Risk management

Risk management is either a regulatory or best practice requirement for charities. The headline links below give you access to articles on key risk management priorities.

Taking precautions against legacy fraud

Whilst a recent Supreme Court decision limits an insurer’s ability to avoid liability for fraud, you have to spot the theft in the first place to be able to seek redress. In autumn 2021, this journal reported on a Court of Appeal decision that a solicitor’s dishonesty alone is not a sufficient link between a number of claims for an insurer to aggregate those claims.

In other words, if a fraudulent solicitor has stolen from a number of estates they are administering, an insurer cannot seek to limit its liability on the basis that all acts by that solicitor (even if there is no connection between them other than the solicitor) should be considered as one insurance claim, thus subject to one insurance limit.

If a law firm only has the minimum level of insurance in place (£2 million or £3 million for aggregated claims), it is astonishing how inadequate the insurance could be were it possible to consider all claims as one.

A theft from a deceased person’s estate is rarely an isolated event. The more likely scenario is that the solicitor steals again, whether from the same estate or a different one.

The thefts Linda Box committed (which led to the case mentioned above) rapidly smashed through the £2m insurance limit her firm had in place, and that is where her firm’s insurer wanted its involvement to end.

Line drawn

The Court of Appeal did not allow that to happen and now the Supreme Court has drawn a line under the matter by way of its refusal of the insurer’s application for permission to appeal the Court of Appeal’s decision.

Whilst this is great news for beneficiaries of defrauded estates, a disproportionate percentage of which are charities, those charities can only make a claim if they notice that they have been a victim of fraud.

There is no getting away from the fact that charities are easy targets for those willing to commit legacy fraud. In the vast majority of cases, charity beneficiaries do not know how much the testator/testatrix was worth so have no idea what they should expect to receive as a share of residue.

Practical steps

However, there are a number of practical steps charities can take to guard against (or at least spot sooner) those who seek to exploit a charity’s vulnerable status.

COMPARE GROSS AND NET ESTATE VALUES IN ESTATE ACCOUNTS (OR SCHEDULE OF ASSETS AND LIABILITIES IF THAT IS PRODUCED FIRST) TO THE FIGURES ON THE GRANT OF PROBATE. Is there a significant drop in value that cannot be explained by events during the administration that you have been notified about, or the reasonable costs of an administration? Many executors never notice/forget about the figures on the grant and thus it can often not occur to a fraudulent executor that this may catch them out.

DO NOT ACCEPT PARTIAL ESTATE ACCOUNTS. A regular trick is to just deliver a distribution page from an apparently larger set of estate accounts, or a synopsis of a larger account (say a global figure for the total value of the alleged assets and a global figure for the total value of the alleged liabilities) to support the sum distributed. The chances are that a proper set of estate accounts does not exist or, if it does, the executor has a reason he/she does not want you to see it.

USE EXTERNAL SOURCES TO VALIDATE ENTRIES IN ESTATE ACCOUNTS. Estate agent websites and Google searches on properties can help substantiate figures in a set of estate accounts. You may discover that the deceased’s property is being marketed for sale for a considerably greater sum than is attributed to the property in the estate accounts. Alternatively, you may even discover that the deceased’s property has been sold by the executor and then immediately marketed for sale for a considerably greater sum.

Quick buck

There have been a number of cases where the executor has sought to make a “quick buck” with an initial sale as part of the estate administration to an accommodating third party, who promptly sells on with, one assumes, a cut of the gain making its way back to the executor.

ASK FOR DOCUMENTS TO SUBSTANTIATE THE VALUE ATTRIBUTED TO SIGNIFICANT ASSETS AND/OR LIABILITIES. As much as an executor may try to argue otherwise, you are entitled to such documents if it is reasonable to request them.

ASSESS THE RISK. The reality is that the risk of fraud is greater if an estate is not being dealt with by a professional, or there is a professional executor but they are operating alone (say a sole practitioner solicitor or a financial adviser).

By virtue of the involvement of other people it is considerably more difficult to steal from an estate if the executor works alongside others and, specifically, there is more than one person dealing with the administration.

Red flag

If you have a query about an administration, say an apparent lack of progress and/or incomplete information and you phone a small practice and are told there is only one person who knows about an administration and no one else can even access the file/papers, a red flag should be raised in your mind. If that set of circumstances has arisen and the executor is working absolutely alone, the red flag should be billowing forcefully in the wind.

BE WARY OF DELAY. We all know that it can take a considerable time to administer an estate. However, an unexplained delay or repeated prevarication should set alarm bells ringing. Sometimes estate administrators hope that if they stall for long enough charity beneficiaries will give up in preference for closing their files. Persistence will usually pay off in the end.

SCRUTINISE LIFETIME GIFTS. If there are instances where solicitors misappropriate funds from estates, then it is logical to assume that the same temptation is present, and acted upon, where professionals act as a deceased’s attorney during his or her lifetime. In these instances, it is helpful to know how long they acted in this capacity, the fees they charged and to what these charges related.

Request details

The legacy officer should ask for details of lifetime gifts, request IHT documents and scrutinise estate accounts for mention of unexpected IHT, even if this is mentioned by way of a rebate, indicating that some IHT was paid initially and thus gifts were allegedly made. There are strict rules on gifts to attorneys, so it is unlikely that the former attorney, now estate administrator, will be able to cover their tracks in this way.

GO WITH YOUR GUT INSTINCT. Sometimes it is hard to piece together all the information which one is given initially, but you can get a sense that something is not quite as it should be. Perhaps a will clause looks out of place, an estate account item does not feel right, or an estate administrator is being particularly evasive. If so, then it is worth asking questions. Whilst the vast majority of professionals are above board and working to a high standard, it is amazing what can be uncovered by a vigilant legacy officer.

FOCUS ON FEES. This can be such a hotly contested area and it is appreciated that the more complex the administration, then the higher the costs. If the charges rendered seem out of proportion to the work it seems to you the estate administrator did then, again, a red flag should be raised.

A breakdown of costs can put the legacy officer’s mind at rest (as there could well have been work carried out behind the scenes) but the red flag should be hoisted further where the breakdown is not provided or the information within it is opaque.

Eye-watering charges

Some of these charges are eye-watering and, whilst the professional is performing a chargeable service for which there is a contract, the charges must be fair and reasonable in the circumstances. The level and justifications behind the billed time do sometimes feed into the narrative of charities being easy targets.

ABOVE ALL, COMMUNICATE. Charities are great at doing this. Tell each other what information you have received and what distributions you have received. Do not assume your co-beneficiaries have received the same. It is astonishing how often executors will distribute different amounts to beneficiaries with the same interest and/or different estate accounts.

If executors have given you any cause for concern, e.g. they have been slow to notify you of a legacy; they are reluctant to part with information/documents; unresponsive to communications; displaying an attitude that you should just be “thanking and banking”, then it is worth checking in with your co-beneficiaries. There is strength in numbers and information is power.

Harsh reality

The harsh reality is that there is nothing you can do to protect your charity against some criminal activity. Linda Box’s victims had no way of knowing she had diverted the deceased's assets before they had even reached her law firm’s accounts (the fact that the appointment as a personal representative is a personal appointment, thus assets can be cashed in via cheques into that person’s own name, facilitates this).

Nor did the victims know, say, that the deceased person did not have an MBNA credit card liability (and that instead the bill was one of Linda Box’s which she was paying off via the estate). However, there are steps you can take, as outlined above, to remain vigilant and to enable you to take swift and decisive action when the circumstances justify it.

Wilsons’ Fiona Campbell-White and British Heart Foundation’s Kate Vowden – there is no getting away from the fact that charities are easy targets for those willing to commit legacy fraud.

Understanding and reducing risk in charity care facilities

The number of risks faced by care providers in the charity sector can feel daunting, but there is much that can be done to mitigate the issues. Dealing with fraud, violence against staff, personal data, safeguarding and protection of service users are just some of the daily challenges charity care providers face. For trustees and managers, risk management plans and procedures are an important part of a charity’s governance requirements.

Effective risk management will not only reduce the likelihood of unexpected events, but it also removes many of the barriers to the charity’s development and future success.

Some risks can’t be insured in the traditional sense such as funding problems and austerity, loss of contracts and downturns in investment performance. However, insurance can protect against a wide range of potential risks most charities face.

Insurable risks that apply to most care charities include:

  • Responsibility to third parties – such as the risk of being sued by members of the public or service users if injured, negligent care provision and the risk of being sued for non-performance of professional duties.
  • Responsibility as an employer – such as the risk of being sued by an employee injured in the course of their employment.
  • Protection of assets – such as fraud or loss of money, damage to property and the costs associated with closure due to fire, flood and other causes.

