But there is a wealth of guidance available to help
The Charity Governance Code points out that good governance is fundamental to the success of charities and promotes a healthy culture from within. Alongside this, as charities face income and other resource pressures plus a challenging operational environment, they need to make the best possible use of the opportunities that digital communications offer – in their governance and operational activities but also in developing and strengthening relationships with their stakeholders. Digital technology can and does enable charities to have a better and further reach into places of need.
However, charities are not immune from the challenges and risks of the digital world. Across all sectors, the National Crime Agency reports that cyber crimes now outnumber physical crimes. The Information Commissioner's Office figures for April 2016–17 demonstrate a two-thirds annual increase in the number of charities experiencing a data breach incident.
Key areas of digital and cyber risk for charities are:
- Effective protection of those with vulnerabilities to exploitation, abuse and other forms of harm
- Avoiding dangers to financial stability, funds
- Risks to reputation and risks of damage to the confidence and trust in charities of their beneficiaries, other stakeholders and the wider public.
Risk is an inevitable reality in a charity's activities and digital risk is a growing proportion of any charity's risk profile.
Managing such risk effectively is an essential part of the good stewardship required of charity trustees and a key part of their governance responsibilities.
As the Charity Commission points out in CC26 'Charities and Risk Management': 'Charity trustees should regularly review and assess the risks faced by their charity in all areas of its work and plan for the management of those risks'.
Particular focus is needed on major risks – those that would have a probability of occurring and would have a major impact if they did become reality. Most forms of cyber risk fall within this definition of major risk, so it is an area that deserves sufficient board-level attention.
The Charity Governance Code's fourth principle highlights this, encouraging all boards to ensure that controls and risk assessments are robust and effective.
Board skills gaps
In recent research, 'Taken on Trust: The awareness and effectiveness of charity trustees in England and Wales', a lack of relevant digital skills at board level was identified by trustee boards as a key skills gap area. Recognising the risks to their charities from fraud and cyber attack, many boards are concerned about whether they have the relevant skills to address these risks effectively, as well as to ensure their charities take the many opportunities that digital communications offer.
Responding to this finding, the Charity Commission commented that: '[It] speaks to the need to expand the pool of talent [on trustee boards]; the future is digital, and technology offers opportunities not only in fundraising and service delivery, but also for improving charities' governance, and helping trustees make better decisions.'
Board effectiveness can be enhanced or hindered by data provision and use, processes, skills, knowledge, teamwork and the quality of decision-making.
Digital communications and data provision can be very helpful tools in the context of preparation for and participation at board meetings and can be used to widen diversity amongst trustees.
The trustee learning and development opportunities these tools can offer should also be considered.
Digital code of practice
The underlying aim of the proposed new Charity Digital Code of Practice is to make digital more accessible to all charities, helping them develop skills, enhance sustainability and increase the level of digital activity across the sector.
Best practice guidelines will be a key feature and there will be versions for both larger and smaller charities. The hoped-for 'top-level' benefits to the charity sector include increased impact and improved sustainability.
Specific ambitions include additional accessibility for beneficiaries, new engagement with funders and enhanced collaboration amongst charities.
Consultation on a draft of the proposed code, developed by a steering group following user research and testing with more than 30 organisations, is open for responses until 25 September.
Against a background of growing but still often untapped digital opportunities, significant cyber and data challenges and risks, plus increasing expectations in areas of governance and accountability, boards would do well to reflect on what 'good' might look like in their charities in digital and cyber security matters.
Matters for consideration include:
- Sufficient resources should be devoted to enhancing skills and competencies
- Insight and wisdom should be exercised in identifying what external advice and support the charity needs in what can be highly technical areas, beyond the detailed knowledge and experience of both trustees and staff
- Trustees should ask pertinent questions and also should never be afraid to say when they are not comfortable with the current situation or proposals for the future
- Boards should nurture a culture of constructive challenge at board level – challenge to data, underlying assumptions and options available.
For those working in information security in charities and not-for-profits.
Resources include 'Cyber security and risk management' and 'Charity Cyber Guide: Your defence against risk'.
Toolkits, checklists, guidance notes and other resources for charities.
Useful research report: 'Cyber Security Among Charities'.
Resources include 'Charity Sector Threat Assessment' and 'Cyber Security: Small Charity Guide', which offers helpful material for all charities.
Cecile Gillard is legal manager, charities and civil society at Burton Sweet.