What is Resilience?
Organisational resilience has been defined as “the ability of an organization to anticipate, prepare for, and respond and adapt to everything from minor everyday events to acute shocks and chronic or incremental changes”. (British Standard 65000: 2014 Guidance on organizational resilience).
The concept of resilience also carries with it the sense of being adaptive and agile, including being proactive and flexible in the face of a changing context or operating environment. In practical terms, this means that you are better equipped as a charity to manage any type of crisis or incident, however large or small, because you have anticipated and prepared for it. This is significant because increased resilience means that you are more likely to be able to carry out your normal business operations and to pursue your charitable mission in such circumstances, with minimal or at least less disruption and adverse impact (e.g. reputationally, financially).
For example, the Covid-19 health pandemic is impacting significantly upon many aspects of routine business for many organisations, including charities. This is taking many different forms, such as changes in legislation and statutory regulations, reduced available funding, staff sickness, reduced input by volunteers, or having to implement different working practices. Such changes can also create associated unplanned for threats, risks, and potential vulnerabilities for your charity which need to be considered. For instance, how to mitigate additional cyber security risks with accompanying data breach vulnerabilities, or manage staff well-being remotely with the associated legal and insurance implications of lone/home working.
In such circumstances, the degree to which you are resilient as a charity may be the determining factor as to whether or not you continue to operate effectively or, in some instances, even survive in the face of increasing uncertainty.
The R4C Resilience Journey
At R4C, we have developed our own unique risk and resilience audit matrix tools. Not only do these seek to identify the principal threats, risks, gaps and vulnerabilities facing your charity and its ability to deliver on its charitable mission, but they do this in a comprehensive, integrated and practical way.
Though we consider compliance related issues as part of your audit, increased compliance is not our primary destination; rather, it is only one of the stepping-stones on your journey towards increased organisational resilience. We are concerned also with identifying other forms of potential threat, risk, and vulnerability which could impact significantly upon your charitable objectives and operations if not addressed. These include identifying the relationship between different areas of risk and compliance which may not be immediately apparent, but which may nonetheless create important vulnerabilities for your organisation if not addressed.
Common Charitable Threats, Risks, and Vulnerabilities
An essential part of the journey towards increased resilience, which is commonly overlooked or insufficiently understood by many organisations, is to identify all principal sources of potential threat and risk to your charitable objectives and operations, including related vulnerabilities. Without this initial assessment, you cannot effectively plan or prepare for or respond to issues or incidents which may impact negatively upon your charity.
The primary areas of risk facing a charity typically fall into the categories of governance, finance, human resources, compliance, IT/cyber and business continuity management. These risks and related vulnerabilities will commonly manifest in the following forms:
- Inadequate financial controls and due diligence, resulting in a regulatory breach or fraudulent conduct;
- A safeguarding incident involving children or an adult with care and support needs, without having the correct systems and procedures in place;
- A church worker or volunteer listed on the sex offender’s register being involved in the provision of pastoral care because correct Disclosure and Barring Services checks were not carried out, posing a risk to more vulnerable members of your congregation or community;
- A failure to take reasonable precautions in response to a foreseeable health and safety risk, resulting in a serious accident;
- An employee disciplinary or grievance issue, made worse by having insufficient mechanisms in place to ensure procedural transparency and fairness which may provide grounds for further complaint or legal proceedings;
- An employee or contractor dispute caused by having no or inadequate contracts in place, resulting in significant loss and / or disruption to your organisation;
- A significant personal data breach caused by a cyber incident involving your organisation’s database, without having the necessary insurance policy in place to cover the cost of potentially significant liabilities under data protection legislation (GDPR);
- Not having the correct policies, systems or training in place to demonstrate the necessary level of due diligence expected or required by insurance underwriters, which may impact upon if / what may be claimed under your insurance policy in the event of a claim; and
- Insufficient planning or preparation for disruptive events to business continuity, impacting negatively upon the ability of your charity to respond to or recover from incidents in the most effective way to minimise resultant loss and damage.
Everybody makes Charity happen. But the public support that charities rely on to survive and thrive cannot be taken for granted.
To rebuild and maintain the resilience of charitable institutions as the vehicles of social and public good in a post-pandemic world – we must learn from this experience and convert those lessons into opportunities to build back better."
Baroness Stowell, Chair of the Charities Commission, Speech for the Annual Public Meeting, 1 October 2020