Identifying risk and implementation of procedures can be overwhelming. However, it is worthwhile being aware of the more common risks facing the sector and establishing robust procedures to reduce or eliminate them.

In this article, we’ll look at abuse, medical malpractice, breach of professional duty, fraud, and cyber and data risks in more detail, including a number of risk management strategies that will help guard against these eventualities.

Abuse and safeguarding

Abuse can be physical, emotional or sexual and can include service users being abused by employees or even by other service users.

There have been a number of high profile abuse cases in care in recent years. A 2019 Panorama investigation uncovered evidence of widespread abuse at Whorlton Hall, for example. A 2018 survey by University College London found that, in 91 out of 92 providers surveyed, staff had witnessed abuse of one form or another in the preceding three months – albeit many of the issues reported were low level forms of abuse relating to poor practice or service

Here is some abuse risk management guidance:

  • Appoint a safeguarding lead and integrate safeguarding within job descriptions.
  • Build in regular staff training sessions and cover safeguarding in inductions.
  • Understand what needs to be reportable under the charity’s safeguarding procedures and clarify the thresholds for reporting with the local authority safeguarding team.
  • Be clear on what notifiable safeguarding incidents should be reportable to CQC or OFSTED.
  • Keep good written accounts of events and always stick to the facts.

Medical malpractice

Medical treatment is an everyday requirement in many care charities, and can involve qualified healthcare professionals visiting the facility as well as employees performing more basic medical care.

Claims against care organisations can be commonplace and come in a variety of forms, including allowing bed sores to develop or administering medicines incorrectly. Causing bruising or fractures when moving a patient or missing signs of dehydration and malnutrition can also give rise to a claim, as can allowing an existing medical condition to deteriorate through negligent care.

Healthcare professionals must be members of their recognised UK governing professional body or association; and may be required to have their own malpractice insurance in place. Employees performing more basic medical care must have appropriate training for what they are expected to do.

Here is some medical malpractice risk management guidance:

  • Conduct checks on all medical professionals engaging with the charity to ensure they are fit to practise.
  • Ensure employees, contractors and volunteers understand the scope of their role and have appropriate and regular training to perform the tasks they are being asked to do.
  • Carry out appropriate checks on new recruits to be sure that their skills and qualifications are genuine.
  • Encourage employees to seek the help of a more senior individual if they are unsure about an action they are about to take.

Breach of professional duty

Professional negligence claims can arise when a client or beneficiary suffers loss, damage or injury caused by failure to perform to a required professional standard, or where there is a breach of duty of care.

Care organisations are challenging working environments and duty of care breaches can often arise. Inadequate care assessments or planning can result in a claim as can a failure to monitor and appropriately manage a service user’s care needs.

Here is some breach of professional duty risk management guidance:

  • Carry out all appropriate checks on new recruits to be sure that their skills and qualifications are genuine.
  • Ensure all employees, contractors and volunteers understand the scope of their roles and have appropriate and regular training to carry them out.
  • Encourage team members to seek the help of a more senior individual if they are unsure about an action they are about to take.

Fraud challenges

There are many reports of unscrupulous charity workers stealing from their employers and, according to the Annual Fraud Indicator, fraud costs UK charities over £2.5bn a year. A combination of easier access to cash, the trusting nature of the profession and exploitation of sometimes weak audit systems means that charities can be easy targets for fraud.

The fraud challenges for the charity sector as a whole of course apply to care charities. Common types of overall charity fraud include the internal misuse of a charity’s money, including stealing donated cash or misuse of credit cards or expense accounts. External fraud can occur through false supplier invoices (a particular risk for care charities) or hacking of e-mail accounts. Unauthorised fundraising where fraudsters ask for money in a charity’s name and pocket the cash themselves also takes place on frequent occasions.

Credit card scams are also worth highlighting. Here fraudsters pretend they wish to donate a large sum of money, but only if the charity sends a proportion to their other favourite charity. The bank details are the fraudster’s personal account, and the “donation” is made using a stolen credit card.

The following fraud risk management practices should be undertaken:

  • Ensure written references are obtained for employees with responsibility for money, stock or access to finance systems.
  • Audit the finance department, and anyone else with access to money, regularly and check for unusual transactions or unexpected patterns.
  • Ensure all expense claims are as described on the claim form, accompanied by a receipt and submitted within a reasonable time period.
  • Ensure all invoices are assigned an owner who can verify that services or goods have been received, before invoices are paid.
  • Look out for unusually large donations and complex donor terms and conditions.

Cyber and data risks

Cybercrime and data loss are high profile risks for all charities. An attack can result in the theft of personal data, access to records being blocked and other damaging incidents that can interrupt daily activity or impact the ability to care for service users. Reputations can be damaged and money lost through regulatory fines, legal and IT security costs.

Care charities need to be aware of several important risk categories, including loss or theft of data, where electronic or physical data is lost through a stolen laptop or lost paperwork. Cybercrime is now a major issue and can result in data loss or compromised systems through hacking and/or the installation of malicious computer code.

Software vulnerabilities, especially where outdated protection exists, can leave computer systems vulnerable to hackers. And human error can cause data to be lost or compromised by emailing, posting or faxing it to the wrong recipient.

The Information Commissioner’s Office has not spared care charities fines when they have been deemed to be failing to comply with its rules.

Cyber and data risk management is highly technical but the following measures should be carried out:

  • Encrypt all electronic devices, but particularly those that can be removed from the premises, including laptops and mobile phones.
  • Install robust anti-virus and email security software.
  • Have controls in place in relation to electronic and physical data, and include procedures in staff handbooks and induction sessions.
  • Deploy industry standard protocols for data and information back-ups.

Risk management is worth it

Adherence to risk management procedures does pay dividends as the following example shows.

In one case, a care worker sued their employer following an incident that resulted in the employee being injured and concussed. The claim alleged that the provider did not provide appropriate restraint training resulting in the employee being punched by a service user as they were trying to restrain them.

Following an investigation, it was found that the care provider had both a care plan and risk assessment in place for the service user involved in the incident. The employee had also received the relevant training, but had failed to implement the restraint correctly.

In this instance, the care provider was not held liable because it had put in place robust and detailed risk management procedures that, had they been followed, may well have helped to avoid the incident.

Wide range of scenarios

Care providers in the charity sector are exposed to risk on a day-to-day basis. Much of that risk is standard to all organisations but some is more prevalent in the care environment. Risk management needs to take into account a wide range of scenarios and, because the care sector is so diverse, there is rarely a one-size-fits-all approach. Each risk category requires thorough consideration and implementation of specific processes and procedures.

Deployed effectively, risk management can significantly reduce risk for charity care providers and, in this respect, needs to be high on the agenda of those who govern and manage such charities. Indeed, best practice will integrate risk management with delivery procedures and governance systems. Where monitoring and auditing processes are of a high standard the care charity will be more able to react decisively when something does go wrong to protect its dependants and reputation.

Markel’s Wendy Cotton – deployed effectively, risk management can significantly reduce risk for charity care providers.

Charities quantifying and responding to cyber risks

The cyber threats to charities are growing exponentially year on year. Many observers now believe that it is a case of "when" rather than "if" a charity will be the subject of a direct cyber attack, while some charities have inevitably been caught up in the fallout from cyber attacks directed at other organisations, or by general cyber sabotage, e.g. international attacks.

Cyber breaches are a great threat to charities, yet only a few can truly quantify just how great the threats really are to themselves.

That being the case, how do charities know they are correctly prioritising their risk management efforts and insurance spend? Completely eliminating risk is impossible and this means discovering new methodologies to help them quantify their investment spending. Here we explore how charities can calculate and measure cyber exposures.

Assessing risks and remedies

Charities in particular are a high profile target as they hold information on volunteers, staff and donors and the implications of GDPR (General Data Protection Regulation) mean significant fines are on the horizon. Therefore it is critical to understand and mitigate the cyber exposure.

The first step in putting a financial figure on cyber risks is to identify your charity’s most important assets and its biggest vulnerabilities.

Cyber risks generally fall into two categories:

  1. Systems risks - those that involve services shutting down.
  2. Data risks - those that compromise information, ranging from sensitive data of your employees or volunteers to bank accounts.

But assumptions will differ greatly depending on the nature of employees, volunteers and donors.

The challenge is to build a smart, well designed cyber risk model that is able to capture and analyse potential direct revenue, liability and brand loss scenarios. Also important are probable ancillary costs related to fixing the problem: forensics, consulting costs, notification costs and potentially large regulatory fines.

