Charities and Risk Management - Appendices I, II and III



Appendix 1 Reporting of risk management in the trustees’ Annual Report

The Commission recognises that good practice in terms of form and content of reporting risk management in trustees’ Annual Reports will be developmental. The form and content of reporting is also likely to reflect the size and complexity of an individual charity’s activities and structure. The Commission is not seeking "template" reporting, or requiring a detailed analysis of the processes and results. A narrative style that addresses the key aspects of the SORP requirement can be regarded as an acceptable approach to reporting. That is:

  • an acknowledgement of trustees’ responsibility;
  • an overview of the risk identification process;
  • an indication that major risks identified have been reviewed or assessed; and
  • confirmation that control systems have been established to manage those risks.

It is recognised that some charities, particularly larger charities or those with more complex activities, will wish as a matter of best practice to expand on this basic approach in their reporting. Where this more detailed approach to reporting is adopted it will be desirable to address the following broad principles, describing how they have been incorporated into the charity’s risk management procedures:

  • the linkage between the identification of major risk and the operational and strategic objectives of the charity;
  • procedures that extend beyond financial risk to encompass operational, compliance and other categories of identifiable risk;
  • the linkage of risk assessment and evaluation to the likelihood of its occurrence and impact should the event occur;
  • ensuring that risk assessment and monitoring processes are ongoing and embedded in management and operational processes;
  • trustees' review and consideration of the principal results of risk identification, evaluation and monitoring.

Most charities are already likely to consider risk in the context of their day to day activities. Even where a formal process has not been completed it will often be possible for these aspects of the charity’s approach to risk to be drawn out and for comment to be made as to further developments of the procedures being undertaken or planned.

Although the risk management statement forms an important part of the trustees' Annual Report, there is no requirement for the statement to be audited unless other requirements outside the Charities Act 1993 or the Companies Act 1985 apply (eg Housing Corporation requirements). The SORP requirement does not extend auditors' duties, but auditors who become aware of apparent misstatements or inconsistencies in the trustees' Annual Report, based on their other audit work, will seek to resolve them and will need to consider the impact on their report if such issues cannot be resolved (see Practice Note 11 (Revised), The Audit of Charities).

Appendix II Risk register pro-forma

The pro-forma has the following columns:

  • Risk areas
  • Risk identified
  • Likelihood of occurrence (score)
  • Severity of impact (score)
  • Overall or "gross" risk
  • Control procedure
  • Retained or "net" risk
  • Monitoring process
  • Responsibility
  • Further action required
  • Date of review

Example entry 1

  • Risk identified: Lack of return/diversity of investment portfolio.
  • Likelihood of occurrence (score): Medium (4).
  • Severity of impact (score): High (4).
  • Overall or "gross" risk: Medium/high (16).
  • Control procedure: Investment policy set by trustees. Written instructions to FSA authorised adviser. Quarterly review by trustees.
  • Retained or "net" risk: Low.
  • Monitoring process: Performance reports reviewed quarterly by board.
  • Responsibility: Trustees/treasurer.
  • Further action required: Quarterly agenda item for trustee meeting.
  • Date of review: Quarterly.

Example entry 2

  • Risk identified: Unsatisfactory fundraising returns.
  • Likelihood of occurrence (score): Medium (4).
  • Severity of impact (score): High (5).
  • Overall or "gross" risk: High (20).
  • Control procedure: Financial appraisal of new projects. Benchmarking of returns achieved. Budget reporting by fundraising activity.
  • Retained or "net" risk: Medium.
  • Monitoring process: Financial reporting by fundraising activity. Quarterly reporting by fundraising manager to board/CEO.
  • Responsibility: Fundraising manager/CEO.
  • Further action required: New initiatives to be approved by Board unless included in current business plan. Review of regulatory compliance of current methods.
  • Date of review: Ad hoc; next board meeting.

