IT Governance for (smaller) Nonprofits
TRANSCRIPT
IT Governance for (smaller) Nonprofits – #12NTCITGov
Donny C. Shimamoto, CPA.CITP, CGMA
Speaker Biography
Donny C. Shimamoto, CPA.CITP, CGMA
• Donny is the founder of IntrapriseTechKnowlogies LLC, a CPA firm focused on organizational
development and advisory services for the middle market. An active CPA, Certified
Information Technology Professional (CITP), and Chartered Global Management Accountant
(CGMA), Donny helps many organizations by bridging accounting and IT to strengthen
organizational governance and risk management, improve business processes through IT, and
increase the effectiveness of decision making through business intelligence.
• Donny was recognized as one of 25 Top Thought Leaders in Public Accounting by CPA Practice
Advisor in 2012, received the 2009-2010 President’s Award from the Hawaii Society of CPAs,
was named to CPA Technology Advisor’s 40 Under 40 list in 2007 & 2009 and was also a
Hawaii Top High Tech Leader in 2004.
• In the nonprofit world, Donny works with community foundations, social service agencies,
community centers, and membership associations.
IntrapriseTechKnowlogies LLCTechnologies and knowledge for synergizing your intraprise
www.intraprisetechknowlogies.com | Hawaii | California
IT Governance for (smaller) Nonprofits
• Why IT Governance is important for Nonprofits
• IT Governance
– Defined & Adapted for (smaller) Nonprofits
• An IT Governance Framework for (smaller) Nonprofits
– How do we align the business and IT?
– How do we define and measure [IT] performance?
– How do we manage [IT-related] change?
– How do we organize [IT] decision rights?
– IT Governance in Action – a practical example
– What are the costs and benefits of improvement of IT governance?
• Call to Action – IT Governance
Why IT Governance is Important
• Myth: IT Governance is only for large companies
• "Effectively managed IT can provide small businesses with a competitive advantage, whereas ineffective management can impair the business as a whole."
– ISACA Journal Online, 2009 Vol. 4
– http://www.isaca.org/Journal/Past-Issues/2009/Volume-4/Pages/JOnline-Small-Business-IT-Governance-Implementation.aspx
• Nonprofits that use IT as part of their daily operations need IT
governance:
– To help maximize the benefits of their IT investment, and
– Manage the risks that reliance upon IT introduces into their
organizations.
Why IT Governance is Important
• There are major forces driving the need for IT Governance in
Nonprofits
– Increased Compliance Requirements: Regulation, Privacy, PCI DSS
– Evolving Security Threat Landscape: PCI DSS, EFT Fraud
– Economic Unpredictability: IT Value Management
– Organizational Agility: Business Continuity, Project Execution
• By establishing a clear framework for IT-related decisions that
balances benefits, cost, and risk, Nonprofits can ensure better
alignment of their IT investments with their missions/business
strategy and improve the overall efficiency, effectiveness, and
agility of their business processes.
IT Governance – Definition
• The IT Governance Institute (ITGI) definition:
“the responsibility of executives and the board of
directors and consists of the leadership, organizational
structures and processes that ensure that the
enterprise’s IT sustains and extends the organization’s
strategy and objectives.”
Source: ITGI, 2003
IT Governance – Definition
[Diagram: Corporate Governance subsumes IT Governance, which in turn subsumes IT Management; each lower layer "is part of" the one above it.]
Source: Roger Debreceny, Shidler Distinguished Professor of Accounting, University of Hawaii at Manoa, Nov 2010
IT Governance – Definition
“the responsibility of executives and the board of directors and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategy and objectives.”
Source: ITGI, 2003
• Responsibility:
– Executives & Board of Directors
• Elements:
– Leadership
– Organizational Structures
– Processes
• Objective:
– Ensure IT sustains and extends the organization’s mission and strategy
IT Governance – Adapted Definition for Smaller Nonprofits
• Definition adapted to smaller Nonprofits:
IT Governance is the leadership, structures and processes that a
nonprofit’s executives and board of directors put in place to
ensure that their organization’s IT sustains and extends their
business strategy and objectives in achieving its mission.
• IT governance provides the framework to guide how
IT-related decisions are made. This is especially important
when there is someone who is making technology decisions
on behalf of a nonprofit’s management.
IT Governance – Adapted Definition for Smaller Nonprofits
[Diagram: Corporate Governance, IT Governance and IT Management as nested layers (each "is part of" the one above it); IT Governance binds/guides IT Management, which in a smaller nonprofit is driven by IT Service Providers and/or an IT Manager.]
Adapted from: Debreceny, Nov 2010
IT Governance – Nonprofit Framework
[Diagram: IT Governance sits between Business Strategy and the IT layer (IT Strategy, IT Infrastructure, IT Projects, IT Risk Management, Compliance). It establishes a framework to structure and guide IT decision-making and how IT is used as part of the organization; the connections are labelled "alignment" (strategy to IT) and "value delivery" (IT to strategy).]
Source: IntrapriseTechKnowlogies LLC, 2011
IT Governance – Nonprofit Framework
• Establish a framework to structure and guide:
– IT decision-making; and
– How IT is used as part of the business.
• IT decision-making in Nonprofits
– IT Manager – usually technically focused
– IT Contractor – usually technically focused
– Key weakness: narrow perspective & lack of business acumen
• IT as part of the business
– Increasing pervasiveness of IT supporting business processes
– Increasing ease of access to data and applications
– Increasing dependence on IT service providers
– Key weakness: Lack of risk awareness and mature IT controls
IT Governance – Nonprofit Framework
• Consider the following BIG QUESTIONS:
– How do we align the mission/business strategy and IT?
– How do we define and measure [IT] performance?
– How do we manage [IT-related] change?
– How do we organize [IT] decision rights?
– What are the costs and benefits of improvement of IT governance?
Source: Debreceny, Nov 2010
These questions help to ensure greater alignment of
IT decision-making with the mission/business strategy,
and clear performance and accountability for IT.
How do we align Programs and IT?
• The corporate answer:
– Strategy Council
– Business involvement in
• Strategy planning
• Program management
• Project management
– Clear RACI planning
– Outward facing staff from IT to the Business
Source: Debreceny, Nov 2010
• These can be overkill in a Nonprofit’s smaller, less complex environment,
but the intent and purpose of some of these structures must still be
considered—and sometimes reversed.
RACI defined:
• Responsible
• Accountable
• Consulted
• Informed
How do we align the Nonprofit and IT?
• Corporate answer:
– Strategy Council
– Business involvement in
• Strategy planning
• Program management
• Project management
– Clear RACI planning
– Outward facing staff from IT to the Business
– Issues: (1) Business units and IT operating in separate silos; (2) IT function may be centralized or decentralized
• SMB Nonprofit answer:
– Strategy Council: N/A – usually not necessary
– IT Advisor’s involvement in
• Strategic planning
• Program management
• Project management
– Clear RACI planning
– Close relationships between key IT service providers and business managers
– Issues: (1) Programs operating with an absence of IT expertise; (2) the Nonprofit is not the highest priority of the IT service provider.
How do we align the Nonprofit and IT?
• Nonprofit considerations for programs/IT alignment:
– What role does IT play in achieving the mission/business strategy?
– Should IT be included in strategic planning?
• Does my IT Manager or Service Provider understand my mission? Can
they think strategically?
• Do I need an independent/objective IT Advisor?
– Are any of my programs/projects dependent upon IT?
• How will the technology utilized impact my IT environment?
• Is the technology utilized in accord with my IT strategy?
– Is responsibility for mission/IT alignment clearly defined?
• Who is accountable for achieving alignment?
• What are the consequences if alignment is not achieved?
– Is there clear communication between IT and programs?
How do we align the Nonprofit and IT?
• Clear and open communication between Programs and IT is
especially important for Nonprofits
– Most nonprofit executives and boards don’t have a deep enough
understanding of IT to adequately perform alignment
• An IT Advisor may need to be engaged to help translate between the
programs and IT and facilitate alignment
– A majority of IT capabilities is usually outsourced and IT service
providers are servicing multiple customers
• The Nonprofit may not be a priority for the service provider
• The IT service provider is an external party so requires additional effort to
coordinate communication/activities
– While the likelihood of an IT failure in a Nonprofit is usually lower (the environment is smaller and less complex), the impact of a failure is often higher, because there are fewer economic resources to absorb the failure or re-perform the project
• "Failure" includes the non-realization of expected benefits, not only an outage
How do we define and measure [IT] performance?
• Part of defining responsibility and accountability is having a
clear definition of performance
– Availability – it’s available for use when I need it; “uptime”
– Accessibility – it’s usable where I need to use it
– Functionality – it provides the functionality I need
• Accuracy – computations are performed correctly
• Integrity – the integrity of my data/files is maintained
• Usability – it is easy to use and intuitive
• Responsiveness – actions are completed within a reasonable time / within
the expected time
– Security – data/files are kept secure (including addressing
confidentiality and privacy)
• Most nonprofit users don’t want to understand the technology, they just want it to
work when they need it and as they expect it to
How do we define and measure [IT] performance?
• Nonprofits should define their business requirements for IT
performance based on their mission/business strategy
• Availability – it’s available for use when I need it
– During what times do systems need to be available?
• What are the organization’s hours of operation?
• Are there times when the organization doesn’t operate?
• Are there times when certain business functions can be down?
– What level of downtime is acceptable?
• Remember that most systems need some kind of scheduled maintenance
and backup window
• Is the impact of downtime offset by the cost of additional availability
measures?
– Is a business continuity plan in place to mitigate the risk of downtime?
Disaster recovery plan, in case of major outage?
How do we define and measure [IT] performance?
• Nonprofits should define their business requirements for IT
performance based on their mission/business strategy
• Accessibility – it’s usable where I need to use it
– Do I need access outside of the office?
• Traditional solution: VPN
• Cloud computing is increasing the accessibility of applications and data
beyond the office network
– Do users need offline access? (e.g. at client/constituent’s place)
– Do users need access on mobile devices?
– If client/constituent facing:
• How are my clients/constituents accessing the system?
• How do clients/constituents expect to access the system?
– Are accessibility (security/confidentiality/privacy) risks appropriately
mitigated?
How do we define and measure [IT] performance?
• Nonprofits should define their business requirements for IT
performance based on their mission/business strategy
• Functionality – it provides the functionality I need
– Accuracy – computations are performed correctly
– Integrity – the integrity of my data/files is maintained
– Usability – it is easy to use and intuitive
– Responsiveness – actions are completed within a reasonable time /
within the expected time
• Most Nonprofits are used to working with these performance
measures
– These requirements should be defined and used as the basis for
software/vendor selection. Since most Nonprofits are probably not
doing custom development, it is important to find the best fit
solution—and often it will not be a 100% solution.
How do we define and measure [IT] performance?
• Nonprofits should define their business requirements for IT
performance based on their mission/business strategy
• Security – data/files are kept secure (including addressing
confidentiality and privacy)
– Are there regulatory or other compliance requirements associated
with your data?
– Have privacy controls been designed to address both technical and
non-technical data/file risks?
– If data is stored in the cloud or on a vendor’s systems:
• What measures has the vendor taken to ensure security?
• Is a Service Organization Controls (SOC) report available? A SOC 2 report covers security, availability, confidentiality and privacy controls; a SOC 1 (SSAE 16) report covers controls relevant to financial reporting. Check the report's scope, period and noted exceptions, since it only speaks to the controls and time span it covers
• Have management's own controls been mapped to the SOC report and the vendor's control structure, so that the controls the vendor does not cover are handled by the Nonprofit?
How do we define and measure [IT] performance?
• Establish responsibility and accountability by clearly defining performance
criteria for each application/system used by the business
– Availability – it’s available for use when I need it; “uptime”
– Accessibility – it’s usable where I need to use it
– Functionality – it provides the functionality I need
• Accuracy – computations are performed correctly
• Integrity – the integrity of my data/files is maintained
• Usability – it is easy to use and intuitive
• Responsiveness – actions are completed within a reasonable time
/ within the expected time
– Security – data/files are kept secure (including addressing
confidentiality and privacy)
• Define these in “business” not “technical” terms
How do we manage [IT-related] change?
• To ensure that the full benefits of an IT-related initiative can be
realized, remember to consider the impact of the change to:
– The organization itself
– Employees
– Clients and Constituents
– The organization’s IT environment and risk posture
• In Nonprofits, both executives/program management and IT
service providers often forget that while simpler, the Nonprofit
environment is also smaller.
– A small change can sometimes have a much bigger impact.
– A stone dropped in a lake causes ripples; the same stone causes a tidal wave in a puddle.
How do we manage [IT-related] change?
• IT-related change can impact the organization and its
employees and clients/constituents in many different ways
– Changes to business processes and procedures
– Different tools / application used to complete a task
– Increased / decreased access to data / information
• Common staff complaints about IT-related change
– Nobody told us it was changing!
– Yes, the technology is good, but the impact to our procedures wasn’t
considered until the new technology was already here.
– We didn’t receive any training for the new technology.
– The data is organized differently from the old system.
– The computations are performed differently from the old system.
– I can’t get the same reports that I used to from the old system.
How do we manage [IT-related] change?
• In addition to user-side impacts, consider the impact to the
overall IT environment:
– Have we increased our reliance upon a system—thereby increasing
the potential impact of an availability issue?
– Have we increased the accessibility of information?
• Do we need to consider any additional mobile device risks?
– Has the change in functionality impacted the efficiency, effectiveness,
or agility of our business processes?
– Does the change introduce any data-related risks? (e.g. privacy,
confidentiality, security, backup, recoverability)
• How do the changes impact the organization’s overall IT
environment risk posture?
– Is this an acceptable part of the business strategy?
– Do we need to take any additional risk mitigation measures?
How do we manage [IT-related] change?
• Every change has risks associated with it
– Just because a change has risks, it doesn’t mean that you shouldn’t do
it—work to manage risk, not eliminate it
• Manage risk by evaluating the risk and taking the appropriate
mitigation steps to minimize the negative impact of the change
– Balance cost of mitigation with benefits of managing the impact
• Sometimes not making a change is a risk in and of itself—
consider the cost/impact of not changing
– Lack of change can lead to stagnation
• Remember to consider the people and process aspects of the
change, not only the technology.
How do we organize [IT] decision rights?
• There are usually two different approaches to IT
decision-making by smaller Nonprofits
1. Minimal Involvement by executive or board
• Just wants to know what it will cost and as long as reasonable (i.e.
cost doesn’t seem excessive) then will approve
• For the most part, decision authority rests with the IT manager or
IT service provider
2. High Involvement by executive or board
• Wants to understand everything that is being done
• Will approve once it makes sense to them and they can validate
the cost
• Decision authority rests with the executive—IT Manager / IT
Service Provider must “convince” the executive of necessity
How do we organize [IT] decision rights?
• There are inherent flaws in both approaches
1. Minimal Involvement
• Requires a high-level of trust in IT Manager/Service Provider
• Requires a highly competent IT Manager/Service Provider
• Usually a spend-based decision
2. High Involvement
• Executive/Board usually lacks expertise to adequately evaluate options
• Cost validation usually isn’t an apples-to-apples comparison
• Usually a spend-based decision
• Both approaches often lack
– Consideration of mission/business strategy
– Consideration of IT-related business risks
– Longer term cost management perspective
How do we organize [IT] decision rights?
• The better approach is to identify business-focused parameters
that provide a basis for decision-making
– Strategic Alignment
– IT Performance
– IT Risk Management
– Change Management
– Cost Management
• The Board of Directors should identify the key parameters that
drive what is considered in evaluating options
– IT Manager/Service Provider prepares an analysis of options based on
the parameters
– CEO/Executive Director is briefed on options based on parameters and
recommendation from IT Manager/Service Provider
– CEO/Executive Director makes final decision
IT Governance in Action – a practical example
• Consider the following scenario:
A small nonprofit wants to enable its staff of 10 people
to have access to their e-mail anytime, anywhere
on their laptops and mobile devices
• It is considering three solution options:
1. Microsoft Small Business Server (SBS)
2. Microsoft Office 365
3. Google Apps for Nonprofits
The business currently uses POP e-mail boxes provided by its Internet
Service Provider (ISP) and Microsoft Outlook 2007.
IT Governance in Action – a practical example
• How do we align the Nonprofit and IT?
– Strategic imperative
• Enable staff to spend more time with clients/constituents
• Be more responsive to client/constituent requests
• Business need = anytime, anywhere access across devices
– Analysis of current ISP provided POP mail
• Provides this at a basic level (e-mail can be accessed anywhere with an
Internet connection)
• Doesn’t allow for easy synchronization of data across devices — contacts
and calendar entries must be entered separately on each device or synced
via USB cable
– All solutions considered enable synchronization across devices and
provide anytime, anywhere access
• All align at a high level with the mission/business strategy
IT Governance in Action – a practical example
• How do we define and measure IT performance?
– System availability or “uptime” is a key metric
• Clients/constituents are in multiple time zones
• Staff has flexible work schedules, so some work at night too
– Based on the answer to this question:
• SBS is an on-premises solution, and the cost of making it highly available would put its total cost far above the other two
– Office 365 and Google Apps become the two leading options
• Google Apps provides a 99.9% uptime guarantee that includes maintenance windows
• Microsoft Office 365 provides a 99.9% uptime guarantee that excludes maintenance windows
• Once maintenance windows are counted as downtime, the effective availability floor of Office 365 is therefore lower than that of Google Apps, even though both headline figures read 99.9%
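To make the uptime comparison above concrete, here is an added Python example (not from the presentation, and not from either vendor): it converts an SLA percentage into the downtime that percentage permits, and shows how an SLA that excludes scheduled maintenance lowers the availability a customer can actually count on. The 4-hour-per-month maintenance window is an assumed figure for illustration only, not a vendor's published value; the SLA names are constructed.

```python
"""Effective availability from an SLA figure (added example, not vendor data).

A "99.9% uptime" SLA is a threshold on *unplanned* downtime. When the SLA
excludes scheduled maintenance windows, the customer can experience the SLA
allowance PLUS the maintenance time and the vendor is still in compliance.
This module computes that worst-case figure so it can be compared against a
business availability requirement.
"""
from dataclasses import dataclass
from typing import List

MINUTES_PER_YEAR = 365.25 * 24 * 60  # 525,960


@dataclass(frozen=True)
class Sla:
    name: str
    uptime_pct: float                        # headline figure, e.g. 99.9
    maintenance_excluded: bool               # True: maintenance does not count against the SLA
    maintenance_min_per_month: float = 0.0   # ASSUMED size of the scheduled window (illustrative)

    def sla_downtime_minutes(self) -> float:
        """Unplanned downtime per year the vendor may incur and still meet the SLA."""
        return (1 - self.uptime_pct / 100) * MINUTES_PER_YEAR

    def worst_case_downtime_minutes(self) -> float:
        """Total downtime per year a customer could see while the vendor is still
        within its SLA: the SLA allowance plus any excluded maintenance time."""
        planned = self.maintenance_min_per_month * 12 if self.maintenance_excluded else 0.0
        return self.sla_downtime_minutes() + planned

    def effective_uptime_pct(self) -> float:
        """The availability floor the customer can actually rely on."""
        return 100 * (1 - self.worst_case_downtime_minutes() / MINUTES_PER_YEAR)

    def meets_requirement(self, max_downtime_hours_per_year: float) -> bool:
        """Does the worst case stay within the organization's stated tolerance?"""
        return self.worst_case_downtime_minutes() <= max_downtime_hours_per_year * 60


def compare(slas: List[Sla]) -> List[Sla]:
    """Rank offerings by the availability floor, best first."""
    return sorted(slas, key=lambda s: s.effective_uptime_pct(), reverse=True)


if __name__ == "__main__":
    # Constructed inputs modelled on the slide: two 99.9% SLAs that differ only
    # in whether maintenance windows count. The 240 min/month window is assumed.
    includes_maint = Sla("Vendor A (maintenance included)", 99.9, maintenance_excluded=False)
    excludes_maint = Sla("Vendor B (maintenance excluded)", 99.9, maintenance_excluded=True,
                         maintenance_min_per_month=240)
    # Assumed business requirement: no more than 10 hours of downtime per year.
    tolerance_hours = 10
    for sla in compare([excludes_maint, includes_maint]):
        print(f"{sla.name}: floor {sla.effective_uptime_pct():.3f}%, "
              f"worst case {sla.worst_case_downtime_minutes() / 60:.1f} h/yr, "
              f"meets {tolerance_hours} h/yr requirement: {sla.meets_requirement(tolerance_hours)}")
```

Two practitioner notes: an SLA percentage is the point at which service credits become payable, not a guarantee of availability, so the effective floor is the number to put into the availability requirement; and the maintenance window size and timing must come from the vendor's actual terms, since a window that falls outside the organization's hours of operation may not matter at all.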
IT Governance in Action – a practical example
• How do we manage IT-related change?
– The organization’s staff is very competent, but they are not all
particularly technology-savvy
– Switching to a Google Apps solution
• Potentially requires the staff to learn a new system
• Gmail web interface/functionality very different from traditional POP web
• Potential incompatibility with historical e-mail / archives
– Switching to Microsoft Office 365 or SBS
• Staff continue to use Outlook on their computers
• Outlook Web Access (web mail) looks like Outlook
– Mobile device e-mail functionality will depend on which kind of
mobile device is used
IT Governance in Action – a practical example
• How do we organize IT decision rights?
– While this question is really speaking more toward decision-making
authority, in this example we can also interpret it as:
• What are the criteria for choosing a solution?
– Strategy = Google Apps for Nonprofits or Microsoft Office 365
– Uptime = Google Apps for Nonprofits
– Change = Microsoft Office 365
– Cost & Cash Flow
• Google Apps for Nonprofits (Gmail) is free (under 3,000 users) vs Microsoft Office 365 at $48/user/year
– Security / Compliance
• Microsoft Office 365 offers options that address ISO 27001, FIPS 140-2, HIPAA, FERPA and ITAR requirements; confirm that the specific plan being purchased carries those options and that any required agreement (for example a HIPAA business associate agreement) is actually in place before relying on them
IT Governance in Action – a practical example
• What would you purchase?
• Each organization’s situation is different
– Different business strategies
– Different key factors / considerations
– Different staff competencies
– Different technology platforms
– Different IT Manager / service provider competencies
– Different cost / cash-flow management situations
• An IT Governance framework helps to ensure all of these
differences are considered in making an IT decision
What are the costs and benefits of improvement of IT governance?
• IT governance doesn’t have to cost a lot
– It does involve some up-front time to answer the questions
– It does require some heavy thinking to answer them “right”
• IT governance helps ensure IT value
– Manage the costs of non-compliance
– Balance short-term savings with long term value
– Manage indirect costs of change
– Balance benefits, cost, and risk
• IT governance enables strategic advantage
– Better alignment of IT with missions/business strategy
– Improve the efficiency, effectiveness, and agility of business processes
Call to Action – IT Governance
• Nonprofit leaders must guide the decision-making and
actions of their IT manager or IT service providers
– Establish clear expectations and accountability for IT
– Prevent a fragmented IT environment
– Mitigate IT-related risks
– Manage IT-related costs
– Ensure alignment of IT with mission/business strategy
• Proper governance of IT maximizes the benefits of your IT
investments and helps you better achieve your mission
Thank you for your attention and
participation!
Donny C. Shimamoto, CPA.CITP, CGMA
(808) 735-8324 voice
Any Questions?