The prevalence of cloud computing has increased to the point of transforming IT and business models in every industry,including the not-for-profit sector. Regardless of the size of your organization and its commitment to the cloud, consider adopting these risk management strategies and best practices:

1. 25
Natesh Ganesan, Senior Consultant, Not-for-Profit and Higher Education Practices,
Business Advisory Services
Mark Oster, National Managing Partner, Not-for-Profit and Higher Education Practices
The prevalence of cloud computing has increased to the point
of transforming IT and business models in every industry,
including the not-for-profit sector. In fact, cloud computing has
garnered enough attention in the not-for-profit sector to now
be considered a technology paradigm shift. Although not-for-
profits are not yet matching the adoption rate of for-profits,
investments in cloud computing are increasing, while spending
on traditional hardware infrastructure is decreasing.1
Cloud computing’s next step — Recognizing, managing risk
Similar to their counterparts in for-profit companies, many
not-for-profit organizations have generally chosen to start with
cloud deployments (e.g., software or infrastructure as a service)
in less-sensitive areas and in those that pose low risk (due to
either low complexity or non-business critical functions).
Some, however, are venturing further, housing critical systems
(e.g., accounting/finance and fundraising) in the cloud for
technology staffing cost savings and other benefits (scalability,
ease of upgrades, stronger redundancy, enhanced processing
capabilities, etc.). Some smaller organizations with fewer
staffing options are choosing to completely outsource their
entire IT infrastructure and applications.
Cloud computing is the technology that enables access to a
shared pool of information, applications, infrastructure
and/or services. Irrespective of whether the cloud is internal
and hosted by your IT staff or externally run by a third party,
your organization must remain responsible for ensuring that
appropriate controls are in place and maintained.
1
NTEN. The 8th Annual Nonprofit Technology Staffing and Investments Report, July 2014.
See www.nten.org/article/the-8th-annual-nonprofit-technology-staffing-investments-report/ for the survey.

2. 26
The State of the Not-for-Profit Sector in 2015
Regardless of the size of your organization and its commitment
to the cloud, consider adopting these risk management strategies
and best practices:
1. Prepare your IT function to embrace the cloud
Conventional constituent management and fundraising
methods are being replaced by online community
building and engagement, and crowdsourcing. Even
more fundamentally, the rapid evolution and increasing
affordability of alternative technology resources is allowing
organizations to change their methods of providing
programs and services to their constituents.
To be successful within this complex reality, IT needs the
appropriate talent, architecture and governance to provide
solid support while offering a high degree of agility and
flexibility. Provide IT with the budget and personnel
required to both manage external providers — outsourced
services and applications — and operate and support the
internal infrastructure, maintaining appropriate interfaces
between the two environments. IT must also have the
resources to evaluate, select, develop and implement new
technology. Your IT infrastructure and organization need
to be adaptable to changing demands, and your IT budget
needs to reflect that greater investments in cloud technology
may be needed to achieve downstream operational
savings, generate new revenue streams and deploy new
organizational strategies to remain competitive.
2. Ensure IT and business area management are
working collaboratively
In navigating this technology shift, success depends on
efforts being orchestrated across the organization. Bring
together IT and functional departments to properly identify
needs, manage risks and support change.
IT and management must partner on selecting cloud
services and remain in close communication throughout
implementation and continued operation. Business areas
should drive the selection of cloud computing vendors,
applications and services from a functional requirements
standpoint. IT must remain responsible for ensuring that
any selection is compatible with the overall technology
environment and architecture, and that potential solutions
meet technical requirements of integrity, reliability,
recoverability, etc. A strong relationship between functional
and technology areas will help to ensure that cloud decisions
are made in line with both business and infrastructure needs,
and that the technology budget is set at the right level.

3. 27
3. Elevate security, risk management and compliance
Even with heightened focus on information security, given
the extensive media attention to recent breaches, many
not-for-profit organizations have yet to adopt an IT risk
management program or methodology. The need to do so is
even greater when deploying cloud technologies and using
resources that are the responsibility of third-party vendors.
Your organization takes on regulatory and compliance risks
in relying on a service provider’s adherence to regulations,
such as the Payment Card Industry Data Security Standard
and HIPAA. Other risks worth taking seriously relate
to business continuity (ensuring key operations are not
disrupted during extended system downtime), cybersecurity
and malicious insider attacks, commingled data, and
compatibility issues with existing infrastructure.
To maximize protection of your organization in ensuring
data privacy, consider the security risks that are introduced
when information leaves the confines of your organization’s
security environment. Establish a comprehensive risk
assessment structure for identifying, evaluating, and
mitigating or managing IT risks, including potential for
loss of control of data placed in cloud technologies. Make
sure you understand how third parties secure your data and
which controls remain your responsibility.
Adopting cloud computing brings benefits, but also challenges
and risks. The protections you put into place will help your
organization move more securely into this environment.
• Hybrid cloud: This is a computing environment in which an
institution owns and manages some technology resources, either
internally or hosted externally by a third party exclusively for the
organization, and has others on the Internet provided by a public
third-party vendor. Gartner states that “while actual hybrid cloud
computing deployments are rare, nearly three-fourths of large
enterprises expect to have hybrid deployments by 2015.1
”
Not-for-profit organizations will not be an exception to this trend.
We expect that while certain systems and services will continue
to be kept within an organization’s internal infrastructure (or
on private clouds) due to mission criticality, complexity, cost
or risk issues, other services or applications will be shifted to
external clouds. The need to develop, implement and maintain the
interfaces between these two environments will become a key IT
management challenge.
• Computing everywhere: With the advancement of mobile
technology and the power of cloud computing, smartphones will
increasingly be used to deliver centrally coordinated applications
from the cloud. Organizations that invest now in cloud computing
will be ahead of the curve. Because of extended reach and
interaction, they can benefit from greater connected audiences
and constituents.
• Advanced data analytics and big data: Organizations can
leverage advanced analytics and big data to better understand
constituent behavior, improve engagement, and increase campaign
response rate and fundraising outcomes. This can be accomplished
by tapping into current organizational data and the data from
various other sources, such as social media, blogs and surveys.
1
Zeng, Evan, and Bittman, Thomas. “China Summary Translation: Private Cloud Matures, Hybrid Cloud Is Next,” Gartner, Oct. 17, 2014. Gartner subscribers can read the report; see
www.gartner.com/doc/2879517/china-summary-translation-private-cloud for more information.
Trends shaping the future of cloud computing in the not-for-profit industry