IT Governance for (smaller) Nonprofits
#12NTCITGov
Donny C. Shimamoto, CPA/CITP, CGMA
Speaker Biography
Donny C. Shimamoto, CPA.CITP, CGMA
• Donny is the founder of IntrapriseTechKnowlogies LLC, a CPA firm focused on organizational development and advisory services for the middle market. An active CPA, Certified Information Technology Professional (CITP), and Chartered Global Management Accountant (CGMA), Donny helps many organizations by bridging accounting and IT to strengthen organizational governance and risk management, improve business processes through IT, and increase the effectiveness of decision making through business intelligence.
• Donny was recognized as one of 25 Top Thought Leaders in Public Accounting by CPA Practice Advisor in 2012, received the 2009-2010 President’s Award from the Hawaii Society of CPAs, was named to CPA Technology Advisor’s 40 Under 40 list in 2007 & 2009, and was also a Hawaii Top High Tech Leader in 2004.
• In the nonprofit world, Donny works with community foundations, social service agencies, community centers, and membership associations.
IntrapriseTechKnowlogies LLC – Technologies and knowledge for synergizing your intraprise
www.intraprisetechknowlogies.com | Hawaii | California
Audience Polls – Demographics
Choose one from each set of options that best matches how you view your organization and your role at work.
• Organization Type/Size
  – CPA Firm
  – Small Nonprofit
  – Medium Nonprofit
  – Large Nonprofit
  – Government
• Role in Organization
  – Lead Executive
  – CFO/Controller
  – CIO / IT Director
  – Program Director/Manager
  – Consultant or Auditor
• Part of Organization
  – Accounting/Finance
  – Information Technology
  – Programs
  – Consultant or Auditor
IT Governance for (smaller) Nonprofits
• Why IT Governance is important for Nonprofits
• IT Governance – Defined & Adapted for (smaller) Nonprofits
• An IT Governance Framework for (smaller) Nonprofits
  – How do we align the business and IT?
  – How do we define and measure [IT] performance?
  – How do we manage [IT-related] change?
  – How do we organize [IT] decision rights?
  – IT Governance in Action – a practical example
  – What are the costs and benefits of improvement of IT governance?
• Call to Action – IT Governance
Why IT Governance is Important
• Myth: IT Governance is only for large companies
• Effectively managed IT can provide small businesses with a competitive advantage, whereas ineffective management can impair the business as a whole.
  – ISACA Journal Online, 2009 Vol 4
  – http://www.isaca.org/Journal/Past-Issues/2009/Volume-4/Pages/JOnline-Small-Business-IT-Governance-Implementation.aspx
• Nonprofits that use IT as part of their daily operations need IT governance:
  – To help maximize the benefits of their IT investment, and
  – Manage the risks that reliance upon IT introduces into their organizations.
Why IT Governance is Important
• There are major forces driving the need for IT Governance in Nonprofits
  – Increased Compliance Requirements: Regulation, Privacy, PCI DSS
  – Evolving Security Threat Landscape: PCI DSS, EFT Fraud
  – Economic Unpredictability: IT Value Management
  – Organizational Agility: Business Continuity, Project Execution
• By establishing a clear framework for IT-related decisions that balances benefits, cost, and risk, Nonprofits can ensure better alignment of their IT investments with their missions/business strategy and improve the overall efficiency, effectiveness, and agility of their business processes.
IT Governance – Definition
• The IT Governance Institute (ITGI) definition: “the responsibility of executives and the board of directors and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategy and objectives.”
Source: ITGI, 2003
IT Governance – Definition
(Diagram) IT Governance is part of Corporate Governance; IT Governance subsumes IT Management.
Source: Roger Debreceny, Shidler Distinguished Professor of Accounting, University of Hawaii at Manoa, Nov 2010
IT Governance – Definition
“the responsibility of executives and the board of directors and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategy and objectives.”
Source: ITGI, 2003
• Responsibility:
  – Executives & Board of Directors
• Elements:
  – Leadership
  – Organizational Structures
  – Processes
• Objective:
  – Ensure IT sustains and extends the organization’s mission and strategy
IT Governance – Adapted Definition for Smaller Nonprofits
• Definition adapted to smaller Nonprofits: IT Governance is the leadership, structures and processes that a nonprofit’s executives and board of directors put in place to ensure that their organization’s IT sustains and extends their business strategy and objectives in achieving its mission.
