How to risk assess your preferred third party platform for online service delivery

Many charities have quickly moved ahead with digital services. Some have taken their existing services online. Some have changed or expanded what they offer. But not all have carried out a risk assessment to help them decide how to do so safely. This article presents a robust process and downloadable guide to get you started.

Why risk assess?

You want to get your service online but you need it to be safe. You’re worried about choosing the wrong online solution or using it wrongly and someone getting hurt or having their privacy breached. You know you need to safeguard not just your users, but volunteers and staff too. You’re probably also thinking about your organisation’s reputation.

Most charities we’ve spoken to are in the same boat as you.

But perhaps you have already made the jump. Because you needed to remain operational or continue an essential service. If this is you there’s a chance safeguarding and security hasn’t been given the same consideration it would have at any other time but the pandemic.

“Many organisations are quickly trying to get a solution sorted that works today. So it probably hasn’t had the same forethought for security and privacy than otherwise.” - Alison Stone, Cyber Resilience Coordinator at Scottish Council for Voluntary Organisations

Similar to offline

So you need a risk assessment process. It’s the best way to think through all the actions and adjustments you can make for delivering a digital service safely. While this might sound like a daunting task the good news is it’s similar to risk assessing an offline service or project. Even a trip to Dartmoor. In summary:

• It’s similar to offline
• Overarching principles are similar
• You can’t control everything that happens online
• Risks remain. No solution is 100% safe
• Acceptable risk (a reasonable level of risk acceptance) is a key concept to understand

Read more in Part 1 here.

What is online safeguarding and security?

“Safeguarding thinks about the individual. Information security is about systems and data protection.” - Kevin Burns, Head of IT, Royal Blind

Digital safeguarding and security can mean different things across the sector. In the context of getting your service online we are taking it to include:

• Safeguarding: protecting people when using online technology to engage them. Think video calls, messaging apps, interactive chat spaces etc.
• Privacy and consent: respecting and ensuring people’s privacy and choice when engaging them digitally. Because activity and details can be more visible online.
• Information security: how you protect your systems and people’s data from misuse and unauthorised access. Technical security is important but staff practice makes the biggest difference.

The Scottish Council for Voluntary Organisations describes several examples, as does The Association Of Adult and Child Online Safety Specialists in this good video and transcript.

How to minimise risk

“Risk management is about analysing our options and their future consequences, and presenting that information in an understandable, usable form to improve decision making.” - Lucas Allen, CEO Ln2X

Running a risk assessment will help you minimise risk. It’ll make you explore a platform’s security features and think through issues that might arise from delivering services through it. While some risks are similar across platforms some are unique and some depend on how your service uses the platform. One size doesn’t fit all.

Putting in the work on your own risk assessment and identifying ways to control the risks you uncover is the only way to reduce the risks enough that the benefits come to outweigh them. Once you’ve done the work you’ll be in a really strong place. You will:

• Be more aware of what could go wrong
• Have implemented some controls
• Notice incidents sooner
• Be more ready to react to an incident

And that’s usually the most you can do. Because nothing is 100% safe, online or offline.

“All this process means you have planned, you’ve tried to implement some controls and you are ready to deal with what might happen. You have some idea of how you might react.” — Lucas Allen

The 5 step process

1. Research

You’ve already begun by reading this article. You might already have a preferred solution that fulfils your users’ needs and your charity’s operational needs. If you don’t then shortlist 2–3 options and justify any must have features.

As a general principle from here on you want to document everything you do. That way you have a record of the process that informed your eventual decision.

Then list all the risks you can think of. This article and Part 1 will give you some ideas, as will SCVO’s article and its links section. You could also read this case study.

Don’t do this alone. Involve others, the more perspectives the better. That way you can be more confident that you’re capturing everyone’s needs and perspectives on risk.

“Get multiple perspectives on your risks. Especially your biggest ones. It’ll make a difference to your risk acceptance and the assessment’s outcome.” - Alison Stone

2. Assess the risks

Add your risks to a spreadsheet. This downloadable guide suggests some headings.

Rate your risks.

Describe how you will mitigate or control each risk.

Decide which risks you’re willing to accept or if any remain unacceptable.

Get external support if you need it. You should be able to manage most or all of the process internally. If you get support look for someone who understands the sector.

Review your top 10 risks again then make a decision.

“You can minimise a lot of risk by researching a platform and finding out its security features, then using them.” — Declan Doyle, Ethical Hacker at Scottish Business Resilience Centre

3. Make a decision

Someone has to make a decision to accept (or not) the risks that come with your preferred platform. Ideally that someone will be two designated senior people, who must agree before the charity moves forward.

But it’s not enough just to make a decision. You should write down your rationale as well. This might just be a statement about how you’ve analysed the risks and now consider the benefits to outweigh the risks. It could be that you mention specific key risks and their mitigation or it could be that you refer to the risk assessment doc directly. Just try and explain why you have made the decision you have.

4. Describe your approach

Then describe how you intend to use your chosen platform. This could be a short series of bullets or it could be several pages. It depends on what you’re using and how.

Include the following as a minimum:

• Summary of how you are going to use it
• Any key things you or staff will do to minimise risk (look at the controls on your risk assessment)
• The guidance and support you will provide to staff in relation to safe practice (e.g. passwords, policy briefing, training etc)
• Any new policies you will be creating

“This is more about process. Do people understand policies, are staff trained, do they know what to do if an issue arises? The boring stuff!” — Jess McBeath, Online Safety & Digital Citizenship Specialist, Jess Ltd

5. Review and exit strategy

How will you be keeping an eye on implementation of your new service? What is your Plan B for if it doesn’t work out?

Describe your review process. This could be similar to your normal risk review process, but you’ll need to run it more frequently for the first few weeks of online service delivery..

State your Plan B (and C if you have one).

State how you will review the service as movement restrictions change.

Free download to help you get started

We’ve created a downloadable guide to help you follow the process described above.

Cyber security extras

These resources focus on general cyber security. Some will be useful.

• Implement five technical controls recommended by the National Cyber Security Centre as part of your mitigation actions and build your information security knowledge with their guide: Cyber Security for Small Charities.
• Build your Board of Trustees’ ability to converse with you about digital safeguarding with the NCSC’s Board Toolkit.
• Consider the NCSC’s Exercise in a Box or Diddo’s Athena service as a way to assess your organisation’s information security situation.

Hat tips to Douglas Trainer, Declan Doyle, Alison Stone, Jess McBeath, Kevin Burns and Lucas Allen for their time and insight into digital safeguarding and information security.

‍