Tag Archives: risk managment

Nonprofit Radio for March 9, 2018: Risk Management & Your Disaster Recovery Plan

I love our sponsors!

Do you want to find more prospects & raise more money? Pursuant is a full-service fundraising agency, leveraging data & technology.

WegnerCPAs. Guiding you. Beyond the numbers.

Credit & debit card processing by telos. Payment processing is now passive revenue for your org.

Get Nonprofit Radio insider alerts!

Listen Live or Archive:

 

My Guests:

Ted Bilich: Risk Management

“Not all risks are bad,” says Ted Bilich. He’ll help you identify the good and bad ones and get them into your risk inventory. He’s CEO of Risk Alternatives, LLC.

 

 

 

Dar Veverka: Your Disaster Recovery Plan

An IT disaster is one of the bad risks. What belongs in your DR plan? Dar Veverka is from LIFT and she’ll help you sort it out. (Originally aired 5/1/15)

 

 


Top Trends. Sound Advice. Lively Conversation.

Board relations. Fundraising. Volunteer management. Prospect research. Legal compliance. Accounting. Finance. Investments. Donor relations. Public relations. Marketing. Technology. Social media.

Every nonprofit struggles with these issues. Big nonprofits hire experts. The other 95% listen to Tony Martignetti Nonprofit Radio. Trusted experts and leading thinkers join me each week to tackle the tough issues. If you have big dreams but a small budget, you have a home at Tony Martignetti Nonprofit Radio.

Get Nonprofit Radio insider alerts!

Sponsored by:


View Full Transcript

Transcript for 380_tony_martignetti_nonprofit_radio_20180309.mp3

Processed on: 2018-11-11T23:48:42.880Z
S3 bucket containing transcription results: transcript.results
Link to bucket: s3.console.aws.amazon.com/s3/buckets/transcript.results
Path to JSON: 2018…03…380_tony_martignetti_nonprofit_radio_20180309.mp3.621106110.json
Path to text: transcripts/2018/03/380_tony_martignetti_nonprofit_radio_20180309.txt