• IT governance provides the framework to guide how IT-related decisions are made. This is especially important when there is someone who is making technology decisions on behalf of a nonprofit’s management.
IT Governance – Adapted Definition for Smaller Nonprofits
(Diagram) IT Governance is part of Corporate Governance; IT Governance binds/guides IT Management (IT Service Providers, IT Manager).
Adapted from: Debreceny, Nov 2010
IT Governance – Nonprofit Framework
Establish a framework to structure and guide IT decision-making and how IT is used as part of the organization.
(Diagram elements: Business Strategy; alignment; Compliance; IT Governance; value delivery; IT Strategy; IT Projects; IT Risk Management; drives; IT Infrastructure)
Source: IntrapriseTechKnowlogies LLC, 2011
IT Governance – Nonprofit Framework
• Establish a framework to structure and guide:
  – IT decision-making; and
  – How IT is used as part of the business.
• IT decision-making in Nonprofits
  – IT Manager – usually technically focused
  – IT Contractor – usually technically focused
  – Key weakness: narrow perspective & lack of business acumen
• IT as part of the business
  – Increasing pervasiveness of IT supporting business processes
  – Increasing ease of access to data and applications
  – Increasing dependence on IT service providers
  – Key weakness: Lack of risk awareness and mature IT controls
IT Governance – Nonprofit Framework
• Consider the following BIG QUESTIONS:
  – How do we align the mission/business strategy and IT?
  – How do we define and measure [IT] performance?
  – How do we manage [IT-related] change?
  – How do we organize [IT] decision rights?
  – What are the costs and benefits of improvement of IT governance?
Source: Debreceny, Nov 2010
These questions help to ensure greater alignment of IT decision-making with the mission/business strategy, and clear performance and accountability for IT.
How do we align Programs and IT?
• The corporate answer:
  – Strategy Council
  – Business involvement in
    • Strategy planning
    • Program management
    • Project management
  – Clear RACI planning
  – Outward facing staff from IT to the Business
  RACI defined: Responsible, Accountable, Consulted, Informed
  Source: Debreceny, Nov 2010
• These can be overkill in a Nonprofit’s smaller, less complex environment, but the intent and purpose of some of these structures must still be considered—and sometimes reversed.
How do we align the Nonprofit and IT?
• Corporate answer:
  – Strategy Council
  – Business involvement in
    • Strategy planning
    • Program management
    • Project management
  – Clear RACI planning
  – Outward facing staff from IT to the Business
  Issues: (1) Business units and IT operating in separate silos; (2) IT function may be centralized or decentralized.
• SMB Nonprofit answer:
  – N/A – usually not necessary
  – IT Advisor’s involvement in
    • Strategic planning
    • Program management
    • Project management
  – Clear RACI planning
  – Close relationships between key IT service providers and business managers
  Issues: (1) Programs operating with an absence of IT expertise; (2) Nonprofit is not highest priority of IT service provider.
How do we align the Nonprofit and IT?
• Nonprofit considerations for programs/IT alignment:
  – What role does IT play in achieving the mission/business strategy?
  – Should IT be included in strategic planning?
    • Does my IT Manager or Service Provider understand my mission? Can they think strategically?
    • Do I need an independent/objective IT Advisor?
  – Are any of my programs/projects dependent upon IT?
    • How will the technology utilized impact my IT environment?
    • Is the technology utilized in accord with my IT strategy?
  – Is responsibility for mission/IT alignment clearly defined?
    • Who is accountable for achieving alignment?
    • What are the consequences if alignment is not achieved?
  – Is there clear communication between IT and programs?
How do we align the Nonprofit and IT?
