Question
THE VERY GOOD BEAN (VGB) is a registered not-for-profit coffee collective with four stylish cafés across Melbourne's CBD and suburbs. The organization's main purpose is to use its profits to combat the exploitation of coffee producers in developing countries. VGB sources single origin, traceable coffee beans directly from small-scale coffee farmers in Ethiopia & Kenya for import, roasting and retail sale at VGB's 4 retail outlets. On-shore, VGB's network of cafés manages all their daily business activities and operations through a rapidly built, bespoke SQL database system and VPN, known in-house as VGBnet. VGBnet integrates HR, accounts and POS for front-counter service and back-of-house operations with VGB HQ. Café menus vary in each location and are constantly changing. There are hundreds of different products that are purchased and tracked through inbound logistics and distribution to locations (each item includes product information critical to operations and inventory management, e.g., ID numbers, goods description, expiry control dates, and costs that are crucial for inventory management).
POS functionality handles bank reconciliation of customer card and touch payment and allows café staff to manage sales of food and beverages with mostly automated, synchronised inventory and order & supply management that provides timely payment of suppliers. Registration of café staff shifts in the system ensures all staff are paid on time and correctly. Recording the profits from sales and managing the disbursement of funds from the cafés is mission critical to VGB as they return all profits to farming communities in Ethiopia and Kenya, Africa.
The not-for-profit ensures that all the coffee it sells is traceable to its origin and the inclusion of not only the full range of key business process data created in the acquisition, importance, and sale of coffee in VGBnet, but also the collection of stories (digital, multi-media, including photographs, maps, text-narrative, voice, and music files) about the Ethiopian and Kenyan communities supplying the coffee. VGB uses this information to curate exhibitions, about the VGB coffee for a social good journey, that is displayed on the walls of the cafés, on websites and shared through social media. VGB has a Facebook page with more than 12k followers and it is rapidly becoming VGB's major channel for brand management. Offshore, VGB's focus is on community development activities in the marginalised rural areas of Ethiopia & Kenya where coffee is grown.
The rapid growth of the business over the first two years quickly convinced the 4 founding members (now constituting the Board of Directors) that they needed a permanent presence in both countries to manage supply chain logistics and help in coordinating philanthropic spending. VGB has set up regional offices in both Addis Ababa and Nairobi to coordinate the purchase of coffee beans and community development programs. There is always one Australian Director on rotation in Africa and Australian program staff visit regularly to work with local office staff. The VGB network and its trademark are now recognised in Ethiopia & Kenya as a brand that is supporting local communities and increasing the bargaining power of farmers.
Communications across VGBnet from Africa to Australia now run almost 24/7, ensuring that all business processes that are required for the order and delivery of coffee and the development of community programs are completed (e.g., purchase of materials, logistics records, maintenance, employment, granting of funds). VGB is diligent in paying customs duties and taxes for the coffee it exports and imports with processing automated by the VGBnet system. While the system does incorporate secure document locks and access management that permits and controls employee access, a hunger for rapid growth has often been at the expense of robust internal control. As VGB has grown the number and intensity of the reports that need to be processed and monitored have increased substantially. Processing these reports in an effective and timely manner has significant implications for the cost of operations as well as the implication for the subsequent distribution of funds from VGB HQ, Australia. VGBnet is built on a reasonably open architecture, and it is one of the few systems of its type supporting built-in access to WhatsApp, a social media application adopted widely in Australia, Ethiopia, and Kenya. This allows VGB staff ready access to communication in the field with various communities' members and it allows HQ staff to send and receive invoices, statements of account, receipts, confirmation of payment and other documents directly to external clients.
VGB's operations currently span three countries, and it is subject to the laws and regulations of each. However, at the same time, VGB must comply with Australian law as its HQ is registered in Australia. This can be challenging in situations where VGB staff operating in the host country are required to share information with the local authorities, as it may be deemed inappropriate under Australian law (e.g., The Privacy Act (Cth) 1988). In these cases, VGB staff keep a record of the information they have shared with the host country, and they often need to communicate and consult with HQ in Australia about the best ways to handle information sharing. Information about each farming collective individual client case files, legal files and associated records all need to be kept both by regional officers and at Australian HQ.
Staff are required to report to the local office periodically to provide updates on farms, supply logistics and community programs. VGB field staff visiting farms and regions are equipped with a set of mobile communication devices that can be mission critical for day-to-day operations. This includes smartphones and/or satellite phones (in remote areas), and a laptop. VGB practice has always allowed its field staff to use their phones and laptops even when completing key operational functions simply because staff seem the happiest working with their own devices.
