Tackling Governance, Risk & Compliance in Charitable Organisations


Charitable organisations have a responsibility to use their resources as effectively as possible and to comply with complex regulations, which is why effective management of governance, risk & compliance is key. In this blog, we explore some of the key risk & compliance challenges facing the NGO/not-for-profit sector and explain how digitising and streamlining processes can help them remain compliant, build trust with donors & investors, and implement worthwhile initiatives that help them deliver on their key objectives.

With 2023 forecasted to be a year of economic uncertainty amidst the threat of a looming recession, charity and non-profit organisations are experiencing a period of unrelenting change driven by factors such as the growing demand for demonstrable impact of their activities, visibility into their spend and ethical standpoint, and calls for proof of compliance within an increasingly complex regulatory environment.

From humanitarian aid and international development, to healthcare, children and youth membership groups, and charities supporting a range of disabilities, charitable organisations – regardless of size and profile – must contend with onerous challenges in inflation, rising costs, cyber threats, donor hesitancy, and reductions in government funding.

Given current global events, plus an increasingly stringent regulatory and operating landscape for the non-profit sector, charities now more than ever need to focus on implementing robust governance, risk & compliance practices to provide visibility into their operations and build trust.

Many charities and NGOs rely on spreadsheets & manual processes or outdated legacy systems to manage risk and compliance. Manual risk and compliance processes result in copious time spent on admin and reporting, preventing organisations from getting a consolidated view of risk and hampering effective decision-making and risk mitigation.

Here we explore some of the key risk & compliance concerns for NGOs and not-for-profit organisations and share some of the ways the right GRC software can help organisations in this sector cut back on the red tape to get the oversight they need.

Robust Risk Management

Risk is an everyday part of charitable activity – and managing risk effectively is key if charity trustees are to achieve their key objectives and safeguard their charity’s hard-earned funds and assets.

The structure of charitable organisations and their activities, funding bases, and reserves, open up these organisations to differing areas of risk and levels of exposure. Due to the nature of their work, they must consider risks relating to lack of funding, unethical management of funds, bribery & corruption, and conflicts of interest. There are also operational risks to the large-scale humanitarian projects and charitable events organised by these associations that must be carefully managed to ensure the most vulnerable are not impacted. These organisations must also consider the risk of non-compliance with various laws, regulations, and policies, and ESG risks relating to environmental impact and their ethical stance.

The risks that a charity faces depend on the nature, size, and complexity of the activities it embarks on and its finances. The charitable sector is by its nature diverse – it faces differing exposures to risk arising from its various activities & projects, and each organisation will have a different capacity to tolerate or absorb risk. For example, a non-profit with sound reserves could embark on a new project with a higher risk profile than a charity having to contend with financial difficulties. As a rule of thumb, the more complex, diverse, or larger a charity's activities are, the more risks it will face, making regular risk assessments and on-going monitoring a high priority.

A smart charitable organisation will regularly review and assess the risks it faces across all areas. This is why the implementation of an effective risk management programme is crucial to ensure that a charity is fit for purpose. It must maintain an up-to-date risk register to categorise and rate risk and monitor it on an ongoing basis. It must perform regular risk assessments, checks, questionnaires, and surveys to ensure risk is not reaching an intolerable level. Of course, like all organisations, charities will need to absorb a certain degree of risk to remain operational and achieve their strategic objectives, therefore mapping risk to clearly defined parameters and aligning it with strategic goals will benefit any risk management programme. Risks can be high when working in war-torn countries, and sufficient controls must be put in place to protect the staff and volunteers involved.

GRC software can help not-for-profit organisations implement best-practice risk management processes to get a consolidated view of risk. These tools enable organisations to:

  • Set up an online risk register, to identify, track and monitor risk.
  • Perform online risk assessments, questionnaires, and surveys – with all data feeding directly into the tool.
  • Define KRIs and set controls to detect potential risk indicators in transactional and operational data that feed into the tool via API integrations with other data sets and systems.
  • Use automated workflows & alerts to send notifications when risk reaches an intolerable level.
  • View built-in dashboards & reports to get complete oversight into your risk profile – allowing budget & resources to be spent in the most critical areas to reduce risk.

Some GRC software platforms enable non-profit organisations to link risk management processes to their strategic objectives. This essential mapping enables them to take a certain degree of risk in pursuit of their strategic goals & objectives, whilst mitigating critical risks that could have a detrimental impact on their strategy.

By having clear visibility of their vision, goals, and objectives – and understanding how these relate to risk – NGOs can align their planning and reporting frameworks, achieve real-time savings, maximise buy-in for the risk management process, support trustees in making data-backed decisions, and support leaders in delivering on the strategy.

Cyber & IT Risk

Charities hold a huge amount of personal data on beneficiaries, donors, and employees & volunteers. Each of these groups has its own set of privacy concerns which must be addressed with stringent data handling procedures and security measures.

Charities and NGOs must ensure compliance with data privacy policies and regulations like GDPR, NIST and PCI DSS. Non-compliance may result in reputational damage and regulatory scrutiny.

