case study

THE SPROUT FOUNDATION The Sprout Foundation (TSF) is a tier-2 not-for-profit (NFP) charitable organisation. TSF's vision and mission are all about promoting a society where every child (hence the origin of the word "Sprout") gets a chance to have a fair go in life and for them to grow as a young adult with dignity and adequate skills to enrich themselves and their community. As a charity, TSF is focused on community development activities in marginalised areas in developing countries. The focus of its mission is mainly in the Pacific and Asian region. TSF has a presence in all major cities in Australia, Pacific, and Asian countries to coordinate fund-raising campaigns and community development activities (CDA). TSF offices in some of the Pacific and Asian countries are there mainly to arrange, monitor, and maintain its community development activities for those places. For recording income and meeting financial reporting and disclosure requirements TSF is classified as a small to medium tier-2 charity (https://www.acnc.gov.au/). Even so, the Foundation has achieved revenue of roughly AUD230 million per annum for the last 5 years and on a growth trajectory that looks like continuing. While income from registered donors accounts for much of the increase, TSF has also been successful in winning a number of long-term Wold Bank and UNDP grants that are supporting growth. Revenue has enabled TSF to improve and extend its CDA. One of its more prominent CDA is child education and sponsorship where certain arrangements are made with a local school so that a community's children can study while their cost of education, including associated study costs for uniforms, books, technology access and meals are being subsidised by TSF. Where it is needed TSF has worked with local communities to provide funding and support to build key facilities such as schools, clean water wells, sanitary facilities, and health clinics. Two years ago, TSF successfully launched a new Community Co-Operatives Improvement Programme (CCOIP) which aims to encourage under-developed communities to work together in a co-op model to produce certain products (e.g., crafts and natural produce) and sell products, to a regional market. The TSF SPROUT branded co-operative model provides a readily identifiable trademark that is supporting increases in the bargaining power of communities (instead of individuals of the community selling a product at a lower quantity and price) and benchmarks quality control of products for sale. The TSF philosophy is to ensure co-operatives are communityled however it maintains a closely linked partnership for the purposes of branding, benchmarking and cooperation among the TSF value network of partners, donors and distributors and with the wider network of Pacific and Asia communities. The TSF partner network is critical not only to the operation of the CCOIP programme but to TSFs entire mission where TSF is dependent on local, regional, and international cooperation. There is an ongoing communication between TSF and its partners covering not only key processes pertinent to assistance and aid distribution (e.g., purchasing of materials, logistics, maintenance), but in the case of CCOIP also covers the business processes and activities that coordinate the buying and selling of CCOIP products produced by the local communities. Some of the CCOIP products are exported, distributed, and sold globally via the network of TSF partners. In this regard, TSF's role is limited only to the initial negotiation of terms and conditions of the relationships and to coordinate and facilitate the transaction between CCOIP communities and the partners. To ensure the benefits will go back to the CCOIP communities, TSF also relies on its partners to regularly report their sale of CCOIP products back to TSF. Recording the return from sales proceeds that go to the CCOIP communities in different regions and how that income is used, to improve basic facilities or to fund education of the children and young adults in the communities is a TSF responsibility. Obviously with the growth experienced by TSF, especially the CCOIP, the number of reports and the intensity of the reports that need to be processed and monitored have increased quite substantially. Processing these reports (and other information provided by TSF partners) in an effective and timely manner is important for TSF. It has an implication to cost of operations as well as implication to the subsequent processing of the funds generated from the sales of CCOIP products. As TSF operations span across multiple countries, it is subject to the law and regulation of the countries in which it is operating in. However, at the same time, TSF must comply with Australian law as its HQ is registered in Australia. This is particularly challenging in situations where TSF's staff who are operating in the host country are required to share information with the local authorities of the host country, as it may be deemed inappropriate under Australian law (e.g. The Privacy Act (Cth) 1988). In these cases, TSF staff must keep a record of the information they have shared with the host country and are often required to communicate and consult with headquarters in Australia about the best ways to handle information sharing. Individual client case files, legal files and associated records may need to be kept both in regional officers and at Australian HQ. Where World Bank and UNDP grants apply to an initiative TSF officers are also required to report back to these organisations. TSF has always relied on field staff to work remotely and with a high reliance on mobile networked technology. In its current operations, TSF officers operating in different countries are normally equipped with a set of mobile communication devices that can be mission critical for day to day operations. This includes smart phones and/or satellite phones (for those going to remote areas), and a laptop. Staff are required to report to the local and/or regional office periodically to provide updates on the CDA, the communities, the team, and themselves. Maintaining operations during COVID-19 hasn't been easy, field staff have found themselves in-country for longer periods of time than usual with travel restrictions limiting the normal rotation of staff. The main impacts have been in Australia where TSF office staff have also commenced working remotely form their own homes. one of them main changes to creep into the work place during this time has been the use of a range of new online meeting and collaborative work technologies including Zoom, WebEx and MS teams. The problem is no one has settled on just which meeting technology to use and there a lot of questions to be answered yet, which is the more secure platform, which is the better system of record, and how can the technology be integrated into TSFs work environment. The ad-hoc nature applied to choosing meeting and communication software at TSF is unfortunately not a new issue, the organisation has always struggled with rogue IT. Staff have been allowed to bring their own phones and laptops into key operational areas for reasons that have been lost in a poorly documented corporate memory (although one staff recalls that it might have been a "cost consideration", e.g., staff BYOD = less financial commitment from the organisation to provide a device for the staff member). Often staff bring in their own devices, citing "familiarity with the