25 July 2018 by Cecile Gillard
But there is a wealth of guidance available to help
The Charity Governance Code points out that good governance is fundamental to the success of charities and promotes a healthy culture from within. Alongside this, as charities face income and other resource pressures plus a challenging operational environment, they need to make the best possible use of the opportunities that digital communications offer – in their governance and operational activities but also in developing and strengthening relationships with their stakeholders. Digital technology can and does enable charities to have a better and further reach into places of need.
However, charities are not immune from the challenges and risks of the digital world. Across all sectors, the National Crime Agency reports that cyber crimes now outnumber physical crimes. The Information Commissioner’s Office figures for April 2016–17 demonstrate a two-thirds annual increase in the number of charities experiencing a data breach incident.
Key areas of digital and cyber risk for charities are:
Risk is an inevitable reality in a charity’s activities and digital risk is a growing proportion of any charity’s risk profile.
Managing such risk effectively is an essential part of the good stewardship required of charity trustees and a key part of their governance responsibilities.
As the Charity Commission points out in CC26 ‘Charities and Risk Management’: ‘Charity trustees should regularly review and assess the risks faced by their charity in all areas of its work and plan for the management of those risks’.
Particular focus is needed on major risks – those that would have a probability of occurring and would have a major impact if they did become reality. Most forms of cyber risk fall within this definition of major risk, so it is an area that deserves sufficient board-level attention.
The Charity Governance Code’s fourth principle highlights this, encouraging all boards to ensure that controls and risk assessments are robust and effective.
In recent research, ‘Taken on Trust: The awareness and effectiveness of charity trustees in England and Wales’, a lack of relevant digital skills at board level was identified by trustee boards as a key skills gap area. Recognising the risks to their charities from fraud and cyber attack, many boards are concerned about whether they have the skills to address these risks effectively and to ensure their charities take the many opportunities that digital communications offer.
Responding to this finding, the Charity Commission commented that: ‘[It] speaks to the need to expand the pool of talent [on trustee boards]; the future is digital, and technology offers opportunities not only in fundraising and service delivery, but also for improving charities’ governance, and helping trustees make better decisions.’
Board effectiveness can be enhanced or hindered by data provision and use, processes, skills, knowledge, teamwork and the quality of decision-making.
Digital communications and data provision can be very helpful tools in the context of preparation for and participation at board meetings and can be used to widen diversity amongst trustees.
The trustee learning and development opportunities these tools can offer should also be considered.
The underlying aim of the proposed new Charity Digital Code of Practice is to make digital more accessible to all charities, helping them develop skills, enhance sustainability and increase the level of digital activity across the sector.
Best practice guidelines will be a key feature and there will be versions for both larger and smaller charities. The hoped-for ‘top-level’ benefits to the charity sector include increased impact and improved sustainability.
Specific ambitions include additional accessibility for beneficiaries, new engagement with funders and enhanced collaboration amongst charities.
Consultation on a draft of the proposed code, developed by a steering group following user research and testing with more than 30 organisations, is open for responses until 25 September.
Against a background of growing but still often untapped digital opportunities, significant cyber and data challenges and risks, plus increasing expectations in areas of governance and accountability, boards would do well to reflect on what ‘good’ might look like in their charities in digital and cyber security matters.
Matters for consideration include:
For those working in information security in charities and not-for-profits.
Resources include ‘Cyber security and risk management’ and ‘Charity Cyber Guide: Your defence against risk’.
Toolkits, checklists, guidance notes and other resources for charities.
Useful research report: ‘Cyber Security Among Charities’.
Resources include ‘Charity Sector Threat Assessment’ and ‘Cyber Security: Small Charity Guide’, which offers helpful material for all charities.