View Video

Subscribe to our Youtube Channel here

Listen to podcast

In Part 1 you will learn to set priorities (it’s not as hard as you think) and start building a roadmap from those priorities. In Part 2, you learn how to allocate budget, time, and staff energy, how to gauge the capacity of your organization for change, and how to build a simple timeline for implementing your IT Roadmap. Part 2 also includes audience Q&A.

Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on AppleGoogleStitcher, Pandora, and more. Or ask your smart speaker.

Community IT CEO Johan Hammerstrom in a new webinar hosted by the Nonprofit Learning Lab.

Do you budget to replace a third of your laptops every year? Is your cybersecurity patching and antivirus up to date? How often to you hold cybersecurity staff trainings? How can you ensure your big IT migration doesn’t happen the same month as your big annual conference and stress everyone out?

To fully utilize the power of IT to support your nonprofit, you need to have a plan. You don’t have to be an IT expert to incorporate basic IT budgeting and timelines into your strategic planning.

Join Johan Hammerstrom, CEO of Community IT Innovators, to learn actionable first steps and view some templates for creating a simple IT Roadmap that can help your nonprofit succeed.

Design an IT Roadmap to Create Value
Hosted by Nonprofit Learning Lab

Start up and small nonprofits can often manage their own IT using free and low-cost tools. But as you grow, you will need to build a roadmap to strategize your investments and timeline for the IT you need to keep your nonprofit functioning.

Many clients come to us with substantial technical debt from years – even decades – of under-investment in their office infrastructure. If this describes your situation, you are not alone. And it is not as hard and overwhelming to get on the right IT path as you might think.

In this webinar, we walk you through the steps to create your own IT roadmap, and share resources and advice with you on how to incorporate IT strategy into your leadership and budget practice.

You do not need to be “the IT person” to manage IT at your nonprofit. Anyone can take some basic steps to create your own IT roadmap, which we share in this webinar.

CEO Johan Hammerstrom, an expert with 20+ years of experience supporting nonprofit IT, walks through how to budget and plan for your nonprofit’s future.

You will learn

As with all our webinars, this presentation is appropriate for an audience of varied IT experience.

Community IT is proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.


Johan Hammerstrom’s focus and expertise are in nonprofit IT leadership, governance practices, and nonprofit IT strategy. In addition to deep experience supporting hundreds of nonprofit clients for over 20 years, Johan has a technical background as a computer engineer and a strong servant-leadership style as the head of an employee-owned small service business. After advising and strategizing with nonprofit clients over the years, he has gained a wealth of insight into the budget and decision-making culture at nonprofits – a culture that enables creative IT management but can place constraints on strategies and implementation.

As CEO, Johan provides high-level direction and leadership in client partnerships. He also guides Community IT’s relationship to its Board and ESOP employee-owners. Johan is also instrumental in building a Community IT value of giving back to the sector by sharing resources and knowledge through free website materials, monthly webinars, and external speaking engagements.

Johan graduated with Honors and a BS in Chemistry from Stanford University and received a master’s degree in Biophysics from Johns Hopkins University.

Johan enjoys talking with webinar attendees about all aspects of nonprofit technology. He is looking forward to sharing insights on how to design an IT roadmap to create value.

Carolyn Woodard managing Google Workspace and Office 365 together

Carolyn Woodard (moderator) is currently head of Marketing at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College.


Carolyn Woodard: Welcome everyone, to the Community IT Innovators’ webinar. We’re so happy that you’re hosting us today, Nonprofit Learning Lab, and we’re going to be talking about creating value by designing an IT roadmap for your nonprofit. 

I know planning for IT is one of those things that nonprofits have to do, and it can be a little scary. It might make you feel like you have to do it, but it’s overwhelming. 

So, today we’re going to take you through 


I’m going to introduce myself. My name is Carolyn Woodard. I’m the Outreach director for Community IT, and I’ll be the moderator today. Before I came to Community IT, I was, believe it or not, the IT director at a couple different nonprofits, large and small. So, I know what you’re going through, and I’ve been there. I know it’s hard to figure out even how to put a roadmap together if you’re not an IT person, which I definitely was not. So, I’m very happy to be here today with Johan who’s going to help us think through it. Johan, would you like to introduce yourself?

