Hoping for the Best While Preparing for the Worst: Nonprofit Risk Management Q&A with former Secret Service Agent James Savage

As businesses reopen around the country, the question on every social sector CEO’s mind right now is when should we open? What is the right thing to do for our employees, customers and clients? I sat down with my good friend and colleague, James “Jim” Savage, to answer this and many more questions in this must-read Q&A. Jim has been on all sides of safety and security — former Secret Service agent, former state trooper and, more recently, former chief of security for Hunt Consolidated. He has dealt with every threat imaginable and now brings his expertise to the social sector as a risk management strategist. When I asked him why he chose the social sector, he replied, “Nonprofits are in the business of people and often don’t have the resources that many for-profit companies do to hire a full-time person dedicated to risk management. I want to provide them peace of mind.”

Peace of mind. That is a good goal for any social sector organization. In fact, the Roman philosopher Seneca encouraged this type of thinking and called it “premeditatio malorum” (the premeditation of evils). It is a strategy to think ahead to all the possible ways things could go wrong and to prepare for them. Seneca said, “Unexpectedness adds to the weight of disaster.” Since 2012, we have strongly advocated to every nonprofit to develop a risk management plan that not only assesses key risks (both good and bad), but also includes a risk mitigation plan. Read our Q&A below for greater insights into these issues during the current uncertain circumstances and beyond.

We have seen more nonprofits cite “safety and security” as a high priority in our strategic plans in the last 3–5 years. What accounts for this trend? How do you define it?

First, nonprofits are businesses comprised of people — their leaders recognize that the world around them is changing. There is an increased feeling of vulnerability. I was thrilled, but not surprised, to hear that you are addressing these possible threats early through strategic planning. Second, “safety and security” is used broadly and encompasses many possible threats:

  • Physical, which includes workplace violence and fear of retribution and robbery
  • Cyber, which includes ransomware, phishing and data breaches
  • Financial, which includes fraud and embezzlement
  • Human Resources, which includes employee termination and grievances
  • Legal, which includes exposure to legal liability due to non-compliance with local, state and federal regulations and ordinances
  • Social Media, which includes stalking, threats and cyberbullying

To mitigate these threats, I encourage every social sector organization — large and small — to identify their key risks from the list above and start developing and implementing proactive policies, trainings and plans. Like all other businesses, nonprofits have a duty of care as an employer and agency. Driving this home are notable trends showing that employees and volunteers are now choosing some nonprofits over others based on how safe they feel in their job and environment. Security is no longer a nice-to-have for nonprofits — it is a must-do to protect your assets, including your reputation as a trusted provider in the community.

If you could pick one risk, what should nonprofits be most concerned about?

As a nonprofit board member and former law enforcement professional, the most persistent issue is cybersecurity. It is the greatest area of vulnerability. And, for nonprofits, it is an even greater risk, because they have volunteers working in their offices and using their technology and systems. The best way to protect your organization is a mandatory, tested training on cyberthreats for all employees and volunteers. I would also encourage policies on use of devices and public Wi-Fi. Most cyberthreats come from a trusting employee clicking a link that leads to disaster. By conducting cybersecurity trainings, you are educating your stakeholders and inviting them to help protect your organization.

Many nonprofits are deciding when to reopen their operations. With the ongoing threat of COVID-19, what advice are you giving to clients?

Safety and security go hand in hand. There is a heightened “duty of care,” and it is elevated now with a known threat. As businesses start to reopen, there is a transfer of liability and responsibility to the business. On the safety side, the business needs to follow all government regulations and checklists — check your local, state and federal government guidelines. On the security side, businesses are given latitude, but they have a responsibility of care — protection of clients, customers and employees. I would ask myself: “Can you pass the reasonableness test with respect to the precautions you are taking?” There are already lawsuits that give us a glimpse at possible issues — employers that didn’t follow proper procedures because of improper training or equipment. It is going to be incumbent on all organizations to provide PPE, follow recommended CDC and other government guidelines, and encourage distancing. I would also encourage a sign-in process, so when the government starts contact tracing, your organization is prepared.

