With the rising popularity of ChatGPT, I was curious how it might describe the top three issues facing community foundations. To my surprise, the results aligned closely to my own thoughts, further validating what I knew from experience to be true. While ChatGPT’s responses are restricted to information available through September 2021, I have found the three issues it highlighted are still relevant today: donor engagement and retention, evolving community landscapes, and sophisticated investment management.
How can community foundations best address these hurdles then? From my own experience as a consultant, I’ve found the majority are responding by focusing on risk management, technology improvements, and organization-wide infrastructure.
Has your organization identified and assessed your risks?
Risk management is one of those overarching terms that encompasses quite a lot, but ultimately it requires a community foundation to identify, assess, and address risks. Over the last few years, we have seen community foundations completing one or more of the following projects to address risk management:
- Engaging in a full risk assessment using the COSO framework – The five principles of the COSO framework include control environment, risk assessment, control activities, information, and communication. Additionally, a full risk assessment includes monitoring activities.
- Completing an internal control review – Tests are conducted of specific internal functions, like payroll and accounts payable processes.
- Conducting a penetration test – Using an outside consultant, a real-world cyber-attack is simulated to discover any vulnerabilities.
- Performing SOC audits – A Systems and Organization Controls (SOC) audit is an independent assessment of the risks associated with using third parties for financial reporting or handling sensitive information.
- Addressing where grantee bank account information is stored for security purposes.
- Determining the best way to report grants – Knowing the best way to report IRS Form 990, Schedules F, and Schedule I is important to proactively manage public scrutiny of grant activities, while meeting IRS reporting requirements.
- Conducting cybersecurity assessments – The assessment should be an organization-wide review of the security processes and practices leveraging various control frameworks.
Does your organization have a list of all systems used in the organization that includes the staff owner, the data held, and which systems the data is being shared with? If so, has it been turned into a visual?
Community foundations are no longer looking at systems discretely: they are holistically evaluating all systems being used together to best understand organizational needs and the dependencies between systems. While that doesn’t mean changing everything all at once, it does mean stepping back and looking at what is best for the organization and the experience of donors and grantees.
To support a hybrid workforce, we are seeing movement toward cloud-based technology. We are also seeing investment in efficiency reviews of existing technology. Organization leaders can take advantage of existing functionality by training staff to better utilize systems, rather than relying on spreadsheets or additional technology workarounds.
Do you have processes in place to aid in the success of your employees, donors, and vendors?
Community foundations are intentionally focusing on strengthening their infrastructure. Among their primary concerns is reviewing policies and procedures and updating systems to incorporate a remote workforce.
Foundations are also concerned with streamlining their donation process. By providing consistency in donor advised funds, barriers are reduced, and money can more easily move out the door. This process is especially important for organizations that are changing technology to ensure they are documenting donor recommendations on money coming in and out, with a lens of ease and efficient internal controls.
I’ve also noticed organizations using more consultants with their projects. In seeking consultants, I encourage the use of a Request for Information (RFI) versus Request for Proposals (RFPs). Preparing and/or reviewing an RFP requires a lot of staff time from the organization, and completing them requires a lot of time from the third-party provider. Overall, we have found that RFPs take away from the opportunity to develop a relationship and learn more about an organization’s culture. If you’re a member of the AICPA NFP Member Section, this is a great article outlining RFI and RFP benefits.
Further, the cost of professional services is increasing, so ensure you are entering into a collaborative relationship versus a transactional one when securing new services. Look for value-added services, such as not getting charged for quick questions, having access to training opportunities in the not-for-profit sector, and working with professionals that are on top of emerging issues at a national level.
To successfully make improvements to the risk management, technology, and infrastructure concerns your community foundation is facing, we recommend you:
- Put together a plan to address any gaps or vulnerabilities;
- Build time in the workday to focus on your plan;
- Be accountable in resolving issues as they arise; and
- Be open to pivoting when needed.
If you are interested in a thought leadership conversation, send me an email, and I’d be happy to chat!
© Clark Nuber PS, 2023. All Rights Reserved.