On many occasions, I talked to organizations new to Salesforce that were worried about storing their data online. At a very high level, this post presents the security in place with Salesforce.

When it comes to data, Salesforce and the cloud computing model mean that you are not storing your data on your own server and that multiple clients’ data could be stored on the same server. What it does not mean is that you give up control of who can access your data or that your data is more vulnerable. It is indeed the contrary. There are two levels of security in place. The first one comes to you out of the box and ensures the protection of your database. The second level provides you with tools to implement your specific permission requirements.

Level 1: Infrastructure

Because of the shared infrastructure, Salesforce has higher level of security than most organizations are able to implement independently. You can find a great description of this here but know it includes:

• Secure data centers.
• Secure transmission and sessions.
• Network protection.
• Disaster Recovery.
• Security Monitoring

Level 2: Your permissions

Obviously, any level of security requires consideration of different elements: user training, password policy, user permission, backup, etc.  And it is has to do as much with the tool you are using as the policy you put in place (we all know the old story of the monitor with a password written on a post- it).

This is an overview of the basic security controls Salesforce has to offer:

• User control. You decide who has access to your database by creating user logins.
• Application control.  Found in the Salesforce profiles, this helps you control which tabs and applications (the ones you build or the ones you download on the AppExchange) each user can see. For example, all users can see the Volunteer application but only the development team can access the Opportunity tab.
• Object permission control. Also found in Salesforce profiles, this allows the administrator to decide what general permission (Read, Create, Edit, Delete) per objects are available for a given user. For example, you might only allow some users full access to the Opportunity object (traditionally capturing more sensitive information such as donations).
• Record level security Control. Known as the organization wide defaults, this allows you to define who can see what record. For example, all organization records are shared among all staff except organization records created by the executive director.
• Field level security Control. This lets you decide the permission on individual fields. For example, everyone can see all contact records but only some can see the lifetime total amount donated field.

Salesforce provides a secured platform with ways to implement specific permissions which is usually sufficient for most. However each organization should decide whether or not this is adequate and I hope this post will help you understand some of the security controls available. More information can also be found in the Best Practices from Salesforce.

One of the great promises of using CRM for nonprofit program management is the ability to manage by metrics. In theory, if we could track all efforts and all outcomes in a system, then we could uncover those predictive indicators that lead to desired outcomes. We could then make adjustments to the program operations itself to reach those desired outcomes. To a great extent, this is possible, however, it is much more complex than it sounds. One of the root causes of the complexity is the fact that we often are not looking at all of the variables and are only looking at a subset. Making decisions on a subset of variables can sometimes lead to incorrect conclusions. Since I have seen this logic trail unfold a few times, I thought I would share an abstracted example of such a situation.

Take for example, Acme Org, a human services organization that has implemented a robust CRM solution that tracks almost all aspects of it’s program operations. Below is one of the critical reports reviewed by the Executive Team each month:

The organization is considering the use of these metrics for determining promotions, salary adjustments, and bonuses. After initial review, the Executive team expressed concern about Jon’s performance to Jon’s manager. Jon’s manager on the other hand knew that Jon’s metrics were low because he was always thrown on to the toughest cases. Being on the toughest cases each month meant that Jon would have to spend more time with each client and would be responsible for defining new engagement processes for working through complex cases. Unlike the other client service reps Jon spent a lot of time researching and speaking to industry experts to identify best practices that could be used by Acme to help future clients. In short, Jon was expanding the organizational knowledgebase, capacity, and quality of service delivery. Unfortunately, none of this was being recognized in the monthly report. Jon’s manager decided to add a new metric into the monthly report that would help recognize Jon’s efforts. The revised report is below:

The revised report gave the Executive Team more insight into Jon’s efforts and the demands placed on the Client Services staff.

The point of the example is to proceed with caution when using Metrics for Management level decisions. They can be a very powerful tool when well directed; however, there is usually a story behind every piece of data and it is critical that the entire story is understood before program level decisions are made.

At NPower, we have worked on a fair number of CRM projects and we are trying to figure out the question of CRM timing. When is the best time for an organization to implement a CRM solution? I have taken the OLC (Organizational Life Cycle) Model and mapped that against our experiences with CRM success.

Stage 1: Startup Stage – The organization is still figuring out it’s mission and funding streams. Operating procedures are in flux and can quickly change based on grants, board members or funders. Technology is not really a core requirement.
Stage 1 CRM Outlook: Investing in a CRM Solution typically doesn’t yield great results because many of the underlying assumptions will change over the next few years. A very simple fundraising CRM solution can be effective in this environment, however, using CRM for operational purposes may not yield a good ROI.

Stage 2: Growth – At this stage, the organization has proven that their mission is a sound business idea. They have proven that they have the operational know-how to execute on their mission. They have secured a stable base of funders and a good core of board members. Their attention has turned from survival to growth.
Stage 2 CRM Outlook: This is likely the stage at which a CRM solution can have the greatest impact on an organization. Implementing a CRM can provide substantial gains on the fundraising side, while also cataloging a history of all fundraising interactions. On the operations side the CRM can begin to model organizatonal procedures and collect valuable performance data. If the CRM solution is implemented in an intelligent manner, it can scale and flex as the organization grows and evolves.

