I know a lot of organizations that rely on their CRM support provider almost as much as they rely on their CRM.

Smart decision?

Of course, systems need support. But the problem with outsourcing that support to an external provider is this:

It does not lead you to master your own systems.

The organizations I've seen who are happiest with their open-source CRMs — who are getting the most value out of their systems — are the ones who handle their support internally, and rely on external expertise only for strategic decisions and planning.

Naturally you can get some cost-savings by bringing CRM operations in-house. But that's not the primary value.

The primary value is in increasing institutional knowledge of your systems and how they work.

How you decided to do this will depend on your situation, but here are some ideas:

• Designate someone in your organization to be the point person for these tasks. All questions come to them, and they become, in time, the in-house expert.

• Work out a job description for a new hire that includes these tasks, either as a primary function or along with other responsibilities.

• Start taking on these tasks yourself. This may be the best option if you're running a very small operation.

Here’s the thing:

One of the great benefits of running open-source tools is that you own the data and the systems, which gives you extraordinary stability and freedom.

But if you're not mastering those systems over time, can you really say that you own them?

All the best,
A.

Convenience and security are trade-offs.

Giving everyone in your office a key to the front door certainly adds convenience. But if you've got 200 people in your office, you probably want to think twice about the security implications.

Not long ago one of my clients had their website defaced. Someone had guessed the password for one of their user accounts, and used it to add spam links to a gambling website in every page on the site.

That user account wasn't even in use anymore. But nobody had thought to disable it.

Here's the thing:

Tightening security can cause some inconvenience.

• Somebody has to remember to disable unused accounts.

• Two-factor authentication makes logins just a little more cumbersome.

• Some of your board members may be unhappy learning they don't have absolute carte blanche access to change anything on your site.

But considering the implications of a security breach, isn't it worth thinking carefully about the trade-offs between security and convenience?

All the best,
A.

How would you find out if your site were off-line?

Would you get an email from one of your members? Would you get a phone call from your board chair? At 10 pm?

Sites go down. It happens. And usually, someone needs to take action to get it online again (or, you could just, you know, wait and see).

Here’s the thing:

If you’ve got a site you care about, you need to make sure someone’s monitoring it. Someone who can take action quickly in case it goes off-line.

For Joinery’s hosting clients, my team and I receive phone notifications within a minute or less if the site goes off-line.

For sites you’re not hosting with Joinery, you can still use a monitoring service (Joinery uses UptimeRobot) to keep on top of things. So you can take quick action.

It’s a lot better than hearing about it from your board members.

All the best,
A.

If you're still not sure that it's worth paying someone just for their advice, think about the ways people already do this all the time.

Fishing guides. Fashion advisors. Sports trainers. Personal tour guides. Real estate agents. Business coaches and mentors.

All of these people offerable a valuable service, none of which is actually doing the work.

Sure, I can hire a fisherman to go out and catch me a swordfish, and deliver it to me ready to mount on my office wall.

But if I hire a guide instead, I've got a good chance of getting that swordfish myself. And learning how to get more along the way.

All the best,
A.

I'm a big fan of managing your projects in-house, where possible.

It's one of the best things you can do to grow your institutional knowledge of your systems, which is a huge value long term.

But of course it's not always possible.

Some projects just involve too much new and specialized knowledge that you don't have in-house.

So what to do?

Fortunately, it's not always a stark choice between doing everything yourself and outsourcing the entire project.

Hiring a technical advisor can be a great choice. In this arrangement, you still do all the hands-on work in-house, so you get the cost savings of using your own staff and the long-term benefit of retaining institutional knowledge.

What the advisor provides is a voice of experience, to ensure that your progress is not blocked by surprises and beginner mistake. That all of that in-house work you’re doing is built around ideas that will work. That your project is not a series of hit-or-miss trials and errors.

Here's the thing:

Even on the most complex and mission-critical projects, there are ways to divide the work, and still focus on building institutional knowledge along the way.

All the best,
A.

Risk management is not something you want to leave as an afterthought.

• You probably have a routine to keep your smoke alarm batteries fresh — like changing them when you change your clocks for daylight saving time.

• You probably have a way to keep your car insurance premiums current — like putting them on auto-pay.

It’s great. You don’t have to think about it. Or remember it. Or risk putting it off. And important stuff gets done.

But what about software security updates?

CiviCRM releases security updates a few times a year. So do Drupal and WordPress.

But unlike insurance premiums and battery replacement, these security updates come on an unpredictable schedule.

If you don’t have a system in place to make sure they get installed on a timely basis, it’s easy to be unaware of them. Or put them off. Or forget about them.

That’s why thousands of site owners regularly fail to apply these updates in a timely manner – and as a result, thousands of those sites get compromised by hackers every year.

Here’s the thing:

It’s not easy to keep up with this stuff, until you make it easy.