• Clear and open communication between Programs and IT is especially important for Nonprofits
  – Most nonprofit executives and boards don’t have a deep enough understanding of IT to adequately perform alignment
    • An IT Advisor may need to be engaged to help translate between the programs and IT and facilitate alignment
  – A majority of IT capabilities is usually outsourced, and IT service providers are servicing multiple customers
    • The Nonprofit may not be a priority for the service provider
    • The IT service provider is an external party, so it requires additional effort to coordinate communication/activities
  – While the risk of a Nonprofit IT failure is usually lower, the impact of failure is often higher due to smaller economic resources to absorb the failure or re-perform the project
    • Failure could be a non-realization of expected benefits
How do we define and measure [IT] performance?
• Part of defining responsibility and accountability is having a clear definition of performance
  – Availability – it’s available for use when I need it; “uptime”
  – Accessibility – it’s usable where I need to use it
  – Functionality – it provides the functionality I need
    • Accuracy – computations are performed correctly
    • Integrity – the integrity of my data/files is maintained
    • Usability – it is easy to use and intuitive
    • Responsiveness – actions are completed within a reasonable time / within the expected time
  – Security – data/files are kept secure (including addressing confidentiality and privacy)
• Most nonprofit users don’t want to understand the technology; they just want it to work when they need it and as they expect it to
How do we define and measure [IT] performance?
• Nonprofits should define their business requirements for IT performance based on their mission/business strategy
• Availability – it’s available for use when I need it
  – During what times do systems need to be available?
    • What are the organization’s hours of operation?
    • Are there times when the organization doesn’t operate?
    • Are there times when certain business functions can be down?
  – What level of downtime is acceptable?
    • Remember that most systems need some kind of scheduled maintenance and backup window
    • Is the impact of downtime offset by the cost of additional availability measures?
  – Is a business continuity plan in place to mitigate the risk of downtime? Disaster recovery plan, in case of major outage?
How do we define and measure [IT] performance?
• Nonprofits should define their business requirements for IT performance based on their mission/business strategy
• Accessibility – it’s usable where I need to use it
  – Do I need access outside of the office?
    • Traditional solution: VPN
    • Cloud computing is increasing the accessibility of applications and data beyond the office network
  – Do users need offline access? (e.g. at client/constituent’s place)
  – Do users need access on mobile devices?
  – If client/constituent facing:
    • How are my clients/constituents accessing the system?
    • How do clients/constituents expect to access the system?
  – Are accessibility (security/confidentiality/privacy) risks appropriately mitigated?
How do we define and measure [IT] performance?
• Nonprofits should define their business requirements for IT performance based on their mission/business strategy
• Functionality – it provides the functionality I need
  – Accuracy – computations are performed correctly
  – Integrity – the integrity of my data/files is maintained
  – Usability – it is easy to use and intuitive
  – Responsiveness – actions are completed within a reasonable time / within the expected time
• Most Nonprofits are used to working with these performance measures
  – These requirements should be defined and used as the basis for software/vendor selection. Since most Nonprofits are probably not doing custom development, it is important to find the best fit solution—and often it will not be a 100% solution.
How do we define and measure [IT] performance?
• Nonprofits should define their business requirements for IT performance based on their mission/business strategy
• Security – data/files are kept secure (including addressing confidentiality and privacy)
  – Are there regulatory or other compliance requirements associated with your data?
  – Have privacy controls been designed to address both technical and non-technical data/file risks?
  – If data is stored in the cloud or on a vendor’s systems:
    • What measures has the vendor taken to ensure security?
    • Is a Service Organization Controls (SOC) report or SSAE 16 report (if financial-related) available?
    • Have management controls been mapped to the SOC report and vendor control structure?
How do we define and measure [IT] performance?
• Establish responsibility and accountability by clearly defining performance criteria for each application/system used by the business
  – Availability – it’s available for use when I need it; “uptime”
  – Accessibility – it’s usable where I need to use it
  – Functionality – it provides the functionality I need
    • Accuracy – computations are performed correctly
    • Integrity – the integrity of my data/files is maintained
    • Usability – it is easy to use and intuitive
    • Responsiveness – actions are completed within a reasonable time / within the expected time
  – Security – data/files are kept secure (including addressing confidentiality and privacy)
• Define these in “business” not “technical” terms
How do we manage [IT-related] change?
