Approved by the Community Action Council of Lewis, Mason & Thurston Counties Board of Directors on xxx

COMMUNITY ACTION COUNCIL OF LEWIS, MASON & THURSTON COUNTIES

RISK MANAGEMENT PLAN

Strengthening individuals and families to lessen the impacts of poverty


Table of Contents

Overview & Philosophy

Risk Management Philosophy

Risk Management Goals

General Safety Principles

Responsibility for Risk Management

Board of Directors

Legal Counsel for the Organization

Executive Director or CEO

Chief Financial Officer or CFO

Director of Housing & Emergency Services

Director of Family Services

Executive Assistant

Finance Committee

Governance Structure

Articles of Incorporation

Bylaws

Conflict of Interest Policy

Board Operations

Board Manual

Board Orientation

Board Development

Board Assessment

Board Recruitment and Nomination

Board Minutes

Risk Financing Strategy

Human Resources

Written Employment Policies

Communicating Policy Changes

Use of Position/Job Descriptions

Employee Orientation

Staff Supervision

Performance Review

Programs and Services

Client Safety

Staff Code of Conduct

Client Code of Conduct

Guidelines for Interpersonal Relationships

Position Descriptions

Applications

Interview Guide

Reference Checks

Criminal History Background Checks

Emergency Procedures

Facilities Access

Training and Supervision

Financial Management

Financial Responsibilities and Objectives

Budgeting Process

Fiscal Policies

Contract Compliance Review

Facility Risks

Facility Needs

Facility Design

Inspections

Facility Rental/Lease Policy

Policy Concerning Invitees

Using Others' Facilities Policy

Policy Regarding the Use of Others' Homes or Apartments

Emergency Planning Policy

Technology and Information Management

Policy Concerning the Use of Wireless Communications Devices

Safeguarding Equipment and Systems

Development of Systems Inventory

Physical Security for Technology Assets

Limiting Access to Confidential Information

Disaster Recovery Plan

Managing Internet and World Wide Web Risks

Internet Security

Website Functionality

Website Content

Social Network Guidelines

Transportation

Authorized Vehicle Use Policy

Driver Training

Vehicle Maintenance

Accident Procedures

Crisis Management

Emergency Planning

Business Continuity Planning Policy

Internal Distribution Policy for BCP Policies and Procedures

Vital Records, Data and Documents Backup Policy

Crisis Communications Policy

General Evacuation Policy

Special Accommodations

Insurance Program

Insurance Advisors


Overview & Philosophy

Risk Management Philosophy

Community Action Council of Lewis, Mason & Thurston Counties aspires to operate in a way that protects the health, safety and security of clients, staff members and volunteers while lifting up the organization's mission and safeguarding assets needed for mission-critical programs and activities.

Risk Management Goals

Community Action Council of Lewis, Mason & Thurston Counties seeks to harness state-of-the-practice nonprofit risk management principles and strategies in order to create and sustain a safe environment that enables the caring delivery of services and the creation of meaningful opportunities for individual and community involvement.

General Safety Principles

• Community Action Council of Lewis, Mason & Thurston Counties strives at all times to operate in compliance with local, state, and federal laws and regulations.

• Community Action Council of Lewis, Mason & Thurston Counties adheres to the policies and standards of [name of national umbrella organization or accrediting agency] in matters related to the health, safety, and well-being of service recipients.

• All adults involved in Community Action Council of Lewis, Mason & Thurston Counties bear responsibility for the health, safety, and security of service recipients. This is a primary responsibility of the board of directors, CEO, operational volunteers, and program staff.

• Community Action Council of Lewis, Mason & Thurston Counties purchases insurance coverage as a financing mechanism for certain risks, but recognizes that insurance is not a substitute for vigilance in planning and implementing programs. Safety and risk management activities are multi-faceted and include:

  o Thoughtful screening, selection and training of operational volunteers and employed staff.

  o Creation and enforcement of policies, standards, guidelines, and procedures as guides for planning.

  o Maintaining safe and secure facilities.

  o Establishing procedures to be followed in the event of an emergency.

  o Maintaining clear communications channels.


Responsibility for Risk Management

Board of Directors

• Sets risk management goals, adopts annual operating objectives and budget with risk management included.

• Adopts annual capital budget with risk management in mind.

• Reviews operational reports to determine compliance and future priorities.

• Ensures compliance with policies and standards imposed by national organization or accrediting organization.

• Adopts and establishes policies and standards.

