By Christy Grano
While attending the Risk Summit, it occurred to me that a powerful benefit of the conference was the opportunity to exchange true stories and tough lessons learned on the frontlines of nonprofit service. After hearing several leaders describe how their organizations narrowly escaped significant losses or recovered from a loss, I began asking attendees for permission to share their stories. Below are a few anecdotes and lessons I picked up while attending my first NRMC conference.
Bank Account Breach: A nonprofit leader received notice from their bank that an unknown party had attempted to access their account. The timely discovery of the breach protected the nonprofit from financial loss. The leader I spoke to believes that the perpetrators acquired bank logins from a phishing attack. Takeaway: Be certain proper security protocols are in place with your financial institution. If you have questions, ask your bank for a security review.
Sudden CEO Departure: A CEO with a great deal of critical operational knowledge announced a sudden departure. By springing into action and quickly drafting a succession plan, the nonprofit’s leadership team was able to facilitate a smooth transition. Takeaway: The organization became more resilient from the experience; succession planning is now employed throughout the organization.
OSHA Investigation Called for Properly-Working Doors: A nonprofit was investigated by OSHA when employees reported that they had been trapped in a facility by faulty doors and were forced to exit through a window. The investigation revealed that the facility doors weren’t faulty but had a 3-second delay. Takeaway: The event served as a reminder that training is key to facility safety.
Payments Sent in Phishing Attack: A nonprofit fell victim to a phishing attack when a believable and well-timed email sent wire instructions for a vendor payment. Two US-based banks flagged two payments as suspicious, but one foreign bank processed the fraudulent payment, and the nonprofit has been unsuccessful in recovering the lost funds. Takeaway: Hackers may spoof your organization’s website and use the email and signatures of individuals or entities familiar to you. Phishing is a numbers game: it takes just one email out of thousands to get through to someone on your team, and for them to do something your IT team has warned them against (such as saving and launching attachments without verifying the source, or opening Office documents and deliberately enabling macros). Online security training for all staff can help them spot phishing expeditions.
Surviving a Ransomware Attack: One nonprofit had a portion of their organization’s data, including emails, locked by a ransomware attack demanding many tens of thousands of dollars. The organization concluded that the data was protected under breach laws because it did not include Personally Identifiable Information. The nonprofit decided to restore and rebuild its data rather than pay the ransom. The information published by the hackers was benign, causing stress but no financial or other harm to the nonprofit. Takeaway: Ransomware attacks are known to spread via use of Remote Desktop Protocol or insecure software. Be sure your software is up to date. Set up two-factor authentication and use a VPN when traveling overseas. Many smaller organizations outsource IT, so check with your contractor and make certain they and their staff are trusted with your network.
Annual Risk Review Boosts Event Success: A nonprofit leader reported that her organization conducts a thorough debrief and reflects on what went right as well as what went wrong after each major event. The team attributes the success of their events to this practice. Takeaway: You may learn more from your hiccups than your slam dunks (and from your successes only if they are evaluated as thoroughly as your losses). Be sure to conduct thorough reviews of both.
Stories such as these are reminders of the importance of vigilance in protecting the assets of an organization. Do you have risk stories or near-misses that might be valuable to other nonprofits? We’d love to hear about risk from your vantage point. Please email us any time at info@nonprofitrisk.org.