Charity Governance and Risk Assessment

Is your charity's governance as effective as you would like it to be?

For charities, establishing and running effective risk and governance arrangements is a legal obligation. It is striking to see how practices vary across sectors, with many founders, trustees, and CEOs of charities unaware of the risk they run and the potential personal impact if things go wrong. Aevitium LTD conducted an intervention in 2024 that served as the basis for this case study.

Please note that we have "neutralised" the following case study and documents to protect the charity's anonymity.

Background

A mid-size charity with about £250k in revenues approached us to update their policy framework. Following an initial consultation, the CEO recognised the necessity of reviewing their broader governance arrangements and updating their risk register prior to initiating any policy review. The charity had been experiencing financial difficulties for some time due to COVID, and the board of trustees had been highly focused on setting the organisation on a more sustainable financial path.

Why did they need a governance assessment?

During the initial consultation, the CEO came to realise their real challenge wasn’t with an out-of-date policy framework. The intense focus on financial strategy had overshadowed all other areas of risks.

• Risk Register: The organisation had not updated the risk register since the CEO's arrival. In addition, the risk register combined a mix of very granular and generic risk assessments, control assessments, and control standards. Consequently, the document was immediately shelved after being produced, never to be used again until we asked for it many years later. 

• Date and cybersecurity: Upon joining a year prior, the CEO had immediately raised some concerns with data management and protection, as well as the lack of cybersecurity capabilities. As a result, the board of trustees agreed to a plan to move membership and personal data from an on-premises database to a more secure SaaS solution.

• Regulatory requirements: The Board of Trustees had signed the audited financial accounts and incorporated the statement on risk management. But practically, they had not reviewed the organisation's risk management practices for many years, and they did not do what they really agreed to.

• Insurance Coverage: Due to the aforementioned circumstances, the CEO, as well as the board of trustees, lacked knowledge about the suitability of the charity's insurance coverage.

• Board dynamics and culture: Ultimately, the trustees lacked the necessary skills to comprehend these challenges and reluctantly supported any efforts on risk remediation beyond the ongoing management of the organisation's financial situation.

How does your organisation stand, and how can you improve your governance? Our comprehensive charity governance maturity assessment is quick, insightful, and free! Take the assessment today to get your score and gain practical insights on what's best in class and where you could do better.

Solutions Implemented

Practically, the CEO needed an independent view of the governance and risk management arrangements to help convince the board that a broader intervention was required.

• Governance Maturity Assessment: For this organisation, we designed the first version of the Aevitium LTD Charity Governance Scorecard. In total, 8 people from this charity took the assessment, mixing trustees and senior management. We invited the participants to self-assess their perceived maturity, followed by ten questions that covered risk and governance, strategic planning, and culture.

• Top Strategic Risk and Risk Register: We completely updated and simplified the risk register during a couple of workshops with the CEO, utilising strategic internal documents and annual reports. The risks were presented in the top 4 strategic themes the board needed to address as priorities, and a more granular risk register focused on the operational management of the charity. With our support, the CEO also mapped out existing remediation activities. For each of the top themes, we helped the CEO document what the associated risks were, how they would materialise, their impact on the organisation, and existing or future remediation and contingencies.
  

The Output and Next Steps

The CEO had decided to use the outcome of the assessment to support a discussion with their board and the organisation’s audit and risk committee. We prepared the following artefacts to support their discussion.

We carefully crafted the agenda to ensure the CEO could

1) Educate the board of trustees and remind them of the most basic but fundamental requirements, legal obligations, and associated personal liabilities.

2) Introduce the maturity assessment to ensure that participants understand its structure and what it means for the charity.

3) Present the results of the self-assessment. Here were the objectives:

• Create a common and agreed-upon understanding of the organisation's current diagnostics.

• Establish a desired level of maturity. 

4) Present the updated risk register and the top four strategic themes. Here were the objectives:

• Create a common and agreed-upon understanding of the current risk profile.

• Initiate a discussion on remediation activities, letting the company's board and management define them.

As we were preparing for the committee meeting, we received news from the CEO that the Board of Trustees had decided to close the organisation. To quote them: 

This is a reminder that risk management is, by its very nature, a pro-active, people-centric mindset. Many charities find staying on top of governance and risk management difficult. Often, they lack the resources and expertise to assess themselves on their own. And sourcing external assistance can be beyond their financial reach.

Aevitium launched the free Charity Maturity Assessment Scorecard to help charities improve their governance and risk management. Though we were too late to save this organisation, we hope that this new tool can help many other organisations continue providing their great contribution to our society!

Not sure your charity's governance and risk management is mature enough to protect you? Take our free charity risk and governance maturity assessment.