• Reviews the organization's insurance program periodically.

• Reviews the organization's risk management plan annually.

Legal Counsel for the Organization

• Serves as advisor to the Board of Directors in legal matters, making referrals to specialists on an as needed basis.

• Advises senior staff on the contracts, agreements, forms, etc.; reviews contracts on an as needed basis.

Executive Director or CEO

• Assigns staff to design and carry out safety and risk management activities.

• Assigns staff to perform annual review of the safety and risk management activities.

• Executes contracts for the organization.

• Keeps the board apprised of emerging threats and opportunities facing the organization.

Chief Financial Officer or CFO

• Responsible for all Corporate Assets including financial and capital.

• Coordinates annual corporate financial and compliance audit process.

• Develops/monitors Council’s annual budget.

• Prepares monthly financial reports for Board review.

• Coordinates with all external monitors/auditors.

• Develops, implements and monitors loss prevention programs.

• Integrates risk management throughout the organization's programs.

• Manages organization’s client data management system (CSST)

• Coordinates delivery, storage and distribution of surplus commodities; manages inventories and reporting

• Maintains all of the Council’s facilities.

• Responsible for all affordable housing assets.

Director of Housing & Emergency Services

• Responsible for all operational responsibilities associated with programs in the division including, but not limited to Energy Assistance and Weatherization.

• Responsible for orientation of all new staff within program division

• Operation and implementation of the Employee Handbook


Director of Family Services

• Responsible for all operational responsibilities associated with programs in the division including, but not limited to Housing Rehabilitation, Women, Infants and Children and Monarch Children’s Justice and Advocacy Center

• Responsible for orientation of all new staff within program division

• Operation and implementation of the Employee Handbook

Chief Accountant

• Responsible for onboarding new employees, performing exit interviews, payroll and employee benefits

• Ensures completion of employee background checks

• Employment contract reviews including indemnity agreements, hold-harmless agreements and consent forms.

Executive Assistant

• Coordinates Board of Director functions and meetings

• Coordinates meetings of the Finance Committee.

• Monitors and evaluates the insurance policies, maintaining appropriate funding levels, accurate loss forecasting, claims management, loss prevention and cost containment programs.

Finance Committee

• Champions organization-wide effort to protect the vital assets of Community Action Council of Lewis, Mason & Thurston Counties and engage key stakeholders in risk management activities.

• Convenes periodically to review the Agency's priority risks and corresponding risk management strategies.

• Oversees the development, implementation and monitoring of loss prevention programs.

• Oversees the purchase of insurance for the organization.

• Evaluates the insurance program.

Governance Structure

Articles of Incorporation

Community Action Council of Lewis, Mason & Thurston Counties was incorporated in the State/Commonwealth of Washington on April 19, 1966. The Articles of Incorporation were last reviewed by legal counsel in August 2015 to ensure compliance with state laws. We have maintained our corporate status by filing with the state as required by law. The date of our last filing was November 28, 1988. The Board and legal counsel will review the Articles of Incorporation every two (2) years (beginning 2011) to maintain their currency and legality. The Articles of Incorporation are stored at the Lacey Family Resource Center, at 3020 Willamette Drive NE, Lacey WA 98516.


Bylaws

The bylaws were originally filed and approved by the State of Washington on November 26, 1968. Board representatives reviewed the bylaws to determine the need for any revisions and, if necessary, followed the proper amendment process. All amendments were filed with the state and the last filing was made in September 2014. The bylaws were reviewed by legal counsel in September 2014 to ensure compliance with federal, state and local laws. The Board will review the bylaws every two (2) years beginning in 2011 and propose amendments as needed. Every member of the board receives a current copy of the bylaws when they join the board and whenever the bylaws are amended. The original bylaws as approved by the state and any amendments are stored at the Lacey Family Resource Center located at 3020 Willamette Drive NE, Lacey WA 98516.

Legal counsel will review the indemnification provision for compliance with state law every two (2) years beginning in 2011. The indemnification provision is funded by a Directors' & Officers' liability insurance policy with a term of one (1) year. The policy limit of liability will be consistent with all current contract requirements.

Conflict of Interest Policy

The conflict of interest policy was adopted by the Board on September 27, 2006. Every year each board member completes and signs a disclosure statement declaring any known conflicts and agreeing to comply with the policy. These annual statements are gathered in September of each year.