Buy-in hello and welcome to tony martignetti non-profit radio big non-profit ideas for the other ninety five percent. I’m your aptly named host. Oh, i’m glad you’re with me. I’d break out with cering go sista noma, if you made me sweat with the idea that you missed today’s show risk management, not all risk is bad, says ted village. We’ll walk you through why you should care about the good and bad and how to get going with your risk inventory he’s ceo of risk-alternatives and your disaster recovery plan one bad risk is you’re going to put ignore it at your own peril. What belongs in your d our plan darva arika is from lift that originally aired on may fifth twenty fifteen i’ll take two charity registration and plan giving podcasts responsive by pursuant full service fund-raising data driven and technology enabled tony dahna slash pursuant radio and by weinger cps guiding you beyond the numbers regular cps dot com tell us turning credit card processing into your passive revenue stream. Tony dot, m a slash tony tell us it’s my pleasure to welcome ted village. He is ceo of risk-alternatives llc, providing risk management and process improvement. Solutions for non-profits and start ups he used to practice law and has served on the boards of numerous organizations. Ted has written about risk management and process improvement in stanford social innovation review, where you can also hear this show. Corporate responsibility magazine. This show is not on corporate sponsors. What magazine and risk management magazine were also not there. He’s at t bilich and the company is at risk. Hyphen alternatives dot com welcome to non-profit radio. Ted. Tony it’s. Great to be here. I hope you’re doing well. Thank you. I am. And how are you? I have to ask. I’m doing great. Thanks. I’m glad. Everybody’s. Good today. All right. Um all right. You’ve been in some magazines that non-profits are most likely not reading responsability magazine. Corpse. Sorry. Corporate responsibility magazine risk management magazine. I’m sure you’re not unfamiliar with this risk management sounds boring. Why either boring or scary? Alright. And if this was not on some affiliate stations, i might use stronger language. I might put it. Put an adjective on before the word for before the word boring. Oh, my god. Why should we be paying attention to this? You know you. Hit on one of the most important issues that i face, which is when people think about risk management, they think about either the fact that it’s one more obligation for them or that they don’t wanna lift up rocks because they’re afraid of what what’s under them and and, you know, what i say to people time and time again is that risk management is a critical part of your business because especially if you’re a non-profit you are dealing with more risks than almost any other organization you could possibly think of, you know, think of the non-profit business model, toni it’s, your taking money from strangers in order to deal with intractable problems. And if you do your job really well, your business should go out of business that’s a risky model, so it really pays to pay attention to risk management, and we could get into sort of what that means if you’d like, yeah, we’re going to, um you do say that not all risk is bad. That’s exactly right? Flush it out. Yeah. Yeah, sure. You know, one of the one of the issues in risk management is what do you mean by rich? And risk matt necessarily mean bad things risk. So i always tell people, when you’re talking about risk talking about uncertainty management, you could have bad risk that could go go, go wrong, and we call those threats. He could also have good rick, you know, opportunities either opportunities for improvement of your current processes or opportunities in the sense of new initiatives, and all of that is within the framework of a good risk management process. Okay, so i like the idea of we don’t know what’s going to happen next. It’s. Just it’s something we don’t know, right? So it does not. Of course, it does not have to be bad. It could be fantastic, right? Okay, absolutely. You know, it could be that that that there is a new donor who is waiting to not give you money if you expand your programs in a new direction, but simply wants to give you money to do mohr of what you’re doing now. And you believe that this is important for non-profit sustainability? Oh, gosh, yes, if you don’t, if you don’t have a risk management process, tony, then let’s say, you’re thinking about having a strategic plan or you have a strategic plan, how can you possibly have confidence that that strategic plan is going to accomplish its its objective if you don’t have a really strong awareness of what your current capabilities are, including what the threats and opportunities are that face your organization? So there’s this thing out there called a swot tte or swat analysis? Um s w o t the o’s opportunities in the tear threats i forget with the what do you what’s the s and the w its strength and weak she’s. So weak threat. Thank you. All right. Yeah. And and people use that sometime during strategic planning process. Okay, so this is s so we’re calling altum positive risks or good risks. That that’s the opportunity. That’s, right? Those are opportunities there. Potential opportunities? Ok. Yes, exactly. And one of the things that i talk to people about when when they talk about a swat analysis, is that swat analysis tends to be a static once every couple of years, activity done during strategic planning. One way to think about risk took that slot and alan and you operationalized it so that you were as a matter of routine, looking at your strengths and weaknesses and opportunities and threats. That’s one way to think about a risk management structure is it’s taking the swat process and making it something that is ongoing over time. I think it should be swope i think it’s a long hour, i know not to quibble, but i think it’s, of course, equivalent, but i think it’s a long oh, i think so long, so might be, but i don’t think that negates anything that you just said, i don’t know listeners thinking that all right, so so an ongoing process. Now you you have this cool article. Stanford social innovation review called a call for non-profit risk management, you make very clear in that, and we have about a minute before first break make very clear that that this is not really appropriate for start ups. If you start up basically, your your argument is you can cover this most of your problems or potential risks with insurance. But so when when should we start doing formalized risk analysis? You know, a good signal for that, tony and briefly before break good signal is when you start doing, when you start having regular audit, um, that usually happens when a non-profit is going into growth phase, and at that point, it’s useful to start having a risk management process because after all, you’re becoming a grown up organization. Okay, so when you start when you start having going through an audit process with your right when you and then that usually in love that you know, depending on the state seven hundred fifty thousand dollars to a million dollars of annual revenue, okay, let’s, take our first break pursuant, their newest paper demystifying the donor journey. You need to be intentional, deliberate about stuart in your donors, we’re talking about being delivered today, assessing risk. You also need to be deliberate about stewarding your donors so you don’t lose them. Pursue it will help you create and fine tune your donorsearch stewardship plan. Keep your donors with you so you don’t have to replace them each year. Demystifying the donor journey it’s at tony dot m a slash pursuant, radio let’s, go back to ted village and let’s continue our talk about risk management thiss ongoing assessment process so all right, so we know when we should begin. Um, what shall we begin with? Is it? Is it the risk inventory? That’s exactly right, tony the first step still, this good risk management process is too take stock of where you are now because you can’t start prioritizing if you don’t