Whilst the running of a small charity differs greatly to that of a national third sector organisation, there are some aspects that need to be the same across the board.
Legislation, for example. Smaller good causes need to abide by the same rules as household name charities, with the same legal paperwork, governance and constitutional make-up.
Small charities should also mirror larger ones when it comes to protecting their organisation against fraud and cybercrime.
A Scottish charity, HIV Scotland, recently sent out an email to more than a hundred people without hiding the individuals’ email addresses from each other. A simple error, perhaps, but the consequences saw the charity being handed a £10,000 fine by the Information Commissioner’s Office (ICO). A lot of money for any organisation, but more so when the income of said charity comes from big-hearted donors, who no doubt hand over cash with the intention of making the world a better place for the cause’s beneficiaries, rather than bailing out its mistakes.
When HIV Scotland’s policies and practices were reviewed, they were deemed to be lacking, as was the organisation’s commitment to staff training. Given that most data breaches arise because of human error, this is clearly a weak link. The charity now has a new team in place, as well as a fresh board of trustees. However, it states in this report that the ICO still found issues within HIV Scotland seven months after the fine was issued.
According to the Charity Commission, the third sector reported a staggering £8.6 million of ‘lost funds’ just last year alone, stemming from more than a thousand separate incidents. The pandemic was cited as one of the reasons this figure is so high, with charities blaming lax procedures on staff working from home.
Due diligence is a phrase that pops up a lot in the third sector, with the Charity Commission insisting on strict governance to grant charity status and funders requiring a raft of checks before issuing awards.
If the public knew how much fraud existed within charities, it’s highly likely this would affect the amount of donations they give. Charities need to take more precautions than any other type of organisation to avoid damage to their reputations and possible loss of income.
The chair of the Fraud Advisory Panel, David Clarke, says, ‘With fraud and cybercrime at record levels it has never been more important for charities to be aware of the risks and how they might be affected. As we emerge from the pandemic, charities need to recover and flourish without fear of fraud. Taking relatively simple measures can go a long way to protecting your charity and keeping it safe from harm. It is concerning that a small minority of charities still do not financially invest in fraud prevention activities. This shows that there is still more to be done.’
I completely agree. Here are some points I propose all organisations consider towards this aim.
Appoint a fraud officer
This person doesn’t have to be a former fraud detective, just someone who is perhaps good with numbers and who can second check grant applications, banking submissions and expense claims, etc. It would also be a good idea to have a third person spot check things of this kind every now and again. Though no charity would like to believe that their staff are anything less than straight-as-a-die honest, internal fraud is a huge problem in the third sector.
Credit card scams and money laundering is also rife, where stolen cards are used to make large donations. If anything looks suspicious, don’t give it the benefit of the doubt…check it out!
Don’t take everything at face value
Whilst it’s nice that the general public may wish to raise money in your charity’s name—for example, running a marathon, holding a table-top sale or undertaking a sponsored swim—hold relevant checks and ensure that the fundraiser’s campaign is all above board. There are many stories to be found of bogus fundraising events where the fundraiser(s) pocketed all the donations; because their campaign was in the name of a bona fide charity, the public were happy to hand over their money. Have a glance through the local news on a regular basis and do keyword checks on your charity’s name, so that you can be aware of everything that’s supposedly happening in the name of your organisation.
Install protection
To guard against cybercrime, install firewalls and anti-virus software on all staff machines, and ensure the whole team is properly trained in protecting data, spotting phishing emails and recognising scams. That staff work remotely shouldn’t increase the risk factor too much if proper measures are put in place. My advice would be to engage the services of a professional in this regard; this requires a little investment, but it’s much, much cheaper than paying a fine, like the one HIV Scotland received, if your organisation fails to protect sensitive or confidential data.
It’s always better to be safe than sorry, and being a small charity isn’t an excuse to not take your financial, confidentiality and security responsibilities seriously. If you would like help in ensuring your organisation is doing everything it needs to, contact me on 0114 350 3354 or email wendy@letssave.biz.