Appendix III Examples of potential risk areas, their potential impact and mitigation

The charitable sector is by its nature diverse. The nature of activities, funding base, reserves and structures will expose charities to differing areas of risk and levels of exposure. Whilst the areas of risk identified below will warrant consideration by most charities, this listing is not an exhaustive list of all potential areas of risk and should not be a substitute for a charity undertaking its own processes for risk identification.

This list is solely an indication of some of the main areas of risk that may need to be considered by trustees. Illustrative examples of potential impact are given, as well as some illustrative examples of controls or action that might be taken to mitigate the risk or impact. Some risks will fall into more than one category. Although the list is long, it is not exhaustive; there will be other risks that apply to each particular charity, derived from its own circumstances and activities. The charity should first concentrate on the major risks.



Each entry below sets out the potential risk, its potential impact and the steps that may be taken to mitigate it.

Governance and management

The charity lacks direction, strategy and forward planning.

  Potential impact:
  • The charity drifts with no clear objectives, priorities or plans.
  • Issues are addressed piecemeal with no strategic reference.
  • Needs of beneficiaries not fully addressed.
  • Financial management difficulties.
  • Loss of reputation.

  Steps to mitigate risk:
  • Creation of a strategic plan which sets out the key aims, objectives and policies.
  • Creation of financial plans and budgets.
  • Use of job plans and targets.
  • Monitoring of financial and operational performance.
  • Feedback from beneficiaries and funders.

Trustee body lacks relevant skills or commitment.

  Potential impact:
  • Charity becomes moribund or fails to achieve its purpose.
  • Decisions are made bypassing the Board.
  • Resentment or apathy amongst staff.
  • Poor value for money on service delivery.

  Steps to mitigate risk:
  • Skills review.
  • Competence framework and job descriptions.
  • Trustee training.
  • Recruitment processes.

Board of Trustees dominated by one or two individuals, or by connected individuals.

  Potential impact:
  • Trustee body cannot operate effectively as a strategic body.
  • Decisions made outside of trustee body.
  • Conflicts of interest.
  • Pursuit of personal agenda.
  • Culture of secrecy or deference.
  • Arbitrary over-riding of control mechanisms.

  Steps to mitigate risk:
  • Consider the structure of the Board and the independence of its members.
  • Mechanisms agreed to deal with potential conflicts of interest.
  • Recruitment and appointment processes and constitutional validity.
  • Procedural framework for meetings and recording decisions.

Trustees are benefiting from the charity (eg remuneration).

  Potential impact:
  • Reputation, morale and ethos.
  • Impact on overall control environment.
  • Conflicts of interest.
  • Regulatory action.

  Steps to mitigate risk:
  • Ensure legal authority for payment or benefit.
  • Consideration of alternative staffing arrangements.
  • Terms and procedures to authorise/approve expenses and payments.
  • Procedures and methods to establish fair remuneration conducted separately from the "interested" trustee, eg remuneration committee or benchmarking exercise.

Conflicts of interest

  Potential impact:
  • Charity unable to pursue its own interests and agenda.
  • Decisions may not be based on relevant considerations.
  • Impact on reputation.

  Steps to mitigate risk:
  • Understanding of trust law.
  • Protocol for disclosure of potential conflicts of interest.
  • Procedures for standing down on certain decisions.
  • Recruitment and selection processes.

Organisational structure

  Potential impact:
  • Lack of information flow and poor decision making procedures.
  • Remoteness from operational activities.
  • Uncertainty as to roles and duties.
  • Decisions made at inappropriate level or excessive bureaucracy.

  Steps to mitigate risk:
  • Organisation chart and clear understanding of roles and duties.
  • Delegation and monitoring consistent with good practice and constitutional or legal requirements.
  • Review of structure and constitutional change.

Activities potentially outside objects, powers or terms of gift (restricted funds)

  Potential impact:
  • Loss of funds available for beneficiary class.
  • Liabilities to repay funders.
  • Loss of funder confidence.
  • Potential breach of trust and regulatory action.
  • Loss of beneficiary confidence.
  • Taxation implications (if non-qualifying expenditure).

