Management considerations for managing governance risks
Perform a self-assessment against the Charity Governance Code, to determine whether your charity is in line with good governance practices.
Boards and their committees should perform an annual self-assessment of their effectiveness. While this will provide useful feedback to enhance governance effectiveness, self-assessments are limited by human biases that tend to result in an inflated outcome rating. To counter this, larger charities should commission an external review to get an objective assessment on a periodic basis, typically every three years.
Board and committee papers communicate critical information to trustees. Nevertheless, board and committee packs can be extensive and detailed, resulting in information overload. Critical information can be lost and not given the attention it requires.
Trustees and management should challenge their current board and committee reporting format to consider whether it enables effective communication and generates meaningful discussion. In working with a wide range of charities, we've observed that organisations are actively trying to make their management information more concise, enabling decision-makers to spend more time on key issues.
Keep risks under ongoing review. In its recent communication to large charities, the Commission stressed the need for all charities to establish and maintain an effective risk management process. Tailored to suit individual charities, the process should allow for ongoing and iterative assessment of existing and emerging risks, ensuring trustees and senior management discuss topical risks.
The Audit Committee, or equivalent, is commonly the forum at which top risks are discussed, though we note that the extent and quality of that discussion varies. Taking an exception-based approach that focuses on the top risks will create more time to discuss the aspects that matter most.
Questions for trustees and audit committees
- Does the organisation regularly assess the effectiveness of its governance arrangements, including periodic external assessments?
- Are the terms of reference and reporting lines clear between the various committees in place and is there regular reporting between committees?
- Have you revisited the frequency and length of committee and board meetings with members to determine if it remains appropriate?
- Do you regularly review your risk management framework (for example, your risk reporting, risk appetite, use of risk indicators and risk training) to determine whether it remains appropriate?
New charity regulations are increasingly complex and have far-reaching organisational impact. For example, complying with the GDPR required large charities to invest significant time and resources, in addition to accelerating major systems upgrades and redesigning business processes to enable compliance.
While the level of effort required to comply can be significant, so is the range of consequences resulting from non-compliance. Charities risk fines, reputational damage and increased scrutiny by the media and the Charity Commission, particularly in the wake of the Commission's heightened focus on governance. Other areas of regulatory compliance we see charities focus on include fundraising and health and safety regulations. In both areas, during internal audit reviews, we often identify important weaknesses in compliance monitoring arrangements and in awareness of applicable laws and regulations.
Management considerations for managing regulatory risks
Leveraging project management methodology when preparing for and embedding new regulations should help create the structure and rigour necessary to achieve compliance in a timely and cost-effective manner. Core elements of an effective project management methodology are clearly defined roles and responsibilities; project plans, such as Gantt charts, that set out key activities and milestones; governance arrangements for monitoring and oversight; and a detailed understanding of the constraints and risks to achieving compliance in the required timescale.
New regulations can be extremely complex and updates to existing regulations can sometimes require a comprehensive review. Charities should undertake a detailed and documented impact assessment of new regulations to identify relevant changes and to understand how their policies, processes and charitable activities will be affected. The impact assessment should be led by an appropriately skilled and experienced individual, such as a legal director, and it should actively involve process owners to ensure operational impacts are identified and thoroughly understood.
Some of the key external reporting requirements most large charities need to be aware of include, but are not limited to, notification to the Information Commissioner's Office (ICO) in the event of a data breach, notification to the Health and Safety Executive (HSE) for health and safety breaches, and serious incident reporting to the Charity Commission. The challenge with these reporting requirements, and particularly serious incident reporting, is that there is some ambiguity with regard to what to report and when. The Commission states that a Serious Incident Report is required following an adverse event that results in, or risks, significant harm to beneficiaries, staff, volunteers and others in contact with the charity; loss of money or assets; or harm to a charity's work or reputation. 'Significant' is defined relative to the context of the charity. It's therefore important that charities incorporate triggers in their policies and procedures that keep serious incident reporting front of mind when dealing with a wide range of issues.
Questions for trustees and audit committees
- How do you keep trustees and other committee members abreast of new, emerging and changing regulations?
- How do you ensure that the relevant directorates are adequately preparing for new regulations to avoid non-compliance risk when the regulations become effective?
- Have you performed a regulatory 'rule mapping' exercise to capture the relevant laws and regulations that your organisation must adhere to, followed by an overview of the reporting and sources of assurance in place to determine compliance?
- Do your trustees or audit committee get adequate sight of regulatory breaches, any root causes and feedback from the regulator?
For more information and guidance on charity risk and regulation, get in touch with Paul Rao.
Need guidance on navigating charity risk?
Our insights provide advice on the highest rated risks for the charity sector so you can ensure that your risk management and control arrangements remain robust.