Board Operations

Board Manual

Each new member will receive the Council’s Board of Director Manual. Members can choose to receive documents in a hard copy format or digital format. They will also be granted access to the Board Member’s Only Website, which will contain the most recent documents in the manual. This website is secure and can only be accessed by staff and the Board. Information on the site includes all of the Council’s operating policies/procedures, reports, minutes, etc.

Board Orientation

Once a new member application is reviewed and accepted formally by the Board of Directors, the Executive Assistant will schedule an orientation with the CEO within six months of being seated. The discussion will include, but is not limited to:

• The overview of roles and responsibilities as a new member. This will include lists of meetings, current members and committees, commitment letters, conflict of interest policies and whistleblower policy

• Board meeting minutes

• Current fiscal documents

• Other corporate documents, such as Bylaws and Articles of Incorporation

• Agency Overview

• Strategic Planning and other important data

• A tutorial of the members-only website.


Board Development

The Board of the Council is dedicated to improving the skill and knowledge of its members by continually educating the members on the legal, financial and operational aspects of governing a nonprofit organization. The board will allocate time during the year to increase its governance knowledge.

Board Assessment

To become a more effective board, the board members of Community Action Council of Lewis, Mason & Thurston Counties will conduct a board self-assessment at least once every three years beginning in 2012. The Board will use the self-assessment as a tool to improve its performance and energize the organization to achieve its mission.

Board Recruitment and Nomination

Community Action Council of Lewis, Mason & Thurston Counties strives to have a diverse and qualified board with people who bring the skills, qualities and expertise needed to lead and govern the organization in accomplishing its mission.

Board Minutes

Community Action Council of Lewis, Mason & Thurston Counties recognizes the importance of the board meeting minutes and each board member is aware of his/her responsibility for ensuring the accuracy of the minutes. The minutes are maintained in a safe location to preserve their integrity.

Risk Financing Strategy

To safeguard the assets and resources of the Council, the organization will purchase insurance for those insurable risks of major importance to mission-critical operations and the financial health of the organization. It is the COO’s and CFO’s responsibility to oversee the organization's insurance program and provide an annual insurance report to the board.

Human Resources

Written Employment Policies

The Council has adopted a number of critical employment policies which are contained in the Employee Handbook. The Handbook is distributed to all incoming staff within the first week of employment and employees are required to acknowledge receipt of the Handbook and an agreement to abide by the policies therein. It is the organization's policy to review the Handbook carefully prior to taking any disciplinary action against an employee to ensure that the organization's policies have been followed. Employees who have questions or concerns about any of the policies contained in the Handbook are encouraged to speak with their direct supervisor or the COO.

Communicating Policy Changes

All new policies are communicated in writing to staff through the use of memos and other appropriate policy documents. In addition, new policies are incorporated in the policy manual when that manual is updated periodically.

The Council reviews and updates its Employee Handbook every five years to ensure that policies remain suitable to the organization and in compliance with state and federal laws. The organization obtains assistance from a personnel attorney in this effort. Policies are available to all staff on the agency share drive.

Use of Position/Job Descriptions

The Council uses job descriptions for both paid and volunteer positions in the organization. These documents are developed by supervisory personnel and updated on an “as needed” basis.

Employee Onboarding & Orientation

The Chief Accountant is responsible for conducting an onboarding session for all new employees within the first week of employment. During this session, key provisions of the Employee Handbook are discussed and the employee is encouraged to ask questions about any aspect of employment policy or operations. The Division Director is responsible for conducting an Employee Orientation, which includes introductions to other staff. During this session, employees are provided with an overview of equipment and systems they will be required to use.

Staff Supervision

The Council views effective staff supervision as an essential component of risk management. Supervisory staff is expected to communicate their expectations of direct reports clearly and consistently and hold employees accountable with regard to key tasks and responsibility and compliance with the organization's employment policies. All employees are encouraged to raise concerns or questions about work priorities and assignments with their direct supervisor.

Performance Review

The purpose of the Performance Review is to assist employees in achieving their highest level of performance. In each category listed on the approved Review form, there are several factors which are taken into consideration in evaluating the employee's overall performance. Supervisors conducting the Review will rank each appropriate factor as illustrated on the Review. Written comment reflecting/documenting the ranking is to be made in the space provided immediately below each category. Upon completion of the review, with review and comment by the supervisor, employee and reviewer, the original document will become part of the employee's personal file. A copy of the review will be provided to the employee.

