Disclaimer: This post may contain affiliate links. These links, if used and purchases made, we may earn a small commission. These affiliate programs do not impact the recommendations we make or the resources we refer you to. Our focus is on providing you the best resources for your nonprofit journey.

Your nonprofit needs a disaster recovery plan, and you probably needed it yesterday. Whether it’s a ransomware attack, a server failure, a flood that destroys your office, or a key staff member disappearing with all the institutional knowledge in their head – disasters happen. The organizations that survive them are the ones that planned ahead. This guide gives you a complete, ready-to-implement framework for building your disaster recovery plan this week.

What Your Disaster Recovery Plan Must Cover

A disaster recovery plan (DRP) answers one question: “When something goes catastrophically wrong, what do we do first, second, and third?” It covers five areas:

Technology and data recovery – How you restore systems, data, and communications
Operational continuity – How you keep delivering services during disruption
Financial protection – How you access funds, pay staff, and meet obligations
Communication – How you notify staff, board, donors, and clients
Physical facility recovery – How you handle office/facility damage or loss

Step 1: Identify Your Risks and Critical Functions (Day 1)

Gather your leadership team (ED, operations lead, IT person or consultant, finance) for a 90-minute risk assessment meeting. Work through this exercise:

Risk Inventory – rate each 1-5 for likelihood and impact:

– Cyberattack / ransomware (Likelihood: __ Impact: __)
– Server/system failure (Likelihood: __ Impact: __)
– Natural disaster – flood, fire, tornado, hurricane (Likelihood: __ Impact: __)
– Extended power outage (Likelihood: __ Impact: __)
– Key person departure/incapacitation (Likelihood: __ Impact: __)
– Data breach / loss of sensitive client data (Likelihood: __ Impact: __)
– Vendor failure (hosting provider, software vendor goes down) (Likelihood: __ Impact: __)
– Pandemic / public health emergency (Likelihood: __ Impact: __)

Focus your plan on anything that scores 3+ on both likelihood and impact.

Critical Functions Inventory – list your top 10 functions and their recovery priority:

– Client/program service delivery – Recovery target: __ hours/days
– Email and communications – Recovery target: __ hours
– Financial systems (payroll, AP, banking) – Recovery target: __ hours
– Donor/CRM database – Recovery target: __ hours/days
– Website – Recovery target: __ hours/days
– Phone system – Recovery target: __ hours
– Client records / case management – Recovery target: __ hours
– Grant reporting and compliance – Recovery target: __ days

The recovery target is your Recovery Time Objective (RTO) – how quickly you need each function back online. Be realistic but aggressive. Payroll and client services likely need 24-48 hour RTOs. Your website can probably wait a week.

Step 2: Build Your Technology Recovery Plan (Day 2-3)

Technology failure is the most common disaster scenario for nonprofits. Here’s your checklist:

Backup Strategy (Implement This Week If You Haven’t Already)

The 3-2-1 Rule: 3 copies of your data, on 2 different types of media, with 1 copy offsite/cloud
Automated daily backups of all critical systems. Manual backups are unreliable – someone always forgets.
Cloud-first approach: If you’re not already using cloud-based systems (Microsoft 365, Google Workspace, cloud-hosted CRM), this is your best disaster recovery investment. Cloud providers handle redundancy, backups, and failover for you.
Test your backups quarterly. A backup you’ve never tested is a backup that doesn’t exist. Actually restore a file or database from backup every quarter to confirm it works.

System Recovery Procedures

For each critical system, document:

System name and vendor: (e.g., “Salesforce CRM – salesforce.org, Account #12345”)
Admin credentials: Stored in a password manager accessible to at least 2 people (use LastPass, 1Password, or Bitwarden – not a sticky note)
Vendor support contact: Phone number, email, account number, support tier
Recovery procedure: Step-by-step instructions for restoring the system from backup or failover
Who’s responsible: Primary and backup person for each system
Recovery time estimate: Realistic hours/days to full restoration

Cybersecurity Incident Response

Ransomware attacks on nonprofits are increasing every year. Your response plan:

Isolate immediately: Disconnect affected computers from the network. Don’t turn them off – that can destroy forensic evidence.
Notify your IT provider/consultant within 1 hour.
Do NOT pay ransom without consulting cybersecurity professionals and law enforcement.
Report to: FBI IC3 (ic3.gov), your state attorney general, and your cyber insurance carrier (if applicable).
Assess data breach scope: Was client PII exposed? You may have legal notification obligations.
Activate backup restoration once the threat is contained.
Notify affected parties per your state’s breach notification laws (typically 30-60 days).