Johan Hammerstrom: Thank you Carolyn. And my thanks to the Nonprofit Learning Lab for hosting this webinar today. We’re really excited to be presenting on this topic. I’m the CEO at Community IT. I’ve been with the company for over 20 years, actually started on the technical side and worked directly with a lot of nonprofit organizations in helping them to use technology more effectively. I moved into management about 15 years ago and became the CEO of Community IT in 2015 when our founder, David Deal, left and sold the company to the employees.

Carolyn Woodard: Before we begin, if you’re not familiar with Community IT, a little bit about us. 

We are big fans of what well-managed IT can do for your nonprofit. We serve nonprofits across the United States, and we’ve been doing this for over 20 years. We are technology experts and we are consistently given the MSP 501 rating for being a top MSP, which is a recognition we received again in 2022. I do want to remind everyone that for the purpose of these presentations, we are vendor agnostic. We only make recommendations to our clients once we have their IT roadmap in place of what they need to do and the licenses they need to have.

We do consider ourselves a best of breed IT provider. So, it’s our job to know the landscape, what tools are available, reputable, and widely used. And we make recommendations on that basis for our clients based on their business needs, their priorities, and their budgets. 

I invite you to join us for our monthly webinar series where we cover other IT topics for nonprofits. You can check out our podcast. We have a YouTube channel as well, with lots of free resources. 

We really believe, and we are so lucky to be working with Nonprofit Learning Lab on this too, to provide a lot of resources free to our community so that everyone can do IT better.

Learning Objectives

All right, and with that, I want to go through our learning objectives for today. 

We have a lot that we’re going to cover today. We’re going to try to leave as much time as we can for some Q and A. And first we are going to start out with a couple of different polls. 


Poll 1: What is your role in your organization? 

The options are to be a 

  1. team member, 
  2. a manager,
  3. a director, 
  4. executive level, 
  5. CEO, or C level, 
  6. or this is not applicable. 

Johan, can you see that? And if you can, would you read the results?

What is your role in your organization?

Johan Hammerstrom: 40% of the respondents are team members. 20% are managers, another 20% directors, and another 20% at the executive level. So, pretty even distribution across those four different categories.

Carolyn Woodard: All right. And we’re going to skip right ahead to our next poll.

Poll 2: At your organization, who does IT report to?

And this really can be so different in different organizations. So, your options are,

  1. IT reports to the CIO, a chief information officer or the CTO, a chief technology officer. So, someone at the C level. 
  2. Number two, IT reports to an IT director who then reports to someone else.
  3. Number three, IT reports directly to the CFO, the COO or the executive director.
  4. Number four, which is also very common. There’s only me in my organization and I do it all. 
  5. And number five, other, or not applicable. So, you do have IT, but it doesn’t report to one of these different categories. 

I think that we have a pretty good response on this one as well. Johan, do you want to read the results?

Who does IT report to?

Johan Hammerstrom: Yep. 5% of respondents have IT reporting to the IT director. A quarter, 27% have IT reporting to the CFO, COO or executive director. Another quarter 23%, it’s only you and you do it all for IT. And then about half, 45% are other.

Carolyn Woodard: That’s great. Very interesting. So, everyone who’s out there doing it all yourself, we see you and we appreciate you. We have one more while we’re all feeling interactive. 

Poll 3: The third poll is how do you manage IT now? 

  1. We have a well-defined process annually. 
  2. Second option is we have an ad hoc process, 
  3. third option, it’s every department for themselves. So, there may be a process, but the different departments do their own thing. They may or may not have a process internally, but there’s no organization-wide process. 
  4. Number four, we don’t have an IT strategy. If that’s you, you’ve come to the right place. There’s no judgment and no worries, we’re here to help you. 
  5. And then number five option is other, or not applicable. 

You can see there’s a range. And I just want to emphasize again, there is no shame in falling in any of these categories. Nonprofits span from very large to very small and have all different levels of tech savviness. 

Just being in this webinar means that you want to have a good IT roadmap. Johan, would you like to read it?

How do you manage IT now?

Johan Hammerstrom: 5% have a well-defined process annually, about 50% have an ad hoc process, 40% don’t have an IT strategy, and then 10% are in the other category.