  Steps to mitigate risk:
  • Protocol for reviewing new projects to ensure consistency with objects, powers and terms of funding.
  • Financial systems to identify restricted funds and their application.

Loss of key staff

  Potential impact:
  • Experience or skills lost.
  • Operational impact on key projects and priorities.
  • Loss of contact base and corporate knowledge.

  Steps to mitigate risk:
  • Succession planning.
  • Documentation of systems, plans and projects.
  • Training programmes.
  • Notice periods and handovers.
  • Recruitment processes.

Reporting to trustees (accuracy, timeliness and relevance)

  Potential impact:
  • Inadequate information resulting in poor quality decision making.
  • Failure of Board to fulfil its control functions.
  • Board becomes remote and ill informed.

  Steps to mitigate risk:
  • Proper strategic planning, objective setting and budgeting processes.
  • Timely and accurate project reporting.
  • Timely and accurate financial reporting.
  • Proper project assessment and authorisation procedures.
  • Regular contact between trustees and their managers.

Operational risk

Contract risk

  Potential impact:
  • Onerous terms and conditions.
  • Liabilities for non-performance.
  • Non-compliance with charity's objects.
  • Indirect subsidy of public provision.

  Steps to mitigate risk:
  • Cost/project appraisal procedures.
  • Authorisation procedures.
  • Professional advice on terms and conditions.
  • Performance monitoring arrangements.
  • Insurable risks cover.

Service provision – customer satisfaction

  Potential impact:
  • Beneficiary complaints.
  • Loss of fee income.
  • Loss of significant contracts or claims under contract.
  • Negligence claims.
  • Reputational risks.

  Steps to mitigate risk:
  • Quality control procedures.
  • Complaints procedures.
  • Benchmarking of service.

Project or service development

  Potential impact:
  • Compatibility with objects, plans and priorities.
  • Funding and financial viability.
  • Project viability.
  • Skills availability.

  Steps to mitigate risk:
  • Project appraisal and costing procedures.
  • Authorisation procedures.
  • Monitoring and reporting procedures.

Competition

  Potential impact:
  • Loss of contract income.
  • Reduced fund-raising potential.
  • Reduced profile.
  • Profitability of trading activities.

  Steps to mitigate risk:
  • Monitoring performance and quality of service.
  • Review of market and methods of service delivery.
  • Fund-raising strategy.
  • Regular contact with funders.
  • Public awareness and profile.

Suppliers, dependency, bargaining power

  Potential impact:
  • Dependency on key supplier.
  • Lack of supplier to meet key operational objectives.
  • Non-competitive pricing/quotes.
  • Insufficient buying power.

  Steps to mitigate risk:
  • Use of competitive tendering for larger contracts.
  • Procedures for obtaining quotations.
  • Authorised suppliers listing.
  • Monitoring of quality/timeliness of provision.
  • Use of service level agreements.
  • Use of buying consortia.

Capacity and use of resources, including tangible fixed assets

  Potential impact:
  • Under-utilised or lack of building/office space.
  • Plant and equipment obsolescence impacting on operational performance.
  • Mismatch between staff allocations and key objectives.
  • Spare capacity not being utilised or turned to account.

  Steps to mitigate risk:
  • Building and plant inspection programme.
  • Repair and maintenance programme.
  • Capital expenditure budgets.
  • Efficiency review.

Security of assets

  Potential impact:
  • Loss or damage.
  • Theft of assets.
  • Infringements of intellectual property rights.

  Steps to mitigate risk:
  • Review of security.
  • Asset register and inspection programme.
  • Facility management arrangements.
  • Safe custody arrangements for title documents.
  • Management of patent and intellectual property.
  • Insurance reviews.

Fund-raising

  Potential impact:
  • Unsatisfactory returns.
  • Reputational risks of campaign or methods used.
  • Actions of agents and commercial fund-raisers.
  • Compliance with law and regulation.

  Steps to mitigate risk:
  • Appraisal, budgeting and authorisation procedures.
  • Review of regulatory compliance.
  • Monitoring of the adequacy of financial returns achieved (benchmarking comparisons).
  • Complaints review procedures.
  • Stewardship reporting in annual report.