Step 3: Build Your Operational Continuity Plan (Day 3-4)

Remote Work Readiness

If your office becomes inaccessible, can your team work remotely within 24 hours? Ensure:

– All staff have laptops (not desktops) or can access systems from personal devices
– Cloud-based email and file storage (Microsoft 365 or Google Workspace)
– VPN access configured and tested for any on-premise systems
– Video conferencing tool (Zoom, Teams, Google Meet) with all staff trained
– Phone forwarding or VoIP system that works from any location

Service Delivery Continuity

For each major program, document:

Minimum staffing needed to maintain essential services
Alternative service delivery methods (phone, virtual, partner referrals)
Partner organizations that can absorb clients temporarily
Client communication plan: how you’ll notify clients of service disruptions

Financial Continuity

– Online banking access for at least 2 authorized signers
– Payroll processor (ADP, Paychex, Gusto) accessible remotely
– Emergency operating reserve: 3-6 months of expenses in an accessible account
– Insurance policies current: property, liability, business interruption, cyber liability
– Critical vendor contact list with account numbers

Step 4: Create Your Communication Plan (Day 4-5)

In a disaster, communication failures compound every other problem. Build a communication chain:

Emergency Contact Tree:

Tier 1 (within 1 hour): ED notifies board chair, IT lead, and operations director
Tier 2 (within 4 hours): Operations director notifies all staff via text/phone (not just email – email may be down)
Tier 3 (within 24 hours): Program directors notify clients, partners, and key vendors
Tier 4 (within 48 hours): ED notifies major donors/funders as appropriate

Communication templates (write these now, before you need them):

Staff notification: “Our [office/systems] have been affected by [incident]. Here’s what we know, here’s what we’re doing, here’s what you should do.”
Client notification: “Our services are temporarily [modified/suspended] due to [incident]. Here’s how to reach us and what to expect.”
Donor/funder notification: “[Org] experienced [incident]. Our disaster recovery plan is activated. Here’s our recovery timeline and how it affects [grant/programs].”
Media statement (if needed): Brief, factual, forward-looking. Have your board chair or ED as the sole spokesperson.

Keep all emergency contact information in:

A cloud-accessible document (Google Doc or shared drive)
A printed copy stored off-site (board chair’s home or safe deposit box)
Key numbers saved in the ED’s and operations director’s personal phones

Step 5: Document, Test, and Maintain (Day 5+)

Document the Plan

Your DRP should be a single document (15-25 pages) with these sections:

Purpose and scope
Risk assessment summary
Critical functions and recovery priorities
Technology recovery procedures
Operational continuity procedures
Financial continuity procedures
Communication plan and templates
Emergency contact directory
Insurance policy summary
Appendices: vendor contacts, system credentials location, floor plans, etc.

Store it in three places: your cloud drive, a printed binder in the ED’s office, and a printed copy with the board chair.

Test the Plan

An untested plan is a plan that won’t work. Schedule these:

Quarterly: Test backup restoration (actually restore a file or database)
Semi-annually: Tabletop exercise – gather your team and walk through a scenario: “It’s Monday morning and ransomware has encrypted all our servers. What do we do?” Walk through the plan step by step and note gaps.
Annually: Full plan review and update. Update contact information, system inventories, and recovery procedures.

Quick-Start Disaster Recovery Checklist

If you’re starting from zero, do these 10 things this week:

– Set up automated daily backups with offsite/cloud storage
– Test that you can actually restore from backup
– Store all critical passwords in a shared password manager (not one person’s head)
– Ensure 2+ people have admin access to every critical system
– Confirm remote work capability for all essential staff
– Set up online banking access for at least 2 authorized signers
– Create an emergency contact tree with personal phone numbers
– Write 3 communication templates (staff, clients, donors)
– Review insurance policies: property, liability, business interruption, cyber
– Schedule a 90-minute risk assessment meeting with leadership to build the full plan

You don’t need a perfect plan – you need a plan. Start with the checklist above, build out the full DRP over the next 2-4 weeks, and test it regularly. The organizations that recover from disasters aren’t the ones with the most resources – they’re the ones that thought about it before it happened.

More Uncategorized Resources