How to Make the Case to Your Board for a Technology Review
If you're reading this, there's a good chance you already know your charity's technology needs attention. Maybe you've inherited systems you don't fully understand. Maybe staff are working around tools that don't quite fit. Maybe a data incident at another charity made you realise you're not sure how protected you are.
But knowing something needs to happen and getting your board to agree to spend money on it are two different things. Boards are rightly cautious about expenditure — especially on something that feels intangible. "We need a technology review" can sound like "we want to spend money and we're not sure what we'll get."
Here's how to frame the conversation in a way that resonates with trustees.
Lead with risk, not technology
Most trustees aren't technologists, and that's fine — they don't need to be. But they do understand risk, and that's the language to use.
Technology risk in a charity context means things like: sensitive data about vulnerable people being inadequately protected. Key systems that depend on a single person's knowledge. No tested plan for responding to a cyber incident. Software subscriptions that nobody has reviewed or justified. Policies that are out of date or missing entirely.
Frame the conversation around what you don't currently know rather than what you want to buy. The board's job is to govern, and governance means understanding risks. Right now, you can't give them a clear picture of your technology risks — and that's exactly the problem a review solves.
Connect it to existing obligations
Your board already has obligations around data protection, safeguarding, and financial oversight. A technology review doesn't create new obligations — it helps you meet the ones you already have.
Under UK GDPR, your charity is required to implement appropriate technical and organisational measures to protect personal data. The Charity Commission expects trustees to manage risks, including operational and data risks. Many funders now ask about digital maturity and data governance as part of grant applications.
A technology review gives you documented evidence that you're taking these obligations seriously. It's not an indulgence — it's due diligence.
Quantify what you can
Boards respond to numbers. You may not have all the answers yet — that's partly the point of doing the review — but you can probably estimate some of the following:
How much does your charity spend on software subscriptions each year? Do you know if all of those tools are actually being used? How many hours per week do staff spend on manual workarounds — exporting data, copying between systems, compiling reports by hand? What would a data breach cost in terms of ICO fines, reputational damage, and operational disruption?
Even rough figures help. If you're spending £15,000 a year on software and you can't confirm that all of it is needed, a £3,000–£6,000 review that identifies savings is easy to justify. If a single data breach could cost tens of thousands in ICO fines and months of operational disruption, the prevention case writes itself.
Show that it's contained and specific
One of the reasons boards hesitate about technology work is that it can feel open-ended. "Let's sort out our IT" could mean anything from buying new laptops to a two-year digital transformation programme.
A Digital Governance Review is none of those things. It's a fixed-scope, fixed-fee engagement with a clear deliverable and a defined timeline. The board is approving a specific piece of work — not an ongoing commitment, not a software purchase, and not a blank cheque.
Make sure your board understands what they're saying yes to: a 4–6 week review, a written report with scored assessments and prioritised recommendations, a walkthrough session, and template documents they can adopt. That's it. What happens next is a separate decision, informed by the findings.
Address the "can't we do this ourselves" question
Someone on your board will probably ask whether you could do a self-assessment instead. It's a fair question. The Charity Digital Code of Practice is publicly available, and you could certainly work through it internally.
The honest answer is: you could try, but you probably won't get the same result. Self-assessments tend to be generous. Organisations struggle to see their own blind spots. Staff who built or chose the current systems have a natural bias toward defending them. And most importantly, nobody on your team has the independent perspective or sector-wide experience to know what "good" looks like for an organisation of your size.
An independent review brings objectivity, expertise, and benchmarking that you can't replicate internally. The output is also more credible — to funders, to the Charity Commission, and to the board itself.
Use the output as a strategic tool
Finally, help your board see the review not as a cost but as a strategic input. The report gives you a prioritised roadmap — not just a list of problems, but a sequenced plan for addressing them, with estimated effort and suggested ownership for each recommendation.
That roadmap becomes a governance tool. The board can use it to track progress, make informed decisions about technology investment, and demonstrate to funders and regulators that the organisation takes digital governance seriously. It turns technology from a vague anxiety into a managed, visible part of your governance framework.
A suggested approach
If you're preparing a paper for your board, here's a structure that works:
The problem: We rely on technology to deliver our mission, but we don't have a clear picture of our technology risks, our data compliance position, or whether we're getting value from our current tools.
The proposal: Commission an independent Digital Governance Review — a fixed-scope, fixed-fee assessment against the Charity Digital Code of Practice.
The cost: £3,000–£6,000 depending on our size and complexity, agreed upfront.
The output: A scored assessment, detailed findings, prioritised recommendations, and template policies we can adopt immediately.
The benefit: A clear, evidence-based understanding of where we stand, a roadmap for improvement, and documentation we can share with funders and regulators.
If you'd find it helpful to talk through any of this before going to your board, book a free discovery call. I'm happy to help you frame the case — with no obligation.