If 2020 has taught us anything, it is about the need for organisations – including not for profits – to be more resilient, and able to “pivot” or innovate to ensure continuity in changing external conditions.
Many organisations have either written a business continuity plan for the first time, or have reviewed their existing one for its adequacy to respond to the COVID-19 pandemic and the associated lockdowns and economic crisis that has followed.
Business resilience is about much more than having and testing a business continuity plan, though that is an important element. It’s also about having the right people, robust systems and plans in place to ensure the ongoing sustainability of the organisation.
If you are about to go through a strategic planning process, then we suggest that you consider identifying initiatives to include in the strategic plan which help to build the resilience and sustainability of the organisation.
As Christmas approaches and we head in to 2021, what can you do to make your organisation more resilient in the future? Here are five suggestions.
1. Business Continuity Plan
If you don’t have a business continuity plan (BCP), then this is a first place to start. Ensure that it has the following in it: introduction/purpose, contemplation of different scenarios (e.g. fire, flood, cyber attack, pandemic), insurances in place, data backup strategies, key contacts (internal and external) and their roles and responsibilities, incident response plan, recovery response plan, communications plan and plans for testing or role play.
If you haven’t reviewed or updated your BCP since COVID-19, then now is a good time to do so. Bring together a broad cross-section of your staff and managers and go through reflections based on your experiences through the pandemic. Asking the questions, “what went well?”, “what didn’t go so well? and “what could we do better next time?” is a good way to generate feedback that will help you to improve the BCP.
Once you have developed or updated the BCP, it is important to periodically perform scenario tests on it. For example, bring together a team or the management group and role play through what you would do in the event of a scenario happening. Through role play you get to see what works, what doesn’t and identify missing parts to the plan. If you’d like someone external to facilitate, then CBB could help you with this.
2. Senior leader succession planning
Ultimately, the not for profit sector is about people, and it’s about people helping other people. Not for profits need the right people in the right roles who are acting through the right values to ensure their effectiveness and sustainability.
Organisations can become quite vulnerable when there is a change in a key person or group of people. At CBB, we refer to it as “key person risk”. Often it is a leader who is the key person, but increasingly this also includes some middle managers or key technical staff who bring skills that are difficult to find. It can also include frontline staff and those with the corporate history who know how everything works. You should also consider who ‘owns’ any key relationships with clients and stakeholders, and what would happen to these relationships if that person left.
At Board level, there should be a skills matrix and visibility over the dates when director terms end in order to drive proactive succession planning ahead of time when certain roles and skills are needed.
The Board should also have a CEO succession plan – which might be as simple as having identified an internal candidate to take over. One organisation I know has a succession plan developed which includes: identifying potential internal and external candidates, draft plans of what to do in the event of a CEO resignation (such as developing a working committee of the Board), list of potential recruiters and a draft request for proposal to solicit proposals from those recruiters. Though this organisation is not expecting an imminent CEO change, they have robust plans in place to act quickly when that does occur.
Depending on the size or nature of your organisation, the CEO should also have a succession plan for the exec team or key roles in the organisation with unique skills that are hard to replace. It doesn’t necessarily always mean having a suitable internal candidate to fill a role (since that is challenging in smaller organisations), but is about having a plan in place of what to do if a key person was to leave, or suddenly become unavailable another way (e.g. sickness).
Succession plans tend to look at permanent replacements, but you should also consider what happens in the short term for key roles. Do you have people who are ready and willing to step up to cover leave, or to bridge the period between departure and replacement?
3. Financial reserves review
Diversification of revenue is one way that organisations can build their resilience and sustainability. A greater range of revenue sources will usually provide better protections when some are impacted.
Additionally, COVID-19 has affected the balance sheets of many not for profit organisations in different ways – some have had their revenues negatively affected, resulting in declining financial reserves, whilst others have received significant benefit from government assistance packages and now find themselves with stronger financial reserves than before the crisis.
Organisations should periodically review the level of cash and assets that they need to hold in reserve through a risk based assessment of their own activities and situation.
If you’d like to look at this further then I would commend the article written by my colleague Dimitri Matsouliadis recently on conducting a financial health check and building a cash bridge. CBB have the skills and capacity to help you with this.
4. Systems
Organisations with well documented systems, policies, procedures and tools (including CRM and other databases) are usually better equipped to face major disruptive events that threaten business continuity.
Having good systems includes the risk policy, risk procedure and a regularly updated risk register which identifies action items and the person responsible for each.
5. Cyber resilience
The last action to take is in many ways the most important – and that is to have robust processes that protect the organisation from cyber attack.
Having first-hand experience of a cyber attack, I would recommend you have an approach to cyber risk which includes:
- People and the important role of training– ensuring that employees understand how to detect and report threats, protect their devices and the organisation’s data.
- Technology – encryption, backups, multi-factor authentication and modern hardware/software.
- External testing or independent review by a specialist consultant.
Earlier this year, we wrote an article with Five steps to protect your organisation from cyber risk that you might like to review.
CBB has a number of consultants with demonstrated business experience leading and supporting organisations to become more resilient and sustainable.