Appreciating financial implications

To give you an idea of your exposure, below are the financial implications of cyber risk:

With third party liabilities, for instance, you might be asked to compensate partners with years of remediation, so alongside damages you will need to consider legal fees and credit monitoring expenses.

Using both internal and external data relating to the operations and the health of their organisation, charities should be able to predict their expected possible cyber losses over a one to three year period, just as they can forecast anticipated revenues. They should also be able to estimate what percentage of their income could suffer if their reputation was damaged.

Charities should also judge, in part from previous incidents even if not direct cyber attacks, which applications are at highest risk.

Risk management expenditure

With this information it will be easier for managers to gauge if their charities have the right level of cyber risk protection as well as help to budget for potential additional spending.

Questions like "how much should the charity invest in evaluating the state of its vendors’ and partners' cyber security?" and "at what cost is more authentication software appropriate given the likelihood that critical data will be accessed?" become much clearer.

Charities can also balance how much they should invest in training of employees and volunteers, or in more technical controls to monitor potential cyber breaches.

These quantification techniques really help to evaluate not only where investment pounds may be best spent but also often the viability of investing in a new product or service.

Cyber crisis management plan

An experienced insurance broker should work alongside a charity to create a plan tailored to the way the charity operates, to respond to a cyber incident. This should work in conjunction with the charity's existing business continuity plan.

The worst really can happen to a charity as this real life example shows:

A medium sized charity was subject to a ransomware attack and contacted its insurance broker for help as its outsourced IT firm was unable to provide meaningful assistance. The charity had not purchased cyber liability cover despite a competitive quotation provided in the previous months. However, the claim was made under the charity's special contingency policy. The insurer's emergency assistance providers were able to provide advice in dealing with the criminals and arrange for the bitcoin ransom to be paid.

A forensic IT firm was appointed to identify and remedy the breach as well as providing ongoing monitoring. The charity’s system was quickly back on line and it was able to continue with its humanitarian work both in the UK and overseas. The total claim cost was £80,000, of which £4,500 was the ransom paid.

Charities are just as vulnerable to cyber attacks as other organisations, and the precautions, consequences, responses and other issues which organisations have to contemplate relate to charities as well.

Necessary risk mitigation

99.3% of cyber attacks could be mitigated or partially mitigated by these five basic controls:

  1. Boundary firewalls and internet gateways. These are devices designed to prevent unauthorised access to or from private networks, but good set-up of these devices either in hardware or software form is important for them to be fully effective.
  2. Secure configuration. Ensuring that systems are configured in the most secure way for the needs of the charity.
  3. Access control. Making sure only those who should have access to systems have access and at the appropriate level.
  4. Malware protection. Ensuring that virus and malware protection is installed and is up to date.
  5. Patch management. Ensuring the latest supported version of applications is used and all the necessary patches supplied by the vendor have been applied.

Insurance perspectives

It will often be the case that cyber insurance represents great value for charities bearing in mind the potential financial liabilities from cyber risk.

The cyber insurance market has developed rapidly in the last few years with many new carriers entering the market. Every insurer has developed cover in their own way and comparing policy wordings is challenging and how insurers respond to various risks is not the same. Even so-called "best of breed" policies can have their drawbacks.

When placing cover the following must be taken into account:

Is social engineering (when a third party fraudster mimics legitimate correspondence) included and to what degree? How does the business interruption cover work and when is it triggered? Are all notification costs covered or only those mandated by law?

Will the outsourced service provider be covered? This is particularly important if the data is migrated to the cloud. Are payment card industry fines covered? What retroactive date will apply?

Are the policy conditions reasonable? Policy conditions such as: a confidentiality clause; a reasonable precautions condition precedent (the charity being required to take all reasonable precautions); searches required to identify prior circumstances; compliance with subrogation waivers (limiting the rights of the insurer) being prohibited – most policies contain this; the requirement to use the insurer's chosen experts; non-contribution (other covers for the same risk not operating) – this needs to dovetail with other policies.

Is contractual liability included? Is physical damage following a cyber attack included? Are forensic costs included? Are Information Commissioner’s Office investigation costs included? What is the situation regarding cyber extortion? In some countries it is illegal to insure against extortion, something to be examined if the charity is operating overseas and it has IT there which could be vulnerable. Is negligent transmission of a virus included?

Immediate access to advice

The true value of a cyber insurance policy for a charity is the immediate access to expert advice following a breach. The more experienced cyber insurance brokers have providers in place to deal with all aspects of a cyber incident both in the UK and internationally.

So there are comprehensive insurance facilities available to charities in the event of a cyber attack - charities should make full use of them, but they do need to obtain the cover before they are affected by an attack.

Sutton Winson's Hamish Kent - the challenge is to build a smart, well designed cyber risk model that is able to capture and analyse potential direct revenue, liability and brand loss scenarios.

The risk management imperative for charities

Funding, cyber security, partnerships… these are just some of the emerging risks that could plague a charity of any size, at any time. As for most organisations, avoiding significant interruption to day-to-day running is an absolute must. But are charities paying enough attention to keeping their risk management protocols up to date?

Meaningful risk management is best achieved through a fine balance: manage too obsessively and a charity runs the risk of missing out on opportunities to innovate. Taking a more relaxed approach on the other hand leaves it unprepared for an incident.

The most recent annual Charity Risk Survey found that 52% of charities surveyed reported having used the same method of risk management as in the preceding year. This may not necessarily be a worrying trend – it could just suggest that charities feel their current methods are adequate.

However, the risk environment is continually in flux, and whilst even the best risk management strategy can rarely prevent incidents from occurring outright, it is vital that charities keep their strategy under constant review to ensure that the balance between managing risk and embracing innovation is struck.

New technology and risk

Continually evolving risk can impose an immense pressure on charities which want to change and innovate. In addition to an increasingly difficult funding environment, another ongoing consideration for charities is the need to navigate rapidly changing technological developments.

Social media, the growing threat of cyber crime, and the need to guarantee data security are creating new and unprecedented pressures for charities, and the public increasingly expect them to be on top of these issues.

Indeed, research into public trust in charities with regards to data security has found that more than two thirds (68%) of people would be discouraged from donating online or via mobile in the future in the event of a data breach. Perhaps even more concerning, four in ten (42%) stated that it would discourage them from donating by any means in the future.

It may be impossible entirely to prevent these technology led incidents from occurring, but it is crucial that charities recognise and understand such risks, and put in place sufficient precautions so that they are as well prepared as possible should an incident occur. The public generally accept that things sometimes go wrong, but what is often hard to explain is when an organisation was unprepared for an incident that had already been identified.

Keeping risks in focus

It is of course the case that funding difficulties, social media and other risks have bred incredible innovations from charities, searching for ways to adapt to, and make the most of, changing circumstances. The challenge for charities is keeping up with the opportunities presented by change, while keeping risks in focus.

As already emphasised, it is important to ensure that a charity's approach to managing emerging risks doesn’t quash potential opportunities to innovate. Here are five practical questions a charity can ask itself in order to strike this balance:

  1. What risks have we seen emerge over the past one, three, five and ten years?
  2. What processes do we have in place for identifying and quantifying emerging risks?
  3. Who in our charity is responsible for overseeing this?
  4. How often are we refreshing our risk strategy to include emerging risks?
  5. How are we integrating emerging risks into our decision making process?

The ever-growing expansion of social media is an excellent example of a recent development that presents immense opportunities as a fundraising and campaigning tool for charities, but which also carries risk. For example, one much cited concern is the use of social media by volunteers working on a charity’s behalf.

Charities, big and small, have long recruited volunteers to help with their day to day operations like fundraising, administration or other essential roles. These volunteers, while informally employed, may choose to use their own social media profiles for this purpose, and identify themselves as working for the charity.

While this will in most cases be beneficial for the charity and not present any problems, it could open up charities to reputational damage if a volunteer acts inappropriately on social media in the charity’s name. With this in mind, it is crucial that a charity spots the risk of this kind of incident happening before one occurs, and takes steps to ensure that the volunteers are both aware of, and bound by, some form of social media policy.

Embedding risk management

The Charity Risk Survey identified a number of barriers faced by charities to updating their approach to risk management. Some 61% of charities said they lacked the time necessary to implement new measures. Cost was flagged by 40%, while others also highlighted limited buy-in at a senior level.

If risk management is to work at its best, it should be the responsibility of everyone in the charity. It can often be challenging to secure buy-in from senior figures in an organisation who can be more concerned with strategic long term business aims than the perceived short term issues of day to day risk. However, given that those at the most senior level of a charity, i.e. trustees and top management, are most responsible for the smooth running of the organisation, it is even more essential that they are involved.