device" as the main reason and the TSF coordinators have allowed this. In a lot of cases where staff are allowed to bring their own devices operational issues may appear. Some of the issues are in the form of compatibility, different document and file formats (sometimes staff working with different types of applications forget to save the files in the appropriate format prior to distribution to other staff local or regional offices and HQ), support for devices. In a few cases, malicious software has been introduced into the system and has affected local and regional operations significantly. Last year the system at Melbourne HQ was affected by this issue. Allegedly the malicious code was brought in by a privately-owned laptop of TSF field-staffer returning from overseas assignment. For better or worse, the issue of the use of personal devices at work is a somewhat vexed and unregulated issue. It is also crucial to understand the competitive environment surrounding the not-for-profit (NFP) and charity environment. A lot of people do not realise that competition for funding among the NFP and charity organisations are truly intense. COVID-19, inflation, uncertainties regarding the interest rates, high commodities prices, increasingly high cost of living, and job market uncertainties contribute to the concerns of the public which may/will influence their decision regarding donating money to any charity. Reputation of the NFP/charity organisation, how they disburse the fund, the cause they support, the area of operation, and numerous other reasons also play significant and influential roles in "convincing" donors/potential contributors to help funding a certain cause/CDA. Accountability and transparency around funds and their distribution is a very high concern for granting agencies, contributors and donors. They want to know how much in a dollar they have contributed is actually being used to support the cause they have chosen instead of going to the cost of administering certain community programmes (e.g., administrative cost, processing fee) or worse trimmed through fraudulent behaviour. Shortcomings in TSFs fund and initiative management system, TSF-ONE (a bespoke Internet based SQL database system) have recently been blamed for the postponement of several business and project initiatives due an inability to accurately trace who has accessed the fund management module of the system. Funds have been frozen while the issue is addressed, and it has become impossible to operationalise many proposed initiatives that are due to start soon. Uncertainty around access to the system has become a very serious dilemma for TSF staff, most of whom pride themselves on their genuinely altruistic motivations. The Board is aware of TSF-ONE issue, but the problem is a complicated one: TSF-One has developed overtime and now integrates HR, accounts and funds management with a range of back-of-house operations from stationary requisition to staff travel arrangements. Normally the Board is happily somewhat ignorant of IT issues and claim that "IT is an operational concern not required to be discussed at the level of the Board. This attitude is supported by the CFO who normally treats IT as a cost report. There is no IT representative to the Board, nor does IT report to the Board. The IT department interests are represented by the CFO who generally is not keen on occupying the Board's time with "non- strategic" issues. The Board is aware of the current TSF-ONE issue and management has commissioned the appointment of a new Business Information Systems Manager to improve the existing funds management system in the short term while exploring its replacement ASAP. In the meantime, TSFs Human Resource team (comprising 1 manager and 2 HR specialists), have decided not to wait for the arrival of proper functionality in a new system. They are seriously considering going to the cloud now. The HR manager has recently attended a presentation regarding Software as a Service (SaaS) in the HR area and are impressed with the benefits that could be gained by using a cloud-based/SaaS HR platform. She has initiated a discussion with Workday, a US based SaaS provider. Ultimately, her intention has been to get funding from the CFO directly and use that to purchase a SaaS service from one of the Human Resource Management Systems providers. According to one of her contacts in the HR profession, Workdays Human Capital Management is a good solution for her contacts company. There was a discussion about the data centre and the server being in the US as the list of Australian clients is not big enough to justify an infrastructure presence here, but she doesnt really care about that. All she wants is better functionalities for her team. The management of TSF is well aware of the importance of its data, and despite its problems the Charity believes TSF-One has a good data backup strategy in place right already. The backup of the corporate data (which is vast as it comprises operational data from multiple countries, transactional data from partners - e.g., CCOIP sales data -, transactional data from grantors, donors, donors list, donors information, project data and more) is done monthly. The data backup service is provided "pro bono" by a small company located in the Dandenong Range willing to contribute to TSF to aid social agenda of doing good. Although it is a start-up company, the Dandenong backup service has promised "excellent and reliable service to secure all corporate data and information" and "provide cost effective solutions to corporate data backup and restoration". Although its been a very hot summer, the company has an immaculate office in a beautiful part of the Range that so far as not been affected by recent fires; it has an impressive looking data backup infrastructure as per the information provided in their web page, and it has leased enough bandwidth from an ISP to perform off-site backups on regular basis. One aspect of IT that everyone at TSF is proud of, is the recent (4 months in operation now) establishment of the TSF data analytics team (TSF-DAT). The TSF-DAT department is located in the east wing of Melbourne HQ and is being used extensively to support and drive multiple aspects of the organisation's various operations and programmes through evidence-based data analytics. With a high-speed, high-capacity, integrated voice- video-data telecommunication facility, and RAID storage technology in place TSF-DAT has the capacity to take data sharing and communications with regional offices to new levels, allowing for an increasing amount of remote management directly from Australia. The value of TSFs data is being seen as a critically important business resource, not only for daily operations, but for winning future grants and projects. TSFDAT has a continuous redundant backup facility that is linked to the current Dandenong service provider via high-speed broadband connections, but this is operating separate from TFS-ONE. The recently appointed Business Information Systems Manager has been asked to investigate best practice management of TSFs information assets, systems security, and the integration of TSFDAT with existing systems &/or the development of new solutions, and importantly, where to host TSFs systems - on an external cloud service, or on their own internal servers.

Question (risk security and management )

Recommendations on an improved approach to information governance and risk`

management at TSF