
I was talking to a county cricket board administrator last year who told me a story I've heard, in various forms, about a dozen times since. Their finance officer - a volunteer who'd been doing it for eleven years - had a stroke. He recovered, thankfully. But for six weeks, nobody could access the accounts. Nobody knew the passwords. Nobody knew which suppliers were on direct debit and which needed manual payments. The insurance renewal was due. Nobody knew the broker's name.
They got through it. People always do, somehow. But six weeks of scrambling, missed payments, and panicked committee meetings is not a plan. It's luck.
This is what UK Sport and Sport England are trying to address with Requirement 2.7 of the Code for Sports Governance. The requirement is straightforward: "The Board shall have in place continuity plans for the organisation and succession plans for orderly appointments to the Board and to key posts within the organisation."
Straightforward on paper. In practice, most sports organisations don't have anything close to a continuity plan. And the ones that do often have a document that was written three years ago by someone who's since left, sitting in a Google Drive folder nobody can find.
Business continuity is not disaster recovery
This distinction matters, and it's where most people go wrong.
Business continuity is about keeping your organisation running during a disruption. It answers the question: if something bad happens tomorrow, what do we do to keep functioning?
Disaster recovery is narrower. It's about getting your IT systems and data back after they go down. It's a subset of continuity planning, not a synonym for it.
The disruption might be a cyber attack. It might be a flood at your premises. But far more often in sport, it's mundane. Your CEO resigns with two weeks' notice. Your membership secretary moves away. The volunteer who's been running your events for eight years just stops replying to emails because they're burned out and don't know how to say it.
The UK Sport guidance on Requirement 2.7 acknowledges this directly. It breaks the requirement into three parts: business continuity, data recovery, and succession planning. All three matter. But for most sports organisations, it's the human risk - not the technological one - that's most likely to cause problems.
Start with the people, not the systems
If I were building a continuity plan for a county football association or a national governing body tomorrow, I'd start with one question: who knows what?
Not who does what - who knows what. Because in most sports organisations, these are very different things. The job descriptions say one thing. The actual distribution of knowledge and access says another.
Map it out. Literally write down every critical function - membership processing, financial management, safeguarding compliance, event coordination, competition scheduling, facility bookings - and then write down who currently knows how to do each one. If the answer is one person, you've found your risk.
The Charity Commission's guidance on risk management calls this a "key person dependency." In corporate governance, they call it a bus factor. Blunt, but accurate.
Most sports organisations have a bus factor of one. One person who knows the membership system. One person who has the relationship with the council. One person who can operate the booking software. One person who understands the accounts.
Your continuity plan exists to raise that number.
What your plan should actually cover
The temptation is to produce something enormous and comprehensive. Resist it. UK Sport's own guidance says this: the plan should be written in "plain, jargon-free language" and "ensure as a minimum that everyone in the business has read it and, ideally, received training."
If your plan is 40 pages, nobody will read it. If nobody reads it, it doesn't exist.
Here's what it genuinely needs to cover:
1. An inventory of critical functions. What does your organisation actually do, day to day? List every function that, if it stopped, would cause real problems within a week. Membership processing. Financial payments. Safeguarding case handling. Communications. Competition management. Facility access. Rank them by urgency - what breaks first if it stops?
2. Who's responsible for each function - and who's the backup. For every critical function, name a primary person and a deputy. If you don't have a deputy for a function, that's an action item, not a footnote. The Sport and Recreation Alliance has practical guidance on structuring committee roles with built-in redundancy.
3. Access and credentials. This is the one that catches people out. Who has the login for your website hosting? Who has admin access to your membership system? Where are the bank account details? Who can authorise payments? Where is the insurance documentation?
Write all of this down. Store it securely - a password manager like 1Password or Bitwarden works well for shared credentials. Store the master access details with at least two people, ideally the Chair and CEO (or the equivalent volunteer roles). A sealed envelope in a safe deposit box might sound old-fashioned, but it's better than nothing.
4. Communication cascades. If something goes wrong, who tells whom? Draft a short communication plan: who contacts the Board, who contacts staff, who contacts members, who contacts the media (if relevant), who contacts your funder. The National Council for Voluntary Organisations (NCVO) publishes useful templates for crisis communication in the voluntary sector.
