All charity boards need confirmation that their key risks are constantly being identified and managed, but how can they be assured that these risks are managed properly and effectively?
This is not a simple issue to tackle. Part of a charity board’s challenge is that all information on how risks are being managed is produced by the management team, so to what extent can and should the board rely on management’s own assurances?
This is where the board needs to have the confidence and ability to ask challenging, fair and constructive questions, and the management team must recognise that challenge is a key element of a board’s role. The style of governance needs to be balanced to allow for critique and not just criticism. The board needs to encourage managers to be honest and upfront with them, so that even if things aren’t on track, managers feel able and confident to report this, rather than reporting only good news.
Many larger charities will appoint an audit committee to provide oversight of the assurance processes and report to the board. The committee might look at one or two risks at each meeting and, with the support of the relevant managers, drill down into the underlying controls to check that the processes set up to manage those risks are operating as they should.
Some risks may be so integral to the charity that the board may consider further independent assurance. For larger charities this can be provided by an internal audit function, resourced either by in-house staff or by an external provider.
Different levels of internal audit
Internal audit activities can be undertaken at different levels and made to fit smaller organisations. Cost is a factor – the amount spent on assurance activities should not outweigh the benefits. If the risk profile of an organisation is low, then there is little benefit from a significant investment in assurance activities. Additional assurance activities should be focused on the high-risk areas and areas where management activities cannot provide sufficient assurance.
Starting from smaller, simpler operations, the scaling of assurance activities can be illustrated as follows:
Internal review of controls
For a small charity a review will provide information and evidence on the operation and effectiveness of basic controls. The Charity Commission publishes the guide ‘Internal Financial Controls for Charities’ (CC8) which contains a useful checklist for this. This could be the basis of an annual report to trustees providing comfort that proper financial controls are in place and being operated.
DIY internal audit toolkits
Organisations can develop their own or buy suitable toolkits for specific areas of operations such as charity shops, project management, health and safety, data protection and information security. These will not always be written specifically for a charity, but nonetheless may offer a framework. A member of staff may need to be trained to use them. Some quality assurance frameworks, such as PQASSO, may provide similar levels of assurance.
One-off independent reviews
There may be specific areas of risk requiring expertise and knowledge that you don’t have in-house, such as data protection or information security. Scoping a one-off review so that it builds in assurance activities is a simple and effective way of gaining high quality feedback on your systems and processes.
Outsourced internal audit
To commission services from an external provider, a charity will need to have good risk management processes in place, or else ask the provider to help improve the charity’s risk management as its first assignment. The internal audit plan should be risk-based, so that it gives the board assurance on the key risks, and should build on the organisation’s assurance framework. The internal auditor should use the framework as a starting point and should test the effectiveness of the management of risk.
Cost-effective ways of using an outsourced internal audit blend the use of DIY internal audit toolkits with the internal audit firm providing oversight and quality control of the internal activity. It can also be combined with specialist independent reviews and audits.
Full risk and assurance function
An in-house function needs to remain independent and should not be responsible for undertaking risk management. The people in the team can train managers and staff in risk management, but the focus of their activity needs to be on the provision of assurance that the planned management of risk is effective.
Such a function can also support managers in developing effective response plans (e.g. a fraud response plan) and play a role in whistle-blowing procedures. It can also investigate problems and help managers to respond to urgent issues.
Once the board has developed its approach to risk management, it is important to plan the assurance activities as well, so that the board knows that all of its key risks are being managed appropriately.
For further insights on risk management, Sayer Vincent has produced a guide to risk management entitled, ‘Rethinking Risk’.