Types of Performance Reviews

• 90 Day/Probationary for new employees

• 6-month review for new employees

• Annual required for all employees to be eligible for annual step increase

• Other review might be required if an employee is placed on probation


Programs and Services

The Council administers a number of services including housing, emergency services, child abuse services, etc. Each service has identified protocols specific to the service provided to reduce risk and exposure.

Client Safety

Staff Code of Conduct

The Council's Employee Handbook addresses code of conduct.

Client Code of Conduct

Each of the Council's programs employs specific rules regarding participation.

Guidelines for Interpersonal Relationships

In pursuit of its mission, the Council seeks to provide appropriate activities and services to its clients. All activities must meet the organization's guidelines and have its approval. Acceptable activities and services are documented in position descriptions and program handbooks. Violation of or disregard for these guidelines may pose an undue danger to our clients, staff and the organization and may lead to disciplinary action.

Position Descriptions

The Council has developed job descriptions for all positions in the organization.

Applications

The Council uses an application form for paid and volunteer positions.

Interview Guide

The Council uses an interview guide as a strategy for managing the risks associated with interviewing prospective staff and volunteers. All personnel involved in interviewing have been trained on the principles contained in the guide.

Reference Checks

The Council’s screening process includes checking references for finalists for both paid and volunteer positions.

Criminal History Background Checks

It is the policy of the Council to conduct criminal history background checks on all successful candidates for paid employment and volunteer service. The results of these checks are reviewed against the organization's eligibility criteria to determine whether any applicants must be excluded due to the results of the background check.

Emergency Procedures

To ensure the safety of our clients, the Council has established an Emergency Action Plan. The Emergency Action Plan is a way for the Council to prepare and plan for various emergencies. All personnel are responsible for knowing and following the plan. Each facility must schedule and hold emergency drills to test the Plan and ensure its readiness in the event of an emergency.

Facilities Access

The Council has adopted a policy requiring central check-in for all unscreened personnel and visitors to the organization's facilities and premises. Once checked in, all visitors must be escorted on the premises.

Training and Supervision

It is the Council's intent to retain a well-trained and skilled staff to best serve the needs of our clients. The Council encourages staff to participate in additional training that will enhance their skills.

Financial Management

Financial Responsibilities and Objectives

It is the responsibility of the Board of Directors to formulate financial policies and periodically review the operations and activities of the Council. The Board delegates this oversight responsibility to the Finance Committee, of which the Treasurer is the Chair. The CEO of the organization acts as the primary fiscal agent with responsibility for implementing all financial management policies and procedures on a day-to-day basis. The CEO may delegate to qualified professional staff (CFO) the responsibility for managing various aspects of financial management. The Council's primary financial management objectives are to:

• Preserve and protect financial assets needed for mission-critical activities.

• Exercise appropriate care in the handling of incoming funds and disbursement of outgoing funds.

• Strive for transparency and accountability in fiscal operations.

Budgeting Process

The CFO will prepare the budget for each fiscal year (October 1 - September 30) to be presented for approval by the Finance Committee of the Board of Directors. At its Annual Meeting in September, the Board of Directors will approve the Council’s budget. The Finance Committee will meet quarterly to review the budget and approve any significant changes. The CFO will provide a financial report at each of the Board of Directors meetings.

Fiscal Policies

The CFO is responsible for the development of and adherence to the Council’s fiscal policies and procedures. Policies should include at a minimum the internal controls, the annual compliance and financial audit procedures, investment policies, production of interim financial statements, gift policies, solicitations, etc. The CFO will update policies annually to ensure policies are consistent with applicable regulations. Policies will be prepared and presented to the Council’s Finance Committee for ratification annually.

Contract Compliance Review

The Council employs a contract review process to ensure that the Council’s procedures, practice and operations are consistent with the compliance requirements of contracts executed by the Council. The CFO is responsible for the review process for all contracts executed by the Council. The process will include the development of a routing and tracking document showing that all affected parties have reviewed the documents. The review of each contract will include:

• Special terms and conditions

• General terms and conditions

• Scope of work

• All attachments and conditions

• All referenced CFR’s, USC’s, Office of Management and Budget (OMB) circulars, Executive Orders, Public Laws, RCW, WAC’s, etc. will be reviewed and as appropriate filed on the Council’s server for access.

During the review process, questions/concerns related to compliance will be addressed. The CFO will be notified of all reporting requirements.

Facility Risks

Facility Needs
In achieving the Council’s mission, it seeks to fully utilize its resources and assets. The prudent use of facilities and resources is required to protect the safety and well-being of all personnel including staff, volunteers, interns and service recipients while safeguarding the organization's financial assets.