You can subscribe to CiviCRM’s Security Notifications list to get advance notice of security updates, and then plan accordingly. (Drupal and WordPress have similar offerings.)

You can assign a member of your internal team to be responsible for performing security updates.

You can subscribe to Joinery’s Proactive Security Updates service and let me handle that for you. (Or hire some other CiviCRM Partner to handle it.)

Whatever it is, make a system, and stop putting off these updates for lack of a plan.

It’s just one more worry you can cross off your list.

And who doesn’t want that?

All the best,
A.

Trying something new entails risk.

At the very least there's the risk that you'll put in time, money, and mental effort, and you won't get anything out of it.

To mitigate that risk, start small.

Train one department or one staff member in a new technique. Roll out a feature to a fraction of your constituents. Adopt one new workflow for yourself.

By starting small, you limit your investment.

And as a bonus, since you're measuring outcomes (you are, right?) you can compare the benefit of this new idea to doing it the old way.

Risk mitigation and measurement of outcomes? Double win.

All the best,
A.

One of the most common risks on software projects is cost overruns.

Many projects begin with a simple idea for a feature improvement, for which you would then get an estimate of work, to be billed hourly.

The big unknown here is in the estimate — after all, it's just an estimate.

Nobody, and I really do mean nobody, can know if that estimate is accurate, until the project is done.

So it should be obvious that nobody knows what the total billables will be, until the work is complete.

Naturally this leads to a significant risk of cost overrun.

How can we mitigate that risk?

Simple:

Stop relying on hourly estimates.

Find a provider who's willing to give you a price. For a specific set of deliverables. Which you’re confident will help you meet a specific business goal.

That price may come out a little higher, or even a lot higher, then whatever lowball estimate you might get from someone who “really needs the work.”

But we're not just hoping for the best here. We're creating plans to mitigate risk. And then it's up to you to decide whether that mitigation is worth it. (Hint: It usually is.)

All the best,
A.

Would you drive across the desert without a spare tire? You could. But I wouldn't recommend it.

Would you operate your mission-critical CRM without a system of daily backups and a way to recover those backups in an emergency? You could. But I wouldn't recommend it.

Would you embark on a project to create custom features for your systems without a Plan B just in case everything goes wrong? You could. But ... Well, you get the idea.

It's natural to hope that everything will go according to plan. But the smart choice is to prepare, in case it doesn't.

Here’s the thing:

Every endeavor comes with some risk.

And while you can't prepare for every possibility, and you can’t afford to be paralyzed by endless what-ifs, there are probably some simple precautions you can take to mitigate some of that risk.

What steps are you taking to ensure that your plans, systems, and projects will be protected in case of the unexpected?

All the best,
A.

One of the cool things about open-source software is that developers in the community work together to address issues when they come up. (The recent team effort to solve card testing abuse is a great example.)

And of course you as an open-source software user get to benefit from those efforts. Somebody else has just fixed your problem, and they’re giving the solution away to everyone for free.

But to take advantage of that, you have to stay aware.

The official blog at CiviCRM.org is a great resource for keeping up. So are the CiviCRM StackExchange, and the online discussions at chat.civicrm.org.

Having an expert on your team, internal or external — someone who keeps up with developments in the community — is an important part of staying aware and ensuring you get these benefits.

How are you keeping up with developments for your open source tools?

All the best,
A.

In the past few weeks many CiviCRM sites using the Stripe payment processor have had serious troubles with a kind of abuse called card testing.

It's not the kind of thing that could allow someone to break into a site, or steal user data, but on many sites it has been aggressive enough to bring them to a crawl, and occasionally to a halt. Or get their Stripe account suspended. Or other troubles.

Developers in the CiviCRM community got together pretty quickly and worked out a solution. You can read about it in my blog post on civicrm.org: Stripe: Solving Card-Testing and Fraudulent Transactions

If you're processing payments through Stripe on CiviCRM, you really should give that a look and apply that fix on your site.

If you need help with that, you should reach out to your support team.

You do have a support team right?

All the best,
A.

The great thing about an open-source CRM is that you can make it do pretty much anything you want it to do.

But just because you can, does that really mean that you should?

In the world of CRM, trying to make your tools do everything your way can become an expense that quickly exceeds the value.

That's why in many cases I recommend just doing it the software's way. Adapting your workflow to the software usually gets you more value than adapting the software to your workflow.

And when it doesn't — when you've got a clear business case for customization — you'll know it, because you can state plainly the business value of what you're hoping to achieve.

Until then, it's okay to work with what you have. No system will ever be perfect, resources will always be limited, and smart improvements are driven by measurable business goals.

What measurable goals are you pursuing now?

All the best,
A.

If you're running CiviCRM, you should know that the project has released a security update as of today.

I'm updating all of my clients’ sites, today.

