
Protect and preserve: Defending your charity from five key risks

By Sam Haslam and Rachel Phillips | September 15, 2023

What are the major charity risk areas and how can you navigate them to ensure you can operate sustainably, remain financially sound, and achieve your objectives?

For many charities, being able to help beneficiaries relies on factors that unwittingly open them up to increased risks to their viability: relying both on the time and skills of volunteers to deliver services and oversee governance, and depending on public and institutional trust for funding. Also, in common with commercial businesses, charities need to comply with potentially challenging governance demands while operating with tighter budgets.

But should things go wrong, neither their operational constraints nor charitable status tend to afford those running charities automatic defence or mitigation against criticism, adverse publicity and, importantly, organisational or even personal liability.

The charity sector is seeing funding streams hit, with research indicating charities' income could fall by £2.2bn by the end of 2023/24. Meanwhile, some charities have been rocked by damaging failures that have impacted their ongoing ability to offer services to their beneficiaries.

In this insight, we examine the current major charity risk areas and offer guidance on navigating them to support the long-term viability and success of your charitable organisation.

The risks

  1. Governance failures

    A 2022 Charity Commission report on former charity Kids Company concluded it ran a “high-risk business model” with a heavy dependence on donations, a reliance on a key individual for fundraising, coupled with low reserves which ultimately led to the charity being closed down.

    Kids Company faced a common challenge we see many charities encounter: trustees maintaining oversight of key risks with limited training and resources. This pattern can arise from fears that spending on trustee or executive training will curtail resources available to service users, or from worries over how training spend might be perceived externally.

    However, examples such as Kids Company serve to illustrate that without adequate oversight expertise, charities’ long-term sustainability may be at risk. Cost-cutting on trustee training can prove a false economy.

  2. Financial mismanagement

    This risk is another element of governance failure but is worth considering independently. ‘Financial mismanagement’ is also readily understood by the media, donors and volunteers and can all too easily cause lasting damage.

    The example of Hope House, a small charitable school for children with special educational needs, reminds us of both the importance of proper financial management and the fact trustees are personally liable for both their own and their charity’s failings.

    The Charity Commission’s report on the Hope House inquiry led to some school trustees being unable to act as charity trustees for at least eight years. The report found one trustee was able to take decisions in breach of the charity’s own financial control policy, while others failed to manage conflicts of interest by allowing one of them to sign cheques made out to their family members and to also take family on overseas trips.

    Adhering to the Charity Governance Code will help prevent such scenarios at your charity. Designed as a practical tool to help charities and their trustees develop high standards of governance, the code recognises good governance is fundamental to a charity’s success and the ability to fulfil the charity’s vision over the long term.

  3. Cybercrime and charities

    Identify the vulnerabilities and bridge the gaps in your cybersecurity.

    Charities are tackling many of the same financial and data-loss cyber risks as big corporates. In addition, and perhaps unlike corporates, many charities are victims of cyberattacks without realising it, as the Charity Commission has previously reported, giving cybercriminals extra opportunity to cause harm.

    Ensuring you have an up-to-date view of the most significant risks in your IT environment, and of the effectiveness of your technical (such as website security) and non-technical (such as training programmes) responses, is vital. Given that a charity is four times more likely to discover cybercrime through internal IT controls or by staff raising concerns than through all other external sources combined, ensuring these are regularly reviewed is also an important mitigation.

    Prevention is better than cure. Review your protection, understand what your insurance does and does not cover, and learn what you can from any sector peers recently targeted by cybercriminals. Being alert to the latest threats will support you in identifying the vulnerabilities and bridging the gaps in your cybersecurity.

  4. Charities and climate risk

    Climate risk reporting requirements for longer-term viability.

    Charities face a range of specific environmental risk issues, including how to deal with waste from unusable donations to their retail outlets, and many charities are facing stakeholder pressure to develop or refine their sustainability strategies to transition to net zero. This is in addition to facing increasing climate risk reporting obligations.

    The Streamlined Energy and Carbon Reporting (SECR) requirements have been introduced to monitor organisation-specific carbon and energy usage. They apply to all U.K. companies, including charitable organisations, deemed ‘large’ because they have met at least two out of three of the following Companies Act 2006 size criteria for two years in a row:

    • A turnover or revenue of £36m or more
    • Total assets of £18m or more
    • Average number of employees of 250 or more.

    Charities that meet these criteria are required to report publicly on their U.K. energy use and carbon emissions within their trustees’ report. The Environmental Reporting Guidelines state that a widely accepted approach is to divide this into three ‘scopes’:

    • Scope 1 – Direct emissions
    • Scope 2 – Energy indirect emissions
    • Scope 3 – Other indirect emissions.

    Meanwhile, the Taskforce on Climate-related Disclosures (TCFD) requirements deal with reporting of climate-related threats and opportunities to the organisation and are mandatory for larger U.K. organisations, including larger charities.

    Regardless of your size, adhering to climate risk reporting requirements can position your charity for longer-term viability and support its ability to thrive and meet the expectations of both regulators and stakeholders.

  5.


    Review measures in place to prevent harm and keep service users safe.

    Allegations of safeguarding failures can have a significant impact on large charities, as a 2019 Charity Commission report on Oxfam served to illustrate. But safeguarding risks can also impact smaller charities.

    Let’s imagine the impact on a smaller charity, with fewer resources and funds, of a scenario where a service user alleges they came to physical harm at the hands of a volunteer. The volunteer’s line manager decides they are ‘innocent until proven guilty’, allows the volunteer to continue in post, and does not inform executives or trustees about the situation until the outcome of their informal investigation is known.

    In the meantime, word gets round service users that this volunteer is still working at the charity. Their trust is lost, and would-be beneficiaries stop using the service in large numbers. The local press hears about this, and the first the trustees know of the matter is when they are approached for comment by a journalist.

    Time and again we hear of situations where a delay in responding to allegations has led to the escalation of claims and reputational harm. The same applies where there are no clear policies and procedures covering what happens to the accused individual, exactly which people are informed when incidents occur, how trustees are involved in the process, and what measures are in place to prevent harm and keep service users safe to begin with.

Neither the Charity Commission nor the Health and Safety Executive is likely to accept staffing challenges as excusing a lack of Disclosure and Barring Service (DBS) checks, or as explaining why staff were unaware of the correct safeguarding processes. Robust processes and controls around onboarding and maintaining checks will help your charity navigate safeguarding risks.

For smarter ways to manage charity sector risk with advice and support across both insurable and non-insurable risk, education, training and awareness for trustees and boards, get in touch.


Risk Management Executive,

GB Health and Social Care Leader
