Creating an IT Contingency Plan at Your Nonprofit

As COVID-19 continues to affect our world in unprecedented ways, many nonprofits are settling into a "new normal" that may persist for months — or even years. For some organizations, a distributed, remote workforce will remain in place even once restrictions are lifted. And in certain cases, the unexpected and rapid shift to this "new normal" may have exposed some gaps in and limitations of the general IT infrastructure at your nonprofit. And these gaps and limitations may have temporarily made it more difficult or even impossible to serve your community.

I'm talking about issues like

• Who has access to which files and databases?
• Who controls that access?
• If the person in charge of critical operations falls ill, who is the backup?
• Who else knows how to administer our Office 365 account other than the IT manager?

All of these questions point to the need for an IT contingency plan to be in place before a disaster strikes — including pandemics, but also earthquakes, floods, you name it. In this post, I'm going to talk a bit about how we've handled this issue here at TechSoup and then provide some insights on how other organizations might approach their own IT contingency plans.

What We're Doing at TechSoup

Much of TechSoup's mission delivery relies on technology to power our marketplace, courses, and validation services. If it were to go down, that would temporarily prevent our ability to provide important information, products, and services to the thousands of nonprofits we serve each day. For that reason, we've developed a "Critical Technology Infrastructure Contingency Plan."

We (the infrastructure team) follow guidance from the NIST's (National Institute of Standards and Technology) standard procedural guidelines (PDF). These guidelines are broadly designed for organizations to prepare for emergency contingent operations — particularly when the organization's sustainability is a critical dependency for overall civil stability. Generally, this is aimed at critical civic infrastructure support organizations such as water and food supply, first responders, Red Cross, fire departments, hospitals, law enforcement, and others.

But TechSoup itself is a supporting resource to many of these organizations, and our principal operational model depends on information technology infrastructure to provide these resources globally. We therefore felt it prudent to model a similar practice in our own information management teams.

Here are some of the basic things we put in place.

• At least three people in the enterprise infrastructure know how to access key documentation and systems and can step in to support our critical infrastructure should the key SME (subject matter expert) be unable to fulfill the duties of their job. We have ensured that these three backups have their own access credentials and understand the operations related to each of the systems. Examples are system backup and recovery processes, email administration and support, and network infrastructure.
• One of these individuals is designated as "lead" (ideally should be in management) and is able to facilitate leadership and approval processes.
• We try to conduct process reviews twice a year for cross-training, testing, and updating the knowledge assets relating to supporting IT critical infrastructure and responding to an IT incident.

IT Contingency Planning at Your Nonprofit

Many nonprofits share a critical supporting role to civil society at large and as such have adopted the same general practices in the event of an emergency. Prior to joining TechSoup, I helped to establish an IT contingency plan for the Silicon Valley Food Bank. At the food bank, having a plan was top of mind due to the inevitable earthquake scenario. And very importantly, we had three very large warehouses on the peninsula filled with millions of pounds of food — a critical social resource, disaster or no.

At the food bank, we followed the steps below, and then actually practiced, updated, and improved them over time.

1. Begin with an assessment of the essential criticality of your mission as it relates to supporting critical civic infrastructure. Weigh that against the practicality and scope of developing and maintaining a contingency plan.
   
   In the food bank example, we drew up a plan for how the leadership structure and decision-making authority could be switched out to other trained staff in the event that the day-to-day decision-makers were not available.
2. Audit the organizational processes and functions involved in maintaining business continuity in the event of a critical operational disruption. Next, assess what business knowledge assets and systems require access or training to administer. Determine who currently "owns" those processes, whether they are technical or administrative, and whether there are dependencies on single individuals.
   
   When we did this audit with our tech team at TechSoup, we involved team members across the organization to participate in data collection and assigned a project manager to oversee the audit to ensure consistency of effort and documentation.
3. Once your audit is complete, develop a plan to organize the respective operating procedure instructions and documentation (SOPs). At TechSoup we use secure Box folders. Then assign and train emergency backup personnel on their roles and responsibilities in the event of a disaster. Develop an internal communications plan so that all staff members know what happens and what to do in a disaster.

Some organizations practice the contingency plan by using opportunities when the normally assigned staff members are on vacation. They have the backup staff run the daily operations of that function on their behalf. Some organizations go so far as to restrict access to corporate information systems such as email during vacations. This ensures that the backup staff is able to run things correctly and the business can continue without a single dependency on one individual for day-to-day work.

If you'd like learn more or take concrete steps toward creating a plan at your nonprofit, here are a couple of good places to start:

• Resources for Disaster and Emergency Planning (Nonprofit Center of Northeast Florida)
• Contingency Planning for Federal Information Systems (NIST; PDF)

No matter where you are in your process of securing your nonprofit's ability to operate in the wake of a disaster, it's always good to take stock of the plans you have in place to make sure they are the right ones. And, if you feel a bit behind in this area, there's never been a better time to begin planning for the future.

Additional Resources

• Learn about TechSoup Cybersecurity Offers for Your Nonprofit.
• Get training from TechSoup Courses on cybersecurity.
• See How TechSoup Uses the KnowBe4 Platform to Help Keep Our Systems (and Your Data) Safe.
• Get our latest guides to preparing for and recovering from disasters from the Nonprofit Disaster Planning and Recovery page.