Carolyn Woodard: Excellent. That was really very informative, and I hope that you feel like there are other people who are in your same boat. That’s a good thing about doing those polls and showing people where they are in the process. 


Our learning objective that we’re going to start out with is setting priorities. Johan, I’m going to turn this over to you. 

We often say that people need to start with an assessment at their nonprofit. So, can you talk a little bit about how you do that and how people might go about it?

Johan Hammerstrom: Yeah, in some ways what a roadmap is, is a statement of priorities. What do you need to do and when are you going to do it? What comes first and then what comes next? At its simplest level, that’s basically what an IT roadmap is. And it’s helpful to have that written down so that it can be communicated to other groups in the organization, particularly leadership. 

With any luck, you have a board that’s engaged in a healthy way with the organization and might be interested in knowing what the IT roadmap is.

But fundamentally, an IT roadmap is a statement of organizational priorities. What’s the most important thing that the organization needs to work on? 

In order to make those decisions and identify what needs to be focused on first, what are the highest priority items that the organization has, you have to know where you are. You have to have an understanding of where things stand with it in the organization. And that’s why an assessment is so important. 

We typically recommend an assessment as the first step in developing an IT roadmap. And that sounds fancy. I think sometimes people get intimidated by, oh, an IT assessment! I’m going to have to go hire an expensive consultant to come in and it’s going to cost a lot of money, and I’m going to have a long document. That may be true for larger organizations that are more complex in their structure and the work that they’re doing.

But for smaller organizations, an assessment could just be very simple, just a one page, two page word document where you try to document as best you can, the IT that the organization has.

That snapshot is a great place to start. Now, for more mature and more sophisticated organizations, that extensive report may be necessary. So, it really depends on the size of the organization, your operational maturity. You’ll have the best sense of what is going to be appropriate for you all. 

Whoever has responsibility for IT for your organization, whoever’s solving the IT problems as they come up, maybe your IT department, you may have outsourced IT, you may have an accidental techie in the organization; you may be the accidental techie. Anyone who’s responsible for IT should be the first place you go to develop the assessment. 

They should have the expertise and the understanding of IT in the organization to put together a list like an inventory. Here are all the IT systems that we have that the organization uses. That can be hardware, software, it can be cloud applications. Just make it as exhaustive a list as you can. 

And then for each system, ask is it meeting our needs? Is it not meeting our needs? Is there a risk involved in this system, or is it relatively stable? Are there gaps? Are there things that the organization is trying to do that it can’t do because it doesn’t have the IT system in place? 

That’s essentially at a very basic level what the assessment is, and it’s something that’s going to be unique to your organization. 

And as I mentioned earlier, once you get that list, that inventory of IT systems with an evaluation of where the systems are and how well they’re meeting the needs of the organization, then you can start to prioritize that list and that leads you into developing the roadmap.

Carolyn Woodard: I love saying that it can be a Word document, because I think a lot of people think, oh, there’s a template or there’s a specific way that I have to document this. And really you can just sit by yourself or with some people in your department or in your organization and do it on a whiteboard, you can do it with post-its, you can do it in a Word document. Just take a note of all of the IT questions that are out there and what you know you have. Johan, do you want to talk a little bit more about setting priorities once you have that list?

Setting Priorities

Johan Hammerstrom: Yeah, this isn’t a universal recommendation. There are situations where it doesn’t necessarily go in the order that we’ve listed it here, but in our experience, the top priorities are the hardware infrastructure. 

Set Priorities

For organizations that still have an office, that might include 

There are probably exceptional cases where that isn’t necessary. We have not really run into those ourselves. But I can imagine circumstances where BYOD (bring your own device) is an appropriate approach to staff and their computing equipment. But in our experience with small and medium sized nonprofits that almost never works out. The organization is much better off providing laptops for their staff to work on. 

If you go through that assessment list and you see that you’re either not providing laptops for your staff, you’re maybe providing laptops for some staff, but not all staff, or the laptops that are being provided are five or six years old, that would be something to prioritize. Because if the hardware isn’t working, nothing else is going to work.

And we’ve seen it over and over again: situations where organizations are just stuck in the mud with their IT because they haven’t prioritized investing in hardware. Once you make those investments, it really takes you to the next level. We recommend replacing laptops every three to four years and desktops every four to five years. So, you’re replacing a third to a quarter to 20% of your computer equipment every year. That’s our recommended approach. And it becomes part of your ongoing operating budget. 

