Risk registers: is yours working for you?
Many charities state that they have a risk register. Often, when it is produced, it is a colour-coded spreadsheet identifying risks and highlighting whether they are considered significant. For many it has become a tick-box exercise of identifying risks but not actually managing them.
Instead of (or in addition to) a traditional register, a risk policy might work better. A risk policy would involve the trustees asking themselves where they are willing to take risks. It therefore needs to be linked to strategy. Areas to be considered:
- financial sustainability
- specific risks.
It can be helpful to focus on three broad categories of risk: project risks, operational risks and strategic risks.
A charity’s approach to risk will usually encompass a level of risk taking. Trustees should decide where they are prepared to take risks in order to innovate and grasp opportunities but still be alert and respond to their strategic risks.
Is now the time to revisit what your charity does on risk?
Defending your reserves policy
As trustees, do you consider your reserves are something to protect or something to manage?
More often than not, reserves are considered as something to protect. The UK has been through an unpredictable decade with economic downturns, slow growth and, more recently, significant Brexit uncertainty. A high level of reserves held by a charity has often been defended as something that needs to be protected, a ‘rainy day fund’.
However, is this how trustees should think about reserves? Reserves are unspent income. As a donor to a charity, you would expect a good reason for that income not to be spent on charitable activities. Should trustees think of reserves as an opportunity cost: what is the charity missing out on?
Trustees develop the overall strategy of the charity, including the financial strategy. The level of reserves required should be directly related to this strategy. It has been found that high levels of reserves can lead to complacency and poor financial practices, and may also deter donors and grant makers.
Ultimately the level of reserves held should be supported by an intelligent reserves policy which incorporates a detailed understanding of income streams, the charity’s expenditure commitments and the level of risk, which links back to strategy. Where risks are identified, trustees should be trying to manage them without necessarily building up high levels of reserves. This could mean diversifying income, partnering with another charity or altering expenditure.
Does Wales need its own regulator?
Joe Saxton, founder of nfpSynergy, a research consultancy for the charity sector, made the case for creating a separate regulator for Wales on 21 March at gofod3, an annual conference organised by Wales Council for Voluntary Action.
Creating a new regulator would also be in keeping with the pattern of other government bodies which are devolved, and Scotland and Northern Ireland have their own regulators, he added.
‘Having a charity commission that covers England and Wales is an anomaly.’
Joe Saxton lists ten reasons in a blog:
- Wales is not like England!
- The Welsh public prefer to support Welsh charities
- Other regulators and government bodies tend to be fully devolved or UK wide
- The Welsh charity sector needs and delivers a separate identity
- We need to know the size and shape of the Welsh charity sector
- The other devolved nations of the UK have their own charity regulator
- The public are reassured by knowing about charity regulators
- CCEW has no strategy for Wales
- CCEW delivers no Wales specific reports or content
- Charity regulation in Wales should be accountable to the Welsh Government.
A spokesperson from the CCEW responded by clarifying that it operates with four offices, one of which is based in Newport, Wales and which operates bilingually in Welsh and English.
Conflicts of interest
In a number of recent CCEW statutory enquiries, there has been a running theme of trustees not managing conflicts of interest. The findings are often coupled with breaches of trust and trustees not complying with their duty to apply charity funds. On too many occasions they point to trustees gaining personal benefit from transactions where clear conflicts of interest have not been managed.
The OSCR blog on ‘Trustee Governance – conflicts of interest and related party transactions’ highlights that charities often do have a register of trustees’ interests, but the register is not regularly updated or not all trustees have returned their declarations.
OSCR proposes that trustees should complete an ‘annual declaration of transactions the charity has had with, and donations the charity has received from, their related parties. This can also be combined with a declaration of expenses waived (which is also a required disclosure in the accounts).’
Of course, having annual declarations must be coupled with a policy of how to deal with such conflicts.
Links with non-charities
Further to a consultation last year, CCEW has updated its guidance for charities with close links to non-charitable organisations, citing examples where charities have not sufficiently managed the links. In some cases this has allowed charities to be misused to further non-charitable interests, including commercial or private interests.
The new guidance does not set out new rules or regulations, but draws together relevant law and practice in setting out six principles to help trustees safeguard the charity’s interests and independence:
- recognise the risks
- do not further non-charitable purposes
- operate independently
- avoid unauthorised personal benefit and address conflicts of interest
- maintain your charity’s separate identity
- protect your charity.
CCEW points out that charities can set up or keep a close connection with a non-charitable organisation in order to make a positive difference for their beneficiaries. Work with non-charitable organisations must always further the charity’s objectives. Trustees must not allow resources or activities to fund or support non-charitable purposes and should identify, properly address and review risks which come from the connection.
The guidance includes three checklists to help trustees assess whether the guidance has been applied. These checklists could also be used in other jurisdictions as a matter of best practice.
Free updated GDPR guidance
The Institute of Fundraising (IoF) has updated its GDPR guidance. A year since implementation of the legislation, the original guidance has been tweaked to include the latest thinking, and provide some more tips and advice.
The Information Commissioner’s Office made it clear that organisations will need to continue to update their policies and procedures at appropriate intervals to ensure they are compliant with data protection laws, and ‘just like a car needs regular servicing and an annual MOT, charities need to be regularly reviewing and checking that their processing of personal data is being done fairly and lawfully’.
The guidance includes new information on minimising data protection risks, advice about when to employ a data protection officer and how to assess a legitimate interest for direct marketing under GDPR.
Brexit related issues
At the time of publication, there is still no clear picture of the Brexit situation. If it has not been done already, it is recommended that charities spend time considering how all potential outcomes could affect them. There is a huge amount of helpful literature available.
More charities experiencing cyber breaches
According to the government’s annual survey, over 22% of charities have identified breaches or attacks (business sector: 32%). Although a lower percentage of charities identify breaches compared to business, the cost is higher (£4,180 for businesses and £9,470 for charities).
The most common attacks are:
- phishing emails (81% of charities experienced breaches or attacks)
- others impersonating their organisation online (20% of charities experienced this issue)
- viruses or other malware, including ransomware (18% of charities experienced this issue).
Although the survey notes that the GDPR has helped to ensure charities take action on cyber security, there is still more that can be done, especially around staff engagement and training. The survey revealed that 49% of charity trustees are only updated once a year on cyber security (business sector: 34%) and cyber security training has only been given to staff in 29% of charities.
There has been an increase in awareness with 75% of trustees and senior management stating cyber security is a high priority (2018: 53%). Awareness of this problem appears to correlate with the size of charity, with smaller charities not identifying this as such a high priority.
The government has published a helpful ‘10 Steps to Cyber Security’ but only 53% of charities have taken actions towards five or more of these steps.
UK’s first charity digital code of practice
The UK’s first charity ‘Digital Code of Practice’ has been developed to provide charities with practical advice on incorporating digital technology into their work. The code has been managed by a steering group of representatives from across the sector. It is voluntary and free to access for all charities and there are two versions available, one specifically for small charities.
The Lloyds Bank UK Business Digital Index 2017 showed only 48% of charities had full basic digital skills, and 50% of charity leaders lack confidence in introducing digital change.
The code has identified seven principles to be considered by charities wishing to develop their digital activity. The principles cover best practice relating to leadership, beneficiaries and other stakeholders, culture, strategy, skills, adaptability and managing risks and ethics. It also sets out how to measure success when making changes to digital activities.