For example, the benevolent fund, IET Connect, ensures that its trustees are kept up to speed on new risks by holding five board meetings each year. At each, one of five aspects of risk from a pre-determined risk register is examined, and emerging risks are also discussed. The Charity Commission provides a useful example of such a risk register, which charities can use as a model to devise their own.

In an environment where rapid change is now the norm, all charities will be feeling the pressure. That said, the sector continues to tackle these issues head on and it is vital that charities continue to embrace change and use it to their advantage – all while keeping the accompanying risks firmly within their vision.

Zurich Municipal's Amy Brettell - it is vital that charities keep their risk management strategy under constant review to ensure that the balance between managing risk and embracing innovation is struck.

Charity risk management in a more unstable world

Global charities increasingly operate in situations of greater political risk, including in conflict and post-conflict environments. This can negatively impact their plans to assist some of the world’s most vulnerable communities. According to a new Worldwide Risk Index, 21% of surveyed risk managers in large charities and corporations said they have reconsidered expanding operations into new countries due to heightened political risk.

Responding effectively to political risk, including unrest and even violence, is especially difficult for international charities. Donors are placing ever more emphasis on assisting vulnerable people in conflict and post-conflict environments and even charities accustomed to working in high risk countries need to evaluate the risk to employees (and volunteers) and potential liability that could affect all of these operations.

Protecting employees (and volunteers) is more difficult in conflict situations, for obvious reasons. The heightened risk of direct violent harm is further complicated by charities’ cooperation with local and international security forces. While “civ-mil cooperation” is an issue of active and even heated debate within the global NGO community, it increasingly occurs in unstable and violent environments.

On the most basic level, charities need to know security forces’ location and if their actions could impact the communities with which charities work. Charities often need to go further, explicitly cooperating with security forces that deliver goods and services to those harmed by disaster.

Preventing avoidable tragedies

This cooperation, even if it’s simply information sharing designed to prevent avoidable tragedies and assist with logistics, can make charities appear less than independent to certain groups. The result is increased attacks against aid workers. Terrorist and other groups have entered a new phase of deliberately targeting aid workers.

According to the Aid Worker Security Database, the year 2013 set a new record for violence against civilian aid operations, with 264 separate attacks affecting 474 aid workers. Of the 474 victims, 155 aid workers were killed, 178 were injured, and 141 were kidnapped. Overall this represents a 65% increase in the number of victims from 2012. While the figures declined in 2014, they remain at levels well above the average of the past decade.

The need for heightened security, including private security, can add other complications to charity-donor relationships. Donors have intensified their oversight, with a particular emphasis on overhead costs. While charities cannot fulfil their missions in insecure environments, the cost of protecting staff can make them look less efficient and cost conscious than they are.

The media are often keen to publicise cases of such “waste” – even while demanding that aid workers receive all the protection possible from their charity employers. This also has a direct effect on a charity’s trustees who have a fiduciary responsibility to monitor the expenses of the charity but also to show “duty of care” as it relates to the charity’s employees.

Medical infrastructure crippled

Additionally, the medical infrastructure where these charities are operating is often crippled because of ongoing conflict in the Middle East, natural disasters in Nepal, or pandemics in Africa. Charities are increasingly seeing the need to use medical evacuation for both international and national staff in the case of a medical event. This is another significant cost that must be factored into the cost of expansion or charities risk liability because of neglect of “duty of care” for their employees.

What can charity managers do to help manage this new world of instability, donor expectations and higher medical and security costs, including increased insurance premiums?

First, managers should invest more in risk management overall. This means emergency planning, training, security and other techniques to manage and reduce risk. This includes testing an emergency plan, which typically highlights gaps.

To achieve the level of management commensurate with heightened risk, more charities need to elevate the role of risk management within their organisations. While security is central to risk management, risk managers are more than simply security compliance officers. They can and should play a key role during programme planning and implementation.

This enables risk managers to help shape programmes that reduce the need for “security,” both before and after things go wrong in the field and ensure evacuation plans for all types of contingencies are in place should the need arise.

Next, charity risk managers should consider retaining the services of the growing number of political risk, insurance and security consultancies which provide political intelligence and situational analysis. Although these companies’ quality varies, the experienced firms can provide useful insights into potential risks charities might encounter, especially when starting operations in a new location.

These companies can also provide specific expertise in the event of a kidnap and ransom situation or a medical or political evacuation. With the right international insurance, these types of services would be covered under the insurance policy.

As events in Tunisia, Thailand and other countries make clear, executives need to integrate into their business operations the fact that no country is absolutely “safe” anymore. In a different dimension, the ghastly events in Paris underline this in a grim way. There is significant risk nearly everywhere. Charities have a fiduciary duty to properly evaluate and manage risk, and the new breed of political risk analyst can help fulfill that duty.

Review insurance programmes

Finally, charity risk managers should review their international insurance programmes. There are new ways to protect employees and organisations. These include political violence and risk, kidnap and ransom (K&R), evacuation and related policies. While new insurance covers will raise costs in the short run, they will likely lower them in the long run. For example, the Ebola crisis opened many charity managers’ eyes to the direct cost of evacuating staff under crisis conditions.

The most forward-looking charities link their brokers or insurance companies to their overall risk management strategy. The best brokers and companies act as operational partners. They become familiar with charities’ operations and actively recommend ways to reduce risk. This not only lowers insurance costs. Additional overhead costs, including security, are often reduced when operations are improved to make them more stable and predictable.

Global charity operations are more dependent on particular political factors than at any time in modern history. Tragically, for both charities and the beneficiaries they serve, these political factors often include violence by both the states and groups that challenge them. Political unrest and instability are the new “normal” realities in increasingly large areas of the world.

Charity managers need to get serious about bringing their business operations into line with the “facts on the ground.” Risk management, including insurance, should be at the center of those business strategies.

Clements Worldwide's Ibrahim Ozkaratan - terrorist and other groups have entered a new phase of deliberately targeting aid workers.

Protecting charity data in the face of disasters

Modern charities are in possession of large amounts of data. Employees, volunteers, beneficiaries and donors all spend time engaging with the charity, sharing their personal data with it.

Charities are no different from a large corporation or a small business in this regard – they are responsible for a large amount of personal and professional data, both from their user base and employees/volunteers/donors.

Therefore, in practical terms, just like any other organisation, they need to take precautionary steps to keep this data safe in the event of disaster. From catastrophic weather affecting data centres, to hackers looking to breach your infrastructure security and wipe or steal your records, data disasters can happen at any time with devastating consequences.

Donors could have their bank details stolen, beneficiaries’ contact details could be wiped (leaving them to lose out on welfare from the charity) and the internal documents of a charity (marketing collateral, administrative files etc.) could be left vulnerable or missing.

Disasters like this can seriously impact the trust between a charity and its donors, the ability of the charity to perform its tasks and the ongoing momentum of the organisation. Clearly, these outcomes are far from ideal.

The problem of data loss is so severe that regulatory bodies are taking steps to ensure that the sector has the capability to manage and protect sensitive information. The Charity Commission has set out a standard that requires charities to meet certain criteria when it comes to systems of risk management - including data backup and disaster recovery.

Unless charities meet these expectations, they can expect to face large fines or other reprimands for non-compliance. Indeed, the Information Commissioner has shown no mercy to charities it deemed to be failing in data protection care, with some heavy fines imposed.

With pressure on charities to protect the data they are responsible for, what are some of the major solutions available? Modern technological advancements have given new strategies to charities for managing the risks they face. Cost effective and robust data backup and protection strategies have enabled charities to develop strong and sophisticated disaster recovery plans to protect their organisations and personnel in the face of catastrophe.

Backup data centres

When using physical data centres, charities are continually facing the danger of their systems becoming damaged or otherwise unusable. Bad weather, power surges or poor maintenance can leave a data centre, containing important information for a charity, unusable. This is obviously bad news.

One way to protect against this is to have more than one data centre, both storing the same information. If they are both in separate enough locations, should the worst come to pass, it is likely that one data centre will still be usable, enabling the charity to continue its operations.

Providing that the locations of the data centres face different risks (i.e., if one is in an area with the possibility of flooding the other should not be), this is a well-worn method for maintaining strong protection against data disasters.

However, for charities this is a difficult strategy to recommend. Data centres are expensive both to buy and maintain. For charities with their tight controls on expenditure, justifying additional data centres bought in case of system failure isn’t usually possible.

Not directly contributing to a charity’s output, such a purchase could also detract from the impact of a charity’s work during the purchase period. Not only that, but as a precautionary measure they are not failsafe – what if disaster strikes in both locations rather than just one?