Stage 3: Maturity – As an organization reaches a certain scale, it’s growth will slow. At this stage, the organization is very good at executing on it’s mission. It has an extensive base of funders and they have very specific expectations of this organization.
Stage 3 CRM Outlook: This is a very tricky stage for CRM deployments and a lot depends on the organizational culture and leadership. If the organization culture is receptive to change, then a CRM solution can serve as a great engine for operational improvements. If the org culture is not receptive to change, then a CRM solution will likely replace some existing systems and only provide marginal efficiency gains.

Stage 4: Decline – The organization begins to lose stable funders and board members. New startups take away fundraising streams and the organization is perceived to be less effective and not as innovative in a modern environment. The organization begins to cut back on programs, staff, and all non-essentials as it seeks to find a way to reach a stability point.
Stage 4 CRM Outlook: Surprisingly, this could be a great time for an organization to move towards a CRM solution. Organizations in this stage are often heading back towards stage 1. This leaves them open to process innovations and funding changes. This willingness to explore new paths can make a nimble CRM solution an effective solution to manage the massive changes that the organization must face. The difference between this type of organization and a stage 1 organization is that they also need to carry forward the massive amount of data and relationships that they have amassed over their years.

The above is not meant to be hard and fast rules about good and bad times to get into CRM. They are just some observations from our years of CRM consulting experience. There will undoubtedly be many organizations that are exceptions to the above rules for a variety of reasons.

It may take years to fully understand the impact of the CRM solution, however, the clear winners so far seem to be those organizations that are in a growth stage.

I recently spent some time learning more about Microsoft Dynamics CRM and I must admit the product looks very interesting! For those of you that are more familiar with Salesforce.Com, I will try and draw out some of the similarities and some of the differences. I haven’t had a chance to do a nonprofit implementation with Dynamics CRM, so this is very much just a first look based on information I have read and some online demos.

The first major difference between the two platforms is how they can be run. Salesforce is locked in to the On-Demand model. Microsoft offers the ability to run Dynamics CRM either as an Internal Application or as an On-Demand offering through their CRM Live service. At first glance, it appears as though Dynamics CRM would be more feature rich when run as an internal server based application. It derives its value from making the assumption that end users are most familiar with MS Office Suite of Products. It has very tight integration with MS Outlook and MS Excel. Below is a screenshot of how CRM Dynamics looks in a familiar MS Outlook Environment:
Read the rest of this entry »

Almost every time we encounter an organization with multiple applications running their operations, we always hear the same request for a fully integrated real time data solution with a CRM solution acting as the glue holding everything together. While this is technically possible, we rarely end up delivering this type of solution after going through a cost-benefit analysis with the organization. Below is some of what we consider and cover in that decision making process:

Step 1: Determine the Value Proposition of Integration

The first and most important consideration is to determine the real value that this integration will bring to your organization. In most cases we find that organizations are already generating integrated views of information even if they come from separate applications. This is often done with some manual analysis using Excel and other tools. The real value of a systems integration project can be measured in the following ways:

• Costs Savings – How much are you saving in labor costs by not making your employees do the extensive manual analysis to reconcile data from multiple applications?
• Time Savings – What benefit does having this data in real-time or near real-time provide to your organization?
• Accuracy – Does systems integration result in more accurate reporting? If so, how much in savings are you achieving through better information.

Step 2: Evaluate the Integration Approach Alternatives

Generally speaking there are three integration approaches we often discuss with organizations.

• Manual Integration – Allows you to synchronize data back and forth between systems, however, it is driven by a manual process. This is typically done on a weekly, bi-weekly, or monthly basis often with several tedious steps.
• Uni-Directional Integration – In this situation, we make a determination that one Application will be the primary and another one will be the secondary. The Primary application always sends data to the secondary application(s), however, it never receives any data back. Uni-directional integration can either be real-time or conducted in batches (such as nightly updates).
• Bi-Directional Integration – This is the most complex type of integration and also the most often requested. In this situation applications transact data (often in real-time) in both directions. For this to work effectively rules must be in place to resolve conflicts. A conflict is a situation in which both applications attempt to update the same information at roughly the same time. In this situation, we need to be able to establish an order of precedence as well as a transaction log so we can correct any mistakes.

Step 3:  Perform an ROI Analysis of the Alternatives

For each of the integration alternatives consider the Return on Investment (ROI). While you can consider an investment over a longer time horizon most IT investments are often evaluated on a 3 to 5 year time horizon.

The above chart is meant to be a hypothetical analysis of cost/benefit and ROI for an organization. Actual costs will depend on the complexity of your existing applications and the integration solutions you decide to go with. The above chart is also not meant to be an endorsement of Manual Integration. For many organizations this might be the right approach, however, that determination can only be made after a careful analysis of your integration options and your internal cost structures.  