have awareness of what your current threats and opportunities are so there’s a process risk-alternatives hq inventory it’s simply a structured exercise that you take your staff through to help them identify threats and opportunities not just within operations, but operations and finance that i t and a talent management and development and all those different functions within the non-profit and it usually takes about, you know, two or three hours of work total for your staff to do something like this spread out over a couple of weeks, and at the end of it, you have a really good idea of the threats and opportunities you currently face, really only two to three hours for each put threespot actually not that hard of a process in fact, your listeners could go to our website, risk-alternatives risk-alternatives dot com and download a little report that shows you how to do it on your own when we do it as a facilitated manner. It takes about an hour to train people about risk management, and then they go off on their own and each person takes about forty minutes to use an online tool toe identify these threats and opportunity. So it’s really not a long involved process. I love the online resource. Thank you for that. So again, risk hyphen alternatives dot com let’s say i want to flush this risk inventory a little bit. So who should be involved in this process? First of all? Well, when when we advise customers to do it, we always say you should have your c sweet team. I’m assuming that that you have a small, that this is a fairly small organization were small. There were small to midsize non-profits here, however you think one point five, two million dollars to five million dollars in revenues, you probably have a ceo cfo, a head of development in in some form or another, and probably someone in charge of programs. You would want to have those people, but we also also always advised get one person who’s simply a staff member right on the front line and have them do it along with the senior team because they’re no thing that that the senior staff don’t have any id dea is going on. Yeah, i know that there. That could be very eye opening on ly one person, though, from from down in the trenches. Well, on in your initial risk inventory, tony wanna balance thoroughness with efficiency. And so with this initial inventory, i think it’s good to have one person from the trenches. But this is mostly going to be a bottom down identification process. His first run through the idea behind it, though, is that risk management is not a one and done thing. You do an inventory, you prioritize, you respond to those you assess and improve, and then you do another inventory and so on and so forth. And as as you grow this within your organization, you would want to make sure that mohr and more people are involved in that risk identification process. All right, so i see we’ve got an interpretive process. Let’s, go back to our initial one now. All right, so we’ve got this were basically creating a committee, that’s going to meet a couple of times, you said over, like two or three weeks. We’re creating a committee. A risk risk assessment committee is not going to scare people like we think committee, right? Okay, that sounds like when, when, when people below the c suite start hearing there’s, a risk assessment committee being formed. That sounds like they’re going to firings, coming, eyes firing or they know about. They know about the seven deadly plagues that are ten deadly plagues, depending on which version bible you read. There’s, locusts and blood and darkness coming on dh, what else we got flies really was that part of the buy-in frogs, frogs that was the effort, the other fellow. So this sounds a little scary to me if i’m not on the committee, no that’s exactly right, which is why one of the things that we advise the senior staff to do when they decide to go through this sort of exercise is to send in all staff e mail out saying, you know, we’re doing this process so that we can dip our toe in the in the waters of risk management. It’s not a matter of something to worry about. In fact, the idea over time is to get everyone in the organization involved in this process, okay? So yeah, and we’re actually trying to do is reduce worry by identifying what’s out there that we don’t know. So we’re identifying are known unknowns. What about our unknown unknowns? Can we get to them? They’re always going to be things that are unknowable, you know, there’s, a wonderful book by, uh, well, it’s called the black swan. Have you read it, tony? You know, i think i saw a movie called black swan, but i don’t i don’t think it’s very different now a very different from what i’m talking about, okay, this book is about how, no matter how well you might try to predict the future, there are always going to be significant jolt of one sort or another that you can’t possibly predict beforehand. And so you know, i again, i always tell people, risk management is not a crystal ball. The better analogy is risk management is a flashlight in the dark, it allows you to see things you might not otherwise see. It makes the path a little safer because you can see some of the things that that might be bad along the way and some of the things that might be good, that can help you, but it also gives you a healthy sense of maybe we shouldn’t be running too fast, because if we run too fast, we’re not going to see the things that could trip let’s. Let’s, go back to our to our initial committee now. So so how do we ah wei, is that there’s a risk assessment committee? Yeah. Can we call that? Okay, managing committee, risk inventory shoretz are risking our r i c were first our first rick. So way get the group together. What do we do? How do we get the process started? If we don’t, we don’t have the luxury of the of a professional facilitator, right? Well, if i were doing it and i didn’t want to bring my company or some other company and it’s, what i would do is i would cheat in the following way, i would go get that that report that that we have on our website and i would download that and it says, ah, this is how you do it. These air, the various different functions that you want to look at, and it lists eleven different functions of the organization, and it says what you ought to do is you hot auto, have each team member within each function, identify three things that could go wrong, and one thing that could go right in the near future either because it’s a new process that we could adopt, or a new initiative or a process that we could tweak in some way. So each one of the people goes off and does and and they identify three threats and one opportunity in each function of the organization. Okay, then they do it, but they do it, tony, even if it’s not their function oh, you’re going all right. Well, let’s, take one step at a time. First of all, just just name a couple of the functions. You know, talent management. Okay. Hiring, developing and if necessary, firing people that’s one funky reputation management, you know, how do you influence what? What people think about your organization. Um, fernand is another function. How do you account for the money that flows through the the organization? Just give us one. Give us one more. We don’t want to eleven. Because because there are available on the title is the big ones. You know, how do you use elektronik technology in order to enhance the services you provide? Why’re we waited three, three potential bad and one potential. Good. Why can’t we be? Do equalize it out two and two. You could do it that way. I’ve found just over time that people are going to be very, very, um, free with identifying things that could go wrong. People have lots of worries, especially during an initial risk inventory. They like to dump a lot of stuff out on on the table it the reason why we emphasize identifying at least one opportunity is that we want them to be balanced in their presentation to some extent. Nevertheless, it always is that people are going to identify more threats than opportunities, and so we’ve set it up as a rubric of three to one to