Once you’ve got that system in place and it is running in maintenance mode and once you’ve done that for your networking equipment as well, then you can start to focus on your existing services.

The services that you’re using for email, for security, to protect the data of the organization, services that you’re using for managing projects and initiatives, services that you’re using for managing donations and funding, for program delivery or for financial management, basically all of the different organizational functions that your nonprofit has, most likely have some IT service corresponding to that organizational function. 

Whether it’s something advanced like Razor’s Edge for fundraising management or something simple like a spreadsheet. A lot of organizations will start with using a spreadsheet, which I’m personally a big fan of. I think that can be a great way to start tracking data and information, particularly at an early stage of using an information system, especially for smaller programs.

But you need to prioritize making sure that those existing services are paid for, are being well supported, are secure, and are being well managed. And it’s possible for a service to be deployed and then not really managed very well. So, you want to identify those services in that assessment and identify services that may need additional attention. 

And then once you’ve prioritized that you can focus on new initiatives. Are there new programs that your organization is pursuing that are going to require new IT systems? Or are there new ways of collaborating? 

A cliché example would be the shift to remote work that happened in 2020 as a result of the pandemic. In a sense that was a new initiative because for a lot of organizations, it was a whole new way of working. And there was a new IT system that went along with that shift, which was Zoom for a lot of organizations; Microsoft Teams, Google Meet for other organizations. 

There was a new way of working and it had an IT system that needed to be purchased and deployed and supported and invested in that went along with it and that’s a good reminder that the best laid plans, right? You can put your roadmap together, but the unexpected will come up. The nice thing about having a roadmap is that when the unexpected does arise, you can see how it fits into the overall capacity of your organization to manage IT.

Carolyn Woodard: I know we had at least one client in 2020 that already had their roadmap in place for going to remote service over the next four years. So, when they had to approach their funder, I remember they were able to take that to them and do it in four months, or something like that. They knew what they had been planning to spend on their new equipment and their ability to do this remote service. It really was helpful to them that they already had the roadmap in place and were able to just take that to their funder and talk about what they already had planned to do. So, that’s another good thing about having the roadmap in place. 

We’ve been talking kind of abstract about this. So, designing an IT roadmap from your priorities if you are a visual learner, once you’ve put those priorities in place and thought about those levels that Johan was just talking about, this is an example of what it might look like. 

IT Roadmap Example

Johan Hammerstrom: Yeah. You inventory all of your IT systems, hardware, software services. You do an assessment of those systems and then based on that assessment, you develop a list of recommendations. These are essentially improvements that need to be made. 

For example, the first item here is laptop encryption. It’s a critical security need that every organization should implement. So, maybe you did the assessment and you were looking at your laptops and identified that the laptops aren’t encrypted and your staff work from home. If the laptop gets stolen or lost or misplaced with organizational data on the laptop in an unencrypted form, particularly if you’re working with PII (personally identifiable information), that becomes a disclosure incident and you have to disclose that the PII that your organization works with was stolen. If the laptops of your staff are encrypted, then the disclosure requirement is no longer there.

If you’re managing donations and you have your donor’s name and address, that’s PII. Probably the most high profile example of PII is HIPAA, you know, the health data that exists in electronic medical records. 

That’s just one example. We’ve listed a variety of different recommendations that were made by whoever put the assessment together. Some of these are technical tasks that need to be completed. Some of them are improvements to existing services. Some of them are adjacent to IT, but essential to using IT effectively, like developing an IT acceptable use policy or developing an incident response plan.

Once you’ve come up with that list of recommendations, then the next step is to prioritize. 

We like to categorize recommendations in these three different categories

Urgency is, how important is this? How, how critical is it? What’s the level of risk associated with this recommendation? For example: laptop encryption, high risk. It’s pretty urgent. It needs to happen quickly. 

Server decommissioning. If you have critical information on an old server that’s out of warranty, that’s at risk of failure, that’s pretty high risk as well. 

The managed printer solution, that’s maybe not as urgent. That could even be low urgency if no one’s really coming into the office. I know printing is one of those things that can be a lot of work to troubleshoot and fix and if you don’t have a lot of people coming into the office, it may not be worth it. 

