5 Tips Corner - IT risk management for nonprofits: Securing your technology and data

For many nonprofit organizations, the effects of the pandemic have been amplified by a general decrease in availability of funding. Personal and corporate budgets alike have tightened, greatly reducing the amount of individual giving, spending and programmatic funding, which is the lifeblood for so many nonprofits. At the same time, information technology (IT) risks have never been greater and only continue to escalate, and organizations must keep pace with threats and emerging regulatory requirements.

Unfortunately, many nonprofits have been forced to do more with less due to reductions in their already limited internal resources, increasing the difficulty of maintaining operations and potentially decreasing visibility into potential technology risks. In this challenging environment, your organization must understand how to implement strategies to protect your technology and information assets, allowing you to better accomplish your mission.

The IT concerns within many organizations center on three key areas: IT risk, IT strategy and IT security. In many cases, nonprofits do not have a defined IT risk universe or strategy, leading to unidentified risk exposures, activities and applications not aligned to mission-critical objectives, and not being able to efficiently access data when needed. In addition, many organizations do not establish key performance indicators (KPIs) that help drive better decisions or have systems that can scale with growth or automate manual processes.

While IT strategic and risk-based challenges can hinder operations, IT security issues can present significant threats to your IT environment, which may result in a loss of data, reputational damage, or even fines and penalties related to exposure of sensitive information. With outdated or ineffective technology in place, many nonprofits have vulnerable systems and weak controls, potentially exposing key donor, employee and volunteer information to unauthorized users and external threats.

In addition, data privacy regulations continue to evolve, yet many organizations are not aware of them, or don’t think they apply when, in reality, they do. For example, your IT systems may need to comply with myriad privacy regulations, such as the European Union’s (EU) General Data Protection Regulation (GDPR) which provides for protection of data for EU residents, no matter whether that data resides within the EU or not.

Similarly, the California Consumer Privacy Act (CCPA) was adopted in 2018 to protect California citizens’ personal data. While the act is generally not applicable to nonprofits, there are certain instances in which it is. Therefore, both GDPR and CCPA could be applicable to organizations that collect or process EU and California resident data, no matter whether they are based within those specific geographic bounds. Several additional individual states have enacted or are planning similar data privacy legislation, further complicating the landscape.

Your organization can implement multiple processes to secure the critical applications, supporting systems and databases to ensure the confidentiality of your key information assets. These include:

  • IT risk assessment: The technology risks you face are multifaceted and dynamic, from business continuity to cybersecurity. An important first step in addressing the risks that matter most is identifying and prioritizing them based on your exposure and potential impact on your organization. Performing a comprehensive IT risk assessment can help lay the groundwork for future strategic initiatives as well as identify areas of immediate importance for the organization to address.
  • IT gap assessment: An assessment will typically project your organization’s IT and system needs in future years. It will document opportunities to enhance your governance structure, policies and procedures, and evaluate the use of KPIs and dashboards to make strategic decisions that align with your business objectives and goals. In addition, the gap assessment can focus on regulatory privacy expectations and general data protection expectations.

  • Comprehensive enterprisewide information security risk assessment: This assessment evaluates your entire security environment, and provides an understanding of the risks prevalent within your organization, evaluating threats so you can direct efforts and controls toward the most significant risks. This assessment also emphasizes documenting your organization’s processes and key controls to determine whether they mitigate your risks and effectively scale with growth.

As threats continue to evolve, the IT controls environment for nonprofits becomes more challenging to monitor and more threatening to operations. To help identify and manage the most critical IT risks and achieve compliance with regulatory guidelines, organizations must implement an effective IT risk, security and privacy posture that considers both current needs and future demands. After all, an ounce of prevention is worth a pound of cure.

By Mike Tryon, Partner, RSM US LLP
