As the COVID-19 pandemic called many not-for-profits to serve more needy clients and change the way they sought donations, it also led them to invest in themselves — especially in their technology.
Six in 10 respondents to BDO's not-for-profit benchmarking survey said they accelerated their investments in technology in 2021. And in both 2020 and 2021, 64% of the not-for-profit respondents said they planned to invest in new technology.
"You're at a very opportune time for organizations to go through various digital transformations," said Andrea Wilson, a partner with BDO who co-leads the firm's Nonprofit and Education Practice along with Adam Cole, CPA, who also is a partner.
When the pandemic brought a rush of panicked work-from-home decisions requiring technology for connectedness, many not-for-profits were caught off guard. Not-for-profits don't have the reputation for being early adopters of technology, as they try to maximize the funding of their missions and often don't have a budget for big spending. As a result, some of them spent their early pandemic days with employees working on their home laptops and limited access to key systems.
Many large not-for-profits were still running paper checks and working on manual systems.
"For years, organizations really were hesitant to invest in themselves," Wilson said. "Every dollar went toward mission, and few dollars and even few cents went to really investing into the organization themselves, which included the technology to support the organization."
The pandemic prompted many not-for-profits to invest in technology. In the BDO survey, accelerated investments in technology were reported in 2021 by:
- Half of not-for-profits with less than $25 million in annual revenue;
- 60% of not-for-profits with $25 million to $75 million in annual revenue; and
- 65% of not-for-profits with more than $75 million in annual revenue.
These investments need to be made carefully and deliberately, though. Choosing technology that doesn't fit organizational purpose or match the not-for-profit's needs can result in wasted funding and suboptimal productivity gains.
Wilson and Cole say not-for-profit leaders who wish to get the most out of their technology spending need to develop a comprehensive strategy, consider cybersecurity, and recruit technology experts for the board.
A technology strategy
Rather than thinking just about their basic financial package or their traditional enterprise resource planning (ERP) system, Wilson said leaders should consider all the technology that fuels the not-for-profit.
This might include point-of-sale, budgeting, customer relationship management, document management, robotic process automation, and other systems.
"Take a moment to understand all the interconnectivity and interdependencies and really understand how you maximize information," she said. "… How do we use that throughout the organization to become more sustainabile and more thriving, and meet the true mission?"
Wilson also encourages not-for-profit leaders to think in broad terms about how technology can support their mission and culture. For example, if an organization prides itself on personal service to clients, perhaps it's not best to install a new phone system that makes it nearly impossible to speak with a human being.
Not-for-profits are high-value targets for cybercriminals because they often store personal data such as Social Security numbers, birth dates, and credit card numbers. Sometimes the individuals not-for-profits serve are children, seniors, or adults with disabilities, who can be easy targets for data thieves.
"You have to create a structure to make sure you develop new protocols to protect this data," Cole said. "… The hackers are getting smarter, and organizations need to stay ahead."
Systems need to be walled off to prevent bad actors from gaining access through vendors that have unwittingly been hacked. Backups need to be created, updated, and maintained so that a hacker can't grind operations to a halt with ransomware. Organizations also need a documented, well-rehearsed plan in place for what to do when it experiences a breach.
Ultimately, though, people are the most vulnerable, primary access point to systems, Wilson said. That makes training them one of the most important tasks of cybersecurity work. A not-for-profit's employees (and board members and volunteers) need to understand that they should not open suspicious emails, click on unfamiliar links, or send money to anyone until the source of a request can be identified as authentic.
And empoyees need to be suspicious of unexpected emails from vendors requesting payments. They must also confirm requests for money transfers and other items that appear to come from within their own company.
"They [hackers] come disguised as your CEO or your supervisor," Cole said.
Employees then don't confirm the request with their CEO or supervisor because management is busy and employees don't want to bother them. They send the money, and it's gone.
"They're not following the protocols," Cole said. "You have to put all the processes and procedures in place. But I saw two to three instances where people … just weren't following their own protocols, and this happened."
The right expertise on the board
It has long been a given that boards need members with financial expertise, and that's why so many CPAs are recruited for service on boards of all types.
The proliferation of technology throughout organizations now makes tech expertise a must for any board as well. Many boards of larger organizations even have a technology committee.
"You need to have boards take responsibility and make sure management is following all the proper protocols and rules and that they have controls in place," Cole said.
Boards need to have experts who understand technology basics such as infrastructure, social media, cybersecurity, and the intricacies of connecting with customers through e-commerce. Fortunately, the proliferation of technology through every organization has led to a wealth of individuals with knowledge in these areas, but some of them will be more familiar with technology than with what's required of a board member.
A strong onboarding system may be necessary to help them understand a board member's responsibilities.
"It's making sure there's enough skill set within the board to really support management and provide critical questions, being able to advise management in their role, making sure they're really deploying risk mitigation activities," Wilson said
— To comment on this article or to suggest an idea for another article, contact Ken Tysiac at Kenneth.Tysiac@aicpa-cima.com.