Looking at urgency is important and then looking at the complexity. This really refers to the level of effort that’s going to be required to do the work. Maybe developing an IT acceptable use policy is highly complex for your organization. If you’re a small organization and you already have an employee handbook, you could get a template for the acceptable use policy, put that in place and you’re good to go. So, that may be an item of low complexity for your organization. 

And then finally, the impact. And this means impact in a change management sense. What will be the impact on staff? For example: laptop encryption, that’s something that might require you to touch every laptop. You might need to have everybody bring their laptop into the office and you’re running the encryption on the laptop, it could take a day. 

That could have a high impact. It could be something that’s difficult to do. Whereas implementing Office 365 managed backup that runs behind the scenes, it’s not really something that anyone’s going to notice. That has a low impact. 

So, it’s important to look at these three different categories: urgency, complexity, and impact, because they give you a sense of how quickly we need to do this, how much effort is going to be required to do this, and the impact on the organization of implementing this recommendation.

Complexity or the effort required ultimately comes down to either an in-house person’s time or an outsourced provider’s costs. So, there’s budgetary and resource allocation considerations that need to be taken into account when you’re looking at complexity and you can’t do everything at once. 

You want to manage or plan out your roadmap so that maybe this quarter you’re going to do one complex initiative and one less complicated initiative. And by the same token, you also don’t want to plan initiatives that have high impact at times when the organization is really busy. You don’t want to do a major migration right before your organization’s fundraiser or conference or board meetings. Making sure that you’re looking at when staff have time to absorb the change that comes from pursuing IT initiatives is going to be important as well.

Do You Need an IT Roadmap?

Carolyn Woodard: I think that’s something that we’re going to touch on a little bit more in the second half, but I wanted to give everyone a quick quiz here that’s a perfect segue to Johan talking about your IT strategy and your roadmap creation. 

Do you need an IT roadmap? I hope that people on the webinar will agree that yes, yes, you do. 

Can you make one yourself or do you need IT consultants? I think it’s kind of mixed. I love the idea that you can just use a spreadsheet. And so, depending on the size of your organization, how many staff you have, how complex your IT is, you may be able to just put that together yourself. But if you do have IT consultants or feel that you need someone with more experience who knows the landscape and all the different systems that you’re using, you could still ask for this in a spreadsheet. In whatever format you’re going to get this in, it needs to be something that you can understand and follow. Then we’re going to use it later in this presentation to talk about how you create the steps of how to tackle this roadmap. 

What skillset and background does someone need to take on an IT planning role? I hope that the people in this webinar are getting a sense that you need to learn enough about IT so that you can manage it, but you don’t need to be an IT person in order to take on an IT planning role. In fact, it’s something that leadership at every nonprofit needs to feel responsible for. Your IT is your office. We can’t operate without IT. 

Putting it like, oh, that’s the IT person’s job to do that. Well, it’s strategic and it’s planning and it’s budgeting, so it really falls on leadership. 

Budget, Time, Staff Energy Allocation

Now we’re going to talk about allocating budget, time and staff energy. 

As a nonprofit, you have three really precious resources, 

We’re going to talk about your budget and your budget process in a minute. But I wanted to make sure to mention, as I said, leadership responsibility to help staff carve out the time that is needed for change. 

Those are all things to think about as we go forward and talk about this. 

Poll 4: How you are doing your budgeting

But now we’re going to do another poll just to get a feel for how you’re doing your budgeting. I’m going to go ahead and read these options now. When you see the poll, they’ll be abbreviated. 

  1. So, your first option is finance. Someone in the finance department takes the amount from last year that you spent on IT and increases it. 
  2. Second option is your leadership meets with all the stakeholders, and together you review your roadmap, your strategic plan, and make the changes and allocate the budget to it that way. 
  3. Three, your option is when something breaks, we fix it. When someone needs a new tool, their department approves it. 
  4. The fourth option is we have outsourced IT and they charge us for every little thing. So, kind of a situation where you don’t totally know what your budget is going to be and what the strategic plan is, 
  5. or five other, or not applicable. 

I want to make sure to clarify. *Some outsourced IT causes a situation where they don’t tell you exactly what you’re paying for. That is not the way that Community IT operates. We have very transparent communication with our clients and we work on strategic plans with them. In fact, that’s where a lot of this presentation is coming from today. 