Facility Design
The Council is committed to providing a safe environment for its clients and staff through the appropriate use of its premises whether owned, leased or borrowed. The organization strives to construct or modify each property to efficiently and effectively provide services to clients while meeting all required codes and regulations.

Inspections
To ensure the safety of the Council’s operations, it will inspect its facilities on a regular basis to ensure compliance with regulations, accreditation standards and its own principles.

Preventive Maintenance
To protect its property, personnel and clients from harm, the Council will take steps to ensure that the organization complies with manufacturer-recommended guidelines for maintenance and repair of equipment and premises, building codes and safety regulations of all jurisdictions applicable to its facilities and maintains a log of service, repair and replacement.


Facility Rental/Lease Policy
The Council rents/leases its facilities to outside groups as appropriate.

Policy Concerning Invitees
As a facility owner, the Council is committed to providing outside users of its premises with a safe environment. This commitment includes, but is not limited to, meeting building code requirements, making timely repairs and providing and maintaining appropriate security.

Using Others' Facilities Policy
The Council will lease space to provide its services at the best market rate available in locations consistent with the need to lease facilities. When drafting or signing a lease agreement, considerations will include but are not limited to:

• Maintenance and upkeep - who is responsible for general upkeep: trash pickup, repairing broken steps and clearing snow or ice.

• Mutual indemnification - a contract clause that assures that each party only assumes legal responsibility for those areas or activities under its control

• Instructions on the use of property and facilities - detailed directions on how special features operate (e.g. alarm system, fire escape, window air conditioner) and what to do if problems occur

• Limits on accessible areas - if the organization is only using a part of the premises or if certain areas are off limits (e.g. roof, basement, parking lot/garage, outbuildings)

• Potential hazards - specific warnings about dangerous or hazardous conditions on the premises

• Delegation or supervision - when the landlord/owner chooses to provide staff to assist with supervision (e.g. lifeguards at a swimming pool).

• The Council will determine if the use is consistent with its current insurance or if additional insurance (i.e. event insurance) sufficient to cover the event will be required.

The Council will spell out its requirements and negotiate the most favorable agreement possible. The Council will seek legal review, if necessary, prior to entering into a lease, whether the arrangement is for a long-term or short-term occupancy.

Policy Regarding the Use of Others' Homes or Apartments
The Council recognizes that many accidents occur when organizations have good intentions but poor planning. It will only accept the generous offer of the use of a private home or rental apartment for its purposes when:

• Staff has ascertained that a public facility cannot be held to accommodate its needs (purpose, budget, dates, times, etc.)

• There is adequate Council insurance coverage to cover injury or accidents to visitors to the residence.

• Parents or guardians of any vulnerable participants sign a waiver that is specific about any dangers associated with the use of the home (e.g. use of a swimming pool, riding horses on a ranch or farm, etc.).


Emergency Planning Policy
It is the policy of the Council to promote good health, well-being and occupational safety for its employees, volunteers and service recipients. Emergency situations require the participation of all staff; everyone must be familiar with emergency operations. Certain responsibilities are defined to ensure smooth operations. The emergency plan must be readily available, posted in a prominent location and reviewed annually by the organization's senior management.

Technology and Information Management
The Council's current policy for use of technology is available to all employees for review.

Policy Concerning the Use of Wireless Communications Devices
As part of the organization's commitment to safety in the delivery of programs and services, the Council places special emphasis on the safe operation of motor vehicles used by employees or volunteers to conduct the organization's business. In the event that an employee must use a wireless communications device (hereinafter "WCDs") while driving, it should be used only in a life-threatening emergency and when the employee cannot pull to the side of the road and stop safely. For the purposes of this policy, WCDs include, but are not limited to, wireless phones, personal digital assistants, computers, online email devices, navigation aids and any other information or entertainment service or equipment, whether or not such devices are provided by or paid for by the organization. Employees are advised to adhere to the following safety precautions with respect to the use of WCDs:

• If you must make a telephone call while driving on the organization's business, pull into a parking lot or off the road onto a wide shoulder and park the car before retrieving the telephone to receive or make the call.

• Exercise extreme caution if pulling on or off the shoulder of a busy thoroughfare.

• Where possible, try to make all necessary calls before setting off on a trip or after arriving safely at your destination.

• Call for help to protect yourself and your passengers from dangerous situations or to report an emergency situation involving others. Dial 911 in case of fire, traffic accident, road hazard or medical emergencies.

