For non-profit or community-based organisations, the board often has no information technology (IT) expertise, and IT can seem like a foreign concept. Because some non-profit boards simply don’t understand IT and all the issues that go along with it, they typically don’t know what their responsibility towards it is. That makes IT issues a little scary when they surface; they may be put on the back burner, and they create significant concern over legal liability. Managing IT risks is a legal responsibility for all boards, so, scary as it may be, non-profits need to create a risk management system, develop mitigation plans, and carefully monitor risks on a continual basis.
Managing IT Risks Is a Legal Responsibility
Non-profit board directors, regardless of the type of organisation, should be aware that they have to abide by the fiduciary duty known as duty of care. What they may not realise is that the duty of care applies to all of their board duties including their approach to risk management in IT. Non-profit board directors can face legal action for a breach of fiduciary duty or breach of trust if they don’t protect the non-profit’s assets from risk to the best of their ability.
Depending on the size and structure of the non-profit, the responsibility for managing IT risks can fall to various people. If the non-profit has a management team, the responsibility falls to the most senior manager or to those responsible for finance. In this case, the board still retains oversight responsibility for IT risk management.
Non-profit boards also have to realise that IT risk management is far from a “one and done” effort. IT risk management has to be an ongoing activity and non-profit boards are responsible for overseeing it all year long.
The Beginning Phase of an IT Risk Management System
In the beginning phase of establishing an IT risk management system, the board has to designate the individual or team that will take primary responsibility for it. Initially, the board may take on that responsibility until they can get a qualified management team in place. Whether the board has the responsibility or a paid employee, the board should know and understand the process and be proactive about monitoring it.
Understanding IT risks requires non-profit boards to be able to identify various types of risks and to know where they should be looking for them. There are cyber risks, industry sector risks, regulatory and compliance risks, and other risks that may stem directly from operations. As with all other types of risks, financial risks and reputational risks can also be a factor when managing IT risks.
On a positive note, non-profit boards don’t need to start from scratch when putting an IT risk management plan together. Other industries have set up risk management plans which can serve as a template for non-profits that are in the beginning stages. Non-profits may also choose to enlist the help of an IT expert, at least in the beginning. Setting up a risk management system will surely be time-consuming at first, but it will get easier over time as board directors become more familiar with it.
Some non-profits find that it works well to set up a task force or committee and charge them with getting an IT risk management plan in place. Other non-profits find that it works better to recruit volunteers to get it done and have the board oversee their work. In the end, it matters less who does it than that the board addresses the issue.
Creating an IT Risk Management System
While non-profit organisations can learn much about IT risk management plans from other non-profits, they can also learn a lot from how corporations approach risk management.
It’s a little more work to do things like creating a risk register and labelling risks as high, medium, or low. This process entails getting input from managers and assigning dollar values to risks, as well as factoring in all other types of considerations. This work is very important because it ultimately defines the risk appetite of the organisation. The board’s role is to critically analyse the risk and mitigation plans and oversee them.
For larger non-profits, it’s well worth the time and effort to complete this type of groundwork, regardless of how much the conversation about IT risk may intimidate some board directors. IT risk management plans don’t have to be perfect. It’s more important that non-profit boards get something started that they can build on. The whole process will be much easier to oversee once an established process is in place.
Developing IT Risk Mitigation Plans
Once non-profit boards have identified risks, the next step is to mitigate them to reduce the potential harm to the organisation. There are three ways to do this. Boards can eliminate them, avoid them or manage them.
It’s impossible to eliminate risks entirely. The key to mitigating IT risks is to minimise the harm they can cause. One way to manage risks is for boards to set up policies and procedures to reduce risks. Non-profit boards can also transfer some degree of risk by purchasing the appropriate insurance policies or by outsourcing some activities. For example, perhaps a non-profit would choose to hire an event planner to set up a major fundraising event rather than use their own volunteers.
Non-profit boards should have a good working relationship with their insurance agents. It’s a good idea to ask the insurance representative to come in and make a board presentation once or twice a year to review the organisation’s insurance coverage. In most cases, insurance agents insure other similar organisations and can share their experience related to risks, claims, and protections.
Monitoring IT Risks
Non-profit boards can monitor IT risks in several ways. They can put the responsibility for managing IT risks in the CEO’s job description and the board policy manual. It’s also important to put it in the annual plan so that the organisation has the financial resources for risk management plans and training. Boards can use a spreadsheet, heat map, or risk management matrix to monitor IT risk management, and they should keep it on their board agendas on a regular basis. Keeping it on the board’s agenda also ensures that the