Medical emergencies can happen at any time to anyone. A year ago I was out to lunch with a former client who did accounting outsourcing work for a not-for-profit organization. As we were walking back to lunch, she said she had a headache and then needed to sit down. Ultimately, she asked if I could call 911 and while I was on the phone with the 911 dispatcher, she became unresponsive. She was rushed to the hospital and passed away during surgery shortly after.
Only in the aftermath did my former client's employer and the not-for-profit organization find the holes in their business continuity planning. My former client had locked her phone, which left her medical team unable to find family members to notify. Eventually we found her emergency contacts through the staffing agency, but it was 79 minutes before her husband learned of the health emergency. He wasn't able to get to the hospital before her emergency surgery started.
Problems continued in the aftermath as well. The not-for-profit organization did not have copies of her passwords for her accounting software and were locked out of her account. She had worked for a small office, and she was the only person handling the accounting.
A more robust business continuity plan could have changed a lot about that day and what followed. If organizations can learn anything from what happened to my former client, it would be to evaluate their current policies and practices for their staff and also for their third-party contractors so that if a worst-case event does occur, your not-for-profit organization can be ready to respond quickly.
What Not-for-Profit Contingency Plans Should Include
Each organization is vulnerable to unique risks and disruptions, but in general, not-for-profits should be prepared to address four types of losses: loss of people, loss of vendors, loss of facilities and loss of technology.
Loss of People
One of the most devastating events that can happen to an organization is the loss of personnel. Personal tragedy, illness or injury can render key employees unavailable or incapable of making critical decisions. Create a back-up plan for every key position that includes that person's passwords and log-ins for vital information technology and software systems. If possible, contingency plans should also include the list of projects or activities in which they're involved. That way, if someone is unavailable, the organization can continue day-to-day operations in that person’s absence.
Not-for-profit organizations should be sure their contingency plan policies include third-party providers, contractors and potentially volunteers (depending on their role with the organization). As in the case of my former client, the information the employee has access to could be vitally important, and potentially made unavailable if the proper back-up procedures are not in place.
Loss of Vendors
Loss of vendors can also be an extremely disruptive situation for an organization. Not-for-profit organizations may have vendors that perform critical administrative functions, such as bookkeeping or payroll and employee benefits. As in the case of my former client, if something were to happen to a third-party and the third-party has no contingency plan in place, it can have a ripple effect on your organization.
Vendors and the organizations they serve should have a role in each other's recovery plan to ensure that no stone is left unturned. Organizations should be part of their vendor's disaster recovery notification process and organizations should include their vendors and third-parties in their plan as well. Not-for-profit organizations may also want to consider identifying a few alternative vendors for those that perform core functions in case an unexpected situation arises.
Loss of Facilities
In the event that your building must be closed, not-for-profit organizations should have a back-up plan detailing how to continue operations to the fullest extent possible. Be sure your business continuity management plan specifies how critical activities will be conducted (virtual private networks, temporary alternative locations, etc.). Employees also need to be prepped on the loss of facilities plan so they would know what to expect and how they can carry on their job responsibilities remotely.
Loss of Technology
Data breaches are almost inevitable in the current environment. Part of your incident response strategy should address what happens if an unauthorized user were to breach your information technology systems. In addition to the plans on how to isolate and respond to an attack, your contingency plan should include system workarounds. For example, if your main server was compromised, do employees have an alternative means of getting internet access? How long can your organization continue to provide services if one if its core systems shuts down? Your organization's business continuity plan should take these elements into consideration so it has a better sense of its recovery timeline.
Enhance Your Contact Information
Although it may not be part of a formal business continuity plan, your organization should also periodically review its employee contact information. Encourage employees to list emergency contacts, not only in their personnel files but also in their mobile devices with an "in case of emergency (ICE)" designation. You should also consider requiring employees to use a medical ID phone application. Apple devices have Medical ID capabilities built into the Health app. Instructions for how to set it up can be found here. Google Play has the free app, Medical ID ICE contacts for Android devices. Windows phones can use a lock screen app, such as Lock Screen Text. Writing down in-case-of-emergency contact information, taking a screenshot or photo of that information and setting it as your lock screen can also work for any type of smart phone. Using an app or setting up the ICE features of your cell phone can help responders get access to your key contacts, even when your phone is locked.
Revisit, Retool and Adapt
There's no way to spell out every possible scenario that could affect your not-for-profit organization, but you can account for the core types of disruptions that may befall your organization. Revisit your strategy and information periodically and make updates to ensure new employees, technology and other major organizational changes are covered by your plan. Employees should also be educated about what the plan entails and how the organization will communicate with them if a disruptive event were to occur.
For More Information
If you have comments, questions or concerns about how to be prepared for emergency situations, please contact us.
Published on July 27, 2017 Print