at least get the one in each because really not balance it’s tze, twenty five percent good and seventy five percent bad, but but you see, people are thinking mohr negatively, people thinking more about the bad risks that’s, right? And and also when when you know, when we reconvene after after having people look at those things out on their own. One thing that that happens is that the team the committee that you’ve developed is going to find that they identified it ah lot of the same risk, so you might get a list of one hundred risks, but really it’s going to end up with about sixty sixty to seventy risks and and a lot of those things that they identify as bad things aren’t going to stand up to the light of day one person might be worried, but another person has a full explanation, and so it will simply go away. You’ll end up with about forty or fifty for challenge either positive challenges or negative challenges, and and at the end of that process, i can almost guarantee that someone who does this will be aware of two or three things that are low hanging fruit, that they can pick very rapidly in order to help their organization thrives. Now, are we allowed to come back to the committee then with mohr than the four that you challenged us with? And then the committee and the committee flushes them out to get down to this forty or fifty? Is that the way it works? Yes, if someone wants to identify more than three threats and one opportunity, i would never say, no, you can’t, but but on the other hand, you don’t want someone, for instance, to focus so much on this that they become, you know, all engrossed in in their potential worries rather than doing their job. So you wanted to be somewhat manageable, all right? We’re in the details of this, which is where i want to be. So so our first meeting is introductory. And then we give some homework second meeting you’re coming back in a week or maybe give him ten days. All right, maybe it’s a it was a long weekend in there, so e-giving e-giving ten days you’re coming back with your your analysis of threats and opportunities with the understanding that we’re going to narrow, we as a committee are going to narrow it down to three, three and one for each functional area, okay? No, no, no, that that i think i misled you on that one. Well, you’re going to narrow it down to a certain number of risks. It may be that there are that that the committee ends up saying, yeah, there really are seventeen risks in the development function. And they all are really rich. Each person would have identified only three. But, you know, maybe maybe it ended up that that you had ah, fifteen at least, um, legitimate risks threats that were identified, that is, you don’t limit it artificially as far as the total number of risk that could be identified within a function. Okay, i think you did mislead me, but that’s all right? You know, character. So listeners going go back, listen to what ted originally set the record will now pass that’s, right? I think it’ll show that i’m correct, but, um, so all right, so and you had also said that people can identify threats and opportunities outside their their own functional area, so a cfo can comment on it, and i can’t comment on hr and talent development, et cetera. Okay, um, that’s our second meeting, what happens after that? Now, we’ve now we’ve got our core of forty to fifty yeah, you’ve got your core of forty to fifty. The next step in that in the process would be to prioritize along those risks, because if you have forty two, fifty two, sixty risks and you think they’re all equally important, well, you’re just going to be frozen in inaction. So the next step is to use whatever tool you wish to use to prioritize those risks down to the most important ones that your organization face. And when i’m advising r our clients, i say the simpler the better, as far as prioritization, use a simple, you know, ah, point system, where each person on the team gets a certain number of points and they can allocate those points, however they wish among the fifty or sixty rhys so that if you want to push him all of your chips on toe one risk because you think that’s really important and should be really high priority for the organization, you could do that. Um, and and by doing that, you end up with your top ten or fifteen risk that got the most points and those become your first prioritized punch list of high value items that your organization should focus on during the coming period of time. You could do this like a poker game. You could all be you could buy everybody a stack of chips and okay, number one, we’re going to go through all forty or fifty. Number one who wants to throw is number one throwing your chips. But when you have a chip on that one that you exactly right, good bet judiciously, because when you’re out of chips, then you’re silent. There’s no taking chips back. Alright, right? Yeah. And? And what is happening is that people will take different different approaches to deciding what you know what their priority risks are and and the reason why. I say it needs to be a simple process is that deciding priority really is a judgment call? It has something to do with how dangerous or how good is this opportunity of its opportunity? How, how, how big is the risk if it comes about, how likely is it to come about? And if it comes about, how much lead time are we going to get before it manifest? Seldman now, you know, if you’re a multi billion dollar corporation, you khun create huge financial models to make those sorts of decision, but for the average non-profit you have to rely on people’s considered judgment, and so having a simple prioritization process where people are told, you know, consider those three factors and then put your chips the way they should. It ends up being a pretty powerful system for identifying the core risk organization and say those three three factors again, yes, it is it’s, the magnitude of the risk if it comes about the likelihood of the risk coming about and how much lead time you’re going tohave once the risk manifests itself before the full impact hit, okay, that third one could be it could be a day or so? I mean, that could be short term and they could on the end. And that might mean that you would get several rank that risk hyre because you don’t get that much lead. On the other hand, if you’re talking about a legislative change, you might have not in front. Okay? Yes, exactly. Yeah. So you’re aware, of course, weighing the factors, it might be low, like a low, low, low probability, but xero lead time and great magnitude you’re going to rank that thing. Hyre okay. All right, all right. So now we’ve got our ten. We’ve got our top ten. Yeah. Now, do we continue in just the committee and dealing with these? Or do we start to open it up in, like, meeting three or four guard to open it up? Ok, start opening up when you, when you boil that tend the risks down to your poor wrist, then you start opening it up to the rest of your staff by bringing those the list of those risks to your staff meetings and talking about those with your staff asking, ah, you know, for for their reactions tow those risks. Signing those. Risks, too. Particular people tto be dealt with a signing check in dates for when when you’re going to check back, you know that that list of core risks, which is second big tool that risk managers use, they call it a risk register. But that prioritized list becomes the operational judge document that you share with your staff in all staff meetings and and other staff meetings. You also share that up to your board of directors because those are the core risk that the organisation face and the board may want to weigh in on some of those risks. Excellent. Ted. We’re gonna leave it there. That’s a perfect place to ah overviewing on dh, of course, there’s get you could get thie get the format at risk. Hyphen alternatives dot com. You could follow ted at t bilich b i l i c h ted village. Thank you so much for sharing. Uh, tony was great to be here. Thank you so much for having me on my pleasure. We need to take a break. Wittner, cps, anek