Serious incident reporting: what charities need to know

The Commission expects charities to have a serious incident reporting policy, which sets out the appropriate reporting lines within an organisation.

Broadly speaking, the ultimate responsibility for serious incident reporting lies with the charity’s trustees. In practice, this may be delegated to someone else within the charity or to professional advisers, but whoever reports will need the authority of the trustees. If trustees choose not to report or delegate and the Commission later becomes involved in the matter, the trustees will need to explain why they did not report at the time.

However, it is not just trustees that have a duty to report; auditors and independent examiners also have a duty to report ‘matters of material significance’ to the Commission.

For charities that have an annual income greater than £25,000, it is a statutory requirement that trustees declare whether or not there have been any reportable serious incidents during the year when they submit the annual return to the Commission.

The following are all incidents that should be considered serious enough to report to the Commission: 

• Incidents related to safeguarding; these include incidents which result in or risk significant harm to beneficiaries and/or other people who come into contact with the charity
• Financial crimes, such as fraud, theft, cyber-crime and money laundering, along with any large donations from unknown or unverifiable sources
• Seemingly non-criminal financial incidents, namely significant financial losses of £25,000 or more, or, if the charity’s annual income is less than £25,000, a loss of more than 20% of charity’s income
• Any links to terrorism or extremism
• Other significant incidents, for example, insolvency, significant data breaches or losses, and incidents involving partners that materially affect the charity

The Commission understands safeguarding as the range of measures a charity has in place to protect, from abuse and mistreatment of any kind, the people who come into contact with it through its work.

Safeguarding is not only a concern for charities working with children or vulnerable adults, and a serious incident report is needed if a safeguarding risk materialises. Further examples of such risks are:

• abuse of beneficiaries, whether someone under the charity’s care or someone connected to the charity is responsible for the abuse;
• abuse of others coming into contact with the charity or the charity’s activities; and
• breaches of procedure or policies which put people at significant risk of harm.

Where a charity works with or funds partners to carry out activities, it may need to make a serious incident report if it discovers that the partner has witnessed or been involved in an incident which either materially affects the charity, its staff, operations or finances, or that affects the charity’s reputation to the extent that it is serious enough to be reported.

Here, the definition of ‘partners’ includes delivery partners, trading subsidiaries, organisations receiving funding and any other organisations linked to the charity. It’s important to carry out due diligence on all partners to understand what internal policies and procedures they have, and include a reporting obligation in partnership and grant agreements.

Due diligence on partner organisations might include:

• requesting and reviewing governing documents, as well as evidence of governance and operational structures and practices;
• if applicable, checking the partner’s status as a charity;
• looking at the organisation’s latest accounts and financial position;
• identifying the partner’s directors, trustees, executive committee or other key personnel and internal financial controllers;
• examining relevant operational policies and procedures that the partner has in place, for example, in relation to safeguarding children and vulnerable adults, and on equality and diversity;
• taking the partner’s aims and values into account; and
• seriously considering any external risk factors.

Your charity should have a serious incident reporting policy, which should be carefully followed in the event of an incident. Consider whether an investigation is necessary and, if so, who it should involve,  i.e. should it be led by trustees or an external party, and should other agencies, such as the police or Fraud Action, be involved?

The timing of your report to the Commission is important as, depending on how much information you have, it may be a good idea to make an initial report before the investigation, and provide an update once the results are available.

PR or media statements may also need to be prepared, and it should be considered whether legal or accountancy advice is needed.

Preventing the same or similar events happening in the future is paramount, so review your organisation’s processes and procedures and assess whether they need to be reconsidered or amended.