Backup storage on separate media

A far cheaper alternative to additional data centres is to ensure that data is backed up on separate media such as hard drives, SSDs, DVDs, memory sticks or similar.

Without the high costs of a physical data centre, media such as this can store sensitive or important information in case of emergency or calamity. If disaster strikes, data can be re-uploaded onto a new data centre and enable a charity to continue functioning if the worst should happen.

Unfortunately, as with a secondary data centre, this solution is far from perfect. While in the short term this method is less expensive than a whole physical data centre, there can be long term costs involved as media becomes outdated or is no longer supported on modern hardware.

A charity would need to continually update its backup media, which could lead to high long term costs. And if a charity overlooks this need to update its backup media, it could be left unable to use such devices in the future, with dire consequences.

Boston Computing found that in 2014, 93% of companies that could not properly recover their data within 10 days or more due to a disaster filed for bankruptcy within one year. Charities will be no different.

Aside from the need to update your backup media, this solution raises another problem – what would happen if your backup media were lost, stolen or ended up in the wrong hands? The contact information, financial details or other personal data about donors, beneficiaries, volunteers or employees would be insecure and in danger of exploitation.

Secure cloud storage solutions

In light of this, the widespread use of cloud computing technologies can help alleviate the financial pressures and responsibilities of backing up physical data centres, media or other on-site storage devices. Through a third party cloud services provider, charities can store their IT data within an off-premises data centre to be accessed online.

This removes the burden on a charity's finances and conscience in purchasing and maintaining on-site facilities. Cloud providers can also offer responsive disaster recovery plans, enabling a charity to get back on its feet efficiently if the worst should happen.

For some charities, utilising the cloud in order to store sensitive data might be a major concern. This is a common feeling within charities, with research suggesting that security concerns are a primary stumbling block to charities embracing the cloud.

However, in most cases cloud service providers have the capacity to employ very high levels of security protocols around their clients’ data, protecting them from both hacking attacks and natural disasters.

In fact, an organisation would need to invest significant funds in order to match the safety of many providers’ measures. Employing the services of a cloud provider could prove a cost effective and secure solution for charities looking for a strong data protection and recovery plan.

For today's charities, data security is a growing priority. It is vital for charities to keep their data secure and quickly recoverable in case of a disaster. While traditional protection and recovery methods, i.e. on-site data centres or backup media, are expensive and leave the charity shouldering significant risks and responsibilities, newer solutions from cloud service providers are a great way forward for a charity’s disaster recovery plan.

Databarracks' Oscar Arean - modern technological advancements have given new strategies to charities for managing the risks they face.

Being ready for the unexpected

Your charity has survived the recession and probably emerged stronger than ever thanks to sensible financial planning, a tighter rein on costs and a clear fundraising strategy.

Although it may be tempting to believe that with the worst behind us your charity is safe, have you considered what else could come out of the blue to threaten its operation or the assets that your charity's trustees are duty bound to protect?

Many charities at some point will face potential threats in the same way as commercial businesses. Those threats can to a large extent be managed through forward planning, early recognition and seeking out professional advice before it's too late.

"Scenario planning" should be high on your list of priorities as a first step to protecting your charity.

Here are some examples of potential threats to charities – and how you can best plan to avoid and overcome them.

Withdrawal of government support

THE SCENARIO. If your charity is mainly dependent on government funding and statutory income, the withdrawal of a grant or contract for services could have a terminal outcome.

While there would be some warning of this, it may well be that other income sources - such as through fundraising or other charitable or non-charitable income generation, or even through an emergency appeal or by setting up a non-charitable trading activity - could generate enough replacement income quickly enough.

HOW TO AVOID THIS SCENARIO. Charity trustees must assess their cash reserves and spending plans to work out whether there is a sufficient contingency for such an event. If not, the trustees should seek professional advice as to how they might generate a contingency fund or scope out how replacement funding streams could be secured at relatively short notice and whether any costs savings could exist, if needed.

Charities are allowed to carry reasonable and justifiable reserves against contingencies and charity trustees should consider adopting a reserves policy that clearly sets out their approach.

Consider how the charity could come up with funds at short notice and if appropriate, rehearse a theoretical "what if" strategy ahead of the income stream being pulled. If it is possible to establish diverse sources of alternative income, this could protect the charity from an insolvency outcome in the event that a major source of funding stops.

Key to the charity's survival will be adaptability and charity trustees should think ahead about new and innovative ways of generating income to enable them to deliver their charitable purposes.

Departure of key management

THE SCENARIO. When key members of management have to move on for any number of reasons (including that their set term in office is due to lapse), this can be a major problem on a practical level. If the executive management of the charity is carried out by its charity trustees, this can also have significant impact on a legal level, if it will leave the charity with insufficient charity trustees as required by the charity's governing document.

HOW TO AVOID THIS SCENARIO. Succession planning must be carefully managed at key levels. The charity's governing document should be checked to ensure that everyone is aware of the minimum number of trustees needed by it and so that there is an appropriate strategy in place to deal with the replacement of departing trustees. Many charities use a system of rotation at board level to ensure continuity of knowledge and leadership.

If the governing document does not have adequate provisions for replacing trustees, charity trustees should act now to update their governing documents, trustee recruitment, selection and induction policies and procedures. Specialist legal advice should always be sought as soon as you are aware that there could be a problem.

On a practical level, consider ahead what disruptions and reputational impact there could be to the charity if key management were to leave and how the changes could be best managed and communicated with staff, volunteers, significant funders and other stakeholders.

A pension deficit emerges

THE SCENARIO. A pension deficit can unexpectedly arise for a charity, particularly one that is in a multi-employer defined pension scheme where the number of employees suddenly reduces below the minimum threshold. This could be because of retirement, resignations or redundancies. Even if the charity's short term cash flow is not affected, the pension deficit could render the charity insolvent on a "balance sheet" test whereby its assets are insufficient to meet all of its actual and anticipated liabilities.

HOW TO AVOID THIS SCENARIO. Charity trustees and the senior executive team should be aware of proposed triggers under a pension scheme and as far as possible plan the charity's business strategy around such potential events. However, if a pension deficit exists or suddenly becomes anticipated, the charity trustees should immediately seek professional advice from an insolvency specialist to determine the circumstances in which the charity can continue to operate and also to protect their own position.

Directors of charitable companies will have to take care not to trade beyond the point that they knew or ought to have known that the charity could not avoid insolvent liquidation. Similar rules apply for trustees of charitable incorporated organisations.

Personal liabilities may arise for charity trustees of unincorporated charities which do not have the advantages of a limited liability corporate structure to protect them from the financial implications of insolvency.

The deficit may be managed through cash contributions but charity trustees will need to financially plan for potential increases. In some cases a coordinated restructure of the charity will need to take place with the right professional advice. It is important that charity trustees have a clear plan for dealing with the pension deficit and be ready to communicate that in their Trustees' Annual Report so that donors and beneficiaries remain reassured.

The "unexpected" incident

THE SCENARIO. An accident or incident could strike a charity at any time which could result in a claim against the charity for losses to third parties, damage to the charity's property or even its reputation when caused by a scandal or bad publicity. The type of threat will depend on the charity's activities and the day to day issues that it faces.

HOW TO AVOID THIS SCENARIO. Charity trustees should frequently carry out a thorough risk assessment of the charity's activities and assets in order to establish what risks could lead to damage to charity property, its reputation or losses to third parties which could ultimately threaten the viability of the charity's operation.

Where appropriate charity trustees should take professional advice as to how to manage such risks and, in particular, trustees of unincorporated charities will need to consider their exposure to personal liability. Unless its governing document expressly prohibits this, the charity will be able to take out specialist charities' insurance if the payment of the insurance premium is reasonable and can be justified in the charity's interests.

There are other types of "unforeseen" incidents which could threaten a charity on a reputational basis but which the charity isn't or can't be insured against. Charity trustees should make sure that they are ready to act in a responsible and quick manner and with the right professional advice on the unfortunate occurrence of such an event. In order to prioritise their needs, it may be possible to maintain services to beneficiaries through a merger or collaboration with another charity, for example.

The "unexpected" funding freeze

THE SCENARIO. Certain threats to funding simply cannot be foreseen by a charity but would seriously threaten its operation. Take for example the sudden collapse of the Icelandic bank Kaupthing, Singer and Friedlander, which in 2008 resulted in a number of large charities not being able to access their significant cash reserves to carry out their day to day functions.