Employees and volunteers who violate this policy are subject to discipline, up to and including termination of employment or volunteer service. The Council’s Employee Handbook should be consulted regarding the use of WCDs.

Safeguarding Equipment and Systems

Development of Systems Inventory
The Council is committed to preserving its assets. To expedite recovery from an incident involving the organization's equipment and systems, the CFO has been assigned the responsibility for establishing and maintaining an inventory and documentation of all systems. The documentation shall include a complete inventory of electronic equipment and computer technology including hardware, software, media and data. The CFO will update the documentation on a quarterly basis or as warranted by system acquisitions. The inventory will be stored on-site as well as off-premises.


Physical Security for Technology Assets
The Council is committed to protecting its office technology assets. The organization takes all reasonable steps to protect and safeguard systems and equipment from damage due to power fluctuations, water damage, dust, extreme temperature change and other environmental factors. In addition, the organization guards against threats due to viruses, worms, malicious software and hackers. The Data/IT Department is responsible for overseeing the security of office systems.

Limiting Access to Confidential Information
Due to the nature of the Council’s programs, it has client files containing confidential information as well as business records that are proprietary. It is essential to limit access to certain records to only personnel whose positions require access. Confidential information in paper form will be stored in locked file cabinets or in a locked room as necessary or required. All personnel should use good judgment and common sense in protecting confidential information while in use during business hours. The Data/IT Department will oversee the creation of a system to limit access to electronic records based on duties and responsibilities in the organization. Access will also be protected through the use of passwords. Access will be modified from time to time as work assignments change. Any employee who intentionally obtains unauthorized access to records shall be subject to discipline, up to and including termination. Any employee who accidentally obtains access to confidential records should inform his or her supervisor immediately.

Disaster Recovery Plan
Information technology is critical to the Council’s ability to provide its programs and services. As a key component of the Council’s operations, the Data/IT Department is responsible for establishing a disaster recovery plan for its network and computer operations. All employees and volunteers will support this staff person in developing, maintaining and testing the plan. All personnel involved with the disaster response must be familiar with the plan and their assigned roles and responsibilities.

Managing Internet and World Wide Web Risks

Internet Security
Due to the critical nature of the Council’s information systems and network, it will implement the most stringent yet appropriate security measures to protect its information. The Data/IT Department is responsible for devising and implementing its security protocols. The failure of staff to follow these security protocols may result in suspension of privileges or disciplinary action, up to and including termination.

Website Functionality
Due to the importance of the Council’s website, the Data/IT Department has been assigned responsibility for the site. This position shall oversee the creation of a policy to ensure ongoing monitoring/maintenance of the website. This policy shall include a process for suspending the operation of the site when required as well as its speedy restoration.


Website Content
To maintain the integrity of the organization's website, the Data/IT Department will oversee the content and the feel of the site. This position is responsible for ensuring that content meets the organization's quality standards and that due diligence has been completed to ensure that the organization is within its rights to use any material it posts. As part of its work to protect the reputation and legal interests of the organization, the Council will post the following website disclaimer, effective September 2011:

Website Disclaimer: All materials posted on this site are subject to copyrights owned by Community Action Council of Lewis, Mason & Thurston Counties or other individuals or entities. Any reproduction, retransmission, or republication of all or part of any document found on this site is expressly prohibited, unless Community Action Council of Lewis, Mason & Thurston Counties or the copyright owner of the material has expressly granted its prior written consent to so reproduce, retransmit or republish the material. All other rights reserved. The names, trademarks, service marks and logos of Community Action Council of Lewis, Mason & Thurston Counties appearing on this site may not be used in any advertising or publicity or otherwise to indicate the organization's sponsorship of or affiliation with any product or service with the organization's prior express written permission. Although this website features links to other sites, Community Action Council of Lewis, Mason & Thurston Counties takes no responsibility for the content or information contained on those sites, as it does not exercise editorial or other control over these sites. This website provides information and services in furtherance of the Council’s mission. The Council makes no representations about the suitability or accuracy of the information on its site for any purpose. If you see any objectionable, inaccurate or improperly functioning content or features on this site, please contact the Council as soon as possible.

The following policy statement is posted on our website:

Web Privacy Policy
Community Action Council of Lewis, Mason & Thurston Counties respects the privacy of visitors to its website. We strongly believe that if electronic commerce and online activities are to flourish, consumers must be assured that information provided online is used responsibly and appropriately. To protect online privacy, the organization has implemented the following policy:

Information the Council Collects: Most of the data and information collected through its website is used only to help us achieve the Council’s mission. It is the Council’s policy to collect and store only personal information that the clients knowingly provide.

