IT Governance for (smaller) Nonprofits #12NTCITGov Donny C. Shimamoto, CPA/CITP, CGMA

Page 1: IT Governance for (smaller) Nonprofits

IT Governance for (smaller) Nonprofits
#12NTCITGov

Donny C. Shimamoto, CPA/CITP, CGMA

Page 2: IT Governance for (smaller) Nonprofits

Evaluate This Session! Each entry is a chance to win an NTEN engraved iPad!

or Online at www.nten.org/ntc/eval

IT Governance for Nonprofits

#12NTCITGov

Page 3: IT Governance for (smaller) Nonprofits

Speaker Biography

Donny C. Shimamoto, CPA.CITP, CGMA

• Donny is the founder of IntrapriseTechKnowlogies LLC, a CPA firm focused on organizational development and advisory services for the middle market. An active CPA, Certified Information Technology Professional (CITP), and Chartered Global Management Accountant (CGMA), Donny helps many organizations by bridging accounting and IT to strengthen organizational governance and risk management, improve business processes through IT, and increase the effectiveness of decision making through business intelligence.

• Donny was recognized as one of 25 Top Thought Leaders in Public Accounting by CPA Practice Advisor in 2012, received the 2009-2010 President’s Award from the Hawaii Society of CPAs, was named to CPA Technology Advisor’s 40 Under 40 list in 2007 & 2009 and was also a Hawaii Top High Tech Leader in 2004.

• In the nonprofit world, Donny works with community foundations, social service agencies, community centers, and membership associations.

IntrapriseTechKnowlogies LLC
Technologies and knowledge for synergizing your intraprise

www.intraprisetechknowlogies.com | Hawaii | California

Page 4: IT Governance for (smaller) Nonprofits

Audience Polls – Demographics

• Organization Type/Size

– CPA Firm

– Small Nonprofit

– Medium Nonprofit

– Large Nonprofit

– Government

• Part of Organization

– Accounting/Finance

– Information Technology

– Programs

– Consultant or Auditor

• Role in Organization

– Lead Executive

– CFO/Controller

– CIO / IT Director

– Program Director/Manager

– Consultant or Auditor

Choose one from each set of options that best matches how you view your organization and your role at work.

Page 5: IT Governance for (smaller) Nonprofits

IT Governance for (smaller) Nonprofits

• Why IT Governance is important for Nonprofits

• IT Governance

– Defined & Adapted for (smaller) Nonprofits

• An IT Governance Framework for (smaller) Nonprofits

– How do we align the business and IT?

– How do we define and measure [IT] performance?

– How do we manage [IT-related] change?

– How do we organize [IT] decision rights?

– IT Governance in Action – a practical example

– What are the costs and benefits of improvement of IT governance?

• Call to Action – IT Governance

Page 6: IT Governance for (smaller) Nonprofits

Why IT Governance is Important

• Myth: IT Governance is only for large companies

• Effectively managed IT can provide small businesses with a competitive advantage, whereas ineffective management can impair the business as a whole.

– ISACA Journal Online, 2009 Vol 4

– http://www.isaca.org/Journal/Past-Issues/2009/Volume-4/Pages/JOnline-Small-Business-IT-Governance-Implementation.aspx

• Nonprofits that use IT as part of their daily operations need IT governance:

– To help maximize the benefits of their IT investment, and

– Manage the risks that reliance upon IT introduces into their organizations.

Page 7: IT Governance for (smaller) Nonprofits

Why IT Governance is Important

• There are major forces driving the need for IT Governance in Nonprofits

– Increased Compliance Requirements: Regulation, Privacy, PCI DSS

– Evolving Security Threat Landscape: PCI DSS, EFT Fraud

– Economic Unpredictability: IT Value Management

– Organizational Agility: Business Continuity, Project Execution

• By establishing a clear framework for IT-related decisions that balances benefits, cost, and risk, Nonprofits can ensure better alignment of their IT investments with their missions/business strategy and improve the overall efficiency, effectiveness, and agility of their business processes.

Page 8: IT Governance for (smaller) Nonprofits

IT Governance – Definition

• The IT Governance Institute (ITGI) definition:

“the responsibility of executives and the board of directors and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategy and objectives.”

Source: ITGI, 2003

Page 9: IT Governance for (smaller) Nonprofits

IT Governance – Definition

[Diagram] Corporate Governance subsumes IT Governance, which in turn subsumes IT Management; read the other way, IT Management is part of IT Governance, which is part of Corporate Governance.

Source: Roger Debreceny, Shidler Distinguished Professor of Accounting, University of Hawaii at Manoa, Nov 2010

Page 10: IT Governance for (smaller) Nonprofits

IT Governance – Definition

“the responsibility of executives and the board of directors and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategy and objectives.”

Source: ITGI, 2003

• Responsibility:

– Executives & Board of Directors

• Elements:

– Leadership

– Organizational Structures

– Processes

• Objective:

– Ensure IT sustains and extends the organization’s mission and strategy

Page 11: IT Governance for (smaller) Nonprofits

IT Governance – Adapted

Definition for Smaller Nonprofits

• Definition adapted to smaller Nonprofits:

IT Governance is the leadership, structures and processes that a nonprofit’s executives and board of directors put in place to ensure that their organization’s IT sustains and extends their business strategy and objectives in achieving its mission.

• IT governance provides the framework to guide how IT-related decisions are made. This is especially important when there is someone who is making technology decisions on behalf of a nonprofit’s management.

Page 12: IT Governance for (smaller) Nonprofits

IT Governance – Adapted

Definition for Smaller Nonprofits

[Diagram] Corporate Governance binds/guides IT Governance, which binds/guides IT Management; IT Management (the IT Manager and the IT Service Providers) is part of IT Governance, which is part of Corporate Governance.

Adapted from: Debreceny, Nov 2010

Page 13: IT Governance for (smaller) Nonprofits

IT Governance – Nonprofit Framework

[Diagram] Business Strategy drives IT Strategy. IT Governance, providing alignment and value delivery, binds IT Strategy, IT Infrastructure, IT Projects, IT Risk Management and Compliance. Caption: Establish a framework to structure and guide IT decision-making and how IT is used as part of the organization.

Source: IntrapriseTechKnowlogies LLC, 2011

Page 14: IT Governance for (smaller) Nonprofits

IT Governance – Nonprofit Framework

• Establish a framework to structure and guide:

– IT decision-making; and

– How IT is used as part of the business.

• IT decision-making in Nonprofits

– IT Manager – usually technically focused

– IT Contractor – usually technically focused

– Key weakness: narrow perspective & lack of business acumen

• IT as part of the business

– Increasing pervasiveness of IT supporting business processes

– Increasing ease of access to data and applications

– Increasing dependence on IT service providers

– Key weakness: Lack of risk awareness and mature IT controls

Page 15: IT Governance for (smaller) Nonprofits

IT Governance – Nonprofit Framework

• Consider the following BIG QUESTIONS:

– How do we align the mission/business strategy and IT?

– How do we define and measure [IT] performance?

– How do we manage [IT-related] change?

– How do we organize [IT] decision rights?

– What are the costs and benefits of improvement of IT governance?

Source: Debreceny, Nov 2010

These questions help to ensure greater alignment of IT decision-making with the mission/business strategy, and clear performance and accountability for IT.

Page 16: IT Governance for (smaller) Nonprofits

How do we align Programs and IT?

• The corporate answer:

– Strategy Council

– Business involvement in

• Strategy planning

• Program management

• Project management

– Clear RACI planning

– Outward facing staff from IT to the Business

Source: Debreceny, Nov 2010

• These can be overkill in a Nonprofit’s smaller, less complex environment, but the intent and purpose of some of these structures must still be considered—and sometimes reversed.

RACI defined:

• Responsible

• Accountable

• Consulted

• Informed

Page 17: IT Governance for (smaller) Nonprofits

How do we align the Nonprofit and IT?

• Corporate answer:

– Strategy Council

– Business involvement in

• Strategy planning

• Program management

• Project management

– Clear RACI planning

– Outward facing staff from IT to the Business

• Issues: (1) Business units and IT operating in separate silos; (2) IT function may be centralized or decentralized

• SMB Nonprofit answer:

– Strategy Council: N/A – usually not necessary

– IT Advisor’s involvement in

• Strategic planning

• Program management

• Project management

– Clear RACI planning

– Close relationships between key IT service providers and business managers

• Issues: (1) Programs operating with an absence of IT expertise; (2) Nonprofit is not highest priority of IT service provider.

Page 18: IT Governance for (smaller) Nonprofits

How do we align the Nonprofit and IT?

• Nonprofit considerations for programs/IT alignment:

– What role does IT play in achieving the mission/business strategy?

– Should IT be included in strategic planning?

• Does my IT Manager or Service Provider understand my mission? Can they think strategically?

• Do I need an independent/objective IT Advisor?

– Are any of my programs/projects dependent upon IT?

• How will the technology utilized impact my IT environment?

• Is the technology utilized in accord with my IT strategy?

– Is responsibility for mission/IT alignment clearly defined?

• Who is accountable for achieving alignment?

• What are the consequences if alignment is not achieved?

– Is there clear communication between IT and programs?

Page 19: IT Governance for (smaller) Nonprofits

How do we align the Nonprofit and IT?

• Clear and open communication between Programs and IT is especially important for Nonprofits

– Most nonprofit executives and boards don’t have a deep enough understanding of IT to adequately perform alignment

• An IT Advisor may need to be engaged to help translate between the programs and IT and facilitate alignment

– A majority of IT capabilities is usually outsourced and IT service providers are servicing multiple customers

• The Nonprofit may not be a priority for the service provider

• The IT service provider is an external party so requires additional effort to coordinate communication/activities

– While the risk of a Nonprofit IT failure is usually lower, the impact of failure is often higher due to smaller economic resources to absorb the failure or re-perform the project

• Failure could be a non-realization of expected benefits

Page 20: IT Governance for (smaller) Nonprofits

How do we define and measure [IT] performance?

• Part of defining responsibility and accountability is having a clear definition of performance

– Availability – it’s available for use when I need it; “uptime”

– Accessibility – it’s usable where I need to use it

– Functionality – it provides the functionality I need

• Accuracy – computations are performed correctly

• Integrity – the integrity of my data/files is maintained

• Usability – it is easy to use and intuitive

• Responsiveness – actions are completed within a reasonable time / within the expected time

– Security – data/files are kept secure (including addressing confidentiality and privacy)

• Most nonprofit users don’t want to understand the technology, they just want it to work when they need it and as they expect it to

Page 21: IT Governance for (smaller) Nonprofits

How do we define and measure [IT] performance?

• Nonprofits should define their business requirements for IT performance based on their mission/business strategy

• Availability – it’s available for use when I need it

– During what times do systems need to be available?

• What are the organization’s hours of operation?

• Are there times when the organization doesn’t operate?

• Are there times when certain business functions can be down?

– What level of downtime is acceptable?

• Remember that most systems need some kind of scheduled maintenance and backup window

• Is the impact of downtime offset by the cost of additional availability measures?

– Is a business continuity plan in place to mitigate the risk of downtime? Disaster recovery plan, in case of major outage?

Page 22: IT Governance for (smaller) Nonprofits

How do we define and measure [IT] performance?

• Nonprofits should define their business requirements for IT performance based on their mission/business strategy

• Accessibility – it’s usable where I need to use it

– Do I need access outside of the office?

• Traditional solution: VPN

• Cloud computing is increasing the accessibility of applications and data beyond the office network

– Do users need offline access? (e.g. at client/constituent’s place)

– Do users need access on mobile devices?

– If client/constituent facing:

• How are my clients/constituents accessing the system?

• How do clients/constituents expect to access the system?

– Are accessibility (security/confidentiality/privacy) risks appropriately mitigated?

Page 23: IT Governance for (smaller) Nonprofits

How do we define and measure [IT] performance?

• Nonprofits should define their business requirements for IT performance based on their mission/business strategy

• Functionality – it provides the functionality I need

– Accuracy – computations are performed correctly

– Integrity – the integrity of my data/files is maintained

– Usability – it is easy to use and intuitive

– Responsiveness – actions are completed within a reasonable time / within the expected time

• Most Nonprofits are used to working with these performance measures

– These requirements should be defined and used as the basis for software/vendor selection. Since most Nonprofits are probably not doing custom development, it is important to find the best fit solution—and often it will not be a 100% solution.

Page 24: IT Governance for (smaller) Nonprofits

How do we define and measure [IT] performance?

• Nonprofits should define their business requirements for IT performance based on their mission/business strategy

• Security – data/files are kept secure (including addressing confidentiality and privacy)

– Are there regulatory or other compliance requirements associated with your data?

– Have privacy controls been designed to address both technical and non-technical data/file risks?

– If data is stored in the cloud or on a vendor’s systems:

• What measures has the vendor taken to ensure security?

• Is a Service Organization Controls (SOC) report available? A SOC 1 (SSAE 16) report covers the vendor’s controls relevant to your financial reporting; a SOC 2 report covers security, availability, confidentiality and privacy controls, so it is the one to ask for when the concern is protecting data.

• Have management’s own controls been mapped to the SOC report and the vendor’s control structure, including the complementary user entity controls the report assumes the customer operates (for example, who administers user accounts)?

Page 25: IT Governance for (smaller) Nonprofits

How do we define and measure [IT] performance?

• Establish responsibility and accountability by clearly defining performance criteria for each application/system used by the business

– Availability – it’s available for use when I need it; “uptime”

– Accessibility – it’s usable where I need to use it

– Functionality – it provides the functionality I need

• Accuracy – computations are performed correctly

• Integrity – the integrity of my data/files is maintained

• Usability – it is easy to use and intuitive

• Responsiveness – actions are completed within a reasonable time / within the expected time

– Security – data/files are kept secure (including addressing confidentiality and privacy)

• Define these in “business” not “technical” terms

Page 26: IT Governance for (smaller) Nonprofits

How do we manage [IT-related] change?

• To ensure that the full benefits of an IT-related initiative can be realized, remember to consider the impact of the change to:

– The organization itself

– Employees

– Clients and Constituents

– The organization’s IT environment and risk posture

• In Nonprofits, both executives/program management and IT service providers often forget that while simpler, the Nonprofit environment is also smaller.

– A small change can sometimes have a much bigger impact.

– A stone in a lake can cause tidal waves in a puddle.

Page 27: IT Governance for (smaller) Nonprofits

How do we manage [IT-related] change?

• IT-related change can impact the organization and its employees and clients/constituents in many different ways

– Changes to business processes and procedures

– Different tools / application used to complete a task

– Increased / decreased access to data / information

• Common staff complaints about IT-related change

– Nobody told us it was changing!

– Yes, the technology is good, but the impact to our procedures wasn’t considered until the new technology was already here.

– We didn’t receive any training for the new technology.

– The data is organized differently from the old system.

– The computations are performed differently from the old system.

– I can’t get the same reports that I used to from the old system.

Page 28: IT Governance for (smaller) Nonprofits

How do we manage [IT-related] change?

• In addition to user-side impacts, consider the impact to the overall IT environment:

– Have we increased our reliance upon a system—thereby increasing the potential impact of an availability issue?

– Have we increased the accessibility of information?

• Do we need to consider any additional mobile device risks?

– Has the change in functionality impacted the efficiency, effectiveness, or agility of our business processes?

– Does the change introduce any data-related risks? (e.g. privacy, confidentiality, security, backup, recoverability)

• How do the changes impact the organization’s overall IT environment risk posture?

– Is this an acceptable part of the business strategy?

– Do we need to take any additional risk mitigation measures?

Page 29: IT Governance for (smaller) Nonprofits

How do we manage [IT-related] change?

• Every change has risks associated with it

– Just because a change has risks, it doesn’t mean that you shouldn’t do it—work to manage risk, not eliminate it

• Manage risk by evaluating the risk and taking the appropriate mitigation steps to minimize the negative impact of the change

– Balance cost of mitigation with benefits of managing the impact

• Sometimes not making a change is a risk in and of itself—consider the cost/impact of not changing

– Lack of change can lead to stagnation

• Remember to consider the people and process aspects of the change, not only the technology.

Page 30: IT Governance for (smaller) Nonprofits

How do we organize [IT] decision rights?

• There are usually two different approaches to IT decision-making by smaller Nonprofits

1. Minimal Involvement by executive or board

• Just wants to know what it will cost and as long as reasonable (i.e. cost doesn’t seem excessive) then will approve

• For the most part, decision authority rests with the IT manager or IT service provider

2. High Involvement by executive or board

• Wants to understand everything that is being done

• Will approve once it makes sense to them and they can validate the cost

• Decision authority rests with the executive—IT Manager / IT Service Provider must “convince” the executive of necessity

Page 31: IT Governance for (smaller) Nonprofits

How do we organize [IT] decision rights?

• There are inherent flaws in both approaches

1. Minimal Involvement

• Requires a high-level of trust in IT Manager/Service Provider

• Requires a highly competent IT Manager/Service Provider

• Usually a spend-based decision

2. High Involvement

• Executive/Board usually lacks expertise to adequately evaluate options

• Cost validation usually doesn’t involve apples-to-apples

• Usually a spend-based decision

• Both approaches often lack

– Consideration of mission/business strategy

– Consideration of IT-related business risks

– Longer term cost management perspective

Page 32: IT Governance for (smaller) Nonprofits

How do we organize [IT] decision rights?

• The better approach is to identify business-focused parameters that provide a basis for decision-making

– Strategic Alignment

– IT Performance

– IT Risk Management

– Change Management

– Cost Management

• The Board of Directors should identify the key parameters that drive what is considered in evaluating options

– IT Manager/Service Provider prepares an analysis of options based on the parameters

– CEO/Executive Director is briefed on options based on parameters and recommendation from IT Manager/Service Provider

– CEO/Executive Director makes final decision

Page 33: IT Governance for (smaller) Nonprofits

IT Governance in Action

a practical example

• Consider the following scenario:

A small nonprofit wants to enable its staff of 10 people to have access to their e-mail anytime, anywhere on their laptops and mobile devices

• It is considering three solution options:

1. Microsoft Small Business Server (SBS)

2. Microsoft Office 365

3. Google Apps for Nonprofits

The business currently uses POP e-mail boxes provided by its Internet Service Provider (ISP) and Microsoft Outlook 2007.

Page 34: IT Governance for (smaller) Nonprofits

IT Governance in Action

a practical example

• How do we align the Nonprofit and IT?

– Strategic imperative

• Enable staff to spend more time with clients/constituents

• Be more responsive to client/constituent requests

• Business need = anytime, anywhere access across devices

– Analysis of current ISP provided POP mail

• Provides this at a basic level (e-mail can be accessed anywhere with an Internet connection)

• Doesn’t allow for easy synchronization of data across devices — contacts and calendar entries must be entered separately on each device or synced via USB cable

– All solutions considered enable synchronization across devices and provide anytime, anywhere access

• All align at a high level with the mission/business strategy

Page 35: IT Governance for (smaller) Nonprofits

IT Governance in Action

a practical example

• How do we define and measure IT performance?

– System availability or “uptime” is a key metric

• Clients/constituents are in multiple time zones

• Staff has flexible work schedules, so some work at night too

– Based on the answer to this question:

• SBS is an on-premise solution, and the cost of making it highly available would make the cost of SBS far exceed the other two

– Office 365 and Google Apps become the two leading options

• Google Apps provides a 99.9% uptime guarantee, including maintenance windows

• Microsoft Office 365 provides a 99.9% uptime guarantee, excluding maintenance windows

• Adjusted for the maintenance windows, Microsoft Office 365’s effective uptime guarantee is therefore lower than Google Apps’: check how much scheduled downtime the contract allows before treating the two percentages as equal
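The comparison above turns on how a "99.9%" guarantee is measured. The following Python is an added illustration, not part of the original deck: it computes the downtime a given SLA permits and the availability a nonprofit actually experiences when maintenance windows are carved out of the measured period. The 720-hour month and the 8 hours/month of maintenance used in the sample call are constructed assumptions, not figures from the deck or from either vendor's contract; the offer labels are illustrative only.

```python
"""Effective availability when an SLA excludes scheduled maintenance.

Added illustration; the month length and maintenance hours are assumptions,
not vendor contract terms.
"""

HOURS_PER_MONTH = 30 * 24  # assumed 720-hour month to keep the arithmetic simple


def allowed_downtime_hours(sla: float, period_hours: float = HOURS_PER_MONTH) -> float:
    """Unplanned downtime the provider may incur and still meet the SLA.

    sla is a fraction (0.999 for "99.9%"); period_hours is whatever the contract
    measures over, here one month.
    """
    if not 0.0 <= sla <= 1.0:
        raise ValueError("sla must be a fraction between 0 and 1")
    return (1.0 - sla) * period_hours


def effective_availability(sla: float, excluded_hours: float,
                           period_hours: float = HOURS_PER_MONTH) -> float:
    """Availability as the business experiences it.

    When a contract excludes maintenance windows, the SLA percentage applies
    only to the remaining hours, but the excluded hours are still hours during
    which staff cannot read e-mail. Worst case, the provider uses every
    excluded hour and every minute of permitted unplanned downtime.
    """
    if not 0.0 <= sla <= 1.0:
        raise ValueError("sla must be a fraction between 0 and 1")
    if excluded_hours < 0 or excluded_hours > period_hours:
        raise ValueError("excluded_hours must lie within the period")
    measured_hours = period_hours - excluded_hours
    guaranteed_up_hours = sla * measured_hours
    return guaranteed_up_hours / period_hours


def worst_case_downtime_hours(sla: float, excluded_hours: float,
                              period_hours: float = HOURS_PER_MONTH) -> float:
    """Total hours the service may be unavailable without breaching the SLA."""
    return period_hours * (1.0 - effective_availability(sla, excluded_hours, period_hours))


def compare_offers(offers: dict, period_hours: float = HOURS_PER_MONTH) -> list:
    """Rank offers, given as name -> (sla, excluded_hours), best first.

    Returns (name, effective_availability, worst_case_downtime_hours) tuples,
    so two offers quoting the same headline percentage can be told apart.
    """
    ranked = [
        (name,
         effective_availability(sla, excl, period_hours),
         worst_case_downtime_hours(sla, excl, period_hours))
        for name, (sla, excl) in offers.items()
    ]
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


if __name__ == "__main__":
    # Constructed sample: both offers quote 99.9%; one excludes an assumed
    # 8 hours/month of maintenance from the measurement.
    sample = {
        "offer A (99.9%, maintenance included)": (0.999, 0.0),
        "offer B (99.9%, 8 h/month maintenance excluded)": (0.999, 8.0),
    }
    for name, avail, down in compare_offers(sample):
        print(f"{name}: effective {avail:.4%}, up to {down:.2f} h/month unavailable")
```

With the assumed 8 excluded hours, the "excluded" offer works out to roughly 98.79% effective availability and up to 8.7 hours a month unavailable, against 43 minutes for the offer that counts maintenance. The governance point is that the board should ask for the contract's maintenance terms and express the requirement as hours of acceptable downtime, not as a percentage alone.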

Page 36: IT Governance for (smaller) Nonprofits

IT Governance in Action

a practical example

• How do we manage IT-related change?

– The organization’s staff is very competent, but they are not all particularly technology-savvy

– Switching to a Google Apps solution

• Potentially requires the staff to learn a new system

• Gmail web interface/functionality very different from traditional POP web mail

• Potential incompatibility with historical e-mail / archives

– Switching to Microsoft Office 365 or SBS

• Staff continue to use Outlook on their computers

• Outlook Web Access (web mail) looks like Outlook

– Mobile device e-mail functionality will depend on which kind of mobile device is used

Page 37: IT Governance for (smaller) Nonprofits

IT Governance in Action

a practical example

• How do we organize IT decision rights?

– While this question is really speaking more toward decision-making authority, in this example we can also interpret it as:

• What are the criteria for choosing a solution?

– Strategy = Google Apps for Nonprofits or Microsoft Office 365

– Uptime = Google Apps for Nonprofits

– Change = Microsoft Office 365

– Cost & Cash Flow

• Gmail is free (<3000 users) vs Microsoft Office 365 at $48/user/year

– Security / Compliance

• Microsoft Office 365 has options that meet ISO 27001, FIPS 140-2, HIPAA, FERPA, ITAR

Page 38: IT Governance for (smaller) Nonprofits

IT Governance in Action

a practical example

• What would you purchase?

• Each organization’s situation is different

– Different business strategies

– Different key factors / considerations

– Different staff competencies

– Different technology platforms

– Different IT Manager / service provider competencies

– Different cost / cash-flow management situations

• An IT Governance framework helps to ensure all of these differences are considered in making an IT decision

Page 39: IT Governance for (smaller) Nonprofits

What are the costs and benefits of improvement of IT governance?

• IT governance doesn’t have to cost a lot

– It does involve some up-front time to answer the questions

– It does require some heavy thinking to answer them “right”

• IT governance helps ensure IT value

– Manage the costs of non-compliance

– Balance short-term savings with long term value

– Manage indirect costs of change

– Balance benefits, cost, and risk

• IT governance enables strategic advantage

– Better alignment of IT with missions/business strategy

– Improve the efficiency, effectiveness, and agility of business processes

Page 40: IT Governance for (smaller) Nonprofits

Call to Action – IT Governance

• Nonprofit leaders must guide the decision-making and actions of their IT manager or IT service providers

– Establish clear expectations and accountability for IT

– Prevent a fragmented IT environment

– Mitigate IT-related risks

– Manage IT-related costs

– Ensure alignment of IT with mission/business strategy

• Proper governance of IT maximizes the benefits of your IT investments and helps you better achieve your mission

Page 41: IT Governance for (smaller) Nonprofits

Thank you for your attention and participation!

Donny C. Shimamoto, CPA.CITP, CGMA

[email protected]

(808) 735-8324 voice

Any Questions?

IntrapriseTechKnowlogies LLC
Technologies and knowledge for synergizing your intraprise

www.intraprisetechknowlogies.com | Hawaii | California