Employment issues

  Potential impact:
  • Employment disputes.
  • Health and safety issues.
  • Claims for injury, stress, harassment, unfair dismissal.
  • Equal opportunity issues.
  • Adequacy of staff training.
  • Child protection issues.
  • Low morale.

  Steps to mitigate risk:
  • Recruitment processes.
  • Reference and qualification checking procedures, job descriptions, contracts of employment, appraisals and feedback procedures.
  • Job training and development.
  • Health and safety training and monitoring.
  • Staff vetting and legal requirement checks.

High staff turnover

  Potential impact:
  • Loss of experience or technical skills.
  • Recruitment costs and lead time.
  • Training costs.
  • Operational impact on staff morale and service delivery.

  Steps to mitigate risk:
  • Interview and assessment processes.
  • Fair and open competition appointment for key posts.
  • Job descriptions, performance appraisal and feedback.
  • Conduct "exit" interviews.
  • Consider rates of pay, training, working conditions, job satisfaction.

Volunteers

  Potential impact:
  • Competences and training.
  • Vetting and reference procedures.
  • Recruitment and dependency.

  Steps to mitigate risk:
  • Assessment of role, competencies.
  • Vetting procedures.
  • Training and supervision procedures.
  • Development and motivation.

Health, safety and environment

  Potential impact:
  • Staff injury.
  • Product or service liability.
  • Ability to operate (see Compliance risks).

  Steps to mitigate risk:
  • Compliance with law and regulation.
  • Compliance officer and training.
  • Monitoring and reporting procedures.

Disaster recovery and planning

  Potential impact:
  • Computer system failures or loss of data.
  • Destruction of property, equipment, records through fire, flood or similar damage.

  Steps to mitigate risk:
  • IS recovery plan.
  • Data back-up procedures and precautions.
  • Insurance cover.
  • Disaster recovery plan for alternative accommodation.

Procedural and systems documentation

  Potential impact:
  • Lack of awareness of procedures and policies.
  • Actions taken without proper authority.

  Steps to mitigate risk:
  • Proper documentation of policies and procedures.
  • Audit and review of systems.

Information Technology

  Potential impact:
  • Systems fail to meet operational need.
  • Failure to innovate or update systems.
  • Loss/corruption of data, eg donor base.
  • Lack of technical support.

  Steps to mitigate risk:
  • Appraisal of system needs and options.
  • Security and authorisation procedures.
  • Implementation and development procedures.
  • Use of service and support contracts.
  • Disaster recovery procedures.
  • Outsourcing.
  • Insurable loss.

Financial risks

Budgetary control and financial reporting

  Potential impact:
  • Budget does not match key objectives and priorities.
  • Decisions made on inaccurate financial projections or reporting.
  • Decisions made based on unreliable costing data.
  • Inability to meet commitments or key objectives.
  • Poor credit control.
  • Poor cash flow and treasury management.
  • Ability to function as a going concern.

  Steps to mitigate risk:
  • Budgets linked to business planning and objectives.
  • Timely and accurate monitoring and reporting.
  • Proper costing procedures for product or service delivery.
  • Adequate skills base to produce and interpret budgetary and financial reporting.
  • Procedures to review and action budget/cash flow variances.

Reserves policies

  Potential impact:
  • Lack of liquidity to respond to new needs or requirements.
  • Inability to meet commitments or planned objectives.
  • Reputational risks if policy cannot be justified.

  Steps to mitigate risk:
  • Reserves policy linked to business plans, activities and identified financial and operating risk.
  • Regular review of policy.

Cash flow sensitivity

  Potential impact:
  • Inability to meet commitments.
  • Lack of liquidity to cover variance.
  • Impact on operational activities.

  Steps to mitigate risk:
  • Adequate cash flow projections (prudence of assumptions).
  • Identification of major sensitivities.
  • Adequate information flow from operational managers.
  • Monitoring arrangements and reporting.