Recently, however, as VGB has grown issues have started to crop up. Some of the issues are in the form of compatibility, different document, and file formats, and sometimes field staff working with different types of applications forgetting to save the files to VGBnet applications. In a few cases, malicious software has been introduced into the system and has affected local and regional operations significantly. Last year HQ's POS and accounts system was infected and although no significant damage or loss of financial data was identified the more than 24 hours of downtime that resulted was costly. Allegedly the malicious code was brought in by a privately-owned laptop of a VGB Australian staff member returning from an overseas assignment. For better or worse, the issue of the use of personal devices at work remains somewhat vexed and unregulated.
For recording income and meeting financial reporting and disclosure requirements, VGB must meet the reporting requirements of the ACNC (https://www.acnc.gov.au/for-charities/manage-your-charity/obligations-acnc). Where it is needed VGB has worked with local communities to provide funding and support to build key facilities such as schools, clean water wells, sanitary facilities, and health clinics. VGB uses information from the school's programs not only for evidentiary purposes but also to share the good news about its work with Australian consumers.
GROWING CONCERN
Accountability and transparency are very high concerns in the not-for-profit sector and VGB is no exception to this. The Directors want to know how much in every dollar that they provide is being used to support the cause they have chosen instead of being trimmed through selfish or fraudulent behaviour. However, shortcomings and errors that have been identified in VGBnet's community program management module have recently caused the postponement of several major program initiatives because of an inability to accurately track who has accessed funds and how all funds were used. As a result, the funding of major programs has been temporarily frozen while the issue is addressed. Uncertainty around system access overall has become a very serious dilemma for VGB staff at home and abroad. The founders are aware of the issue although normally they would plead ignorance when it comes to IT and the operational aspects of IT are rarely discussed in detail at Director meetings.
There is no IT representative to the Board of Directors, nor does IT report to the board. IT department interests are represented by the managing accountant who generally is not keen on occupying the Director's time with "non-strategic" issues. However, the Managing Director is aware of the current fund management issue and has commissioned a newly appointed IT Manager to improve the fund's module and access management as soon as possible. There are growing concerns across the organisation that while VGB's integrated database system served everyone well in the early days, it is now becoming a liability that may need to be radically updated or replaced.
In the meantime, VGB's HR manager has recently attended a presentation regarding Software as a Service (SaaS) in the HR area and is impressed with the benefits that could be gained by using a cloud-based/SaaS HR platform. She has initiated a discussion with Workday, a US-based SaaS provider. Ultimately, she has intended to get funding from the Manager of Accounts directly and use that to purchase a SaaS service from one of the Human Resource Management Systems providers. According to one of her contacts in the HR profession, Workday's Human Capital Management is a good solution for her contact's company. There was a discussion about the data centre and the server is in the US as the list of Australian clients is not big enough to justify an infrastructure presence here, but she doesn't care about that. All she wants is better functionalities for her team.
The management of VGB is aware of the importance of its data, and it believes VGB has a good data backup strategy in place. The backup of company data which is now vast (it comprises operational data from multiple countries, transactional data from partners, goods and services providers, program information and more) is done monthly. The data backup service is provided "pro bono" by a small start-up company located in the Dandenong Range supportive of VGB's mission and has leased enough bandwidth from an ISP to perform off-site backups on a regular basis.
One aspect of IT that everyone at VGB is proud of is the move from a static website to an interactive online shop front and exhibition space that integrates seamlessly with the VGB mobile app and social media accounts, providing a more personalised customer experience for lovers of good coffee and good causes alike. While the online store will also need to be integrated with VGBnet and VGB's data management procedures this hasn't happened yet.
The recently appointed IT manager has been asked to investigate best practice management of VGB's information assets, systems security, and the integration of the online shop with existing systems &/or the development of new solutions, and importantly, where to host VGB's systems - on an external cloud service or their internal servers?
The report should provide the answer to the following tasks:
Identify the key roles and responsibilities of individuals and departments within the organisation as they pertain to risk assessment,
Carefully audit and analyse the case evidence, undertake an inventory, and identify information assets that include VGB's most significant, physical &/or logical information resources, information of value and the information systems that must be accounted for in any approach to risk management,
Identify risks: provide an analysis of the threats and vulnerabilities that pose the greatest risks to VGB's most important information assets (both information and information systems),
Prioritise the 5 most significant risks for VGB to manage, in order, in your assessment table.
Step by Step Solution
Step: 1
Identifying the key roles and responsibilities, conducting a risk assessment, and prioritizing significant risks are crucial steps in ensuring the information security and risk management at VGB The Ver...