One question that isn’t being discussed enough, but is crucial in the decision to open is: how are our employees and stakeholders doing? We’ve all faced this pandemic together, but our individual experiences have been very different. Some employees have endured extreme stressors and may need extra consideration or support during this time. We are in this together, but we are all having a different experience. Before you make the decision, make sure managers are able to provide mental health check-ins with every employee.

Some nonprofits are having to make tough choices. What should they consider if they need to terminate or furlough employees or contractors?

This is a situation no one is prepared for. But, how you handle this and how you message it internally and externally will determine whether you have sad but understanding former employees or mad and vindictive former employees. You don’t want the latter.

Here are points to consider so that you can preserve the dignity of your employees while making tough choices about termination and furloughs:

  • How can we create a termination process that is compassionate and consistent? How do we protect sensitive financial and donor data? How do we recover computers, storage devices and other company-owned assets?
  • How do we identify high-risk terminations — individuals who may be leaving with cause — and put into place enhanced security measures?
  • How do we identify high-impact terminations of individuals who represent single points of failure in the organization’s business processes and prevent this through cross-training, succession plans and written business continuity plans?
  • Do we have resources that can be provided internally (through an EAP program) or externally (through a workforce board) to get affected employees mental health, financial and job assistance? How do we leverage these early in the process to ease the transition for those employees?
  • How do we message this internally and externally to protect all those involved?

As nonprofits and business are going “back to business,” what should they be thinking about?

There will be two camps: 1) groups that feel they dodged a bullet and go back to the old normal, and 2) groups that feel changed by the threat and use it as an opportunity to grow and evolve into a new normal. I strongly encourage the latter. Your board and leadership team should have an honest conversation about this threat and conduct an after-action review that hopefully will lead to a new (or better) business continuity plan. Consider questions, such as:

  • Where were we strong? Where were we challenged? Why the difference?
  • Where were others strong? What can we learn from them?
  • Were we able to continue conducting critical business outside of the physical office? Why or why not?
  • What did we find out about our business? What is mission-critical?
  • Who were we dependent on that served us well? Not so well?
  • Could we access the systems and data we thought we could?
  • How did our employees and volunteers hold up? Did we lose several along the way?
  • Were we able to meet and communicate effectively outside the office using alternative platforms? Which ones did we like or not like?
  • What could the future look like?
  • What can we do better next time?
  • What supplies do we need to stock up on?
  • What new training should we invest in?
  • Is this something we can do ourselves or should we hire someone to help us?

Some nonprofits are contracting with experts such as yourself to proactively and reactively address issues. This is new for many organizations now. What questions should they be asking to ensure they bring in the right experts for each issue? When should they call an expert rather than consult with the local police?

With budget constraints and manpower challenges, your local police department may not have the capacity to address your specific planning and prevention needs. Most major departments have crime prevention specialists and routinely handle high-threat public events but stop short of an assessment that holistically evaluates your organization in depth.​ So, for many nonprofits, a third-party, objective expert is a wise investment. Think of it like going to the doctor — you want a doctor with a solid reputation and background who asks you lots of questions about your medical history and examines you before giving you a diagnosis or prescription. Security and safety experts will do the same thing — first, they will understand your business and assess the strengths/weaknesses of your current processes. Then, they will assess the risks on their own to find risks you may not know about. And, finally, they should give you a customized menu of possible solutions. They should be well-versed in various standards and their latest applications: premises liability, duties of care, and the reasonable and foreseeable standard. After the assessment, they can also assist with providing trainings, re-writing policies and represent your interests with vendors. The right consultant will serve YOUR interests, not represent any particular brand or product; will have the ability to liaise with the police and first responders on your behalf; and create a security plan for your organization that reflects its business processes and culture.

I know I learned a lot from this interview, and I hope you did as well. If you have any questions about the above, you can contact Jim through his website. If you have experience with taking measures to ensure the security and safety of your nonprofit, please share with us. I hope each and every one of you will incorporate an after-action review as soon as possible into your management team meetings. It is an opportunity to reflect, learn and evolve as a team and practice “premeditatio malorum.”

Features bite-size posts providing the latest trends and ideas within social sector. Place to be inspired, cross-pollinate, and provoke new thinking.