• To ensure that the full benefits of an IT-related initiative can be realized, remember to consider the impact of the change to:
  – The organization itself
  – Employees
  – Clients and Constituents
  – The organization’s IT environment and risk posture
• In Nonprofits, both executives/program management and IT service providers often forget that while simpler, the Nonprofit environment is also smaller.
  – A small change can sometimes have a much bigger impact.
  – A stone in a lake can cause tidal waves in a puddle.
How do we manage [IT-related] change?
• IT-related change can impact the organization and its employees and clients/constituents in many different ways
  – Changes to business processes and procedures
  – Different tools / applications used to complete a task
  – Increased / decreased access to data / information
• Common staff complaints about IT-related change
  – Nobody told us it was changing!
  – Yes, the technology is good, but the impact to our procedures wasn’t considered until the new technology was already here.
  – We didn’t receive any training for the new technology.
  – The data is organized differently from the old system.
  – The computations are performed differently from the old system.
  – I can’t get the same reports that I used to from the old system.
How do we manage [IT-related] change?
• In addition to user-side impacts, consider the impact to the overall IT environment:
  – Have we increased our reliance upon a system—thereby increasing the potential impact of an availability issue?
  – Have we increased the accessibility of information?
    • Do we need to consider any additional mobile device risks?
  – Has the change in functionality impacted the efficiency, effectiveness, or agility of our business processes?
  – Does the change introduce any data-related risks? (e.g. privacy, confidentiality, security, backup, recoverability)
• How do the changes impact the organization’s overall IT environment risk posture?
  – Is this an acceptable part of the business strategy?
  – Do we need to take any additional risk mitigation measures?
How do we manage [IT-related] change?
• Every change has risks associated with it
  – Just because a change has risks, it doesn’t mean that you shouldn’t do it—work to manage risk, not eliminate it
• Manage risk by evaluating the risk and taking the appropriate mitigation steps to minimize the negative impact of the change
  – Balance cost of mitigation with benefits of managing the impact
• Sometimes not making a change is a risk in and of itself—consider the cost/impact of not changing
  – Lack of change can lead to stagnation
• Remember to consider the people and process aspects of the change, not only the technology.
How do we organize [IT] decision rights?
• There are usually two different approaches to IT decision-making by smaller Nonprofits
  1. Minimal Involvement by executive or board
    • Just wants to know what it will cost and, as long as it is reasonable (i.e. cost doesn’t seem excessive), will approve
    • For the most part, decision authority rests with the IT manager or IT service provider
  2. High Involvement by executive or board
    • Wants to understand everything that is being done
    • Will approve once it makes sense to them and they can validate the cost
    • Decision authority rests with the executive—IT Manager / IT Service Provider must “convince” the executive of necessity
How do we organize [IT] decision rights?
• There are inherent flaws in both approaches
  1. Minimal Involvement
    • Requires a high level of trust in the IT Manager/Service Provider
    • Requires a highly competent IT Manager/Service Provider
    • Usually a spend-based decision
  2. High Involvement
    • Executive/Board usually lacks expertise to adequately evaluate options
    • Cost validation usually doesn’t involve apples-to-apples comparisons
    • Usually a spend-based decision
• Both approaches often lack
  – Consideration of mission/business strategy
  – Consideration of IT-related business risks
  – Longer term cost management perspective
How do we organize [IT] decision rights?
• The better approach is to identify business-focused parameters that provide a basis for decision-making
  – Strategic Alignment
  – IT Performance
  – IT Risk Management
  – Change Management
  – Cost Management
• The Board of Directors should identify the key parameters that drive what is considered in evaluating options
  – IT Manager/Service Provider prepares an analysis of options based on the parameters
  – CEO/Executive Director is briefed on options based on parameters and recommendation from IT Manager/Service Provider
  – CEO/Executive Director makes final decision
IT Governance in Action – a practical example
• Consider the following scenario: A small nonprofit wants to enable its staff of 10 people to have access to their e-mail anytime, anywhere on their laptops and mobile devices
• It is considering three solution options:
  1. Microsoft Small Business Server (SBS)
  2. Microsoft Office 365
  3. Google Apps for Nonprofits
The business currently uses POP e-mail boxes provided by its Internet Service Provider (ISP) and Microsoft Outlook 2007.
