Information flow is the new cash flow, quite literally, in the case of electronic funds transfer. More metaphorically, in the case of the myriad of electronic transactions collecting, storing and analysing data or those that carry conversations to plan and make decisions.
In both cases, if the flow stops, the organisation stops. Yet Information and Communications Technology (ICT) governance lags far behind fiscal governance in most organisations. It begins and ends with minimising costs, fretting about social media and obtaining (often untested) assurances that the back-ups are regularly taken.
The ISO/IEC standard 38500 for corporate governance of information technology owes much to the earlier Australia standard AS 8015. It identifies three clear duties of ICT Governance as shown in Figure 1.
There is a clear advantage in having some technical skills around the board table to support the evaluation function. It is also the only cost effective way most charities can gain expert insight when developing plans and policies. The environmental scan needs expertise to answer strategic questions about which technologies have the potential to mitigate operational pressures and to meet mission needs. However, less specialist knowledge is required to direct and monitor ICT operations as a cash flow analogy shows. Boards may be surprised to know that by considering their information flow in the same way as their cash flow, they can strengthen their governance of ICT without additional training.
In some instances the words cash and information can simply be interchanged.
Both must be controlled. Policies and procedures are needed for cash or information to:
- ensure efficient and complete collection
- store safely and securely
- control access
- use (spend/report) effectively to supply business needs
- ensure sufficient is available at all times to meet operational needs
The analogy gets a little looser when you start to consider inflows and outflows. It’s less about positive and negative; more about collecting and reporting. Funders are never impressed if you can’t report accurately and in a timely manner and regular shortfalls may put the funding in jeopardy. Then there is the cost of collecting, storing, processing and using information. This may be more complex than bank charges and interest rates but value and performance are just as important.
The “hot topic” of privacy also stretches the cash flow analogy; moreso for charities than commercial organisations. Transparency of cost structures and distribution of spending often needs to be disclosed to donors; something a commercial company would consider commercially confidential. However the concept of keeping private information safely under lock and key does have similarities to the handling of cash. Your organisation needs to know where it is, who has access and must record transactions accurately. Those records and policies may not (yet) require auditing but you may need to justify events and security measures if a complaint is made.
Privacy is starting to generate a compliance burden. Legislators on both sides of the Tasman are strengthening provisions for audits, reporting standards and consumer rights. Privacy complaints need to be managed as carefully as consumer complaints. Both have a legislative framework. Both require that policies and procedures are in place to ensure complaints can be answered when they arise as well as determine how they will be dealt with. Refunds are not possible but disclosing and correcting information may be required. And then there are thefts or privacy breaches. There have been a lot of these in the news over the last few years and the reputational risk for not-for-profit organisations is clearly considerable. The media will be all over the situation, you’ll have to apologise to donors and other stakeholders for embarrassment or worse, you can be sued for damages and need to prove to others that you’ve repaired the damage in order to start restoring trust. In these circumstances, fundraising will suffer.
The final similarity is in the operational / governance split. Most of the work involved with cash flow is a management issue and so it is with information flow. But it is the board’s responsibility to provide strategic direction, ensure compliance and hold management to account.
Is your board as effective with information as it is with cash?
This article was originally published in the 2013 Better Boards Conference Magazine.