Charities in the UK are facing challenging times as the sector tries to navigate the technological, regulatory, operational, economic, and environmental changes happening not just within the country’s borders but also globally.
To paint a clearer picture of the sector’s risk landscape and help not-for-profits better prepare for the challenges ahead, the charity internal audit team at global accounting and advisory organisation Grant Thornton interviewed representatives of 10 of the country’s most prominent charities about what they thought were the sector’s biggest risks.
Although the organisations vary in scope, the researchers identified several key risk areas that were consistent across the board. Here are some of the biggest risks charitable institutions in the UK are working to mitigate based on the team’s benchmarking exercise, along with an analysis from Paul Rao, director and UK head of not-for-profit at Grant Thornton.
Risk 1 – Income and financial sustainability: Insufficient income and reserves for the charity to achieve its strategic objectives and maintain its operations
Income and financial sustainability have traditionally been among the top risks associated with charities. However, the economic disruption caused by the COVID-19 pandemic has exacerbated funding concerns.
“Many organisations within the charity sector have had to reduce, in some cases drastically, their forecasted income for 2020 and cancel or re-invent their flagship fundraising events to account for social-distancing requirements and the uncertainty that coronavirus has created,” Rao wrote in his analysis.
He added that even before lockdowns were imposed, many charities were already revisiting the diversity and sustainability of their sources of income.
Risk 2 – Data Protection compliance and GDPR: An event or incident such as an external data breach or inadvertent internal error resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data
The UK’s adoption of the General Data Protection Regulation (GDPR) has been a key regulatory focus for the charity sector in the past few years, according to Rao.
“We often think of GDPR as something that is most relevant to private companies, but it is just as relevant to charities: voluntary sector organisations often hold substantial amounts of personal and sometimes sensitive special category data related to their donors, beneficiaries, and volunteers. They also often undertake significant marketing activity,” he noted.
“GDPR is not just about protecting access to data, but also regulating how it is obtained, processed, transferred, and how long it is retained. It also has stipulations on the assessments and staffing that should be in place to handle data, and what to do in the event of a breach.”
Rao added that compliance with this “complex regulation” would continue to be a top management focus as the expectations of the Information Commissioner’s Office (ICO) continued to evolve, particularly the technical measures required for personal data protection.
Risk 3 – Organisational change and digital transformation: The failure to execute organisational change and transformation programmes effectively and achieve the intended benefits of these, resulting primarily in inefficient use of the charity’s resources
Rao described digital transformation as a common trend across the charity sector. However, organisations currently differ on the level of adoption and implementation.
“Many are either advanced, in the middle of, or planning their digital transformation programmes to enable more effective engagement with donors and beneficiaries, as well as streamlined ways of working,” he wrote. “As a result, technology is becoming ever more pervasive within operating models.”
Rao added that this increasing reliance on technology raises the need for charities to focus on cybersecurity and the resilience of IT systems and infrastructure, which are vital in safeguarding information and maintaining business continuity.
“There’s also an increasing need to ensure that outsourced IT service suppliers are managed well, contractual arrangements are fit for purpose, and that the outsourced supplier adheres to the key policies of the charity,” he wrote. “For example, data protection policies where non-compliance by the supplier may result in reputational damage to the charity, regulatory sanctions, and fines.”
Risk 4 – Safeguarding: Failure to safeguard a charity’s beneficiaries or associated vulnerable persons, including children, from abuse and maltreatment
Safeguarding represents a key source of risk for not-for-profits that work with adults at risk and children, and the relevance of this issue for specific charities depends on several factors, including their size and activities, according to Rao.
“The most critical danger of safeguarding failures is the significant personal impact on individuals that weren’t properly protected,” he wrote. “Charities also need to think about the long-term damage to their reputation that may make it more difficult to deliver their services as a result.”
Rao cited recent media attention arising from a range of concerns involving high-profile charities, which made safeguarding a particular concern for the Charity Commission. He added that safeguarding entries in risk registers could also extend to employees and volunteers, covering issues such as workplace harassment and bullying.
Risk 5 – People, leadership, and culture: Weaknesses or failure of leadership, inability to develop and retain talent effectively, and an organisational culture that is not an enabler in the pursuit of a charity’s strategy and objectives
Rao noted how charities were paying more attention to effective leadership because of its significant impact on the organisation’s culture.
“The tone from the top and consistency of messaging and role modelling of desired behaviour is key to retaining and attracting staff in both crisis and normal times,” he wrote. “Underpinning an effective culture where staff are motivated, productive, and stakeholders’ needs are met, requires effective alignment of all areas of people management, including performance and talent management.”
In terms of talent management, Rao observed how succession planning had become a common concern, with many charities worried about being unable to retain their top employees and recruit new leaders when the need came.
He added that many charities, particularly the larger ones, were investing substantial time and resources in projects “to understand and evolve” their culture.
Risk 6 – Regulatory: The charity fails to comply with applicable regulatory requirements, leading to reputational damage and financial penalties
Apart from GDPR, there have been other important changes in the regulatory landscape that impact charitable organisations, according to Rao.
These include the Code of Fundraising Practice released by the Fundraising Regulator and the Charity Commission in October 2019, which requires charities to reference the fundraising standards they follow in their annual reports. Doing so allows their supporters to know if they are implementing best practices in the area.
The new legislation came after the regulator’s research found that many charities did not report on what they were doing to protect vulnerable people and the public when raising funds and that very few charities reported on how they monitor fundraising carried out on behalf of the charity.
Risk 7 – Cybersecurity: Cyber incidents executed by external or internal parties that negatively impact the confidentiality, integrity, and availability of a charity’s information systems and data
Although Rao described cybersecurity as an issue that “has been embedded in charities’ risk awareness for several years,” he admitted that the biggest challenge was that cybersecurity risk was “constantly evolving.” Because of this, he said charities could not afford to be complacent with their existing cybersecurity measures.
“An appropriate cybersecurity training and awareness programme is one of the most effective preventive control measures against cyberattacks,” he wrote. “It should emphasise that cyber risk and assurance must be driven by the board. However, we find this is also a common area of weakness for charities.”
Risk 8 – Reputation: A range of occurrences, including incidents, events and outcomes that may consequently damage a charity’s reputation
Rao noted that reputational risk was largely a consequence of other risk events materialising. But during their benchmarking exercise, the charities that participated were including it as a specific type of risk.