interest in risks “arising from the behaviour of people, such as fraud or poor behaviour (e.g. sexual harassment), which can be unexpected and confronting given how many NFPs rely on dedicated and hard-working staff who are committed to the principles of their organisation.”

According to the Maddocks study, the top three barriers to good risk management are:

• budget constraints (34% of participants)
• being unaware of best practice (27%)
• not having resilience/risk as a priority (17%).

The Maddocks report suggests a series of strategies to overcome these barriers:

• risk assessment and identification
• better risk-awareness culture
• clear roles and responsibilities
• risk management frameworks
• good risk monitoring and reporting
• considering the use of external experts.

Those suggestions align with ICDA’s own recommendations, as outlined in this helpsheet: An introduction to the risk management process.

The Maddocks report also provides a sample risk management checklist and places risk management within an overall “organisational resilience framework”, which also encompasses incident management and recovery management.

More information

Maddocks report: Risk, Regulation and Resilience

ICDA tools and resources: Insurance and risk management