The way that Price Waterhouse did it was they looked at all the financial transactions in the finance system. And they had a table of keywords. So if the transaction had “laptop”, or if it had “Internet Service Provider” or “ISP”, they had a whole table of terms, so that if that term appeared somewhere in the description of the financial transaction, it was probably IT-related. And they could then sum all that up. So they did a grand database analysis. And came back and said 53% of the technology spending in the organization… Well, first of all, they could say here really is what you're spending on IT, the true total, which was the combination of those and of that true total, here's the portion that's IT-managed. And here's the portion that's shadow IT. And are we running a risk of duplicate expenses? Or worse yet, are we running the risk of things going in separate directions, that then system-wise become very difficult to integrate, or connect when they need to be? Not everything needs to be connected, but a fair amount of things do. How do we ensure that there is good enterprise architecture, for example, so if we don't have it right, will that be an additional expense?

For example, if there is a finance subsystem that exists somewhere in the field organization, and then to connect the data. And let's say there's some new finance rules that come in that the organization needs to comply with. How does finance, and the finance has to make the change, ensure that it's throughout the organization? That's a risk. You have the same from InfoSec as well. It's a risk.

Interestingly, nonprofit senior management teams and boards of directors respond pretty well to risks and that they then believe that this needs to be addressed because we need to reduce that risk. And so sometimes describing situations in terms of risk to the organization, risk to the enterprise, is a strategy for unifying things or at least connecting things more.