Johan, can you read the results?

How do you budget for IT now

Johan Hammerstrom: Yeah, 20% of attendees, their finance department takes last year’s budget and increases it slightly. 25% have a roadmap review by leadership and stakeholders, 30% are taking a break-fix approach where every department selects its own IT, 10% have outsourced IT and 20% are using something else.

Carolyn Woodard: Awesome. So, you can see there’s a variety, and as I said earlier, nonprofits have a variety of how they approach this. So, all right, so Johan, I think you wanted to talk more about budgeting in these categories.


Johan Hammerstrom: Yeah, and this comes with a big caveat. One of the things I’ve learned over the years having worked with hundreds of nonprofit organizations is that there are a lot of different approaches to budgeting. A lot of different ways to structure and organize a budget. A lot of different budgeting processes as we just saw on the previous poll. This is not meant to be prescriptive. At the end of the day, the budget categories that work best are the ones that fit into the approach that your organization is already taking to budgeting. But this is intended to be a way of translating, a way of broadly categorizing the things you need to think about budgeting for in your IT. And, then that can get translated into the specific format that your organization uses for budgeting.

IT budget categories

And those four categories are 

And in fact, the third one is probably the one that is becoming less and less relevant, or it’s merging with services. Those last two are really merging together. 

Personnel are the people who are going to be responsible for IT for the organization. Depending on the size of the organization, that might be an in-house team. It might be a hybrid team involving some in-house and some outsourced IT support, or it may be an outsourced third party IT support provider. Making sure that you are accounting for those costs in the budget is important. 

And as Carolyn mentioned earlier, if you have it, it’s helpful to distinguish between ongoing support costs, like what is required to maintain the status quo, provide routine maintenance on the systems and respond to incidents and support requests as they come up. And then what’s going to be needed for doing some of the major projects and initiatives on top of the ongoing support that’s being provided. So, it’s really helpful to distinguish between those two.

[Here is a longer video just about budgeting for IT]

Carolyn Woodard: I really love that you have to do your budget at least annually. If you’re a little bit worried about creating an IT roadmap or what it entails, the fact that you can bundle it into budgeting, can make it easier for people. Because as you said earlier, if you know that you have to replace your laptops, a third of them every year, then that’s just a budget item that you can put in very easily. 

Change Management

But I want to make sure that we get to the issues of change management and the capacity of your nonprofit for change. 

We know, Johan, there are four categories of nonprofits, in particular sizes of staff and maturity, that tend to have similar issues and similar approaches. So, if we wanted to talk a little bit about the capacity for change for nonprofits.

Does your nonprofit know your capacity for change?

Johan Hammerstrom: And, there are always exceptions. These are generalizations. Your organization may have 15 staff and been around for 30 years, or we work with an organization that’s about a year old and has 75 staff. So, it varies. 

But just thinking broadly about these different size and age categories can be helpful because new organizations can move more quickly. Change management is often easier at smaller organizations because everybody can just get in a room and say how they feel. In some ways it’s easier because you can also just tailor what you’re doing to each individual person in the organization. You know everybody, you know their names off the top of your head, and you can just think specifically about how we need to manage this new security training solution for this particular person. That no longer becomes possible as you start to get above the 15 person sized organization.

Certainly as you get into the 50, 60 range then you start needing to be more cautious in how you deliver new IT solutions and in how you manage IT solutions. There’s a management requirement that starts to grow with organizations of that size. And that’s important to keep in mind with your budgeting. 

If you’re a growing organization you want to make sure that you include that personnel budget for management. Because once you get to that size, IT isn’t just going to run on its own. Someone needs to manage all of the different parts that go into IT being successful. 

And then when you get up into the mid-market range and you have over a hundred staff, or you’re a more mature organization, you have more departments, more stakeholders, then having a more formal change management approach becomes really necessary. And the documentation requirements become more strict at that level. Organizations of that size probably have more formal change management processes for making changes to the system. 

Understanding your organization, its capacity for change and how it handles change in non-IT arenas should help influence and inform how you think about implementing an IT roadmap and the change that goes with it.

Carolyn Woodard: Yeah, that makes a lot of sense. We have some more change management resources on our website as well. But, change management for anything is change management and there are a lot of resources out there. 

