Not-for-profit organizations continue to face an ever-evolving and challenging landscape. Executives and audit committees must deal with concerns ranging from attracting and retaining donors and grants to achieving operational and programmatic goals and ensuring compliance with regulatory requirements. One item often overlooked by many not-for-profits is the impact that technology can have on their success. The role of new technology and its use must be a priority for organizations.
Not-for-profits are awash in a sea of data related to their programs and operations, information about current events, research and commentary affecting the organization’s mission and constituents, and regulatory requirements.
Controllers and CFOs are skilled at utilizing this data to assess and correlate various components of the organization:
Along with financial data, operational professionals including CEOs, executive directors, program directors, and department managers rely on operational data, information, metrics, and analytics to drive the organization forward:
Boards of directors rely heavily on both financial and operational information to fulfill their fiduciary responsibility of overseeing the organization as well as their strategic role of advising the organization’s leadership team.
Donors and beneficiaries increasingly expect to be provided with information about the organization’s programs and financial operations; the ease with which an organization’s Form 990 can be accessed online furthers the need to provide the public with information that is both accurate and transparent. Recent changes in not-for-profit reporting requirements intended to enhance transparency and public usability are forcing many organizations to revise internal data flows and their charts of accounts.
As the amount of data and information available continues to grow, and as not-for-profit organizations face increased reporting scrutiny and budgetary pressure, new tools and methods are becoming critical to organizations’ financial and operational efficiency:
The key is for not-for-profit organizations to manage the processes used to collect data and the processes applied to transform the data into information that can be measured, analyzed, and used to optimize the organization’s operations and further the organization’s mission.
Not-for-profit boards and management teams are charged with developing strategic plans to meet programmatic goals, achieve operational and financial viability, and ensure regulatory compliance. It is critical to understand the metrics and analytics that will be needed to execute strategic plans; failure to measure and understand the organization’s activities and progress materially reduces the likelihood of optimizing results. Aligning technology with an organization’s strategic plans to facilitate management of operational and financial activity can be instrumental in helping the organization achieve its objectives.
Many organizations rely on several systems, often including Excel spreadsheets, to generate and capture data, transform it into information, and measure and analyze it. The use of discrete, nonintegrated systems introduces inefficiencies and risks of data inconsistencies. Equally important is to identify the impact that current system limitations may be having on an organization:
The first step to evaluating whether existing systems and workflows require enhancements, or whether systems need total replacement, is determining what specifically the organization desires from its current system. Written, detailed documentation of requirements in functional terms (not computer terms) is crucial:
Once the system requirements have been identified and documented, determine whether existing systems can be enhanced or if replacement is warranted. The process of evaluating software consists of identifying potential solutions, evaluating those solutions against the organization’s requirements, then selecting a system that represents the best fit and most cost-effective solution. When comparing software to the organization’s requirements, consider the importance of the features that the system does not provide and factor in the cost of customization. Consider ease of learning, ease of use, and technical proficiencies that may be required to operate the system, as well as the time and interest (or lack thereof) that may be required to tailor the system to the organization’s specific needs. For some organizations, an ideal solution may be a system that requires much fine-tuning, yet yields extreme flexibility. For other organizations, a more appropriate solution may be a less flexible system that essentially runs itself.
As part of the software evaluation, determine whether the solutions being considered are cloud based or require on-premises servers. Neither model is inherently better, but along with security, scalability, reliability, and performance considerations, on-premises solutions necessitate capital expenditures, whereas cloud-based systems introduce recurring operating expenses.
It is important to recognize that the cost of purchasing the software and any additional hardware often represents only a small portion of the total expense of implementing a system, and to budget accordingly. Fees associated with mapping data and processes to the new system, designing and implementing changes to workflows and controls, and training staff to use a new system often exceed direct software and hardware costs.
Following a formal system evaluation strategy—understanding the required information, metrics, and analytics to further the organization’s mission and operations, explicitly defining the organization’s requirements, then selecting software based on the specific requirements—yields the greatest likelihood of implementing a system that will increase effectiveness, efficiency, and fiscal insight.
Storing, accessing, managing, and using all the data that a not-for-profit organization collects requires computer infrastructure that has adequate capacity and is both reliable and secure. Both on-premises and cloud-based solutions to providing this infrastructure exist, ultimately driven by the software the organization is using, the existing internal or outsourced IT support resources, and decisions about incurring capital versus operating expenses.
Review the organization’s systems and infrastructure periodically and determine the following:
Failing to have and maintain suitable systems and infrastructure introduces material risks:
From the largest multinational corporations to the smallest not-for-profit organizations, nobody is immune from a cyberattack or a cyberbreach. The best an organization can do is understand the risk, then take steps to manage the risk and mitigate the potential impact of a breach.
In order to manage cybersecurity risk, it is important to first understand what cybersecurity is and the specific impact it can have on a not-for-profit. Cybersecurity encompasses not only the protection of hardware and network devices, but also data stored and transmitted throughout the organization. While data privacy is most commonly understood as the focus of cybersecurity, there are three cybersecurity objectives:
All companies and organizations are subject to specific cybersecurity-related compliance requirements, including state privacy laws. Organizations that accept credit cards for donations and program-related revenues are subject to Payment Card Industry Data Security Standard requirements. Not-for-profit healthcare organizations face mandatory Health Insurance Portability and Accountability Act security and privacy regulations. Organizations with donors or constituents in the European Union are required to comply with new General Data Protection Regulation privacy rules.
The costs of a cyberbreach are significant and may include fines and penalties, technology expenditures, forensics and legal costs, constituent notification requirements, operational downtime, and distraction from the mission.
One of the most significant costs to a not-for-profit is the reputational damage that can result from a breach. Donors and constituents entrust the organization with their money and with personal, and sometimes confidential, information; if the organization can’t protect this information while staying focused on its mission, donors and constituents will find another organization that can.
Although there is no way to fully protect an organization’s data, there are best practices that will help to manage risk and mitigate losses in the event of a breach:
Managing cybersecurity risk is an iterative process. Especially in the not-for-profit sector, budget and resources are always constrained and optimally dedicated to mission-supporting programs and activities. But by understanding the importance of cybersecurity, leveraging the use of expert advisors, and focusing on continuous incremental improvement, significant risk reduction is possible.