These are challenging times for everyone, and the charity sector is no exception. To help you visualise the sector's risk landscape and better prepare for coming challenges, our charity internal audit team have spoken confidentially to 10 of the UK's most high-profile charities about their risks.
Across humanitarian and international development, healthcare, children and young people, membership organisations and those supporting a range of disabilities, this benchmarking exercise found that the key areas of risk were consistent across the board.
While the organisations we spoke to within the charity sector were all large-scale or high profile, the same risk-mitigation strategies are likely to benefit charities of all sizes and profiles.
Much of the analysis for our benchmarking exercise was performed during the first half of 2020, coinciding with the onset of the COVID-19 lockdown. Charities were revisiting their existing top risks in an effort to understand how they were evolving, thereby determining what impact coronavirus was having on the likelihood and impact of their existing top risks.
The risk profile largely reflects the shared nature of risks across the charity sector. Let's explore these in more detail:
The charity sector is experiencing a period of unrelenting change.
This is driven by factors such as:
These factors are forcing charities to adapt and to respond in ways that protect their operations, while also continuing to focus on the needs of their beneficiaries.
These challenges are reflected in risks related to governance and strategy, organisational change and reputation.
If there is an organisational focus area that has become undeniably more challenging due to the effects of coronavirus, it is the charity sector’s operations.
Furloughing employees has required a significant management effort extending beyond human resource functions, diverting focus from other operational activities.
It is not surprising to see that business continuity, people and wider organisational risks are included in the top risks.
Many organisations within the charity sector have had to reduce, in some cases drastically, their forecasted income for 2020 and cancel or re-invent their flagship fundraising events to account for social-distancing requirements and the uncertainty that coronavirus has created.
Even before lockdown, many charities were also revisiting how diverse and sustainable their sources of income were.
Over the last few years, a key regulatory area of focus for the charity sector has understandably been the General Data Protection Regulation (GDPR).
This complex regulation will continue to require management attention as the expectations of the Information Commissioner’s Office (ICO) continue to evolve, particularly in relation to the technical measures required for personal data protection.
Additionally, there have been other recent and important changes in the regulatory landscape and expectations of regulators.
In October 2019 a new Code of Fundraising Practice was released by the Fundraising Regulator and the Charity Commission. This code has increasingly advocated robust charity governance in the wake of some high-profile news stories, and the need for trustees to have effective oversight of their charities.
Furthermore, the Charity Governance Code, updated in December 2020, focuses on integrity (principle 3), and equality, diversity and inclusion (principle 6).
Equality, diversity and inclusion, in particular, is an area we see charities focusing on and investing in.
Digital transformation is a common trend across the charity sector. Many charities are well advanced in, in the middle of, or planning their digital transformation programmes to enable more effective engagement with donors and beneficiaries, as well as streamlined ways of working.
As a result, technology is becoming ever more pervasive within operating models. This increases the need to focus on cyber security and the resilience of IT systems and infrastructure, which are relied upon to safeguard information and data, and to maintain business continuity.
There's also an increasing need to ensure that outsourced IT service suppliers are managed well, contractual arrangements are fit for purpose and that the outsourced supplier adheres to the key policies of the charity.
An example is data protection policies, where non-compliance by the supplier may result in reputational damage to the charity, regulatory sanctions and fines.
Within this landscape, our respondents advised us of the 10 key risks the charity sector is working to mitigate:
| 10 key risks | Description |
|---|---|
| 1 Income and financial sustainability | Insufficient income and reserves for the charity sector to achieve its strategic objectives and maintain its operations |
| 2 Data Protection compliance and GDPR | An event or incident such as an external data breach or inadvertent internal error resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data |
| 3 Organisational change and digital transformation | The failure to execute organisational change and transformation programmes effectively and to achieve the intended benefits of these, resulting primarily in inefficient use of the charity’s resources |
| 4 Safeguarding | Failure to safeguard a charity’s beneficiaries or associated vulnerable persons, including children, from abuse and maltreatment |
| 5 People, leadership and culture | Weaknesses or failure of leadership, inability to develop and retain talent effectively and an organisational culture that is not an enabler in the pursuit of a charity’s strategy and objectives |
| 6 Governance | The charity does not achieve its strategic, charitable, regulatory and ethical objectives due to inadequate governance at the board and senior management or operational levels |
| 7 Regulatory | The charity fails to comply with applicable regulatory requirements, leading to reputational damage and financial penalties |
| 8 Cyber security | Cyber incidents (typically unauthorised or inappropriate access to an organisation’s network) executed by external or internal parties that negatively impact the confidentiality, integrity and availability of a charity’s information systems and data |
| 9 Business continuity incidents | The occurrence of incidents that limit an organisation’s ability to operate as it normally would in business as usual situations |
| 10 Reputation | A range of occurrences including incidents, events and outcomes that may consequently damage a charity’s reputation. |
Reputation risk is largely a consequence of other risk events materialising. However, our study identified that charities are including it as a specific risk.
Following on from this introduction to the benchmarking exercise, Paul Rao will be publishing a series of short insights that explore these 10 risks, and in particular, considerations for management and trustees.
This will include ‘five questions to ask’ for each of the risks and will be published over the next six months.
The risks that the charity sector is facing are becoming increasingly challenging and are changing in nature and severity as the external environment evolves.
We have a broad experience delivering internal audit reviews of the risk areas defined above, including to many of the largest and highest-profile charities in the UK and globally, and can advise on pragmatic organisational measures for managing these risks.
For help managing these and other charity sector risk trends, contact Paul Rao.