HOW TO AVOID THIS SCENARIO. Sensible planning should be undertaken so that charity trustees are aware of how their cash reserves and resources can be utilised at short notice and whether there are any restrictions placed on funds.

While affected charities are unlikely to be criticised for not having planned for such an incident, charity trustees and members of the senior executive team should on a "scenario planning" basis consider that if a sudden funding freeze was to strike, what would the charity trustees' strategy be to manage the crisis, how would they access alternative funds and where would they seek advice as soon as it happened.

Blake Morgan's Elizabeth Davis (left) and Melia Hirst - threats can to a large extent be managed through forward planning, early recognition and seeking out professional advice before it's too late.

Managing the risks facing charities

The current insurance market for charities is in a bit of turmoil. Key suppliers have now pulled out of the market due to both professional and medical risks involved within charities. Insurers consider the risk of malpractice, abuse and prescription of drugs as extremely onerous yet insurance solutions have, up to this point, been low priced. This has led to well known insurance companies specialising in the charity sector pulling out or refining their appetite.

Charities, per se, need the same insurances and risk management services as commercial entities but subject to their function. Charities are often asked to be risk-aware and to undertake risk management, whilst under the Statement of Recommended Practice (SORP), only just reissued in two versions for January 2015 onwards, they have to report their risk management policies.

Unfortunately, while being risk aware should not make charities risk averse, there is a real concern that this is happening. The cost of insurance is often a prime decision driver for smaller charities and this mindset can sometimes backfire.

What about insurance for volunteers?

Consideration needs to be given to insurance for voluntary workers and their obligations in a charity environment. A charity will know that employer’s liability insurance is compulsory and solely covers an employer’s liability to his employees for death or bodily injury sustained while engaged in working for the employer. With that said, it’s not compulsory to insure against damage to the employee’s property, although obviously it is prudent to do so.

However, when volunteers are involved then everything changes. When it comes to talking insurance, it must be taken into account that volunteers are not employees, although it is easy to lose sight of the distinction between the two. Volunteers need to have clear guidelines in place so they ensure that they remain treated as volunteers and not employees.

So what should you do about insurance for volunteers? One option is, if individuals are looking to volunteer as a trustee on a more formal basis, charitable trustee’s indemnity insurance. This can often be provided by the charity to cover an individual’s personal liability whilst acting on behalf of the charity. This form of insurance covers your duties as a director or trustee director, shadow director, officer or member of the management committee.

Charitable trustee’s indemnity insurance will be needed by anyone who is in a position of trust or leadership within the charity or who has other legal responsibilities. This covers them for civil liability arising from their mismanagement of the charity and the cost of defending those claims.

Whilst it's important to highlight what's covered in this form of insurance, it is equally important to note what isn't included. Not included are: loss resulting from events that existed prior to the commencement of cover and losses where indemnity may be provided elsewhere, such as under an employer's liability or public liability insurance. In addition, criminal, dishonest, fraudulent or reckless acts are also excluded from charitable trustee's indemnity insurance cover.

What about care homes?

There are brokers and insurers who specialise in the charities sector and there was an insurer which was the largest provider of insurance specifically in the UK care home sector. However, that insurer announced in December 2013 that it would withdraw from the care home insurance market, with the exception of charity operated care homes. This change, which was confirmed in March 2014, has had and will continue to have considerable implications both for the insurance market and for care homes.

The care home insurance market is hardening as insurers seek to lessen their exposure to risk after an explosion in the number of claims.

Care home owners seeking to ensure they have the appropriate insurance cover in place and secure lower premiums will increasingly be assessed on an individual basis, making it imperative for them to implement rigorous risk management policies.

With that said, these recent and unfortunate developments have no doubt come from a perceived increased risk in the care home sector driven by some high profile claims which have caused insurers to realign their position. Unfortunately for care home operators, we are now likely to see rates increase in the coming months, with the remaining insurers within the market carefully reviewing their position.

During this time of uncertainty it is important to take steps to protect your care charity and ensure that you can continue to operate, without your insurance premiums sky-rocketing. However, there are plenty of opportunities for brokers - backed by supportive insurers - to provide critical community enhancing advice and products for the charity sector.

What about SORP and risk management?

When the SORP – or a Statement of Recommended Practice (specifically for charities entitled "Accounting and Reporting by Charities") - was last updated back in 2005, it brought risk management high up the agenda for all charities. The guidelines published were seemingly reviewed regularly by those who needed risk management, which enabled them to quickly identify the risks to which they were exposed.

However, the interest in SORP 2005 has unforgivably waned somewhat with many preferring to look at it on an annual basis. This error of judgment and almost lackadaisical approach means that charities may not be making the most of the benefits that risk management under SORP 2005 can bring.

SORP 2005 requires charity trustees to make a statement in the Annual Trustees' Report of their annual financial statements. Here, they need to confirm that the major risks to which they are exposed, as identified by the trustees, have been reviewed and the systems have been implemented to manage those risks.

This has been repeated in the two new SORPs - Charities SORP (FRSSE), "Financial review" section 1.47, and Charities SORP (FRS 102), "Financial review" section 1.46. These two SORPs are effective from 1 January 2015. In particular the Annual Trustees' Report must contain "a description of the principal risks and uncertainties facing the charity and its subsidiary undertakings, as identified by the charity trustees, together with a summary of their plans and strategies for managing those risks".

SORP 2005, or the relevant SORP in 2015 onwards, shouldn’t just be about compliance – it must be a document reviewed on a regular basis. It should be one of the first things read by the risk management team within a charity.

UNA's Tim Ryan - it must be taken into account that volunteers are not employees, although it is easy to lose sight of the distinction between the two.

The necessity of business continuity planning for charities

In my last article for Charities Management magazine I discussed how a charity’s reputation could be protected with risk management and I touched upon the importance of business continuity planning (BCP) and the advantages, if done properly, it could bring to your charity. I now want to talk about this in greater detail as it is a vitally important concept for your charity, although this is not always appreciated.

Business continuity planning is often misunderstood and dismissed as a waste of time, on the basis that management already know what action would be needed in the event of a major business disruption. Statistics however show that a large number of organisations affected by an adverse event never fully recover, and many fail within 18 months.

A major activity (business) disruption might impact your governance, operations, finances, reputation or your relationship with your donors, and your compliance with the law or regulations. But this aside, there are some very real and financial benefits to be gained from planning for a major business disruption.

Benefits of disruption planning

• Increased resilience – giving yourselves the best possible chance of recovery, thus protecting the interests of stakeholders, trustees, your employees and volunteers.

• Donor confidence – donors want to be confident that a charity can fulfil its obligations, and indeed interested third parties are increasingly asking for sight of a business continuity plan (BCP).

• Improved access to finance – banks, grant-makers and other financial providers will look more favourably on a charity which is able to demonstrate it has planned for a major business disruption, this being particularly true since the credit crunch.

• Meeting the terms of public service delivery tenders – even if not specified, the existence of a business continuity plan will help address the issues of capability and reliability.

• Reduced uninsured costs – having Business Interruption insurance in place will pay for increased costs of working for a pre-defined period after an “insurable event” like fire, explosion, storm, flood, etc. but it won’t protect your reputation, donor loyalty or retention of your key staff.

• Potential for reduced insurance premiums – having an effective BCP in place is viewed very positively by insurers who may be persuaded to offer advantageous terms as a result.

Charities with overseas operations expose their people to different risks compared to when charities only operate in the UK. For example, there may be the risks of war outbreak, kidnap, terrorism, natural disasters or diseases, all of which need to be mitigated in some way. Having a BCP in place that includes your overseas operations will help you respond faster and appropriately, and will demonstrate greater credibility to your partners.

Good practice guidelines

If you are taking external advice, your adviser should work to the Good Practice Guidelines set out by the Business Continuity Institute, in order to bring the most value to the charities that they work with. There are many “advisers” around who do not, and are focused solely on writing a plan and collecting a fee, without properly understanding the organisation. Your adviser should help you to embed business continuity management (BCM) into your charity’s day-to-day culture and develop an ongoing programme of awareness and commitment.

EMBEDDING BUSINESS CONTINUITY MANAGEMENT. A good professional adviser should also walk you through five stages of BCM, which are:

Stage 1 – Aligning a BCM policy to your organisational culture, which will include help with certain aspects of your annual report and accounts.

Stage 2 – Creation of your BCM policy, which will set out objectives, methods and standards and nominate a person with the overall accountability.

Stage 3 – Creation of a business impact analysis and continuity requirements analysis, evaluating threats through risk assessment, and identifying and selecting strategies to protect the continued delivery of your charity's services.

Stage 4 – Developing and implementing a BCM response which should include an emergency response, incident management and planning for continuity, recovery and resumption.