Dependency on income sources

  Potential impact:
  • Cash flow and budget impact of loss of income source.

  Steps to mitigate risk:
  • Identification of major dependencies.
  • Adequate reserves policy.
  • Diversification plans.

Pricing policy

  Potential impact:
  • Reliance on subsidy funding.
  • Cash flow impact on other activities.
  • Loss of contracts if uncompetitive.
  • Affordability of services to beneficiary class.

  Steps to mitigate risk:
  • Costing of services and contracts.
  • Comparison with other service providers.
  • Procedures to notify and agree price variations with funders.
  • Monitoring of funder satisfaction.

Borrowing

  Potential impact:
  • Interest rate movements.
  • Ability to meet repayment schedule.
  • Security given over assets.
  • Regulatory requirements.

  Steps to mitigate risk:
  • Appraisal of future income streams.
  • Appraisal of terms (rates available, fixed, capped, variable etc).
  • Appraisal of return on borrowing.
  • Proper advice procedures.

Guarantees to third parties

  Potential impact:
  • Call made under guarantee.
  • Lack of reserves or liquidity to meet call.
  • Consistency with objects and priorities.

  Steps to mitigate risk:
  • Approval and authority procedures.
  • Procedures to ensure consistency with objects, plans and priorities.
  • Financial reporting of contingency and amendment to reserves policy.

Foreign currency

  Potential impact:
  • Currency exchange losses.
  • Uncertainty over project costs.
  • Cash flow impact on operational activities.

  Steps to mitigate risk:
  • Cash flow management and reserves policy.
  • Currency matching.
  • Forward contracts for operational needs.

Pension commitments

  Potential impact:
  • Under-funded defined benefit scheme.
  • Impact on future cash flows.
  • Failure to meet due dates of payment.
  • Regulatory action or fines.

  Steps to mitigate risk:
  • Actuarial valuations.
  • Review of pension scheme arrangements (eg money purchase schemes).
  • Procedures for admission to scheme and controls over pension administration.

Inappropriate or loss-making non-charitable trading activities

  Potential impact:
  • Resources withdrawn from key objectives.
  • Resources and energy diverted from profitable fund-raising or core activities.
  • Regulatory action, and accountability.
  • Reputational risk if publicised.

  Steps to mitigate risk:
  • Monitoring and review of business performance and return.
  • Adequacy of budgeting and financial reporting within the subsidiary or activity budget.
  • Adequate authorisation procedures for any funding provided by the charity (prudence, proper advice, investment criteria).
  • Reporting funding and performance as part of the charity's own financial reporting system.
  • Viability appraisal.

Investment policies

  Potential impact:
  • Financial loss through inappropriate or speculative investment.
  • Financial loss through lack of investment advice, lack of diversity.
  • Cash flow difficulties arising from lack of liquidity.

  Steps to mitigate risk:
  • Investment policy.
  • Proper investment advice or management.
  • Diversity, prudence and liquidity criteria.
  • Adequate reserves policy.
  • Regular performance monitoring.

Protection of permanent endowment

  Potential impact:
  • Loss of future income stream or capital values.
  • Buildings unfit for purpose.
  • Income streams inappropriate to meet beneficiary needs.

  Steps to mitigate risk:
  • Investment policy.
  • Proper investment advice or management.
  • Diversity, prudence and liquidity criteria.
  • Regular performance monitoring.
  • Maintenance and surveyor inspection of buildings.
  • Insurance.

Compliance with donor-imposed restrictions

  Potential impact:
  • Funds applied outside restriction.
  • Repayment of grant.
  • Future relationship with donor and beneficiaries.
  • Regulatory action.

  Steps to mitigate risk:
  • Systems to identify restricted receipts.
  • Budget control, monitoring and reporting arrangements.

Fraud or error

  Potential impact:
  • Financial loss.
  • Reputational risk.
  • Regulatory action.
  • Impact on funding.

  Steps to mitigate risk:
  • Financial control procedures.
  • Segregation of duties.
  • Authorisation limits.
  • Security of assets.
  • Insurable risks.