IT Governance in Action – a practical example
• How do we align the Nonprofit and IT?
  – Strategic imperative
    • Enable staff to spend more time with clients/constituents
    • Be more responsive to client/constituent requests
    • Business need = anytime, anywhere access across devices
  – Analysis of current ISP provided POP mail
    • Provides this at a basic level (e-mail can be accessed anywhere with an Internet connection)
    • Doesn’t allow for easy synchronization of data across devices — contacts and calendar entries must be entered separately on each device or synced via USB cable
  – All solutions considered enable synchronization across devices and provide anytime, anywhere access
    • All align at a high level with the mission/business strategy
IT Governance in Action – a practical example
• How do we define and measure IT performance?
  – System availability or “uptime” is a key metric
    • Clients/constituents are in multiple time zones
    • Staff has flexible work schedules, so some work at night too
  – Based on the answer to this question:
    • SBS is an on-premise solution, and the cost of making it highly available would make the cost of SBS far exceed the other two
  – Office 365 and Google Apps become the two leading options
    • Google Apps provides a 99.9% uptime guarantee, including maintenance windows
    • Microsoft Office 365 provides a 99.9% uptime guarantee, excluding maintenance windows
    • Microsoft Office 365 actually has a lower actual uptime if you adjust it for the maintenance windows
IT Governance in Action – a practical example
• How do we manage IT-related change?
  – The organization’s staff is very competent, but they are not all particularly technology-savvy
  – Switching to a Google Apps solution
    • Potentially requires the staff to learn a new system
    • Gmail web interface/functionality is very different from traditional POP web mail
    • Potential incompatibility with historical e-mail / archives
  – Switching to Microsoft Office 365 or SBS
    • Staff continue to use Outlook on their computers
    • Outlook Web Access (web mail) looks like Outlook
  – Mobile device e-mail functionality will depend on which kind of mobile device is used
IT Governance in Action – a practical example
• How do we organize IT decision rights?
  – While this question is really speaking more toward decision-making authority, in this example we can also interpret it as:
• What are the criteria for choosing a solution?
  – Strategy = Google Apps for Nonprofits or Microsoft Office 365
  – Uptime = Google Apps for Nonprofits
  – Change = Microsoft Office 365
  – Cost & Cash Flow
    • Gmail is Free (<3000 users) vs Microsoft Office 365 is $48/user/year
  – Security / Compliance
    • Microsoft Office 365 has options that meet ISO 27001, FIPS 140-2, HIPAA, FERPA, ITAR
IT Governance in Action – a practical example
• What would you purchase?
• Each organization’s situation is different
  – Different business strategies
  – Different key factors / considerations
  – Different staff competencies
  – Different technology platforms
  – Different IT Manager / service provider competencies
  – Different cost / cash-flow management situations
• An IT Governance framework helps to ensure all of these differences are considered in making an IT decision
What are the costs and benefits of improvement of IT governance?
• IT governance doesn’t have to cost a lot
  – It does involve some up-front time to answer the questions
  – It does require some heavy thinking to answer them “right”
• IT governance helps ensure IT value
  – Manage the costs of non-compliance
  – Balance short-term savings with long-term value
  – Manage indirect costs of change
  – Balance benefits, cost, and risk
• IT governance enables strategic advantage
  – Better alignment of IT with missions/business strategy
  – Improve the efficiency, effectiveness, and agility of business processes
Call to Action – IT Governance
• Nonprofit leaders must guide the decision-making and actions of their IT manager or IT service providers
  – Establish clear expectations and accountability for IT
  – Prevent a fragmented IT environment
  – Mitigate IT-related risks
  – Manage IT-related costs
  – Ensure alignment of IT with mission/business strategy
• Proper governance of IT maximizes the benefits of your IT investments and helps you better achieve your mission
Thank you for your attention and participation!
Donny C. Shimamoto, CPA.CITP, CGMA
donny@intraprisetechknowlogies.com
(808) 735-8324 voice
IntrapriseTechKnowlogies LLC
www.intraprisetechknowlogies.com | Hawaii | California
Any Questions?