I think sometimes people have a mental block when it’s IT, often because people have had a bad experience in the past with an IT project that didn’t go very well, or where the stakeholders weren’t really involved, or it was solving a problem that didn’t exist or something like that. But if you can clear that barrier and just think an IT project is just like any other project, then approach the change management in a similar way. That can really help.

Build a Timeline

When we looked at the spreadsheet earlier with the IT roadmap, you put in what the project was, what it was going to do and its urgency and the impact that it was going to have. There was something missing from that of course, which was how are you actually going to do this? 

When are you going to undertake the things that you’re going to do? So, Johan, you were going to talk a little bit more about how to build out a timeline from that IT roadmap.

How to build out a timeline

Johan Hammerstrom: Yeah. And, that goes back to those questions of urgency, complexity and impact, and then matching that up with other things that might be going on in the coming year for your organization. 

This is a sample graphical representation of what a timeline might look like. You basically take the initiatives that came out of the assessment that have now been prioritized and scheduled, and you represent that in a timeline, so it’s easy to communicate to other stakeholders in the organization when these different things are going to happen. 

In this sample, upgrading the networking equipment at the Washington DC office has been identified as both something that’s urgent, but not a major impact on the staff. And so, that was scheduled to happen first.

And then the security initiatives were determined to be the next highest priority. Those are going to have a higher impact on staff. The password manager was scheduled for the end of the year, but the other security initiatives and completion of the password manager initiatives, those were pushed into the first quarter of the following year because a lot of organizations are very busy at the end of the year. They’re closing out their books, sending out final appeals for fundraising. People are getting ready to go away for the holidays. 

You’ll notice that in that Q4 column, there’s only one initiative. It could be that the work that’s being done at that point is mostly happening in the IT department and then delivered to the rest of the organization in the first quarter of the following year.

And then there’s a lot of back office items that weren’t as critical as some of the other items like decommissioning the equipment in your data center, for example. Maybe you’re not using that equipment anymore. Depending on the lease at your data center, that may be a high priority item, or if you’re in the middle of a two year lease, the equipment’s not hurting anybody. We can save that for when we have more time to work on it. 

Putting the timeline together in that way helps to line up your initiatives with the prioritization that you developed in the earlier part of the process.


Carolyn Woodard: I have a little quibble because I see that the policy issues were moved to be later. I think for a lot of organizations, for starters, if you don’t have a policy or your policies haven’t been updated in a while, especially if they haven’t been updated since you went to remote work or hybrid work, those are definitely as urgent as some of the security things. Having policies and making sure that everyone is on board with them and understands why you have policies and what the policies are is really crucial. 

And that can be a good exercise to get leadership really thinking about the rest of your strategy as well. So, if you’re pulling a group together, a committee to make sure that your policies are up to date, it can help them start thinking about what is the bring your own device policy and why is it that way? And other issues around acceptable use when people are working from home. So, that can be something that you can use to help jumpstart the process itself.

Johan Hammerstrom: Yeah, I think that’s a great point, Carolyn, because

if you were doing this in an ideal world, the policy would come first, because the policy should drive everything else. Well, strategy comes first and then policy. And then once the policy is in place, that really helps define what technology solutions you should be implementing. 

I think one of the challenges though with policy is that it often requires the executives to make decisions, like approving the policy. As crucial as policy is and as primary as it is to the process, there are certain dependencies around policy that don’t always exist with some of the other initiatives.

It can take longer. In this case it should be three quarters. The policy is going to happen over three quarters: one quarter to put the policy together, and two quarters to convince the C-suite to approve it.

Carolyn Woodard: Exactly. But making sure that you have a policy. Recently we’ve been seeing a lot with cybersecurity insurance, that it has been helping nonprofits of all sizes see where they have policy gaps and where they have to upgrade certain security issues to be able to meet those insurance requirements. Otherwise, they can’t get the insurance. 

If they don’t have the multi-factor authentication MFA on everybody’s accounts, and then they look at it and they’re like, oh, we don’t even know all of the accounts that people have, maybe they’ve been off boarding staff and they’ve never deleted those accounts. It can help spur organizations, it can be another external reason that you can use to convince people that they have to undertake the work to pull the strategy together.