What's your plan for keeping your systems up and running with the latest available security updates?

(BTW, if you’re already hosting with Joinery or subscribed to my Proactive Security Updates service, I’ve got you covered. You’ll be hearing from me soon when your update is complete.)

All the best,
A.

I've dug holes with a hammer, but it's not an exercise I would recommend to anybody. If you can, you should get the right tool for the job.

Sometimes you can't. Sometimes all you have is a claw hammer, and you need a hole right now.

It's okay to do it, but clearly it's not sustainable.

If you feel like you're fighting an uphill battle with your CRM, maybe you're trying to make it do something it wasn't designed to do.

That's where a little advice can come in handy.

Get familiar with the documentation on your tools. Find an online forum where you can ask for help. Book a call with an expert, to get a little coaching or strategic guidance.

Life is a whole lot better when you work with your tools instead of against them.

All the best,
A.

When you think you need some expensive help to handle custom project, ask yourself: What are the alternatives?

Could you hire an intern to throw some extra hours at it every week or every month?

Could you just live with it another 6 months or a year before deciding that you really need this?

Could you train your staff to make a little extra effort and be more careful about this thing or that thing?

Sometimes it's better to wait. But only you can decide that.

All the best,
A.

Are your systems user-friendly?

Probably yes, for some users. And probably no, for other users.

Truth is, there's no formal definition for “user-friendly.” There’s no universal standard.

It’s akin to asking whether a person is friendly or not. What passes for friendliness in New York City is not the same as in Muleshoe, Texas.

The meaning of “user-friendly” depends on a lot of factors. Who is the user? What do they want? How excited are they to learn new skills to get what they want?

What’s more, any system that’s user-friendly today could always be made more user-friendly tomorrow. How far would you like to take it?

Here's the thing:

Holding yourself to a poorly defined standard won't get you very much benefit.

Instead of asking whether your systems are “user-friendly,” try more specific questions, based on the business goals you’re aiming for:

Can your online donors complete a donation in less than 30 seconds? Can your members renew online without experiencing any error messages?

Defining specific goals, and attaching a real business value to those goals, is where winning happens.

All the best,
A.

Yesterday I mentioned reaching out personally to thank first-time donors.

It takes a little time, but it does sound like a good thing.

But I don't recommend starting out that way.

Instead, only thank half of them. Record which ones you thanked and which you didn't. And then measure the difference over the next several months in terms of metrics that matter to you:

How do they respond to other campaigns? How long until they give again? Is their second donation larger than their first?

See, here's the thing:

Thanking people individually takes time, and time is a limited resource.

How can you know it's worth your time if you're not measuring the benefit of spending that time?

If your measurements indicate it’s a big win, then you can start thanking everyone (and you can try measuring and comparing a couple of different methods: email vs. handwritten note vs. phone call, etc.).

And if they indicate just a small improvement, or none at all, you can have confidence in deciding to spend your limited time on something more effective.

All the best,
A.

Your members and donors probably never see your CRM, except to fill out a form now and then.

But obviously they're critical stakeholders in the system.

Could you do anything with your CRM to increase what they get out of joining or giving? (And don't fool yourself, even an anonymous donor "gets something" out of their giving.)

I've got a client who has her CRM email her every time someone new makes a donation. Then she reaches out right away to thank them personally.

It's a great idea. It recognizes the intangible value donors get out of giving (something like: the feeling of satisfaction knowing they've helped), it finds a way to augment that experience, and it relies on simple tools that already exist in her CRM.

But I don't recommend it for you. Not right away.

There's something else you should try first. Tomorrow I'll look at this again in terms of measurement.

All the best,
A.

Deciding on reasonable tolerances has a lot to do with the scale and nature of your operation.

If you're an eight-year-old kid running a lemonade stand on a summer weekend, you can get away with very loose tolerances on product quality, customer experience, and all the rest.

If you're running a nuclear reactor, then you probably need a little more attention to detail.

Chances are your organization is somewhere in between.

If you're spotting flaws in your systems, ask yourself how much of that kind of problem you're willing to accept. It's probably more than 0% and less than 100%.

If you can measure, or even estimate, the frequency and the impact of those flaws, then you're in a good position to start taking action.

There's nothing wrong with just going by feel. But measuring and monitoring can make it a lot easier to take specific corrective action when you want to.

All the best,
A.

By now you probably know that no software system is going to be perfect. You're going to have errors.

User errors, system errors, duplicate contacts, failed transactions, bounced emails. At one time or another some of these things are bound to happen.

So what's your limit? What's an acceptable percentage?

There is no universal standard for an acceptable set of tolerances. It's up to you to decide.

But here's the thing:

To make an informed decision on acceptable tolerances, and then to stay within those tolerances, you'll have to measure.

How are you measuring, in order to set reasonable goals, and then to ensure you're meeting those goals?

All the best,
A.