Perhaps more striking is that 24% of respondents indicated cyber security is among their organizations’ top three concerns. The Nonprofit Times reports that leaders elaborated with write-in responses, citing the following security-related issues: securing IT, managing and retaining data, ensuring privacy, managing system implementation, managing IT investments and upgrades, preventing and responding to computer fraud, managing vendors and service providers, and leveraging new technologies.
Clearly, all things technology-related are growing concerns throughout the nonprofit sector. But where does the increasing burden land? Like angst about raising dollars, distress over cyber security seems to be delegated by most boards to staff functions. Lines of responsibility are now fuzzy not only between the board and the Development Director, but between the board and the IT Director or CIO as well.
According to the survey, governance and risk management issues are broad, critical concerns. While 87% of respondents reported the implementation of key governance initiatives, approximately 40% indicated they are either “somewhat” or “not confident” in their governance practices. Such “practices” include: a social media policy (67%), a whistleblower policy (84%), a whistleblower complaint resolution process (77%), a formal record retention policy (90%), and a conflict-of-interest policy (92%).
At the same time, the study shows that over 60% of organizations lack an IT steering committee, and almost half of respondents do not have, or don’t know if they have, a process in place to assess IT risk. Moreover, less than a third of respondents’ organizations had conducted a risk management assessment.
The survey also revealed a surprising statistic about board education. While nearly 75% of respondents report an educational component to their annual board meetings, only half indicate the topic of governance is addressed in board meetings. Furthermore, less than 20% address risk management and only 25% discuss regulatory concerns.
Given the rise in cyber threats and other risks, CohnReznick recommends some best practices for boards:
1. Assign risk management oversight to a board committee – often the audit committee, which should include directors with risk management skills, assumes this responsibility.
2. Assign IT oversight to a board committee – whether finance, executive, or audit, the committee needs directors with professional IT experience as well as clearly defined goals and monitoring responsibilities.
3. Conduct the following assessments:
   - Risk management and cyber security policies and procedures
   - Governance practices as they comply with current state laws and known best practices
   - Board self-assessment
4. Educate board members – during board meetings, include educational programs on risk management and cyber security to ensure leaders are apprised of potential threats and trends.
The CohnReznick survey was completed by 470 nonprofit executives and board members across the U.S. last spring. Among them, 70% describe their organizations as related to education, healthcare, social services, or other broad-based charities. Most (nearly 60%) report revenues in the $1–25M range, while 20% report $25–100M and 10% report over $100M.