Resources & Library Français | Help | Contact Us

Risk Management: You Need a Risk Management Strategy and Plan

By Paulette Vinette, CAE
September 26, 2005

This article is the third in a four-part series offering risk management approaches to not-for-profit organization leaders and volunteers. In the first article we focused on what risk management is and offered examples of fiscal risk prevention and mitigation strategies. In the second, we explored risks related to people and offered a Risk Management Committee Terms of Reference template. This article examines risks that involve technology and intellectual property and we provide advice on developing a risk management strategy and plan. In the next and final article, we will study regulatory risks and provide a Crisis Management Plan template, as well as a summary of the highlights of this series.

Technology and intellectual property risks

Your organization's information and its storage places are extremely valuable assets that are susceptible to risk. It is critical that your computers are routinely backed up and that you have written procedures for everyone involved to follow (even the volunteers if they store information that belongs to your organization). This also applies to personal digital assistants (PDAs). You should also document lock up procedures for all of your equipment and files.
High performance organizations produce an "Asset Protection Plan" - a detailed catalogue of all of the organization's valuable assets in complete detail. The catalogue should be as comprehensive as possible, so that it is useful for an insurance claim or filing an incident report. The following is a sample layout.

List of Valuable Assets:

Name of Asset	Identification Information (e.g. serial number)	Description of Asset (colour, model, size)	Location of Asset	Asset catalogue number
Laptop computer	IBM33445566.789	Black, IBM Think Pad 3	Association Executive's care	REB - 01-01
Television	Sony1122334455	Grey metal, Sony 36 in plasma	Board room	REB - 02-01
Desk	REB 0424	Brown, six drawers, 3.6'	Receptionist work station	REB - 03-01

Asset Protection Plan:

Asset Catalogue Number	Asset Description	Protection Plan	Maintenance Plan	Mitigation Plan
REB-04-06	Webmaster's computer	Password location: AE offsite password file registry Insurance policy number: Backup file location:	Date purchased: Date to replace: Maintenance scheduled:	Rental replacement source: Rent-a-computer 457.6678

Computer Crashes & Viruses: Follow back up procedures to archive data and monitor compliance; install virus protection software; circulate a computer use policy; use password protection; replace aging computer hardware and software before their terminal fate.

Phones, Fax & Copier Malfunction: Replace aging equipment and have adequate warranty and temporary replacement insurance coverage; have back up plans (i.e. record cell phone numbers on your voice mail; arrange to be able to use a neighbouring office's equipment).

Information Protection: Critical hard-copy documents should be stored off-site in a fire-proof safe. Restrict access to file drawer keys. Have written guidelines explaining how to comply with privacy legislation (especially as it applies to membership records); enforce copyright and trademark adherence. Formalize a records retention and destruction policy. Revenue Canada requires that financial records be kept for a minimum of seven years (in a safe place).

Critical electronically-stored information requires additional risk management. Files should be copied and stored on a disc offsite. Change password access routinely. Document how privacy, trademark and copyright laws apply and monitor compliance. Work only with legal copies of software.

Website Content: Work with the experts to protect your website from hackers and other forms of abuse that deny service to legitimate users.

Constructing a Risk Management Strategy & Plan

Risk management incorporates policies, programs, measures and competencies for identifying, assessing and managing risk.

Include these elements in your Risk Management Strategy:

• Definition of risk: A risk is any incident or condition that will impact the effective and efficient operation of your organization. Remember that, while we tend to think of risk as a threat, it can potentially be an opportunity.
  
  
• Risk factors: Risk factors are those potential incidents that can place your organization at risk. The risk management plan below identifies several potential factors. List all predictable risk factors that apply to your organization in this strategy document.
  
  
• Risk appetite is the amount of risk, on a broad level, your association is willing to accept in pursuit of it mission. It should reflect the associations risk management philosophy, which in turn will influence culture and operating style.
  
  
• Risk tolerance is the acceptable level of variation relative to achievement of a specific objective. It is best measured in the same units as those used to measure the related objective.
  
  
• Risk management process: You and your board of directors need to decide how to manage risk. You can decide to have a Risk Management Committee, or you may choose to outsource the leadership to an outside expert in risk management. However you choose to lead your risk management initiative, it will require the cooperation of staff and directors. Therefore, you should delineate a process to execute risk management prevention and mitigation.
  
  
• Evaluation: After each incident, evaluate how well your strategy served your organization. Learn from experience and amend your strategy and procedures accordingly. Whether or not you have a best practices network, let your peer boards and associations learn from your experience.

High performance organizations bring together leaders and experts in a workshop led by a knowledgeable facilitator to develop a risk management strategy and plan. Here is a sample agenda:

Risk Management Workshop Agenda 8h30 Self introductions; agreement on desired workshop outcomes 8h50 Identification of potential risks 9h30 Establish of risk appetite and risk tolerance measurements 10h30 Assignment of risk management priorities 11h30 Review of risk management resources available and required 12h15 Lunch 13h15 Description of risk management strategy 14h00 Construction of risk management plan (including accountability & timelines) 16h00 Assignment of next steps 16h30 Development of risk management plan evaluation process

Your Risk Management Plan should be functional. A proposed layout could be:

Risk	MANAGEMENT PLAN	ACCOUNTABLE & RESPONSIBLE
Planning risks	Crisis Management Planning Changing Goals Strategic Planning/Evaluation Technology Replacement Meeting Contracts
Organizational risks Fiscal risks HR risks Technology risks Regulatory risks	Prevention Strategies Mitigation Activities
Budget & Timelines
Appendices	Incident Report Template
	Asset Protection Plan

Look for the final article in this series next month when we will summarize the highlights of not-for-profit risk management.

Paulette Vinette, CAE, is the co-author of Risk Management - A primer for directors of not-for-profit organizations, which was recently published by the Canadian Society of Association Executives in 2005 (ISBN 0-921998-01-5). Paulette in President of Solution Studio Inc., a consulting practice that serves the not-for-profit association community. She can be reached at 1-877-787-7714 or Paulette@solutionstudioinc.com.

About CharityVillage  |  Free Newsletter  |  Media Centre  |  Contact Us    Terms and Conditions of Use  |  Privacy Policy    © CharityVillage Ltd.  All rights reserved.