Insight Article

IT risk management for not-for-profits

Securing your technology and data

April 08, 2021

For many not-for-profit organizations, the effects of the pandemic have been amplified by a general decrease in availability of funding. Personal and corporate budgets alike have tightened, greatly reducing the amount of individual giving, spending and programmatic funding, which is the lifeblood for so many not-for-profits. At the same time, information technology (IT) risks have never been greater and only continue to escalate, and organizations must keep pace with threats and emerging regulatory requirements.

Unfortunately, many not-for-profits have been forced to do more with less due to reductions in their already limited internal resources, increasing the difficulty of maintaining operations and potentially decreasing visibility into potential technology risks. In this challenging environment, your organization must understand how to implement strategies to protect your technology and information assets, allowing you to better accomplish your mission.

The IT concerns within many organizations centre on three key areas: IT risk, IT strategy and IT security. In many cases, not-for-profits do not have a defined IT risk universe or strategy, leading to unidentified risk exposures, activities and applications that are not aligned to mission-critical objectives, and an inability to efficiently access data when needed. In addition, many organizations do not establish key performance indicators (KPIs) that help drive better decisions, and do not have systems that can scale with growth or automate manual processes.

While IT strategic and risk-based challenges can hinder operations, IT security issues can present significant threats to your IT environment, which may result in a loss of data, reputational damage, or even fines and penalties related to exposure of sensitive information. With outdated or ineffective technology in place, many not-for-profits have vulnerable systems and weak controls, potentially exposing key donor, employee and volunteer information to unauthorized users and external threats.

In addition, data privacy regulations continue to evolve, yet many organizations are not aware of them, or don’t think they apply when, in reality, they do. For example, your IT systems may need to comply with myriad privacy regulations, such as the European Union’s (EU) General Data Protection Regulation (GDPR), which provides for protection of data for EU residents, no matter whether that data resides within the EU or not.

Similarly, the California Consumer Privacy Act (CCPA) was adopted in 2018 to protect California citizens’ personal data. While the act is generally not applicable to not-for-profits, there are certain instances in which it is. Therefore, both GDPR and CCPA could be applicable to organizations that collect or process EU and California resident data, no matter whether they are based within those specific geographic bounds. In Canada, the private sector is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA); however, many not-for-profits also need to consider the various provincial Acts (such as Alberta PIPA, BC PIPA, the Quebec Act and Ontario PHIPA).

Your organization can implement multiple processes to secure the critical applications, supporting systems and databases to ensure the confidentiality of your key information assets. These include:

  • IT risk assessment: The technology risks you face are multifaceted and dynamic, from business continuity to cybersecurity. An important first step in addressing the risks that matter most is identifying and prioritizing them based on your exposure and potential impact on your organization. Performing a comprehensive IT risk assessment can help lay the groundwork for future strategic initiatives as well as identify areas of immediate importance for the organization to address.   
  • IT gap assessment: An assessment will typically project your organization’s IT and system needs in future years. It will document opportunities to enhance your governance structure, policies and procedures, and evaluate the use of KPIs and dashboards to make strategic decisions that align with your business objectives and goals.
    In addition, the gap assessment can focus on regulatory privacy expectations and general data protection expectations.   
  • Comprehensive enterprise-wide information security risk assessment: This assessment evaluates your entire security environment and provides an understanding of the risks prevalent within your organization, evaluating threats so you can direct efforts and controls toward the most significant risks. This assessment also emphasizes documenting your organization’s processes and key controls to determine whether they mitigate your risks and effectively scale with growth.

As threats continue to evolve, the IT controls environment for not-for-profits becomes more challenging to monitor and more threatening to operations. To help identify and manage the most critical IT risks and achieve compliance with regulatory guidelines, organizations must implement an effective IT risk, security and privacy posture that considers both current needs and future demands. After all, an ounce of prevention is worth a pound of cure.