• For Casual Website Visitors and General Users: The Council does not collect any personal information from users browsing our website. When you use the public areas of our website you are doing so anonymously. The Council does collect aggregate use information, such as the number of hits (visits) per page. It aggregates data for internal and marketing purposes, but we don't collect any personally identifying information.

• For Clients, Donors and Other Customers: If while visiting the Council’s website, you apply for a program, register for a conference, submit a technical assistance question, or request other information, you may be asked to provide certain information. In all cases this information is submitted voluntarily. In most cases, we ask clients to provide their name, title, organization name, address, telephone and e-mail. If you're making a donation, you may be asked for credit card information in order to complete your purchase. Similar information may be submitted to us on an order form or registration form.

• Customer Lists - The Council’s client list is not for sale. When you visit our website or become a client, your name and mailing information will not be sold to a commercial organization.

• Credit Card Account Information - We utilize secure transaction methods when collecting credit card information over the Internet. The Council does not disclose credit card account information provided by its clients. The Council submits the information to the appropriate clearinghouse in order to obtain payment.

• How the Council Uses Cookies - Cookies are small text files that are sent to your computer when you log on to a website and that allow the Council to identify you when you return to the site. The Council uses cookies only to support the operations of its shopping cart. It does not use cookies to track your usage or any other personal information about you.

Social Network Guidelines
The Council employs a variety of communication channels to reach out and connect with clients, the communities, and business partners. The use of social media tools allows us to communicate with the public, to promote CAC and monitor how the organization is perceived. Social media provides new opportunities to attract and retain clients, promote and build awareness of our programs and services, and gain recognition in the community. The Council has adopted a set of guidelines for use of social media by the Council. The guidelines are illustrated in a separate document entitled “Community Action Council of Lewis, Mason & Thurston Counties, and Social Media Use Guidelines”.

Transportation

Authorized Vehicle Use Policy
Providing transportation services to clients is not a mission-critical function; however, the organization recognizes its responsibility to provide safe and efficient transportation for employees for the conduct of the Council’s business. The following rules apply to all drivers and vehicles:

• Only people approved and authorized by the Council are permitted to drive either an agency owned vehicle or any other vehicle on the organization's behalf.

• Agency owned vehicles are not to be driven for personal use without the permission of the CEO or his/her designee.

• While driving on behalf of the organization, personal errands should be avoided.

• Agency owned vehicles are to be used within the approved guidelines for use.

The Council is committed to providing a safe environment for its staff and clients. To achieve this goal, anyone driving on behalf of the organization must be approved. All approved drivers must possess a valid Washington State driver's license, acceptable driving record, and adequate personal automobile insurance. Further, all drivers must be approved by the Council’s insurance company. If a staff person is using their vehicle on behalf of the Council on a regular basis as part of their assigned duties, they must produce proof of insurance.

Driver Training
The Council strives to provide a safe environment for all of its personnel. In light of this goal, it is necessary that all persons driving on the organization's behalf know and understand the organization's transportation policies and procedures. Each authorized driver is expected to participate in a driver orientation program conducted by the appropriate Program Manager/Director prior to driving for the organization. During the orientation program authorized drivers will review the following issues:

• Driver safety rules.

• Authorized use of agency owned, leased and personal automobiles.

• Operating specially-equipped agency or leased vehicles or vehicle equipment.

• Pre- and post-trip vehicle inspections.

• Vehicle maintenance guidelines.

• Accident procedures.

Persons who drive on the Council’s behalf are subject to oversight by their direct supervisor. As part of the regular performance review process, driver performance will be assessed annually and continuing eligibility to drive will be verified. This verification will include review of a current Motor Vehicle Report (MVR) to ensure that the driver meets the organization's minimum eligibility requirements, appropriate insurance coverage and review of any deficiencies to determine if any corrective action is required. The Council does not permit 15-passenger vans to be used on the organization's behalf. Permitted vehicles include buses, small vans and passenger vehicles designed to carry at least four passengers. All vehicles used on the organization's behalf must be inspected prior to use and must, at a minimum, have the following equipment:

• Adequate tire tread.

• Working brakes.

• Operational windshield wipers and wiper fluid.

• Operational defroster.

• Appropriate side and rear view mirrors.

• Working seatbelts for all occupants.