cerp from the latest testimonial quote, they’re accessible. They care about their clients. End quote, can you say that about your accounting and audit firm? This is another way that wagner goes beyond the numbers remember all the guides and the templates you heard me rattle on about, but they’re valuable. So it’s rattling and it’s valuable rattle. Yes, it was very it was a high tone rattle, good tone, so there’s that but then there’s also they’re accessible. They care let’s make it personal. Talk to eat. Which tomb he’s. The guy you want to talk to? Check out wagner, cpas, dot com he’s a very good guy. Now time for tony’s take two two people have me on their podcasts, it’s their lives joe correct, and i talked about charity registration. Now, first of all, i have to apologize to joe correct, who i’ve always called joe garrick, including what he was on the show. Why he didn’t correct me, i guess. It’s too polite. I don’t know. I think i take notes. Well, as long as they’re not from my wife, i think i’m open so i would. Appreciate it, but joe correct did not. So i have to correct, correct and eso yes, joe, correct, and i did charity registration and i did, launching a planned e-giving program with heather yan tao. Those are my two tricks to trick pony that’s what i know, plan giving and charity registration heimans lots of people say they feel passionate, passionate about their their work you need i love you. The twitter bios air are actually pretty interesting there’s a lot of passion out there, they’re passionate about whatever they do. I don’t know, i like it. I like playing giving i like charity registration let’s just leave it at that let’s not get carried away about passion. Um, so those are the two things i talked about. So the plan the plan giving with heather watching apollo program? Not surprisingly, i talked about charitable bequests that is the place to begin your plan giving program, as you know, and it could be the place to stop. If you’re a smaller, maybe even midsize shop, you don’t want to invest in more and more like infrastructure and further expertise or something it’s not necessary, you can have a very respectable program with charitable bequests start and stop there so you’ll hear that message. And then, of course, we’re going to more detail about starting a plan giving program against marketing tips that i shared with heather et cetera and for charity registration that was the one with job. Correct? Um, you know, the biggest hook with that is your donate. Now button, if you have a donate now button on your website, you’re accepting gifts on your site. That thing is a solicitation in lots of states the day that it goes live, and it doesn’t matter whether anybody in montana ever clicks on it. I don’t know if montana is one states you gotta register is like ten or twelve states where you don’t but let’s just don’t don’t fight the hypothetical, um, it’s it’s a solicitation in a lot of states, the moment it goes live because people in those states can see it so that’s a big hook you donate now button and just generally, of course, charity registration. You need to be registered in each state where you solicit donations, and joe and i went into some of the generalities about registration because it’s a morass. But there are some generalizations you could draw about what the states require in terms of timing and forms and fees, things like that when you get into the weeds of charity registration, then that’s where it’s it’s a morass because every state has its own let’s be polite and say video sync christie’s that they’re their own personalities that must emerge through the charity registration channel so you can’t make a lot of you can’t go into a lot of detail and, you know, like a forty minute podcast, but there are generalizations you can draw, and so we talk about exemptions also exemptions or key, you know, once you find a state that you need to register in because, you know you’re soliciting in that state, the first thing you want to do is look at the exemptions in that state. What do those look like? Because you might very well be exempt. Then, of course, drill down to the details of exemptions and that’s where the morass comes in is in a state where you apply for the exemption or the state, and you have to be approved for the exemption. Or is it a state where? You could just walk away, throw up your hands and go to the next state because you just deem yourself exempt, right? So joe, correct, and i talked about the exemption, of course, too, because, you know, you could save a lot of time if you find that you are exempt. All right. So carrie restoration job, correct planned e-giving beginning of launching a plant e-giving program that’s with heather, you, lando and i’ve got links to those two podcasts, of course, there’s. My video. I have to have my own personality and nuances. So my video, with the links to the those two podcasts where i was a guest, is that tony martignetti dot com live. Listen, love it’s got to come now, pre recorded today, but the love goes out the life, the live the love goes out, the live love is out. If you’re listening live, you’re getting the love that’s the key. So live listeners so glad you are with us. Love goes out to you thanks for being with us and the podcast pleasantries you expected me to say the word heels, didn’t you? And you were waiting for heels on the heels off, but your ah your hopes are dashed. I’m not going to say the word heels today. Podcast pleasantries today over twelve thousand listening whenever wherever, whatever device the bulk of our audience the podcast dorian’s so glad you’re with us. Thank you very much and the affiliate affections on the heels of the podcast pleasantries has to come. The affiliate affections our am and fm station listeners throughout the country affections to you. I’m grateful that you listen that your station carries us whatever time, whatever day thanks for being with us. Thanks to your station for carrying us affiliate affections that’s the liveliest or love the podcast pleasantries and the affiliate affections. Now let’s, go to darby, barca and your disaster recovery plan. Welcome to tony martignetti non-profit radio coverage of ntc twenty fifteen the non-profit technology conference were in day two. We’re in austin, texas, at the convention center and my guest is dar vivir ca she’s vice president of technology for lift a lefty and her workshop topic is avoiding disaster a practical guide for backup systems and disaster recovery planning. Dar welcome, thank you very much. Good to be here. It’s a pleasure to have you this day two we’re highlighting one swag item at ntc per for interview and, uh, i have a double chip biscotti from ah sputnik moment the hashtag is hashtag is sputnik smiles and i’m told that the glasses go with the biscotti, so this is essential. This is this interview’s swag moment. Thank you very much. Sputnik smiles and it goes into the goes into the swag collection. There it is. Okay, door. Um, we need to know some ah, little basic turn. Well, you know what? Before we even get into why is disaster recovery and the related and included back-up so i don’t know if it’s just for gotten ignored, not done well, what inspired the session is a organization i used to work for. We were required by auditors to do a disaster recovery plans. So when it came time for the annual audit, i got out the current disaster recovery plan and went all right, i’m going to go ahead and update this and when i discovered when i read the plan was there were servers, there were eight years old gone for the last eight years server and reading the planet was very clear that what the previous person had done was simply change the date and update the plan for auditors. And as i thought about it and talk to other people, i found that that actually happens a lot people it’s d r is sort of that thing they don’t have time for because no one ever thinks it’ll happen to them, so you push it off and you push it off, and you either just download the template, you know, a template off the internet, and you slap a date on it