Stage 5 – Exercising, reviewing, testing and auditing the BCP, followed by building awareness of BCM within all areas of your charity.

These stages could be completed over a relatively short term of three months or staggered over a longer period of six months to fit around the day-to-day demands of your activities.

Avoiding a piecemeal approach

Business continuity planning is a natural extension of your insurance and general risk management so it's helpful if you can have all from one source, to achieve proper coordination and ensure that nothing gets missed. But this does mean you have to find an insurance broker which specialises in charities and has expertise in putting together BCPs.

BUSTING THE MYTHS. There is a myth that producing a BCP requires considerable investment in time and resource; that it’s something only big organisations do and is not practical for smaller ones. This is untrue – certainly for charities.

Another myth is that it is a substantial and detailed document. It shouldn’t be. To be effective it should be as clear and concise as possible, so as to be understandable to all people in your charity. Nor is it a complicated exercise; it’s simply identifying the biggest threats to your charity and those assets that are critical to the organisation’s operations, and asking the question: “What would we do if…?”

Addressing the key aspects

You do not need to produce "template" reporting or a detailed analysis of the procedures and results. Addressing the key aspects of the requirements is usually acceptable and these should include:

• An acknowledgement of the trustees’/management's responsibilities.

• An overview of the risk identification process.

• Confirmation that the identified risks have been reviewed and assessed.

• Confirmation of established control systems that will manage those risks.

Although the risks that a charity might face are both financial and non-financial, a part of the ultimate impact of a major business disruption is financial in most cases. To help you transfer some of the financial burden it is advisable to have insurance in place.

It’s also advisable to consider the advantages of various insurance packages that have been specially developed for your type of charity. You really do need to do this through an insurance broker which has gained good experience in this sector.

Since 1 April 2009, charities with an income of £500,000 or more, or gross income exceeding £250,000 with gross assets held exceeding £3.26 million, as stated by the Charities Commission, have been required by law to have their accounts audited. They must make a risk management statement in their trustees’ annual report confirming that the charity trustees have given consideration to the major incidents and other risks to which the charity is exposed and have satisfied themselves that systems or procedures are established in order to manage those risks.

Stating your commitment to BCM

Your charity’s annual report and accounts actually perform a number of functions apart from just compliance. Yes they do enable you to recap the achievements of the past year, but they are also a way of attracting money from organisations or people by showing you are doing all the right things. The annual report and accounts together constitute a statement that can provide accountability to your stakeholders in the widest sense, and help towards achieving your key objectives and safeguarding your funds and assets. So if you have proper risk management with business continuity management, state this clearly and boldly.

Smaller charities with gross income below the statutory requirements should adopt risk management as a matter of good practice. But whatever the size of your charity, business continuity planning is a key aspect of risk management.

Sutton Winson's Hamish Kent – your adviser should help you to embed business continuity management into your charity's day-to-day culture and develop an ongoing programme of awareness and commitment.

Good travel risk management for charities

Every year thousands of British charity workers face potentially hazardous situations as they help areas of the world ravaged by war, natural disasters and disease. Whether it is helping to eradicate polio in Pakistan or Nigeria, helping the victims of earthquakes in Iran or providing aid to the displaced victims of the Syrian civil war, the rewards are manifold. But, unfortunately, so are the risks.

High profile and tragic cases such as that of Khalil Dale, a British aid worker who was abducted and killed by the Pakistani Taliban last year while working in Quetta, bring home the dangers that charity workers face when working in the field.

Serious incident

Such extreme examples may be considered still relatively isolated and rare. However, a recent annual travel survey conducted with the charity sector revealed that more than a quarter of respondents (27.1%) had been overseas when a serious incident occurred in the location in which they were travelling. This demonstrates there can be no complacency in the sector when it comes to mitigating risk and keeping workers safe.

Many international and humanitarian charities find themselves navigating difficult straits. On the one hand, they must make sure that they provide support for the areas which need it the most – no matter how lawless or dangerous these places are. On the other hand, they have not only moral but also legal duty of care obligations to their employees and volunteers, which means they must demonstrate that due care and consideration has been given to minimising risk before employees and volunteers travel.

While there is no easy answer as to how to get the balance right there are very clear steps which charities can take to ensure that their workers are safeguarded as far as practically possible; that they are as informed and knowledgeable as possible about the potential risks they face and have a clear understanding of what to do in case of emergency.

The first steps

The crucial precondition for risk management in the charity sector is having in place an up to date and comprehensive travel policy.

A travel policy should consist of clear guidelines that staff members can consult and which relay the standards, protocols and risk management processes that employees should adhere to. For example, it should set out what the person should do if they find themselves in a difficult or dangerous situation – such as who to contact at the charity.

Setting out responsibilities and clear lines of communication is crucial should an emergency arise. In a dangerous situation where minutes count, staff should not be left confused as to who is in charge and who should be contacted back at the headquarters.

Travel policies should not be "one size fits all" and should be constantly monitored and changed to fit shifting circumstances. The policy should be accessible and easy to read, and it is crucial that employees are made aware of it before travelling – they must know it is there in order to comply with it.

Briefing and preparation

A travel policy is the first step in developing a good risk management strategy. However, charities should further this preparation with destination specific pre-trip briefings – particularly for trips to more isolated or dangerous parts of the world.

The above mentioned travel survey found that, in the charity sector, just over half of respondents (58.9%) were given destination training and briefings before they travelled.

Pre-trip briefings not only complement the information contained in the travel policy but can impart more in-depth and tailored advice about the destination. Information should include useful phrases in the local language – including those that can be used in case of emergency – information about social and religious customs and taboos, cultural and political facts, and up to date reports about potential risks and hazards in the country.

The briefings should also relay critical information such as contact details and addresses for embassies, consulates, hospitals and local emergency services as well as safe and reputable hotels and airlines that the traveller may need to use in an emergency.

Evacuation necessary

If a serious situation arises then the evacuation of charity workers may be necessary – this requires prior planning and swift lines of communication. Preparation should include the details of evacuation routes – for example, the location of the nearest airports, safe forms of transport and other key contact information.

To help with this preparation charities should make sure to have copies of their workers’ travel itineraries in advance and agree to check in with staff at pre-arranged times whether this is with a phone call, an email or a text message.

Any workers who are travelling should also be encouraged to do their own research into their destination, consulting sources such as the Foreign and Commonwealth Office and the World Health Organisation to find out about the latest health and security threats. Studying the local language and customs can also help avoid any misunderstandings, offence and upset while they are in their destination.

Many travel management companies and risk management consultancies also offer travel awareness programmes that can be taken on by whole organisations or individual travellers. These online risk management e-learning courses help staff familiarise themselves with the potential risks of travel. Where possible, training should be tailored to the destination and kept up to date.


Your employees or volunteers have now reached their destination. They have arrived well informed and briefed about the situation on the ground and are aware of what to do if the situation gets out of hand. What now?

The preparation, of course, is just the beginning. Whether a charity worker is in place for just a matter of days or for many months, constant monitoring and tracking of the situation where they are stationed is paramount during their visit, particularly if they are in remote areas.

Many travel management companies now provide risk alert software that will provide charities and individual travellers with accurate and real time information directly to a mobile phone. Such software can be matched to specific travel itineraries and, drawing on a variety of sources, will automatically alert the relevant contact at the charity should a threat arise which could place the traveller at risk.

Having such advanced monitoring in place not only provides peace of mind for charities and travellers alike but also means that workers can be steered away from any danger hotspots.

As well as general situation monitoring, software packages are also available that allow charities to track employee and volunteer movements. Such technology can allow the instant location of charity travellers, while other systems detail their itineraries and any flights, trains or other forms of transportation they may be taking. Used in conjunction with risk alert systems this can facilitate contacting employees by phone or email if an issue arises to give them instructions to take them out of harm’s way.

Of course, both the charity and the traveller should not over-rely on technology for safety – after all, mobile phones and laptop computers can be damaged, lost or stolen. In particularly impoverished and isolated areas internet and television access and even electricity supply will be difficult to come by. Travellers should therefore make sure that all the critical contact details are written down and easily accessible during an emergency.

The charity traveller should also keep paper back-up copies of all their important documents – including any insurance, travel and medical details as well as their passport.


No matter how well you prepare for and monitor a situation things can still go wrong. This could range from relatively minor inconveniences such as luggage being lost or transportation being cancelled to more serious incidents such as a medical emergency.

It is imperative that charities take out appropriate insurance cover for their workers to deal with any mishaps which may take place during their travels. Many travel insurance companies now offer specialised packages that cover charity staff and volunteers who are travelling and working abroad.

