Donor-Advised Fund Giving Holds Strong
Charles Burke, CPA
Inflationary concerns may have cut into some giving to not-for-profits, but donor-advised funds (DAFs) continue to provide strong support. Schwab Charitable reports that its donors increased their grants by 27%, to more than $4.7 billion, for the fiscal year ended June 30, 2022. They recommended 993,000 grants to 117,000 charities, a 24% jump in the number of grants over 2021. Donors averaged 13 grants each. Notably, unrestricted grants accounted for 72% of the total, giving recipients greater flexibility.
Fidelity Charitable has reported similarly impressive figures. In the first half of 2022, its donors made almost a million grants totaling $4.8 billion — an 11% increase from the first half of 2021. Fidelity’s total giving in 2021 was a record-setting $10.3 billion, 41% more than in 2019. The 2.2 million grants in 2021 went to 187,000 organizations. According to Fidelity, the giving was the result of an average 12.4 grants per account.
Age and trust in not-for-profits
More than half of U.S. adults (57%) still trust not-for-profit organizations. That’s one of the positive findings from the Most Trusted Brands 2022: Trust in Nonprofits survey and analysis, conducted by Morning Consult, a Washington, D.C., research and technology firm. The report also includes some warnings, though.
For example, the average level of trust in not-for-profits varies greatly by generation. Baby Boomers have the highest level of trust (67%), but only 46% of Gen Z adults trust not-for-profits. The younger cohort is also less aware than the general public of the 50 not-for-profits included in the survey. Their plans to give, however, are in line with or higher than those of other generations. Morning Consult’s analysis concludes that Gen Z should be a priority for not-for-profits as they seek to build their reputations with the next generation of donors and volunteers.
Board Oversight of Cybersecurity
Caitlin Gibbs, CPA
The board’s role in the oversight of organizational risk is increasingly complicated by cybersecurity concerns. Cybersecurity risk is pervasive and will affect companies in a variety of ways. The responsibility for detailed cyber risk oversight within the board should be well documented and communicated. It is also important for the board to evaluate existing experience and skills, identify gaps and address those gaps through succession planning or leveraging advisors. Additionally, all directors need to stay current on evolving cyber issues and on management’s plans for allocating resources toward preparedness in responding to cyber risks.
We have prepared the following compilation of critical questions that boards and management should be considering with respect to mitigating cybersecurity risk for their organizations. These questions may be useful as a starting point for boards in their discussions with management and in overseeing management’s plans for addressing potential cyber risks.
- What is the threat profile and risk tolerance of our organization based on our business model and the type of data our organization holds?
- Is the cyber risk management plan documented, including the identification, protection and disposal of data?
- Has the cyber risk management plan been tested?
- Does our organization’s cybersecurity strategy align with our threat profile and risk tolerance?
- What percentage of our IT budget is dedicated to cybersecurity?
- Does that allocation conform to industry standards?
- Is it adequate based on our threat profile?
- What is the interaction model between senior management and the board for communications regarding cybersecurity?
Board Cybersecurity Oversight
- How is oversight of cybersecurity structured (committee vs. full board) and why? Is this structure well documented in the appropriate governance charters?
- Is there a cyber expert on the board?
Overall Cybersecurity Strategy
- Does the board play an active part in determining the organization’s cybersecurity strategy?
- What are the key elements of a good cybersecurity strategy?
- Is the organization’s cybersecurity preparedness receiving the appropriate level of time and attention from management and the board (or appropriate board committee)?
Risk Assessment: Risk Profile
- What are the potential cyber threats to the organization?
- Who is responsible for management oversight of cyber risk?
- Has a formal cyber assessment been performed? Does it need to be updated?
- Do management and the board understand the organization’s vulnerabilities and how it may be targeted for cyber-attacks?
Risk Assessment: Cyber Maturity Oversight
- Who is accountable for assessing, managing and monitoring the risks posed by changes to the business strategy or technology, and are those individuals empowered to carry out those responsibilities?
- Is there someone dedicated full-time to our cybersecurity mission and function, such as a Chief Information Security Officer (CISO)?
- Do the inherent risk profile and cybersecurity maturity levels meet risk management expectations from management, the board and shareholders? If there is misalignment, what are the proposed plans to bring them into alignment?
- Do the organization’s policies and procedures demonstrate management’s commitment to sustaining appropriate cybersecurity maturity levels?
- What is the ongoing practice for gathering, monitoring, analyzing and reporting risks?
- How effective are the organization’s risk management activities and controls identified in the assessment?
- How does the company remain apprised of laws and regulations and ensure compliance?
- What cloud services does our organization use and how risky are they?
- How are we protecting sensitive data?
External Dependency Management
- What third parties does the organization rely on to support critical activities and does the organization regularly audit their level of access?
- What is the process to oversee third parties and understand their inherent risks and cybersecurity maturity?
Cyber Incident Management & Resilience
- How does management validate the type and volume of cyber-attacks?
- Does the organization have a comprehensive cyber incident response and recovery plan? Does it involve all key stakeholders – both internal and external? Does it include a business disaster recovery communication process?
- How does an incident response and recovery plan fit into the overall cybersecurity strategy?
- Is there a culture of cyber awareness and reporting at all levels of the company?
- Is the company adequately insured and is coverage reviewed at least annually?
- How does the board remain current on cybersecurity developments in the market and the regulatory environment?
- Do boards currently have the skill sets necessary to adequately oversee cybersecurity? How is the board identifying and evaluating the necessary director skills and experience in this area?
- Is regular cybersecurity education provided to the entire organization including the board?
- Has oversight of cybersecurity reporting been defined for management and the board?
- Are the following being included within the financial statement and proxy disclosures: company policies and procedures to identify and manage cybersecurity risk, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise and its oversight of cybersecurity risk?
- Does the company have a mechanism for timely reporting of material cybersecurity incidents?