and basically fill it out just for the auditors. But a lot of organizations never actually think through their disaster recovery, they don’t get into the details, they don’t worry about it, and then when a disaster actually happens to them, they’re sort of stuck. You don’t have a plan that i don’t have a functioning crush on, they’ve never tried it out, so that was what inspired the session and as we dug into it. We we tried to give the thirty thousand foot view because disaster it cover, you know, there’s an entire industry, the deals with technology, disaster recovery. You can spend days on this topic, and obviously we didn’t have days. We had a ninety minute session, so we tried to give the thirty thousand foot view of the practical items you need to pay attention to if you’re not confident in your organisation’s d our plan, if you don’t have a d our plan or if you do and you really don’t, you know, you think it really needs an overhaul that sort of the top ten of items of what you should really be looking at when you’re dealing with disaster recovering backups. And we tried to give some several practical examples myself and the other speaker and andrew, who could not make it this morning of disasters we’ve had to deal with as well as other well known ones. Yeah, okay, do we need some basic language? Miree before we get into the d r disaster recovery topic short jr is one of them. Disaster recovers, often referred to his d r it’s often spoken about in terms of business continuity or bc, which is sort of the larger plan for the entire organisation should’ve disaster strike there’s the others very d are specific things such as our poet recovery point objective that we could talk about your rto, which is recovery time objective there’s very specific language like that for disasters. It’s usually just revert to de ours. So whenever we say d arts disaster recovery okay, we’ll see if we get into those eyes and i could explain to ms wick. Okay, um, all right? So clearly we should have a disaster recovery written, just recovery plan. Even if we’re an organization that small enough that doesn’t have an annual audit, we still should have something in place. Yes. Okay. What belongs in our day? Our plan top ten things. You need a contact list for your team. So if you have a top ten of the d r i do of what should your plan d our plan? You know, it could be anything from a five page outline that just covers the basics. And in in our sessions slides, which i’ve posted in the ntc library gives it some good resource is for doing andy. Our plan, or it could be a, you know, a huge hundred page document, it covers absolutely every aspect of business continuity or something in between it’s going very by organization, and the reality is, if you’re a small organisation with a small team, you might only be able to do the five page outline but that’s better than nothing that’s better than no d our plan or a d r plan that realistically hasn’t been updated in the last ten years, but i would say, you know, the top ten you really should have in your day. Our plan is number one, a contact list for your team members. What is the contact for your team, folks, your business continuity folks, if you normally would get that out of your email and you’re in a disastrous situation, you know you can’t get to your email or, you know, like we’re ever going through, and i want listeners to know that she’s doing this without notes, i it seems very confident that she’s got the hopefully i’ve ever altum in-kind get seven out of seven or eight ten will be ecstatic, but so continue. Oh, but i want to say yeah, as we’re going through, consider two organizations that may not have someone devoted to it. Correct, that is, our listeners are small and midsize non-profits right? They very, very well just all be outsourced or it falls on the executive director’s desk. Excellent point. Would you cover that in the session? So t finish at the top ten contactless three team members contact list for your vendors, a call tree and some sort of communications. How do you tell your organization in your members that you’ve had a disaster? Either your servers have gone down your parts of burst and your communications air underwater? How do you do that? What is your network look like? So? Network diagram process outline how you’re actually going to do your disaster recovery a timeline? How long do you expect these activities to take before you? Khun b live again, a list of systems and applications that you’re going to recover if you’re a large enough or gore, you can afford a hot site what’s called a hot or warm site where you can immediately switch over two other equipment. You know information about that, you’d need that to start your recovery and then also information about your backups. You know, who’s got your back ups? What system are you using? How do you, you know? Get those back. So those air sort of like the top ten things or d our plan should have. Alright, let’s dive intothe process. Ok a bit, because that intrigues me. And hopefully listeners. I think so. I think i have a fare beat on what’s. Interesting. I hope i do. Um, yeah. What? How do we start to think about what our dear process should be? First, you have to think about what all could be a disaster for your organization. A lot of people think about things, you know, earthquakes, hurricane, sandy, hurricane katrina. But it could also be water pipes bursting in your building. That is one of the most common thing. If your server is not properly protected, which a lot aren’t a lot of stuck in closets. Ah, dripping pipe water. We call those water events and that seems to be the most common thing departments encounter is leaking pipes in the building or some sort of a flooding situation. But it could also be an elektronik. Disasters such i’ve worked at an organization that underwent what’s called a ddos attack, which is a distributed denial of service. It took out our entire web presence because malicious hacker hacker went after that’s where there’s millions of right the network and they just flood your network seconds you’re overloaded and yeah, and that’s a disaster situations. So one, why would they attack like that? Why wasn’t non-profit attack malicious? The cp dot organ are attacked out with avon marchenese travon martin decision. Folks attacked our our petition site way. We were able to get it back online, but for a couple of hours. Yeah, we were off line. And that could be considered a disaster situation. For sure. Yeah. How do you help us think through what potential disasters are not even identify them all i think about what could affect your or what you wear. You vulnerable? Some of the things we talked about in the session and we’ll think about it. How would you get back online if the’s various things happen to you are your are your services sort of in the cloud? Do you have servers on site and start there when thinking about your process is what would you have to recover if these various scenarios affected you or with these various scenarios. Scenarios affect you if your website is completely outsourced to a vendor that has de dos protection. Okay, that’s, not a scenario you have to worry about so kind of analyze it and every organs going to be different. You know, if you live on the west coast, you’re probably concerned more about earthquakes than other regions. So it’s it’s going to vary for each organization, what sort of disaster you’re going to be worried about? And then you start getting down into the practical nuts and bolts in terms of who are your disaster recovery people, who’s your team, if you’re really small lorry, that might just be you or as you mentioned before, if you’re using outsourced, manage service provider and your vendors responsible for that, make sure your vendor has a d our plan for you. Ah lot of folks just assume your vendors taking care of that, but when it comes right down to it, do they actually have d our experience? Can they recover your items? Actually sit down and have that conversation? Because so many of the small org’s as you pointed out, do youse outsourced