From a misguided tweet to conflict of interest and even fraud, dealing with risk is part and parcel of the operation of every charity. As part of their governance function, all charity trustees should be engaged in exploring, scoring and recording risks to their organisation. For this reason we regularly address the subject with new and existing charity clients, and in our public seminars.

At our recent charity trustee training session we reviewed the burden of risk and liability in order to help trustees understand their potential personal exposure. For every charity, regardless of size, the key indicator is the charity's legal structure. The Scottish Charitable Incorporated Organisation (SCIO) is fast becoming the most popular legal form for new charities, precisely because of the SCIO's separate legal personality and the attraction of limited liability status (previously only afforded to charitable companies, industrial providents and Royal Charter bodies). But the majority of charities on the Scottish Register are not incorporated – trusts and associations – and here lurk the pitfalls of personal exposure to liability if duties are not performed properly or risks are not properly addressed.

Areas of potential risk for charities range far and wide, but much will depend on the nature of activities and the complexities of operations or specific projects. To take a couple of the queries raised at our seminar:

  • Data Protection: The charity trustees' duty to"comply with the general law" is all encompassing. All areas of law relevant to the charity must therefore be considered. The Data Protection Act 1998 imposes an obligation on charities to protect personal information which it holds (say, of its members or beneficiaries). Practical steps, set out in updated policies for staff and trustees alike, should be adopted. These will include having secure methods of storage and appropriate levels of encryption of data. Official guidance for charities can be found here.
  • Overseas projects: When applying charitable funds abroad, two particular points come to mind – exposure to liability for operations"on the ground" and tax.
  • Be wary about division of responsibility when carrying out projects and activities with others: is your charity acting solely as funder, or is it involved in some way in the delivery of work? Either way, while local law applies, UK standards may well be higher and a failure to meet the standards expected at home could give rise to exposure from bad publicity: public perception and mitigating reputational risk are important factors in maintaining good relations with funders and the public.
  • HMRC will closely examine payments made outwith the UK. By virtue of UK tax legislation such payments shall not be treated as charitable expenditure unless the funding charity takes such steps as may be reasonable in the circumstances to ensure that funds will be applied for charitable purposes as defined in the UK. An official receipt or acceptance of conditions by the donee body might not suffice.

We continue to learn much about the importance of adopting a robust risk management strategy through news highlighting the challenges or failings of others. While difficult for those involved, the glare of a Regulator's inquiry will often provide essential sector insight into the valuable lessons in managing risk. OSCR's paper 'Who's in Charge' which provides some useful guidance, can be found here.

The themes from recent case studies are apparent; managing risk effectively is an essential function of charity governance and responsibility for this rests firmly at board level. So, at your next trustees' meeting please spare a thought for risk.