By Melanie Lockwood Herman & Erin Gloeckner
Q: What questions should we ask the references of a prospective new tech vendor?
A: Checking references for any new vendor is a good idea and sound risk management practice. When checking references for a new technology vendor, try to ask questions that will enable you to get a sense of the quality and responsiveness you’re likely to experience as a customer. If possible, ask for two current client references and at least one former client reference. Here are some questions to help you get started:
Q: I’m concerned that some of our staff are spending up to four hours each day posting photos and material to their personal Facebook pages. What action should I take, if any?
A: Virtually every nonprofit employee spends some time during the workday on personal matters, such as making medical appointments, answering calls from children, parents, caregivers and schools, and checking personal email or perusing social media accounts. Yet most employees understand that these tasks should constitute a small portion of the workday. As a result, most employers do not place strict time limits on such activities. However, when personal tasks and activity consume more than a fragment of an employee’s paid work time, there are a number of potential negative consequences, including:
There are two general approaches to address the abuse of your existing “acceptable use” policy that asks employees to limit time spent during the workday on personal matters. The first approach is to rework the policy to include specific examples of acceptable and unacceptable uses of the nonprofit’s systems, and provide training to the full team on the language and intent of the policy.
The second approach is to enforce your existing policy by addressing misuse with policy violators. Meet with any staff who are violating the policy and reiterate the negative consequences of policy abuse. Explain clearly what the staff member must do (or not do) to demonstrate compliance with the nonprofit’s policies, and set a timeframe for doing so. Clearly state the consequences of continued policy abuse.
Q: What are the three most important considerations in selecting a Cloud storage vendor?
A: A primary consideration is that the vendor meets your technical requirements. Do you understand your storage needs and existing IT infrastructure? If not, talk to your internal IT wizard or get help from an outside expert. Once you understand the scope of services you need, you will be in the best possible position to identify and then compare suitable vendors.
A secondary consideration is to select a vendor with a good reputation in the market. Hype surrounds the cloud and a vendor’s capacity may not meet your expectations. Before entering a contract with a vendor, validate their claims. Request references from current and former clients and ask the vendor’s clients if their expectations were met.
Another consideration is to request training and guidance from your candidates for cloud services. Require a training package with your contract, particularly if you don’t have an IT expert on staff. Keep in mind that any cloud services you purchase should integrate seamlessly with other IT operations. One of your goals should be to find a vendor/partner who will empower your staff to use cloud services to achieve maximum benefit.
Q: What are the risks, if any, of using donated PCs for our staff (from different sources) rather than buying or leasing new machines?
A: One of the risks of using donated computers is that it may be hard to predict the total cost and time required to maintain these machines in working order. Before accepting donated computers, establish guidelines for determining which donations are suitable. Here are a few questions to resolve before you invite stakeholders to donate equipment to your nonprofit:
Q: Where can I find information about which insurers offer Cyber Liability policies?
A: Consider searching for insurance providers using online insurance directories like www.kirschners.com. Remember that liability for loss of client or employee data is not typically covered in standard insurance policies. As discussed in the article titled Insurance for Cyber Risks, in most cases you’ll need a cyber liability policy to protect against data breaches and other information age risks.
Q: What are the first steps we should take if we become aware that personal donor information has been compromised?
A: When your nonprofit experiences a data breach, PCI, HIPAA, and your state’s regulatory requirements will dictate what you must do. Aim to understand your requirements long before this type of risk event occurs. Check in with your nonprofit’s staff, contract or volunteer general counsel, tech vendor, and other partner advisers to develop a clear plan you can follow that will ensure a legally compliant response to the crisis. After the breach occurs and you have taken the necessary immediate steps, invite a third-party firm to investigate if your IT department does not have the capacity to do so. For example, you may want to engage a computer forensic investigator or information security specialist. Keep in mind that you may be required to notify partners, customers, and/or government agencies about the breach; if possible, prepare draft crisis communication materials before the event. Finalize and disseminate your materials as soon as the breach occurs. You may also need to engage a credit monitoring firm to provide assistance to those who have been affected by the breach.