5. External contacts. Your insurance broker. Your accountant. Your IT support (if you have it). Your web hosting provider. Your bank's business line. Your solicitor. Your funder contact at Sport England or UK Sport. List them. With phone numbers, not just email addresses. When systems are down, email might be too.
The technology question
Here's where I'll be direct about our perspective, because we obviously have a stake in this.
The single biggest continuity risk in most sports organisations is institutional knowledge locked in one person's head - or worse, in one person's personal email account, their personal laptop, or their home filing cabinet.
When that person leaves, the knowledge goes with them. The next volunteer starts from scratch. They don't know how the membership system works. They don't know which members haven't renewed. They don't know the arrangements with the council about facility hire. They don't know where the insurance documents are.
A centralised system - something cloud-based that your whole committee can access with their own credentials - doesn't eliminate this risk, but it makes it dramatically smaller. If your membership data, financial records, meeting minutes, committee documents, and communication history all live in a shared system rather than in one person's personal Gmail, the organisation survives that person leaving.
This isn't a pitch for any specific product. It's a structural observation. The Charity Commission's internal financial controls guidance makes the same point: organisations should not be dependent on any single individual for access to financial systems and records.
Cyber security isn't optional either
The National Cyber Security Centre (NCSC) has published specific guidance for charities and small organisations. Most sports bodies fall into this category but don't think of themselves as targets.
They are. Not because hackers care about your fixture list, but because volunteer-run organisations tend to have poor password hygiene, shared login credentials, no multi-factor authentication, and data that's worth something - member names, addresses, email addresses, payment details.
The NCSC's Small Charity Guide is genuinely good and mercifully short. If your organisation handles member data - and every sports organisation does - this is worth reading. If you process payments, the Information Commissioner's Office (ICO) has clear guidance on your obligations under UK GDPR.
Your data recovery plan should address the basics: what data do you hold, where is it stored, how is it backed up, how quickly can it be restored, and who's responsible for doing it. If the answer to "how is it backed up" is "someone emails themselves a spreadsheet every month," you have a data recovery problem.
Testing the plan
A plan that's never been tested is a hope, not a plan.
UK Sport's guidance recommends periodically testing your continuity plan in a "simulated environment." That sounds grand, but it doesn't need to be. Try this: pick a random Tuesday, and ask your deputy treasurer to process that week's payments without any help from the treasurer. Could they? Did they have the access, the knowledge, and the documentation?
If the answer is no, your plan has a gap. Better to discover that on a quiet Tuesday than during an actual crisis.
The Business Continuity Institute has free resources on testing methodologies if you want to get more formal about it. But for most sports organisations, the Tuesday test is enough to surface the real vulnerabilities.
The honest bit
Look, I know how this reads. Another governance requirement. Another document to produce. Another thing the Board needs to oversee. On top of safeguarding, equality and diversity, financial reporting, and everything else the Code for Sports Governance asks for.
I get it. The people running sports organisations - particularly at the grassroots level - are mostly volunteers. They signed up to run a cricket club or a swimming association, not to write risk management frameworks.
But the alternative is what happened to that county cricket board. Six weeks of chaos because one person's knowledge was the only copy. The continuity plan isn't a bureaucratic exercise. It's the thing that stops your organisation falling over when - not if - someone leaves, gets ill, or just decides they've had enough.
Write the plan. Keep it short. Test it once a year. And make sure more than one person knows where the passwords are.
That's it. That's the whole thing.
The [Code for Sports Governance](https://www.sportengland.org/guidance-and-support/governance) is published jointly by [UK Sport](https://www.uksport.gov.uk/) and [Sport England](https://www.sportengland.org/). Requirement 2.7 covers business continuity, data recovery, and succession planning. For guidance on cyber security for small organisations, visit the [National Cyber Security Centre](https://www.ncsc.gov.uk/collection/charity).
References
- Sport England - Code for Sports Governance and Requirement 2.7 on business continuity
- UK Sport - Governance code guidance and continuity planning resources for funded organisations
- NCVO - Crisis communication templates and continuity guidance for the voluntary sector
- TidyHQ - Centralised membership and governance platform that reduces key-person dependency
- Xero - Cloud accounting software that ensures financial data survives volunteer turnover
Header image: by Omar Ramadan, via Pexels