For nonprofit boards without information technology (IT) expertise among their members, IT can seem like a foreign concept. Since some nonprofit boards simply don’t understand IT and all the issues that go along with it, they typically don’t know what their responsibility toward it is. That makes IT issues a little scary when they surface and creates significant concern over legal liability. Managing IT risks is a legal responsibility for all boards, so scary as it may be, nonprofits need to create a risk management system, develop mitigation plans, and carefully monitor risks on a continual basis.
Managing IT Risks Is a Legal Responsibility
Nonprofit board directors, regardless of the type of nonprofit, should be aware that they have to abide by the fiduciary duty known as duty of care. What they may not realize is that the duty of care applies to all of their board duties including their approach to risk management in the IT space. Nonprofit board directors can face legal action for a breach of fiduciary duty or breach of trust if they don’t protect the nonprofit’s assets from risk to the best of their ability.
Depending on the size and structure of the nonprofit, the responsibility for managing IT risks can fall to various people. If the nonprofit has a management team, the responsibility falls to them. In this case, boards still have responsibility for oversight over IT risk management. For nonprofits that don’t have employees, the responsibility falls directly on the board.
Nonprofit boards also have to realize that IT risk management is far from a “one and done” effort. IT risk management has to be an ongoing activity and nonprofit boards are responsible for overseeing it all year long.
The Beginning Phase of an IT Risk Management System
In the beginning phase of establishing an IT risk management system, the board has to designate the individual or team that will take primary responsibility for it. Initially, the board may take on that responsibility until they can get a qualified management team in place. Whether the board has the responsibility or a paid employee, the board should know and understand the process and be proactive about monitoring it.
Understanding IT risks requires nonprofit boards to be able to identify various types of risks and to know where they should be looking for them. There are cyber risks, industry sector risks, regulatory and compliance risks, and other risks that may stem directly from operations. As with all other types of risks, financial risks and reputational risks can also be a factor when managing IT risks.
On a positive note, nonprofit boards don’t need to start from scratch when putting an IT risk management plan together. Other industries have set up risk management plans which can serve as a template for nonprofits that are in the beginning stages of it. Nonprofits may also choose to enlist the help of an IT expert, at least in the beginning. Setting up a risk management system will surely be time-consuming in the beginning, but it will get easier over time as board directors become more familiar with it.
Some nonprofits find that it works well to set up a task force or committee and charge them with getting an IT risk management plan in place. Other nonprofits find that it works better to recruit volunteers to get it done and have the board oversee their work. In the end, it matters less who does it than that the board addresses the issue.
Creating an IT Risk Management System
While nonprofit organizations can learn much about IT risk management plans from other nonprofits, they can also learn a lot from how corporations approach risk management.
It’s a little more work to do things like creating a risk register and labeling risks as high, medium, or low. This process entails getting input from managers and assigning dollar values to risks, as well as factoring in all other types of considerations. This work is very important because it ultimately defines the risk appetite of the organization. The board’s role is to critically analyze the risk and mitigation plans and oversee them.
For larger nonprofits, it’s well worth the time and effort to complete this type of groundwork, regardless of how much the conversation about IT risk may intimidate some board directors. IT risk management plans don’t have to be perfect. It’s more important that nonprofit boards get something started that they can build on. The whole process will be much easier to oversee once they have an established process.
Developing IT Risk Mitigation Plans
Once nonprofit boards have identified risks, the next step is to mitigate them to reduce the potential harm to the organization. There are three ways to do this. Boards can eliminate them, avoid them, or manage them.
It’s impossible to eliminate risks entirely. The key to mitigating IT risks is to minimize the harm they can cause. One way to manage risks is for boards to set up policies and procedures to reduce risks. Nonprofit boards can also transfer some degree of risk by purchasing the appropriate insurance policies or by outsourcing some activities. For example, perhaps a nonprofit would choose to hire an event planner to set up a major fundraising event rather than use their own volunteers.
Nonprofit boards should have a good working relationship with their insurance agents. It’s a good idea to ask the insurance representative to come in and make a board presentation once or twice a year to review the organization’s insurance coverages. In most cases, insurance agents insure other similar organizations and they can share from their experience related to risks, claims, and protections.
Monitoring IT Risks
Nonprofit boards can monitor IT risks in several ways. They can put the responsibility for managing IT risks in the CEO’s job description and the board policy manual. It’s also important to put it in the annual plan so that the organization has the financial resources for risk management plans and training.
Boards can use a spreadsheet, heat map, or risk management matrix to monitor IT risk management, and they should keep it on their board agendas on a regular basis. Keeping it on the board’s agenda also ensures that the minutes will reflect the board’s actions on the issue.
Using technology doesn’t have to be a scary thing for nonprofits. In fact, a good place to start is by using BoardEffect, a board management software system for modern nonprofit organizations. Besides giving nonprofit boards and committees a highly secure online platform where they can do their work in complete confidence, gaining familiarity with BoardEffect will demonstrate to board directors how much easier it will be to get started on an IT risk management program.