Technology Considerations for Not-For-Profit Organizations

As seen in the CPA Journal

Not-for-profit organizations continue to face an ever-evolving and challenging landscape. Executives and audit committees must deal with concerns ranging from attracting and retaining donors and grants, achieving operational and programmatic goals, and ensuring compliance with regulatory requirements. One item often overlooked by many not-for-profits is the impact that technology can have on their success. The role of new technology and its use must be a priority for organizations.

It’s All about the Data

Not-for-profits are awash in a sea of data related to their programs and operations, information about current events, research and commentary affecting the organization’s mission and constituents, and regulatory requirements.

Controllers and CFOs are skilled at utilizing this data to assess and correlate various components of the organization:

• Are ratios and key performance indicators in line with budget and industry benchmarks?
• Are controls designed appropriately and operating effectively to protect the organization from malfeasance and fraud?
• Are reporting responsibilities and compliance obligations being met?

Along with financial data, operational professionals including CEOs, executive directors, program directors, and department managers rely on operational data, information, metrics, and analytics to drive the organization forward:

• Are programs effectively helping to achieve the organization’s mission?
• Are development efforts and campaigns adequately meeting the organization’s funding needs?
• Are physical facilities and human resources enabling the organization to operate efficiently?

Boards of directors rely heavily on both financial and operational information to fulfill their fiduciary responsibility of overseeing the organization as well as their strategic role of advising the organization’s leadership team.

Donors and beneficiaries increasingly expect to be provided with information about the organization’s programs and financial operations; the ease with which an organization’s Form 990 can be accessed online furthers the need to provide the public with information that is both accurate and transparent. Recent changes in not-for-profit reporting requirements intended to enhance transparency and public usability are forcing many organizations to revise internal data flows and their charts of accounts. 

As the amount of data and information available continues to grow, and as not-for-profit organizations face increased reporting scrutiny and budgetary pressure, new tools and methods are becoming critical to organizations’ financial and operational efficiency:

• Dashboards can deliver up-to-the-minute information about significant data, key performance indicators (KPIs), and metrics so that financial and operational management can immediately be aware of activities or trends that require attention or intervention.
• Big data and business intelligence (BI) tools can help management analyze and understand the disparate data collected by an organization to spot and understand trends and anomalies.
• Artificial intelligence (AI) has the potential to automate repetitive tasks, screen job applicants, and establish more efficient workflows (e.g., automated acknowledgements sent upon capture of donations).

The key is for not-for-profit organizations to manage the processes used to collect data and the processes applied to transform the data into information that can be measured, analyzed, and used to optimize the organization’s operations and further the organization’s mission.

Plan Strategically

Not-for-profit boards and management teams are charged with developing strategic plans to meet programmatic goals, achieve operational and financial viability, and ensure regulatory compliance. It is critical to understand the metrics and analytics that will be needed to execute strategic plans; failure to measure and understand the organization’s activities and progress materially reduces the likelihood of optimizing results. Aligning technology with an organization’s strategic plans to facilitate management of operational and financial activity can be instrumental in helping the organization achieve its objectives. 

Identify Gaps 

Many organizations rely on several systems, often including Excel spreadsheets, to generate and capture data, transform it into information, and measure and analyze it. The use of discrete, nonintegrated systems introduces inefficiencies and risks of data inconsistencies. Equally important is to identify the impact that current system limitations may be having on an organization:

• Determine what information, analysis, or reporting is difficult or time consuming to obtain, or worse yet, simply unavailable.
• Assess the importance and value of having better and timelier information.
• Evaluate whether existing systems and workflows can be enhanced, or whether system replacement may be warranted.

Define the Organization’s Requirements

The first step to evaluating whether existing systems and workflows require enhancements, or whether systems need total replacement, is determining what specifically the organization desires from its current system. Written, detailed documentation of requirements in functional terms (not computer terms) is crucial:

• If the organization needs to revise its financial reporting to meet new regulatory
  requirements, identify specific capabilities that will be required in the chart of accounts, such as fund, department, or program segmentation.
• If better metrics and analytics are needed to manage fundraising efforts, identify how campaigns, programs, and events are correlated, as well as how the efficacy of the development office is to be measured.
• Determine what the organization needs in order to more effectively communicate
  information to donors and constituents and to promote better engagement, both through traditional methods (e.g., newsletters) and new technologies (e.g., social
  media).

Evaluate and Select Software

Once the system requirements have been identified and documented, determine whether existing systems can be enhanced or if replacement is warranted. The process of evaluating software consists of identifying potential solutions, evaluating those solutions against the organization’s requirements, then selecting a system that represents the best fit and most cost-effective solution. When comparing software to the organization’s requirements, consider the importance of the features that the system does not provide and factor in the cost of customization. Consider ease of learning, ease of use, and technical proficiencies that may be required to operate the system, as well as the time and interest (or lack thereof) that may be required to tailor the system to the organization’s specific needs. For some organizations, an ideal solution may be a system that requires much fine-tuning, yet yields extreme flexibility. For other organizations, a more appropriate solution may be a less flexible system that essentially runs itself.

