

In today's rapidly evolving business landscape, boards of directors are more than just stewards of governance—they are the strategic compass guiding an organization toward enduring success. As the challenges facing companies grow increasingly complex, from disruptive technological trends to shifting societal expectations, the board's role has never been more critical.  

This series is designed to empower board members with the insights and tools necessary to navigate change with confidence. Our experts, each a leader in their respective fields, will share real-world examples, practical frameworks, and actionable advice in a Q&A format, as well as lessons learned from their personal and professional journeys. 

Embedding security awareness and risk into organizational culture 

For the latest installment of our board leadership series, BerryDunn Financial Services Practice Group Senior Manager Lindsay Francis shares key insights on information security awareness and risk, including how to embed it in your organizational culture.  

Q. What is the current risk landscape and how do employee behaviors (e.g., phishing clicks, weak passwords) contribute to organizational exposure? 

A. Risks are part of everyday business and require an organizational culture of awareness and a commitment to staying up to date on changes—whether these are security risks directly affecting you or those that trickle down from your vendors. It’s important for every member of the organization to remain aware that their actions, or inactions, both help to protect and have the potential to undermine the security controls you or your vendors have put in place to protect your environment.  

There are times when security controls can seem cumbersome and appear to slow down processes, but when designed properly—which requires a balance of protection and allowing business-critical objectives to continue in a reasonable manner—those security controls help to keep the day-to-day processes running as smoothly as possible. Security incidents slow down the ability to perform important responsibilities.

Both phishing clicks and weak passwords continue to contribute to a large proportion of security breaches. Although this is not a new concept, security fatigue has added another risk where employees are overwhelmed by the constant threats, the need to scrutinize every email, and the long list of passwords and multifactor authentication techniques required to perform everyday tasks. This can lead to employees looking for loopholes, ignoring important security measures, or failing to identify threats. Organizational culture should help employees embrace the mindset that investing time in prevention is crucial to helping avoid incidents.

Q. How do you differentiate information security awareness from general IT training or technical cybersecurity programs? 

A. Information security awareness focuses on culture. The key is to help employees recognize risks and respond appropriately. IT training is more technical, with the purpose of teaching specific skills and procedures. Cybersecurity programs are broader, covering the technical aspects with security controls, incident response, and compliance, as well as education goals and training schedules to promote ongoing security awareness. 

Q. How does an organization help ensure security awareness is part of a broader, ongoing effort to build a security-conscious culture and not a one-time initiative? 

A. Security awareness needs to be included throughout the lifecycle of employees—from onboarding to regular training, as well as ongoing communications. Continuous learning cycles, including short learning modules and periodic phishing simulations, help reinforce secure behaviors. Leadership must champion security as a core value, and metrics should be used to measure progress. 

Q. What cultural challenges are organizations facing in terms of encouraging secure behaviors and how can they be addressed? 

A. Challenges can include resistance to change, security fatigue, a lack of understanding of the direct consequences to the employee’s day-to-day tasks in the event of a security incident, and insufficient leadership support. Addressing these requires leadership engagement, highlighting why it’s important, continuous training delivered in small exercises, and a focus on positive reinforcement. This last part is key—when employees feel punished for failing a training exercise, their attitudes can become another obstacle to overcome. When remediation training is required, it should be posed as a supportive measure to help create engagement and reeducation. Lastly, measuring and reporting on culture, not just compliance, is crucial to understanding where resistance and fatigue may linger. 

Q. How do organizations stay current with emerging security threats and adjust awareness training to address these new risks (e.g., AI-driven attacks, deepfakes)? 

A. Typically, the teams within IT, Risk, and/or Compliance are keeping up to date with new security trends and threats. It’s essential for organizations to use that knowledge to update awareness programs, communicate those updates to the organization, and coordinate with any training vendors on how to incorporate new threats like AI-generated phishing and deepfakes into the ongoing training modules. Incident response exercises and real-world case studies can help employees recognize and respond to evolving risks. 

Q. How do software vendors fit into the cybersecurity ecosystem and what should the Board know about vendor risks? 

A. Gaining advantages in technology, operational efficiencies, and expertise does not come without a downside—vendor use comes with its own layer of risks. Although Software-as-a-Service (SaaS) providers are hosted in the cloud, which means they are not within your network, this does not prevent a breach of your vendor from reaching your network. Your security is only as strong as your weakest vendor’s security. Each vendor should be properly vetted from an information security perspective before a contract is signed. Functionality of the software cannot be the only driving factor.

The Board should review the organization's vendor management program and processes to look for gaps in both the initial scoping and onboarding steps, including whether a cross-functional approach is used to perform due diligence, as well as what the ongoing due diligence entails. For example, has research been performed on whether the vendor has experienced any security incidents prior to signing a contract? How will your organization be informed if there is a future event, and is this stated in your contract? Does the organization require multifactor authentication for all vendor software to help prevent hackers from taking advantage of weak passwords?  

Annual updates should be provided to the Board on the risk ratings for each vendor, the mitigation controls in place for high-risk vendors, and the organization’s actions in response to any vendor security incidents. In addition, the Board and management should consider vendor software availability during the annual review and update process when ranking the risks of each vendor. For example, do you have a plan if your vendor is suddenly unavailable? Have you tested a disaster recovery scenario with the vendor, or do you have a manual process to keep your daily tasks on schedule in the meantime while the vendor works to restore its service? 

Q. What role should the Board play in driving security awareness throughout the organization? 

A. The Board should set the tone for security, ensure regular training, and require reporting on the organization’s security posture. Board members must be cyber-literate and engage with security leaders to understand risks and mitigation strategies.

Q. How often should the Board receive updates on security awareness, and in what format? 

A. Best practice is quarterly updates, at a minimum, with additional briefings after major incidents or regulatory changes. Formats can include dashboards, executive summaries, and presentations that highlight key metrics, trends, and action items. Another helpful tool is Board-specific training to refresh cybersecurity knowledge and keep the Board up to date on trends and industry-specific risks.

Q. How do organizations ensure that security awareness is integrated into overall organizational governance, risk management, and business continuity planning? 

A. Security awareness is an integral part of the organization’s governance framework, which should include embedding awareness into operational policies as well as the risk management program, incident response plan, disaster recovery plan, and business continuity plan. Training should align with risk assessments, with higher attention given to higher-rated risks, and provide multiple reminders throughout the year of the key steps all employees should know about reporting suspicious activity or security events. Annual disaster recovery and business continuity exercises should include multiple departments to help ensure high collaboration during a real-life event. In addition, this context reinforces a security awareness mindset and may help provide a better understanding of the challenges and consequences of failing to prevent an incident.

About Lindsay 

As a member of BerryDunn’s Financial Services Practice Group, Lindsay helps clients identify improvements in information security, operational efficiency, and IT service delivery. She has worked across multiple industries—including banking, healthcare, public gaming, and higher education—to help clients gain control of IT and financial operations. This, coupled with Lindsay’s experience working with complex organizations to meet regulatory and industry standards, provides clients with a unique and valued perspective. Learn more about Lindsay. 

BerryDunn partners with organizations to create work environments where business success and personal growth coexist and where people are confident knowing their workplace positively contributes to their well-being. We take a comprehensive approach to our workforce and well-being work, considering how business needs, organizational capacity, and the employee experience work together to drive your business forward. Learn more about our workforce and well-being team and services.

Article
Corporate board leadership: Core principles in security awareness and risk

Local governments across the United States are facing a historic workforce transition. With nearly 38% of the local government workforce expected to retire within the next five years, the sector is confronting what experts have dubbed the “Silver Tsunami.” This wave of retirements, driven by an aging workforce and accelerated by post-pandemic burnout, is creating a perfect storm of staffing shortages, institutional knowledge loss, and increased pressure on remaining employees. 

The numbers are stark. The median age of local government employees is 45, and nearly half are over 50. In states like Washington, this translates to tens of thousands of experienced workers nearing retirement. These employees often hold deep institutional knowledge—insights into community history, operational processes, and policy nuances—that are difficult to replace. Without structured succession planning, which only 12% of government organizations currently have in place, this knowledge is at risk of vanishing as employees exit the workforce. 

The impact of this demographic shift is already being felt. Public safety, skilled trades, IT, healthcare, and education support roles are among the hardest to fill. Many agencies report a lack of qualified applicants, high turnover rates, and increasing time-to-hire. Over half of government managers say they frequently have to reopen job postings due to insufficient candidate pools. This not only delays service delivery but also increases workloads for remaining staff, contributing to burnout and further attrition. 

Younger generations, particularly Millennials and Gen Z, bring different expectations to the workplace. They prioritize work-life balance, career development, and purpose-driven organizational cultures. To attract and retain this talent, local governments must evolve—offering flexible work models, investing in professional development, and fostering inclusive environments that support employee well-being. 

So, how can local governments respond to this workforce crisis? 

Strategic solutions for a resilient local government workforce 

Invest in training and upskilling: New hires often lack the specialized skills required for public-sector roles. Governments must invest in training programs, certification access, and leadership development to build a future-ready workforce. 

Modernize HR systems: Centralized, integrated HR platforms can provide better visibility into workforce trends. Predictive analytics can help forecast retirements, identify skill gaps, and support data-driven succession planning. 

Embrace flexible work models: Hybrid and remote work options are increasingly expected. Providing collaboration tools and focusing on outcomes rather than micromanagement can help retain younger workers. 

Prioritize employee experience: Burnout is real—77% of employees report that turnover has increased their workload. Wellness programs, engagement surveys, and recognition initiatives can improve morale and retention. 

Work smarter with AI tools: AI can automate repetitive tasks like document processing, permit approvals, and meeting transcription. It can also power chatbots that handle resident inquiries 24/7, freeing up staff for more complex work. In HR, AI tools can assist with resume screening, onboarding, and even personalized learning paths for employee development. 

By integrating AI into daily workflows, local governments can reduce administrative burdens, improve decision-making, and enhance the employee experience. More importantly, it allows human workers to focus on what they do best—serving their communities with empathy, insight, and dedication. 

What's ahead for the local government workforce? 

The workforce revolution in local government is not a distant threat—it’s happening now. Whether this transition becomes a crisis or a catalyst depends on how leaders respond. With strategic planning, a commitment to employee development, and the smart use of technology like AI, local governments can not only weather the storm but also emerge stronger, more agile, and better equipped to serve the public in the years ahead. 

Focused on inspiring organizations to transform and innovate, BerryDunn’s Local Government Practice Group can help you solve your organization’s biggest challenges, both enterprise-wide and in specific areas. Our team is composed of broadly specialized consultants and former local government employees who exclusively serve local government clients. Learn more about our services and team. 

Article
The silver tsunami and the future of local government: Advice for a resilient workforce

Read this if you are a manager, executive director, or CFO at a private foundation. 

Private foundations are vital players in the philanthropic landscape, channeling resources toward charitable, educational, and scientific causes. However, to maintain their tax-exempt status and avoid excise taxes, these organizations must comply with strict IRS rules—particularly those governing qualifying distributions. In the second installment of our trilogy, we will follow the McQueen Family Foundation to determine their qualifying distributions. As a non-operating foundation, this is a crucial step in their annual compliance requirements. 

What are qualifying distributions? 

A qualifying distribution is a payment or expenditure made by a private foundation that directly furthers its charitable mission. These distributions are essential to meet the foundation’s annual payout requirement, which is generally 5% of the fair market value of its non-charitable-use assets from the preceding year. 

The IRS mandates these distributions under Internal Revenue Code (IRC) Section 4942, which aims to ensure that foundations actively use their resources for public benefit rather than accumulating wealth. To that end, qualifying distributions must be paid out in cash and cannot be accrued to be paid out later. 

Calculating the distributable amount 

In the first installment of our trilogy, we explored calculating the McQueen Family Foundation’s minimum investment return. Based on the average fair market value of their assets not used directly for charitable purposes, the Foundation’s minimum investment return is $526,975. The next step is to calculate the distributable amount that must be paid by the end of the following taxable year. 

Example: 
The McQueen Family Foundation starts with its minimum investment return of $526,975 and reduces it by the current-year excise tax on net investment income ($5,000) and the income tax on unrelated business income ($0) to determine its distributable amount. There is also an adjustment on line 6 for income required to be accumulated by judicial proceeding pursuant to IRC section 508(e); none applies in this example. Based on this calculation ($526,975 - $5,000 - $0 = $521,975), the Foundation is required to distribute $521,975 by the end of the following taxable year. 

Types of qualifying distributions 

  • Grants to public charities: Grants to organizations recognized as public charities under Section 501(c)(3) of the Internal Revenue Code are generally countable as qualifying distributions. 

  • Grants to private foundations: Foundations can make grants to other private foundations, but certain conditions must be met for these payments to qualify. There may be prerequisite requirements or required expenditure responsibility, which will be explored in future articles. It is recommended to work with tax advisors when considering granting to other private foundations.  

  • Direct charitable activities: Expenditures for charitable programs operated directly by the foundation, such as scholarships, direct services, or disaster relief. 

  • Administrative expenses: Reasonable and necessary administrative costs incurred in making qualifying distributions may be included, such as staff salaries, office supplies, and consulting fees related to grantmaking activities. 

  • Program-related investments (PRIs): In certain circumstances, loans or investments made to further charitable purposes count toward the distribution requirement. 

  • Purchases of fixed assets: When fixed assets are purchased to support the Foundation’s charitable purpose, the cost of the assets counts toward the total qualifying distributions. 

Non-qualifying expenditures 

Not every expenditure meets the definition of a qualifying distribution. For example, grants to individuals (unless made via a procedure approved in advance by the IRS), grants to non-charitable organizations, or funds used for lobbying or political activity do not qualify. Similarly, investment management expenses or costs related to fundraising are typically excluded. 

Timing and carryforward 

The IRS allows for some flexibility with timing. If a foundation distributes more than the required minimum in a given year, the excess amount can generally be carried forward for up to five years. Conversely, if the foundation fails to meet the distribution requirement in any given year, it must make up for the shortfall promptly, or risk excise tax penalties. 

Documentation and reporting 

All qualifying distributions must be meticulously documented. Foundations file an annual IRS Form 990-PF, which details assets, distributions, and activities. Accurate reporting is vital to maintaining compliance and public trust.

Proactively managing qualifying distributions 

For foundation managers, mastering the rules around qualifying distributions is not just about compliance—it is about stewardship. By proactively managing distributions, maintaining rigorous documentation, and staying informed on IRS updates, you ensure your foundation fulfills its mission and maintains its good standing. 

Our nonprofit tax team has deep expertise in private foundation compliance and strategy and understands the unique challenges that come with tax planning, governance, and financial sustainability. We provide specialized guidance on IRS regulations, minimum distribution requirements, excise taxes, and complex accounting matters, ensuring foundations remain compliant while optimizing their financial strategies. Learn more about our team and services and stay tuned for the final installment in our series, where we will dive into the McQueen Family Foundation’s charitable expenditures. 

Article
Qualifying distributions: Is your private foundation in compliance?

Construction companies face distinct challenges that make them uniquely vulnerable to fraud. Multiple job sites, a mobile workforce, complex billing arrangements, and layers of subcontractors all increase the risks of misreporting, theft, or even errors and require specific oversight. The good news? By understanding the three most common risks, owners can take practical steps to protect both their business and their bottom line. 

1. Track every change, protect every dollar 

Change orders are a regular occurrence in any project. However, when they aren’t tracked carefully, they can create opportunities for fraud or financial loss. For example, a subcontractor may bill for extra work that was never approved, or a project manager might push through changes without proper documentation. 

How to protect your business: 

  • Require written approval for all change orders before work begins. 
  • Keep a central log that ties directly into the job cost system. 
  • Review change order activity regularly to make sure what’s billed matches what was approved. 

2. Payroll fraud and “ghost employees” 

With large crews and high turnover, construction payroll can be complex. Unfortunately, this can result in payroll fraud and errors. Examples include employees padding hours, supervisors approving overtime that wasn’t worked, or even “ghost employees”: fictitious workers who exist only on paper but still receive a paycheck. 

How to protect your business: 

  • Use timekeeping systems that require employees to clock in/out on-site. 
  • Separate the duties of those who approve time from those who process payroll. 
  • Review payroll change reports.  
  • Have project managers compare labor costs to project progress to identify red flags. 
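The change-order controls (a central log reconciled against what is billed) and the payroll controls (on-site timekeeping reconciled against what is paid, with time approval separated from payroll processing) can be run as a periodic reconciliation rather than a manual review. The script below is an added example written for this edit, not code from the original article or from BerryDunn; the record layouts, change-order IDs, employee IDs, names, and hours are all constructed for illustration and are not real data.

```python
"""Periodic reconciliation of change orders and payroll against their
approval records. Added example; all data below is constructed and the
record layouts are assumptions, not a real job-cost or payroll system."""
from collections import defaultdict
from datetime import date

# Constructed central change-order log: co_id -> (approved_amount, approval_date).
APPROVED_CHANGE_ORDERS = {
    "CO-101": (12_000.00, date(2024, 3, 1)),
    "CO-102": (4_500.00, date(2024, 3, 10)),
}

# Constructed subcontractor billing: (co_id, vendor, billed_amount, work_start_date).
BILLED_CHANGE_ORDERS = [
    ("CO-101", "Acme Electrical", 12_000.00, date(2024, 3, 4)),  # matches the log
    ("CO-102", "Acme Electrical", 6_100.00, date(2024, 3, 5)),   # overbilled; work began before approval
    ("CO-107", "Beta Plumbing", 2_300.00, date(2024, 3, 12)),    # no approval on file
]

# Constructed payroll run: (employee_id, name, paid_hours, approved_by, processed_by).
PAYROLL_RUN = [
    ("E100", "J. Rivera", 40.0, "supervisor_a", "payroll_clerk"),
    ("E101", "M. Chen", 52.0, "supervisor_a", "payroll_clerk"),   # 12h overtime never clocked
    ("E102", "P. Okafor", 40.0, "supervisor_b", "supervisor_b"),  # same person approved and processed
    ("E999", "A. Smith", 40.0, "supervisor_a", "payroll_clerk"),  # no clock records at all
]

# Constructed on-site clock records for the same pay period: (employee_id, hours per shift).
CLOCK_RECORDS = [("E100", 8.0)] * 5 + [("E101", 8.0)] * 5 + [("E102", 8.0)] * 5


def reconcile_change_orders(approved, billed):
    """Flag billed change orders with no approval, billed above the approved
    amount, or with work that started before written approval was given."""
    findings = []
    for co_id, vendor, amount, work_start in billed:
        if co_id not in approved:
            findings.append((co_id, vendor, "billed with no approved change order on file"))
            continue
        approved_amount, approval_date = approved[co_id]
        if amount > approved_amount:
            findings.append((co_id, vendor,
                             f"billed {amount:,.2f} exceeds approved {approved_amount:,.2f}"))
        if work_start < approval_date:
            findings.append((co_id, vendor, "work began before written approval"))
    return findings


def reconcile_payroll(payroll, clock_records, tolerance_hours=0.25):
    """Flag paid employees with no on-site clock records (possible ghost
    employees), paid hours above clocked hours (padding or unworked overtime),
    and records where the time approver also processed the payroll."""
    clocked = defaultdict(float)
    for emp_id, hours in clock_records:
        clocked[emp_id] += hours
    findings = []
    for emp_id, name, paid_hours, approved_by, processed_by in payroll:
        if emp_id not in clocked:
            findings.append((emp_id, name, "paid with no on-site clock records (possible ghost employee)"))
        elif paid_hours > clocked[emp_id] + tolerance_hours:
            findings.append((emp_id, name, f"paid {paid_hours:.1f}h but clocked {clocked[emp_id]:.1f}h"))
        if approved_by == processed_by:
            findings.append((emp_id, name, f"{approved_by} both approved time and processed payroll"))
    return findings


if __name__ == "__main__":
    for finding in reconcile_change_orders(APPROVED_CHANGE_ORDERS, BILLED_CHANGE_ORDERS):
        print("CHANGE ORDER", *finding)
    for finding in reconcile_payroll(PAYROLL_RUN, CLOCK_RECORDS):
        print("PAYROLL", *finding)
```

The tolerance argument avoids flagging rounding differences between the clock system and payroll; set it to match how the timekeeping system rounds shifts. Each finding names the vendor or employee so a project manager can tie it back to the job cost system or the payroll change report.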

3. Kickbacks and questionable vendor relationships 

In some cases, a project manager or procurement officer might accept personal benefits (like cash or gifts) in exchange for steering contracts to a particular vendor or subcontractor, even if that vendor isn’t the most cost-effective choice. This can eat away at profits and hurt long-term relationships with other partners. 

How to protect your business: 

  • Implement a clear policy on gifts and vendor relationships. 
  • Rotate suppliers and obtain multiple bids for significant purchases. 
  • Encourage a culture where employees feel comfortable reporting concerns. 

While these three types of fraud are common in the construction industry, they are avoidable. By implementing security measures that increase oversight now, you can safeguard your business for the future.  

BerryDunn works closely with professionals in every construction segment, including commercial builders, heavy and highway contractors, general contractors, and specialty subcontractors. We tailor our service to support your needs and share knowledge about best practices to make better business decisions, strengthen internal control, and improve reporting. Learn more about our services and team.  

Article
How to protect your business from the top three construction fraud risks

When utilities launch a Customer Information System (CIS) project, it can feel like game day—high stakes, fast decisions, and a lot riding on the outcome. Just like championship teams, successful CIS projects require vision, leadership, adaptability, and a playbook built for tough calls and last-minute pivots. 

At BerryDunn, we’ve worked with utilities at every stage of the CIS journey, from kickoff to overtime. What separates fumbles from touchdowns? Preparation, teamwork, and the ability to adapt. 

Your CIS playbook: Three key phases 

1. Pre-game: Build a strong foundation 

  • Assess your needs 
  • Align stakeholders 
  • Identify policy gaps 
  • Consider integrations to enhance dataflow across systems and processes 

2. Game time: Execute with agility 

  • Procurement, implementation, and change management should all have clear owners 
  • Plan ahead for staffing needs throughout the game 
  • Stay flexible and responsive 

3. Post-game: Focus on continuous improvement 

  • Support your staff 
  • Track KPIs 
  • Refine processes over time 

Highlight reel: What winning teams do right 

Choose software wisely. 

Objective evaluation is critical. A vendor-neutral consultant helps ensure decisions are based on functionality, scalability, and long-term value, not vendor relationships. 

Put people first. 

Technology adoption is about more than systems. Embedding organizational change management (OCM) throughout the project, via clear communication, role-based training, and job aids, empowers staff and drives success. 

Leverage veteran experience.

Just as seasoned players elevate the level of the game, having a team with deep experience can make a decisive difference. Veteran team members bring valuable insights, anticipate challenges, and help guide newer staff through complex project phases, strengthening teamwork and adaptability.

Configure, don’t customize. 

Focus on configuration, not customization, to ensure long-term sustainability. That means taking time to consider current standard operating procedures (SOPs) and evaluating opportunities to streamline operations and apply data to drive decision-making. 

Final score: It’s about more than software 

CIS success isn’t just about choosing the right technology; it’s about building a resilient team, strong processes, and a clear vision. Whether you're gearing up for kickoff or heading into overtime, the right playbook sets you up for long-term success. 

Ready to build your CIS playbook? 

BerryDunn’s vendor-neutral guidance can help your utility achieve CIS success. Learn more about our team and services. 

About BerryDunn 

BerryDunn has a proven methodology for CIS system selection and implementation—one grounded in public sector experience and tailored to each client’s unique needs. Our independence from vendors ensures that every recommendation serves the best interest of our clients. From early assessment to go-live support, we guide local governments and utilities through transformative CIS projects with clarity, rigor, and collaboration. 

Focused on inspiring organizations to transform and innovate, our Local Government Practice Group partners with municipal, county, regional, and quasi-governmental entities throughout the US to help them meet their biggest challenges.

Article
Secrets of CIS success for utilities: Lessons from the playing field