thes days and there’s there’s a lot of manage service providers that specialize in non-profit, but you need to have that conversation. Don’t wait till you’re under a disaster scenario to discover that groups they don’t actually have that experience have that conversation ahead of time. What else belongs in our process? Outline in your process latto outline if you’ve got a another site either a cold, a warmer, hot site or if your stuff is based in the cloud, where would you recover to the hot side is some place you go to drink cold water or hot? Sure, a cold site would be where you’ve got another location let’s say you have a dozen servers at your location, and in the case of, you know, your building being inaccessible or underwater. A cold site would be where you’ve got another location you could go to, but you don’t really have any equipment stage there, but it is another location you can begin operations out if that’s a cold sight there’s nothing ready to go, but you’ve got a sight a warm site would be where you sort of have a skeletal equipment there it’s far less capacity than you’re currently at, but you’ve got something there it’s not live, but you got stuff ready to go that you can restore to and get going. And a hot site is where you can flip over immediately. Your live replicating to somewhere else, it’s ready to go? It might not be full capacity, so it might not have, you know, full blown data line size that you’re used to might not have your full range of service, but it is live and you could switch over near instantaneously. That’s a hot site, ok, eso you’d want that in your process, and you’re going to want to think about what are you restoring and that’s where we get into the backups? What comes first and that’s, where you start getting into terms such as recovery point, objective and recovery time objective those air to very common d our terms recovery time is how far back are you recovering, too? And what does that mean for each system? So if it’s your donorsearch system that’s probably fairly critical, you want a recent restore of that? If it’s a system that doesn’t change very much, maybe a week ago restores okay for that and sorry that’s recovery point objective recovery time objective is how long does it take you to get back online after a disaster? You know, ifyou’ve got to download your data from an external source. Has anyone thought about how long that’s going to take you to get the data back? Is it going to take you fifteen hours or three days? So it’s in a lot of folks don’t think about that ahead of time, they just go oh, you know, we’ll we’ll pull it back down if we have a disaster, but they don’t think about instead of their nice normal data communications, they’re going to be on a tiny d s l line trying to pull down one hundred fifty gigs of information and it’s going to take a week to get it back down. I have to say you’re very good about explaining terms and thank you, proper radio. We have jargon jail? Yes, we try not teo transcend. You haven’t transgressed cause your immediate about explaining exactly what recovery point river and recovery time objectives are. It could be very confusing, you know, if you don’t understand the terms in tech, you can be confusing what folks are talking about, and that was one of the the focus is of our station session is making it less confusing and being very practical, practical about what you can or cannot do. And if folks go and look at our slides, they’ll see on several of the items we did a good, better best, and we tried to talk about that all throughout the session because we realized again for a small ork or, you know, even a large order that just doesn’t have the resources to devote to it. You might not be able to do best practice, but you could at least try a good practice that would be better than nothing. And then so we do a good, better best for each each type of thing like what does a good d our plan look like? Versace best day our plan and at least try and get to that good, because at least you’ll have something and it could be a continuum where you try and improve it along the way. But you’ve got to start somewhere it’s better than just ignoring it, which is what happens. At a lot of places. Got to take a break. Tell us credit card and payment processing. You know these people check out the video at tony dot m a slash tony tello’s that will start to explain to you the long tail of revenue that you can earn from. Tell us when you get companies to look att tello’s. Let tell us look at their processing fees. Then they switch to tell us you get fifty percent of the revenue forever. Tony dahna slash tony. Tell us now back to your disaster recovery plan with dar do we need to prioritize what what’s mission critical. And, yes, we can work with out for a time. Yes. How do we determine that? Definitely. We talk about that in terms of its not just a knight each decision either because we may think that the emails the most critical thing out there, but development may see the donor system as the most critical out there program might think that the case management system is the most critical out there. So you finance wants their account. They want their accounting system up. Obviously you’ve got to have an order in which you bring these things up. You’re probably not gonna have enough staff for bandwith or, you know, equipment to bring everything back online, so there needs to be and hopefully your executive team would be involved in deciding for the organization what is most critical in what order are you going to bring those things up? And that needs to be part of your d r plan? Because otherwise, if you’re in a disaster scenario, you’re not going to know where to start and there’s going to be a lot of disagreement of who starts where so you guys need to decide on the order, okay, we still have a few minutes left, but what more can we say about d r and related back-up that’s not going to wait till i’m back up because i think we could do a little bit in terms of d r i would say the key points on backups are check them because a lot of time, yes, monthly or quarterly, at least is anyone looking at your back-up back-up work-life one of the scenarios that we talked about that actually happened to my co speaker, andrew, was that their server room flooded and it hit their razor’s edge server, which is their entire c, m, s, c r, e, m and donorsearch system, and they thought it was backing up, but no one had actually check the backups in the last two months, and it was on, and it was not s o in terms of back-up just typical, you know, pay attention to the maintenance. What do you backing up? Has anyone checked it? And again, if you’re using a manage service provider, make sure if they’re responsible for for looking at your backups of managing them, make sure they’re doing that, you know, double check and make sure that they understand that your backups are critical and they can’t just ignore the alerts about your backups. You know, you don’t want to be in the unpleasant situation of three of our servers just got flooded. We need the data and discover nobody was backing it up. It ain’t exactly okay. All right. Anything else? You wanna leave people about back-up before we go to the broader diar? No, i think that’s. Good for those were the highlights for it. All right. So back to the disaster recovery. What more can we say about that. There are going to be a lot of watches if you’re in a large d our situation and so one of things we stress is one getting down into the details of your d our plan before disaster hits, you see, if you’ve never thought about how you’re actually going to do the restores air, actually, how you’re going to be rebuild those servers, you need two ahead of time. A lot of folks never practice have a fire drill. I hate fire drill, but and you don’t have a live fire drills in this case, it might be a live fire drill. You don’t want to have that, so you should make some effort to practice, even if it’s just something small, you know, trying to restore one server. I mentioned in this session that i was put in a situation years