  Further advice is available in our guidance CC8.

Environmental/external factors

Public perception

  Potential impact:
  • Impact on voluntary income.
  • Impact on use of services by beneficiaries.
  • Ability to access grants or contract funding.

  Steps to mitigate risk:
  • Communication with supporters and beneficiaries.
  • Quality financial, annual report and review reporting.
  • PR training/procedures.

Adverse publicity

  Potential impact:
  • Loss of donor confidence or funding.
  • Loss of influence.
  • Impact on morale of staff.
  • Loss of beneficiary confidence.

  Steps to mitigate risk:
  • Complaints procedures (both internal and external).
  • Proper review procedures for complaints.
  • Crisis management strategy for handling, consistency of key messages, nominated spokesperson etc.

Relationship with funders

  Potential impact:
  • Deterioration in relationship may impact on funding and support available.

  Steps to mitigate risk:
  • Regular contact and briefings to major funders.
  • Project reporting.
  • Meeting funders' terms, conditions and requirements.

Demographic considerations

  Potential impact:
  • Impact of demographic distribution of donors or beneficiaries.
  • Increasing or decreasing beneficiary class.
  • Increasing or decreasing donor class.

  Steps to mitigate risk:
  • Profiling of donor base.
  • Profiling and understanding of beneficiary needs.
  • Use of actuarial analysis to establish future funding requirements.

Government policy

  Potential impact:
  • Availability of contract and grant funding.
  • Impact of tax regime on voluntary giving.
  • Impact of general legislation or regulation on activities undertaken.
  • Role of voluntary sector.

  Steps to mitigate risk:
  • Monitoring of proposed legal and regulatory changes.
  • Membership of umbrella bodies.

Compliance risk (law and regulation)

Compliance with legislation and regulations

Consideration of law and regulations needs to be specific to each individual charity, as risk areas will depend on the activities undertaken. The following examples should not therefore be used as a checklist:

  • Charity law
  • Companies Act
  • Own constitution
  • Data Protection Act
  • Disability Discrimination Act
  • Laws relating to care of beneficiaries (eg Children Act, care of the elderly etc)
  • Employment law (redundancy, unfair dismissal, minimum wages)
  • Trustee Act
  • Human Rights Act
  • Race relations
  • Health and safety law (fire regulations etc)

  Potential impact:
  • Fines, penalties or censure from licensing or activity regulators.
  • Loss of licence to undertake particular activity (link to operational risks).
  • Employee or consumer action for negligence.
  • Reputational risks.

  Steps to mitigate risk:
  • Identify key legal and regulatory requirements.
  • Allocate responsibility for key compliance procedures.
  • Compliance monitoring and reporting.
  • Preparation for compliance visits.
  • Compliance reports from regulators, auditors and staff considered and actioned at appropriate level.

Regulatory reporting requirements

Financial and other reporting requirements will depend on how the charity is constituted and may also vary according to funding arrangements.

  Potential impact:
  • Regulatory action.
  • Reputational risks.
  • Impact on funding.

  Steps to mitigate risk:
  • Compliance procedures and allocation of staff responsibilities.

Taxation

  Potential impact:
  • Penalties, interest and "back duty" assessments.
  • Loss of income, eg failure to utilise gift aid arrangements.
  • Loss of mandatory or discretionary rate relief.
  • Failure to utilise tax exemptions and reliefs.

  Steps to mitigate risk:
  • PAYE compliance procedures.
  • VAT review procedures.
  • Understanding of exemptions and reliefs available (direct tax and VAT).
  • Advice on employment status and contract terms.
  • Budget and financial reporting identifying trading receipts and tax recoveries.

Professional advice

  Potential impact:
  • Lack of investment strategy or management.
  • Failure to optimise fiscal position.
  • Contract risks.
  • Failure to address compliance risks.

  Steps to mitigate risk:
  • Identification of and access to professional advice.
  • Identification of issues where advice is required.
  • Compliance reviews.

© 2012 Crown Copyright