These packages can cover a variety of circumstances including kidnap and ransom, natural disasters and medical emergencies. Some insurance companies go further and offer extended war and terrorism insurance packages covering extremely high risk areas of the world such as Afghanistan, Iraq and Sudan.

Duty of care

Charities, as with all organisations, have a moral duty of care to all staff, whether at home or abroad, as well as statutory obligations under the Health and Safety at Work Act 1974 and the Corporate Manslaughter and Corporate Homicide Act 2007.

When it comes to travel, therefore, charities cannot just pay lip service to risk management – they must have demonstrable systems which are comprehensive, up to date and flexible. All staff travelling abroad must be given a travel policy with risk management protocols to consult and, ideally, have in-depth briefing and destination training before they leave. Monitoring and insurance are vital so that, where possible, risks can be avoided and workers are safeguarded should the worst happen.

No matter how rewarding, international charity work does come with its hazards and anxieties. Integrating the above steps into a risk management strategy will help ensure peace of mind for both charities and their workers in the field and minimise the risks they face.

Key Travel's Steve Summers – there are very clear steps which charities can take to ensure that their workers are safeguarded as far as practically possible.

Protecting your charity’s reputation with risk management

Charities have always been acutely aware that every penny counts and in the current economic climate it's becoming increasingly difficult to secure funding. The Charities Aid Foundation recently reported "giving" fell by 20% during the last year, so it's more important than ever to protect your income.

Your financial well-being is inextricably linked to your reputation. To secure one – whether it's funding from the Government, organisations, businesses or individuals – you have to maintain and build the other. Reputation, however, is a very ethereal thing. You can't see it or touch it. It's built through years of painstaking work, yet can be destroyed in a matter of minutes.

In today's fast-moving media environment, negative feedback of any form can go viral instantly, reaching thousands if not millions of people around the world. If you're using social media for marketing, you can expect the same platform to be a conduit for bad news.

Charities, similar to businesses, have "supply chains" or "stakeholders" and if someone or something within this "chain" fails – whether in or out of your control – the financial and reputational consequences can be severe.

How you control a situation determines your future reputation, so have a public relations as well as disaster recovery strategy in place. Recent events with high profile celebrities linked to now defunct charities starkly illustrate the need for swift action to protect your reputation.

In independent surveys, companies cite "loss of reputation" as the greatest perceived risk facing their business. Two thirds of business leaders believe it's harder to recover from reputational failure than it is to build and maintain a reputation and they say it takes, on average, three to four years for a company to recover. However, if a crisis is handled well, it can enhance your reputation.

For charities, this risk and all its associated negative aspects are even greater – certainly in terms of impact.

Protecting its reputation should be at the heart of your charity's risk management and business continuity planning.

There are a number of growing areas of risk in the current climate which can affect your reputation, along with insurance policies available to protect against the financial consequences.


Austerity is biting and many charities are making redundancies. If you're cutting staff, does your human resources department comply with the appropriate legislation and is it up to date with latest developments? For example, in June this year, the Employment Rights Order 2012 came into force, increasing the maximum compensatory award for unfair dismissal cases from £72,300 to £74,200 and capping the weekly pay award at £450 instead of £430.

Whilst this may appear a small increase, for charities chasing every penny, it will soon bite into the donation pot – particularly as this sector appears to be responsible for a high number of employment tribunal cases, an example being the Charities Commission itself which is embroiled in long-running disputes with an employee, resulting in significant legal costs and reputational damage.

Ensure you have employment practices liability cover to help meet these costs, with access to specialist helplines with people who can advise and support you.

Protect yourself and employees/volunteers from any personal liabilities. With the "Big Society" push to take on greater responsibilities, consider what these are and cover yourself against any potential claims. For example, if you hold a senior position in your charity, will you be held personally liable for any failings? If so, trustees' indemnity cover may be needed.

Are your employees or volunteers involved in counselling or giving advice to others? If so, professional indemnity insurance is important.

Reputation for caring

As a charity, the foundation of your reputation is "to care" so be seen to adopt this same approach when it comes to those working alongside you. If staff or volunteers suffer an accident or illness, do you have mechanisms in place to provide for them financially (where appropriate) and help get them back on their feet as soon as possible? And what about if they suffer from stress – how do you support them?

As we all know, bad news spreads faster than good and disgruntled employees and volunteers who don't feel they've been treated fairly will be quick to complain.

Your coffers can be severely depleted by fraud and theft so assess what checks and balances are in place to reduce the likelihood of this, and look at what cover is in place to help "get you back in the position you were before the incident occurred".

This is the very ethos of insurance and whilst cynics may say "it's about insurers getting as much in premiums as possible", reputable insurance providers counter "it's about auditing what you need, no more or less, and sourcing cover at a fair price that provides a financial safety net against loss".


If you've international programmes or visit overseas it's likely you'll have a presence in riskier parts of the world suffering from conflict, poverty, corruption, natural or man-made disasters. Your duty of care to staff and volunteers crosses these borders and any safety breach could be put under the international spotlight.

To support those abroad and mitigate loss, you should provide:

• Risk assessments of the areas staff/volunteers are travelling to.

• Security briefs and appropriate procedures.

• Pre-medical screening of staff/volunteers and appropriate medical precautions.

• Training for situations that could be encountered.

• Advice on how to treat injured and ill staff.

• Guidelines on evacuation procedures.

• Insurance cover for kidnap and ransom.

• Travel arrangements for rest and recuperation.

If your charity's international, is your insurance? Whilst there are tight controls in the UK for buying and selling insurance, other countries may not have the same mechanisms in place. Do your cover and support services extend abroad? Policies arranged in the UK are unlikely to include overseas operations unless you specifically ask for this. Check with your insurance provider – there may be an overseas exclusion hidden in the small print.

Insurance providers specialising in the charities sector can guide you through this process and help you avoid the common pitfalls. These pitfalls include:

• Country-specific compulsory insurance which is not purchased due to a lack of knowledge.

• Employers' liability cover not including expats/secondees.

• Public liability, professional indemnity and trustees indemnity arranged in the UK with restricted geographical/territorial limits.

• Local regulations requiring insurance to be purchased in-country.

International charities should protect their liabilities on a global basis. Inadequate or simply wrong insurance may result in criminal action, fines or even unpaid claims – with a devastating effect on your reputation, as well as your reserves.


Whilst people are your greatest assets, property and contents are also assets to consider when auditing insurance liabilities. You may scrutinise your everyday bills, but do you do the same for your buildings and contents cover? Do you renew cover without asking your insurance provider to review your policy and premiums? If so, you may be paying over the odds for cover you don't need or be under-insured.

What business continuity plans are in place? If there's damage to your property or your computers are hacked, can you continue to run, support others and receive donations? Business interruption loses goodwill and money. Damage to premises can usually be repaired and to the "outside world" it's business as usual, but with cyber issues, it's a different matter.

In 2011 the Government estimated cyber crime cost the UK economy around £27bn a year. Businesses paid around £21bn, the Government £2.2bn and citizens £3.1bn. For businesses the bill breakdown comprised: intellectual property theft £9.2bn, industrial espionage £7.6bn, extortion £2.2bn, direct online theft £1.3bn and theft of customer data £1.3bn.

Charities are not exempt from these kinds of risks, particularly online theft – including theft of client and supporter data. With the majority of charities undertaking financial transactions electronically, the prospect of having to shut down your systems due to a security breach is daunting.

However, insurers are beginning to recognise this emerging risk and offer policies which will:

• Enable you to detect and restore damaged information/communication systems.

• Reimburse lost profits following damaged systems or lost data.

• Provide access to experts in crisis management, public relations, forensics and security.

• Set up a temporary storage facility.

• Meet investigation costs and any Government or regulatory-imposed fines.

• Pay costs incurred in notifying data protection authorities and clients (in line with new European data laws), following a data loss.

• Pay for credit monitoring and setting up of a call centre to deal with customer enquiries.

• Manage and meet the costs involved with cyber extortion.

Watching your back

Whilst risk management, health and safety assessments and business continuity planning lessen the occurrence and impact of an incident, it's the insurance cover which picks up the financial pieces and helps rebuild your reputation as a charity. It covers the tangible and intangible – meeting the public relations costs associated with restoring your reputation and consequential loss in revenue.

Insurance brokers should "watch your back" and help protect your people, assets and reputation. Those experienced in this sector will spot potential issues, help you manage a crisis and rebuild your brand.

Sutton Winson's Hamish Kent – protecting its reputation should be at the heart of your charity's risk management and business continuity planning.