As part of the software evaluation, determine whether the solutions being considered are cloud based or require on-premises servers. Neither model is inherently better, but along with security, scalability, reliability, and performance considerations, on-premises solutions necessitate capital expenditures, whereas cloud-based systems introduce recurring operating expenses.

It is important to recognize that the cost of purchasing the software and any additional hardware often represents only a small portion of the total expense of implementing a system, and to budget accordingly. Fees associated with mapping data and processes to the new system, designing and implementing changes to workflows and controls, and training staff to use a new system often exceed direct software and hardware costs.

Following a formal system evaluation strategy—understanding the required information, metrics, and analytics to further the organization’s mission and operations, explicitly defining the organization’s requirements, then selecting software based on the specific requirements—yields the greatest likelihood of implementing a system that will increase effectiveness, efficiency, and fiscal insight.

Systems and Infrastructure

Storing, accessing, managing, and using all the data that a not-for-profit organization collects requires computer infrastructure that has adequate capacity and is both reliable and secure. Both on-premises and cloud-based solutions to providing this infrastructure exist, ultimately driven by the software the organization is using, the existing internal or outsourced IT support resources, and decisions about incurring capital versus operating expenses.

Review the organization’s systems and infrastructure periodically and determine the following:

• Do the existing systems and infrastructure provide adequate speed, capacity, scalability, and functionality to support the organization’s information management, data storage, and data analytics needs?
• Are the existing systems and infrastructure still being supported by the manufacturers and vendors, including continual issuance of security and maintenance upgrades?
• Are the costs to maintain the existing systems and infrastructure acceptable to the organization and competitive to current offerings?

Failing to have and maintain suitable systems and infrastructure introduces material risks:

• Systems that are not supported by their manufacturers and vendors expose the organization to cybersecurity risks.
• Older software systems may limit the organization’s ability to develop and deploy dashboards for real-time management, and may limit its ability to efficiently derive other useful information (e.g., metrics, analytics) from its data.
• Older hardware systems are prone to physical failure, leading to downtime, staff and workflow disruption, and risk of data loss.

What about Cybersecurity?

From the largest multinational corporations to the smallest not-for-profit organizations, nobody is immune from a cyberattack or a cyberbreach. The best an organization can do is understand the risk, then take steps to manage the risk and mitigate the potential impact of a breach.

In order to manage cybersecurity risk, it is important to first understand what cyber-security is and the specific impact it can have on a not-for-profit. Cybersecurity encompasses not only the protection of hardware and network devices, but also data stored and transmitted throughout the organization. While data privacy is most commonly understood as the focus of cybersecurity, there are three cybersecurity objectives:

• Confidentiality—ensuring that data can only be seen, accessed, and used by authorized individuals
• Integrity—ensuring that data cannot be modified by unauthorized individuals, and
  that it is not inadvertently modified by authorized individuals
• Availability—ensuring that data is accessible when needed.

All companies and organizations are subject to specific cybersecurity-related compliance requirements, including state privacy laws. Organizations that accept credit cards for donations and program-related revenues are subject to Payment Card Industry Data Security Standard requirements. Not-for-profit healthcare organizations face mandatory Health Insurance Portability and Accountability Act security and privacy regulations. Organizations with donors or constituents in the European Union are required to comply with new General Data Protection Regulation privacy rules.

The costs of a cyberbreach are significant and may include fines and penalties, technology expenditures, forensics and legal costs, constituent notification requirements, operational downtime, and distraction from the mission.

One of the most significant costs to a not-for-profit is the reputational damage that can result from a breach. Donors and constituents entrust the organization with their money and with personal, and sometimes confidential, information; if the organization can’t protect this information while staying focused in its mission, donors and constituents will find another organization that can.

What Can a Not-for-Profit Do to Protect Itself?

Although there is no way to fully protect an organization’s data, there are best practices that will help to manage risk and mitigate losses in the event of a breach:

• Make cybersecurity awareness a part of the organization’s culture. One of the authors’ clients has a policy that every meeting starts with a reminder about
  cybersecurity, even if it’s as simple as asking each attendee at the meeting when
  they last changed their password, or if they locked their computer screen before coming to the meeting.
• Understand what information the organization has, where the data is stored, who
  has access to it, how it is protected, and what regulations and standards apply to
  the data and to the organization.
• Develop and enforce written cybersecurity policies and procedures.
• Enforce the use of complex passwords, firewalls, antivirus and antispam software,
  data encryption, and comprehensive data backups.
• Understand and evaluate the cybersecurity controls of vendors and service providers; remember that they often have access to the organization’s information.
• Don’t collect or retain more data than necessary, and limit access to that data.
• Social engineering techniques are very effective at tricking people into opening
  attachments, clicking on links, and otherwise disclosing confidential information,
  including network credentials. Users are the weakest link in cybersecurity. Train staff and volunteers to be aware and alert.
• Audit and test cybersecurity controls repeatedly to ensure that they’re being followed.

Managing cybersecurity risk is an iterative process. Especially in the not-for-profit sector, budget and resources are always constrained and optimally dedicated to mission-supporting programs and activities. But by understanding the importance of cybersecurity, leveraging the use of expert advisors, and focusing on continuous incremental improvement, significant risk reduction is possible