Those performing activities
Whether they are staff, contractors or volunteers, if individuals and teams deliver activities that require knowledge of compliance risks, you need to know they have the skills and expertise to manage compliance risk in their day-to-day work.
Individuals should be responsible for keeping themselves updated on relevant requirements (typically through an approved training plan that includes mandatory training and CPD).
Individuals should also understand that they are responsible for working to the policies, procedures and guidance that have been agreed.
Management and governance bodies
The first step for charity governance bodies is to agree an oversight structure that will enable effective monitoring of compliance risk. There should be a free flow of information within this structure to enable both timely challenge and assurance.
Management should feel confident there is sufficient supervision of the activities that support compliance. For example, they should assure themselves that procedures and training reflect current compliance requirements, and that there are mechanisms for updating these as soon as requirements change (or even in advance).
Charities also benefit from their managers being able to verify that training and current procedures have been understood. There should be supervision to quickly identify whether processes are being followed in practice.
Typically, a proportionate approach is taken to ensure the best use is made of the charity’s available resources. Good use can be made of a charity’s risk experts to support this process design.
Governing bodies may decide that specialist skills are required within the management tier to provide confidence that legal and regulatory risks are being managed. There is a balance to be struck: the structure should not, through excessive oversight, disrupt the charity’s ability to be agile and respond to changes in the compliance risk environment.
Perhaps most valuable are compliance reporting mechanisms that directly relay how a charity is performing in managing its compliance risk. Reporting enables management and governance bodies to monitor and challenge performance.
We often see a disparate approach to reporting compliance activities in various parts of the organisation. We find management and trustees welcome a consolidated view on how a charity is managing its compliance risk. Consolidated reporting has the added benefit of supporting charities to spot themes that can be addressed more efficiently through an organisation-wide approach, rather than in silos.
Aligning risk and performance reporting is also helpful in providing a consolidated view. The two should be interdependent so that where performance reporting indicates there is a potential compliance risk, this informs the risk register and mitigations can be closely monitored.
The quality of compliance performance and risk data is key. Having risk expertise within a charity helps there to be robust challenge of the accuracy of information reported in relation to how well compliance risks are being managed. This is essential to support decision making.
To manage their response to compliance risks, charities also need to be alert to the likelihood and impact of any compliance breach, so that they can make appropriate decisions about the level of investment required.
Accepting an increased risk is typically more acceptable in some areas and functions than others, and mapping this can release funds for the organisation to divert elsewhere.
We typically see charities agree their risk appetite for compliance risk. This is then embedded into their risk management approach through assigning a target risk score on their risk register. Well performing charities then document and monitor key risk indicators to provide an early warning mechanism that the risk score may be increasing to an unacceptable level so that management and governance bodies are aware that attention is required.
Similarly, in high-volume, data-driven charities, a specialist performance reporting team may be required to provide assurance on the data being produced.
Importantly, governing bodies also need to ensure there is external assurance that will provide independent and objective challenge to the organisation about its key compliance risks.
Your internal auditors
Obtaining external assurance provides you with an independent and objective view, giving you confidence that your compliance risk is being well managed.
Depending on the nature of the compliance risk, you may particularly value a specialist opinion from experts that have a robust compliance methodology and insight into other charities’ approaches.
One of the many benefits of an internal audit service is that it can work with you in an advisory capacity to support you in designing your compliance framework to ensure you are set up for success.
You can then expect your internal auditors to give you confidence, through their assurance work, that your compliance picture is being reported accurately.
What kinds of questions can an internal audit help you to answer?
- How do you know that your methodology is compliant with regulatory requirements?
- How do you know the policies and procedures you have agreed are actually being followed in practice?
- How do you know the performance and risk metrics being reported to you are accurate? Are they based on a full set of data and is the information verified for factual accuracy before being sent to you?
All of the above will support your commitment to continually improve how your charity is managing your compliance risk.
Case study – developing a charity’s compliance reporting framework
We acted as a critical friend during the development of a charity’s compliance reporting framework. This included reviewing the collation of information to be reported, as well as the structure and flow of the information. One of the key outputs was to support headline reporting for trustees that rationalised detailed reports intended for operational use. This supported governing bodies to access the appropriate level of information required to be provided with confidence about the management of the charity’s compliance risk, as well as to facilitate the right level of challenge. From our validation of the report content, we identified that staff and volunteer vetting information was being inaccurately reported. From our discussions with the charity, it became clear that the root cause for this was a reluctance to inform trustees that the team had fallen behind in processing vetting applications. The charity was able to take swift action through a temporary investment of additional resources, but this exposed a wider concern about the culture and behaviours that resulted in a deeper dive and investment into managing the tone from the top.
What’s the impact of investing in your monitoring and assurance activities?
First and foremost, you can expect to enhance your compliance. Requirements are of course intended to best manage risks within the sector, and by increasing compliance you can feel confident your arrangements reflect best practice. This should support you to deliver optimum services, maintain your reputation and therefore secure all the benefits that high public trust affords.
You can also expect to be able to spot issues before they become a problem, which will save the time and effort needed to firefight an issue (or multiple issues) later on.
Being able to act quickly when there is an issue may help you to ringfence the impact, preventing further immediate issues from arising. It will also help you to comply with any additional requirements, such as any prompt, full and frank disclosure to the Charity Commission via its Serious Incident Reporting [7] process and any other relevant regulators. In the case of any criminal concerns, it will enable you to notify the police for swift support.
You will also maximise the time available to proactively contact donors, beneficiaries and the general public, giving you the best opportunity to manage your reputation and messaging.
Of utmost importance is the tone from the top. Charity trustees need to promote a culture of compliance, requiring ethical behaviour and accountability to enable your compliance risk to be most effectively managed.
Sources
[3] Charities SORP
[5] Offence of 'failure to prevent fraud' introduced by ECCTA
[6] Data (Use and Access) Bill
[7] Report a serious incident on behalf of the trustee body
Get in touch
For more information about how we can support with developing your compliance reporting framework or providing independent assurance over your compliance management and reporting, please contact us today.