Vehicle Maintenance
It is the policy of the Council to inspect all vehicles, except personal vehicles, frequently. Vehicle operators/custodians are responsible for ensuring vehicles are serviced/maintained according to the manufacturer's recommended schedule. Any safety problems should be reported by vehicle operators/custodians to the fleet coordinator immediately for proper follow-up.

Accident Procedures
Any accident involving a motor vehicle driven on the Council’s behalf, regardless of severity, location or fault, must be reported immediately to the law enforcement authority within the jurisdiction where the accident occurred and to the driver's supervisor. Fleet vehicles contain an Emergency Kit with the following: reflective triangles, accident procedures, blank accident report, and first aid kit. In the event a rented vehicle is being used, the driver should also follow the procedures outlined on the rental agreement and/or posted in the vehicle. All of the organization's drivers have been instructed to follow this procedure for all accidents:

• Stop and secure the vehicle.

• Set out warning devices (triangles) properly.

• Immediately contact the local police to advise them of the accident and request medical assistance if there are any injuries.

• Once any medical needs are taken care of, obtain information on the other driver or drivers involved in the accident. Use the accident form to record this vital information.

• Provide the other driver(s) involved in the accident with your information and the vehicle's information, including insurance coverage. Insurance information is located in the Emergency Kit of all fleet vehicles.

• Cooperate with the police and other authorities but do not admit fault.

• If necessary, due to the condition of the vehicle, arrange for towing to a nearby garage.

Crisis Management

Emergency Planning
The Council views emergency planning as essential to mission fulfillment. The organization's emergency plans reflect input from key organization personnel. Components of the plan include business continuity, crisis communications and facility evacuation.

Business Continuity Planning Policy
The Business Continuity Plan of the Council will:

• Help the organization fulfill its moral responsibility to protect employees, other stakeholders and the community in which it operates.

• Facilitate compliance with regulatory requirements of federal, state and local agencies.

• Enhance the organization’s ability to reduce its financial losses, regulatory fines, damage to equipment or disruption to service delivery in the event of a business interruption.

• Reduce exposure to civil or criminal liability in the event of an incident.

• Enhance the organization’s image and credibility with employees, clients, funders, vendors and the community.


Internal Distribution Policy for BCP Policies and Procedures
The Council will distribute policies and procedures that need to be enacted to all senior managers and staff initially at orientation and annually thereafter or any time a policy or procedure is added, eliminated or changed.

Vital Records, Data and Documents Backup Policy
In order to ensure the continuity of mission-critical services, the Council will duplicate and store off site all information identified as essential to fulfilling its business continuity plan.

Crisis Communications Policy
During a disturbance or crisis situation, the first priority of the Council is to assure the safety of service recipients, staff and its volunteers; however, the Board of Directors recognizes the need to provide timely and accurate information to parents/guardians and the community during a crisis. The Board also recognizes that the media have an important role to play in relaying this information to the public. To help ensure that the media and the Council work together effectively, the CEO or designee shall develop a crisis communications plan to identify communication strategies that will be implemented in the event of a crisis.

General Evacuation Policy
The organization's building should be evacuated whenever remaining in the building becomes life-threatening, when a warning device (alarm, flashing light, other) is activated or upon the request of authorities. The occupants of the building should be evacuated away from the source following routes posted on each floor. If it is safe to do so, windows and doors should be closed and left unlocked as occupants leave the building. No elevators are to be used in either a drill or an actual fire or other emergency evacuation. Once people have evacuated the building, they should proceed to the designated assembly point and report to their supervisor who will document the safe exit of all employees, volunteers, interns and service recipients under their chain of command.

Special Accommodations
Evacuation of the building shall be by the nearest ramped exit (if accessible) or another exit by those persons working or receiving services on the ground level. Those persons located on an upper floor or a lower level accessible only by an elevator or stairway shall proceed to the designated evacuation area and wait until an assigned person can assist them.

Insurance Program

Insurance Advisors
The Council retains the services of insurance advisors in order to assist the organization with the purchase of adequate insurance coverage at an acceptable price. It is the policy of the Council to evaluate the performance of any and all insurance advisors (agents or consultants) on an annual basis and seek competitive bids for these services no less than every five years. The incumbent advisor will be invited to participate in the bidding process as long as their current performance meets the minimum requirements of the organization. The current insurance policies detailing coverage are on file in the Council’s office located at the Family Support Center in Lacey at 3020 Willamette Drive, Lacey, WA 98516.