Because the nature of every organization differs, this can’t be a panacea.
Management should develop policies and procedures collaboratively, taking into consideration the expectations between hybrid and remote teams and which processes and controls can shift to different staff, while maintaining segregation of duties.
You can create new policies and procedures with the following considerations.
Risk Assessment
First, devise a rating scale from low to high and brainstorm risks to the organization financially and operationally, as both have a significant impact.
Evaluate each risk and decide on controls and processes you could implement to mitigate the risk.
Implement controls and processes as above, and schedule time to review and revise the risk assessment periodically, as risks change.
Segregation of Duties (SOD)
This principle divides responsibilities within a critical process. Many organizations maintain SOD surrounding the cash cycle, as this is easiest to identify.
Segregation of duties should apply anywhere feasible, including but not exclusively:
- Investments
- Contributions
- Payroll
- Net assets
- Financial close and reporting
It’s imperative to review roles and responsibilities within each cycle, including IT. Perform on a periodic basis and revise accordingly.
Automate Security Processes
Security automation underpins prevention, detection, investigation, and remediation of cyberthreats.
According to the IBM Cost of a Data Breach Report 2020, malicious attacks cause 52% of breaches and 80% involve breaches with customer personal identifiable information (PII).
Success rides on containing and resolving issues quickly, especially considering the wealth of confidential donor information organizations maintain.
Disaster Recovery and Business Continuity Planning
Disaster recovery plans ensure that business operations can continue to thrive through a period of disruption. Examples include natural disaster, emergency, or a cyberattack.
Identify key operations, functions, and processes. Determine acceptable downtime for each key function, operation, or process and define a plan.
The plan should detail components and strive for minimal interruption when it’s time to share throughout the organization. Hybrid and remote workplaces can cause additional delays in disaster recovery if an organization isn’t adequately prepared.
After arriving at new policies and procedures to best suit your organization, be certain to implement controls according to design. This step, though last, is just as important as the design of new policies and procedures.
For further guidance, see our article on how IT controls testing can help protect data in a post-COVID-19 workplace.