Johan Hammerstrom: Yeah, totally agree. That’s a great point.

Carolyn Woodard: Okay, well let’s remind everyone of our learning objectives. 

Learning Objectives

For this presentation, we wanted to 

That’s what we had for the learning objectives. Johan, thank you so much. I think we really hit on a lot of them and we have all of our past webinars on our website as well. As I said, we have a podcast, we have a YouTube channel as well. 

Q and A

Now I want to open it up to questions. 

Referring to that sample timeline that you shared a couple slides ago, they were wondering what did you use to create it? Was it Excel? It was very clear and easy to read.

Johan Hammerstrom: Don’t quote me on this, I think it was in Lucidchart. That’s online. You can make diagrams and other visual business documents in Lucidchart and they have a ton of templates that you can use. You could certainly create this in Excel. 

Carolyn Woodard: You could definitely do it in a spreadsheet if you wanted to. Just take the spreadsheet that you came up with where we put in the urgency and the impact. You could build that out as well with who is the point person for the different tasks and then you could build out when you were planning for that to happen. So, there’s lots of different ways to do it, but I think this is a really good visual. 

For those of you who are listening, we will have this visual in our transcript on our website and it’ll be in the video on the Nonprofit Learning Labs website as well.

How to build out a timeline

Someone said, we have a very small organization and we don’t prioritize designing our website and managing it. Would you recommend getting a website consultant?

Johan Hammerstrom: Well, Carolyn handles our website. Carolyn, do you want to answer this?

Carolyn Woodard: That’s a really interesting question because a website is technically IT, but it usually falls more in marketing, sometimes under the development department as well. 

If you have stakeholders that are feeling like they don’t have the technical skills or, for whatever reason, have a barrier to prioritizing it, there are a bunch of consultants out there. There are website organizations that build websites that are focused on nonprofits. 

Sometimes also with a barrier like that, it can be helpful to bring in an outsider. And if you got someone who did an assessment of your existing website and was able to present to the people at your organization the ways it could be better, sometimes that can help people kick-start wanting to make an update.

Johan Hammerstrom: And one thing to think about is the functionality of the website. Very simple websites that are just presenting information about your organization are going to be pretty inexpensive to create. When you’re delivering programs through the website or member services, those are going to start to get more complex and much more expensive. 

So, starting off with an understanding of the function of the website will help guide you to if it’s a more advanced need. Even if you’re a small organization, you might need a firm, but if it’s just providing information, then an independent consultant might be sufficient.

Carolyn Woodard: Also, again with leadership and prioritization, if you have someone in your organization that’s responsible for the website, but they’re not getting the time that they need to be able to keep it up to date, that might be a different issue. 

The last thing I’ll say is that there’s a lot of security around websites as well, so you don’t want your website to be hacked or taken over with ransomware. That’s another reason maybe to go to an expert to make sure that your site is secure. 

Someone was wondering what kind of education and/or resources would you suggest for nonprofits providing their staff to avoid cybersecurity incidents?

Carolyn Woodard: Oh, that’s a great question. On the website for Community IT, we have a bunch of free webinars and other articles, tips and links to other resources as well that can help you out. 

There is a national website with free resources on cybersecurity for small businesses that is really useful to nonprofits as well,

Johan Hammerstrom: Yeah, we did a webinar a year or two ago about developing a cybersecurity training curriculum, so you could go to our site and check out that webinar. 

TechSoup has put a lot of focus on cybersecurity. They have paid training courses not for staff, but for someone who’s developing training for staff. 

And then there’s also solutions we typically recommend. KnowBe4, which started off as a spearfishing solution. You could check on how likely your staff would click on a phishing email. But they’ve really expanded into providing almost a security learning management system where they also have trainings that they keep updated that you can assign to staff and manage. There are other solutions in addition to KnowBe4 that provide that as well. 

We consider it to be a pretty reasonable fee, because at the end of the day, the biggest threat to most organizations as far as security goes are the staff. You’re probably not going to have hackers trying to hack into your computers. You’re going to have criminals trying to steal money from your organization by ..

Carolyn Woodard: Just tricking your staff into clicking on something. Exactly.

Nonprofit Learning Labs: That will conclude this Q and A portion. Thank you so much for participating and again, thank you Carolyn and Johan for educating our community.