ago at johns hopkins university, where we were required to have verification of live tr practice. So i was put in a room that had a table, a telephone, a server, and we were carrying two laptops, and we couldn’t come out of the room, and so we had completely restored our domain. We had a set. Of backups on the thumb drive and added the second laptop to that domain improve that we had restored the domain, and an independent person that was not connected to our department was monitoring to make sure we had done it and we had to prove it, and that was an eye opening experience is as experienced as i was doing that i’d never done it live, and it took me three tries to do it so that’s, right? Encourage folks to really try and practice this stuff ahead of time and get down into the you know, the weeds on there on their d our planet on also to think about it. You weren’t fired because way, john no, no, no. I actually like too much john soft. No, we did complete it within the time frame, but we were a little startled when we discovered that we thought we knew how to do it first time out. And we kept making little mistakes. There were two of us and they’re doing it. And we were surprised ourselves that we thought, oh, of course we know this. This is not a problem, but no, we were making little mistakes. Because we didn’t have the documentation down, a specific is it needed to be, and so that was a very eye opening experience. There’s a couple of their d r gotchas we talked about, which is crossed, people don’t think about the cost ahead of time. How much is going to cost to get you that data? Back in the instance of my co presenter who had the damaged drives, they weren’t expecting a near ten thousand dollars cost to recover those drives, but that’s what happened when they didn’t have the backups? They had to take those hard drives to a data recovery place, and the price tag was nearly ten thousand dollars. Dealing with insurance is another big one that people don’t think about having to account for all of the equipment that was lost, and dealing with that insurance morass often gets dumped on the auntie department in a small organization. There’s not, you know, a legal department that’s going to deal with that it’s going to be you so to, you know, kind of talk to your insurance provider ahead of time and see what all you have to deal with in a disaster situation, so you don’t get an unpleasant surprise if you’re ever, in one a cz well, on the insurance topic, just are you covered? Exactly what what, exactly, is your equipment covered, and what do you have to do with that? In terms of accounting for it, if you suffer a disaster and you know the gooch is, we get so a couple of minutes, if if oh, about conscious. Trying to think about somebody we don’t hold back on provoc video, i think some of the other ones that we covered in their thick wit mint again to the cost, how much is it going to cost you? Two gets new equipment and did you account for that when you were doing your d our plan and a time to recover? A lot of folks don’t understand how long it may take them to do a recovery and also deciding what is important and what is not important, not just in terms of what should be restored in what order, but in terms of practical things, do you really need to restore your domain? Er, or could you just start over from scratch if your domain only contains maybe fifty accounts and doesn’t have any associated servers faster for you to just start over and just recreate the domain immediately? Especially if a lot of your emails in office three, sixty five or google maps, you could reconnect it very quickly. So, you know, thinking about more practical gotsch is like that that you should think about have time, you know, obviously it’s that’s the best practice to think? Of all these details, and he realized folks may not be able to, so we provided someone sheets and some samples of them of just quick, yes or no questions and thinking this through and things to think about and where will we that is not notice provoc radio has a professional sound i don’t know about ntcdinosaur ten, but that was a way over there. They’re on their own. They can come to us for expertise if they if they need to. But, uh uh, now i messed myself up because i ask you about something. What were you just talking about? How much? How long will actually take you to recover things? And whether or not you should practically skipped recovering something because it might be faster to rebuild it. Okay, i have a follow up to that my smart ass humor, maybe lose it. All right, so why did you leave us with one take away? Dror back-up the session was a little bit misnamed because technically, you’re not going to avoid a disaster you really can’t in many cases, you’re not gonna avoid the flood. You’re not going to avoid the earthquake if you’re in that. Region so you need to plan on how to deal with it. So it’s more like avoiding avoiding your d are becoming the disaster because you’re not going to avoid the disaster itself, so you might as well plan for it. Outstanding. Thank you very much. Door. Thank you much. Darby america vice president of technology for lift. This is tony martignetti non-profit radio coverage of ntc non-profit technology conference two thousand fifteen. Thank you so much for being with us. Thank you. Next week date your donor’s returns with jonah helper. If you missed any part of today’s show, i beseech you, find it on tony martignetti dot com were supported by pursuing online tools for small and midsize non-profits data driven and technology enabled. Tony dahna slash pursuant radio wagner c p a’s guiding you beyond the numbers regular cps dot com and tell us credit card and payment processing your passive revenue stream tony dot m a slash tony tell us our creative producers claire meyerhoff family boots is the line producer show social media is by sirs and chavez and this great music is by scott stein with me next week for non-profit radio big non-profit ideas for the odd. They’re ninety five percent go out and be great. Kayman you’re listening to the talking, alternate network, waiting to get you thinking. Nothing. Cubine are you stuck in a rut? Negative thoughts, feelings and conversations got you down. Hi, i’m nor ing. Sometimes the potentiality tune in every tuesday line to ten eastern time and listen for new ideas on my show. Beyond potential live life your way on talk radio dot n y c. Me, are you feeling unhappy with your body, shape or size? Ever feel out of control with food? I’m elizabeth from nourish the soul, and on this show you will uncover the route to these imbalances and discover a permanent solution toe having a healthy relationship to food and your body. Join us every thursday morning at eleven a, m eastern time on talk radio dot buy-in. Hey, all you crazy listeners looking to boost your business? Why not advertise on talking alternative with very reasonable rates? Interested simply email at info at talking alternative dot com. Yeah. Are you into comics, movies and pop culture at large? What about music and tv? Then you’re in for a treat. This is michael dulled, your host on talking alternative dot com. I’ve been professionally writing comic books, screenplays and music articles from fifteen years. Catch my show secrets of the sire at its new prime time slot. Wednesdays, eight p m eastern time, and get the inside scoop on the pop culture universe you love to talk about. For more info, go to secrets of the sire dot com dahna. You’re listening to talking alt-right network at www. Dot talking alternative dot com, now broadcasting twenty four hours a day. Are you a conscious co creator? Are you on a quest to raise your vibration and your consciousness? Sam liebowitz, your conscious consultant, and on my show, that conscious consultant, our awakening humanity. We will touch upon all these topics and more. Listen, live at our new time on thursdays at twelve noon eastern time. That’s, the conscious consultant, our awakening humanity, thursday’s twelve, noon on talk radio dot. You’re listening to the talking alternative network. Napor