I was listening to a tech podcast the other day when they made reference to a story about Information Velocity. In this specific story, a CEO of an established tech company was transitioning to a new rising star tech company that was born in the Internet Boom. At the CEO’s first meeting he witnessed the senior staff arrive at the meeting with their laptops. At first, he was frustrated at the distracted focus in the meeting. Eventually he warmed to the idea that “Velocity” was so important in their business that laptops were sometimes necessary in meetings.

I often go to meet nonprofit executives to tout the values of a CRM solution. The value proposition that most often resonates with this group revolves around centralized information, information accuracy, flexibility, ease of use and reporting. We are not often asked about “Information Velocity”, however, that may be implicit in the requests and expectations of nonprofit executives.

In marketing, “information velocity” is a term used to discuss how quickly information about a new product disseminates through a target market. In the nonprofit context, “information velocity” can take on any of the following meanings:

- How quickly we act to reach out and convert a prospective donor once they indicate some interest about our organization or mission

- How quickly we identify and react to a distress indicator of a participant in our program

- How quickly we react to changes in our funding and operating environment

Nonprofit executives often tell us at the outset of a CRM Project that they hope the project will yield:

- Improved Productivity: Ability to serve more people or raise more money

- Improved Quality: Ability to serve people better or build more strategic relationships

- Reduced Cost: Doing both of the above while holding cost constant or reducing it

Information Velocity is implicit in all three of the aforementioned goals. The ability to more quickly transact information allows nonprofits to serve more people. NPO’s can also vastly improve their outcomes (both fundraising and programmatic) by more quickly identifying causal factors and acting on them. Information Velocity also saves money by reducing the time lag in responding to problems which are already in motion.

How can we achieve “Information Velocity” using CRM?

All the tools are available in CRM technology. It really is more a question of how the CRM is used.

In closing, consider Newton’s First Law of Motion which states the following:

Every object in a state of uniform motion (i.e. a steady state velocity) tends to remain in that state of motion unless an external force is applied to it.

Your CRM Project represents an opportunity to apply a positive external force on your organization’s current state of Information Velocity. The end goal of which is hopefully a paradigm shift in your organization which allows it to operate at a much higher velocity.

Here are a few tips we are sharing with our clients about keeping their CRM instances safe and secure. This is mostly targeted at organizations that are currently using the Salesforce platform.

We can broadly break up this topic into three areas:

Physical Security

Machine Access – If you or your staff operate in a fairly public environment where their machines could easily be accessed by others, you need to take extreme care to ensure that your users logout whenever they are away from their machines. Since it is likely that Users will forget to logout it would be prudent to setup a frequent Session Timeout. You can do this in Salesforce by going to Setup –> Security Controls –> Session Settings. We would recommend the 30 minute timeout for anyone who operates in a public or semi-public space.

Written Passwords – Ensure that your users are not writing their username and password on a sheet of paper which is next to their computer. We have witnessed this many times and it defeats even the best security measures!

Digital Security

Strong Passwords – We recommend that you set your password policy so that at least 8 characters are required with a mix of alpha and numeric. Never allow the password to be used as a part of the username or the security question. To manage password policies in Salesforce go to Setup –> Security Controls –> Password Policies.

Password Expiration – We recommend you have your passwords expire at least once every 90 days and more frequently if you organization can handle it. Please note that if you have external applications (such as a website) which interface with your CRM, you will also need to reset these passwords when they expire.

Disable Accounts – Don’t forget to disable accounts for former employees and consultants who may have been on the system in the past.

Audit Your Login History – Check out who is logging into your CRM instance by viewing the Login History or User Adoption Dashboards. You may even want to setup a report that you can check on a periodic basis.

Recovery

Backup Your Data – Please backup your data! If you are a Salesforce user, you can backup your data for free every week. Simply go to Setup –> Data Mgt –> Data Export. If your data changes so frequently that a weekly backup is insufficient, consider using a product such as Demand Tools or get an ODBC Driver which allow you to connect to your CRM and download all data on a more frequent basis.

Following the above tips should leave you in pretty good shape for your CRM security. Also, please be sure to read any security bulletins which your CRM vendor sends to you and alert your users to any new threats as they arise.

I want to show you how a particular nonprofit is using Apex code: the Center for Employment Opportunities (http://www.ceoworks.org).  They demo’d their Salesforce configuration at the NYC Nonprofit User Group (run by Lisa Glass-Kornstein, just back from her honeymoon!).  They use Apex to do complicated business logic like cross-object verification and data transfers based on triggers.  I know Jessie Grenfell from CEO is going to update this presentation, but I figured I’d get it out there so people can see it.

Are you using S-controls or Apex in your organization?  What business process are you solving with these tools? 

[slideshare id=153688&doc=ceo-119402083537717-1]

I thought this presentation from Susan Harrison at the NYC Department of Education was really interesting about how they use Salesforce in the Bronx Lab School, and several other NYC Public schools.  The principal, Marc Sternberg, was brought on stage during Marc Benioff’s keynote at Dreamforce.

http://www.slideshare.net/mbaizman/doe-10407

[slideshare id=135183&doc=doe-10407-1192470569779996-4&w=425]