As technology becomes increasingly pervasive in charity operating models, the need to focus on the cyber security of IT systems and infrastructure – which are relied upon to safeguard information and to maintain continuity – is growing. The need for ongoing monitoring of IT risk, threats, and vulnerabilities is critical, as is the need to ensure that staff & relevant third parties adhere to key IT policies.

An integrated approach using GRC software can simplify the IT risk & compliance process, enabling organisations to easily monitor IT risk, perform data checks & control tests, and quickly identify & address any gaps in data processing activities. Adopting purpose-driven software establishes a central structure for the overall IT and cyber hierarchy – simplifying monitoring and providing a framework for the various IT-related risk management and compliance activities.


Compliance is a key concern for charitable organisations. Not only do they have to comply with a whole host of regulations to keep their charitable status, but they must have robust policies in place to address key issues around bribery & corruption, money laundering, and conflicts of interest – while ensuring they have a comprehensive code of conduct for staff to follow.

Charities are built on good ethics – this is how these organisations demonstrate their commitment to accountability and transparency and show the public they are worthy of its trust and confidence. Without it, the public simply wouldn’t give to charities – and the sector’s programmes and services could never be provided. Accountability and transparency are important factors in establishing non-profit governance. Conflicts of interest and financial mismanagement in charities can cause real problems if not addressed.

GRC software can support NGOs to address their compliance concerns in several ways:

Compliance Obligations Library – Using the latest GRC technology, charitable organisations can set up an online obligations library of applicable regulations, policies, and procedures – enabling them to monitor compliance.

Policy Management – With so many policies and regulations in place, keeping track of policy owners, changes, approvals, and expiry dates can be a challenge. The policy management capabilities available with GRC software will ensure policies remain up to date, automate approval processes, and enable on-line policy attestations.

Regulatory Change Management – NGOs and charities are subject to many regulations. Implementing a regulatory change programme that maps relevant regulations to processes and procedures can help organisations keep up with regulatory change through automated approvals & alerts – providing a complete audit trail of when changes were implemented.

Anonymous reporting & whistleblowing – Many GRC tools offer online portals where staff can report incidents and compliance problems discreetly, and facilitate anonymous whistleblowing to ensure problems are highlighted and addressed.

ESG Reporting

Until quite recently, Environmental, Social and Governance (ESG) reporting has largely been the domain and focus of publicly listed corporate entities. Today, however, there is increasing pressure from investors and donors for non-profits and charity organisations to embrace the practice.

A recent report by RSM, titled “What does ESG mean for the charity sector”, analysed over 114 charities’ annual accounts and found that non-profits have a head start when it comes to ESG – as the purpose of a charity is to provide public benefit and cause no harm to the environment – making it quite clear that the purpose of ESG aligns seamlessly with the objectives of charitable organisations.

ESG reporting should be approached as an opportunity to integrate key environmental and social sustainability principles into a charitable organisation’s lifecycle to ensure programmatic success and donor retention for years to come. But how can charitable organisations prove their ESG credentials?

GRC technology with ESG capabilities can help organisations monitor progress against their ESG initiatives. The tools offer best-practice frameworks to help organisations:

  • Define an ESG strategy with a series of goals & objectives.
  • Set Key Performance Indicators (KPIs) to visualise progress.
  • Monitor compliance with ESG related obligations.
  • Log ESG related incidents.
  • Track and monitor ESG related risk.

When all of this is managed within one platform, it creates a single source of truth for all ESG related activity.

Leveraging an integrated GRC tool with strong ESG capabilities can support charitable organisations to demonstrate their values, culture, and ethics. By developing an ESG strategy and framework, they can track progress and report on key initiatives, centralise all ESG data via API integrations, manage ESG risk & third-party ESG compliance, and meet ESG regulations.

The charity sector makes a marked difference in the social sphere – which is why ESG credentials can not only help these organisations guard against possible unethical and unsustainable practices but also highlight the numerous contributions the sector makes to the broader society to optimise future donor investments.

Project Management & Project Risk

Charitable organisations constantly run the risk of not receiving donations and must contend with a wide variety of ‘project risk’ as they seek to implement large capital projects, galas, and functions to raise funds and help the vulnerable people they are working to support.

When it comes to implementing some of their larger global projects, GRC software with project management capabilities can equip them with the tools they need to deliver projects on time and build stakeholder trust – making it easy to plan projects like fundraising events, deliveries of aid packages & food, and even large-scale humanitarian projects like building infrastructure in underdeveloped areas.

By opting to adopt a GRC platform with strong project management capabilities, projects of all sizes can be mapped out with key timelines, deliverables, and budgets. Automated workflows enable collaborative working, and any project risks can be added to the risk register and monitored. Progress can easily be viewed, and controls can be set to flag problems like missed deadlines and overspends. Projects can easily be prioritised to ensure budget and resources can be allocated to the most critical initiatives. Project management tools make collaborating on large projects easy and provide leaders with critical insights into project status – cutting back on lengthy progress meetings and updates.

To ensure the successful delivery of large-scale humanitarian projects and fundraising events, charities and NGOs must carefully manage the associated risks. Organisations should identify potential ‘project risk’ and establish Key Risk Indicators (KRIs); they should also create a risk register & framework to categorise & prioritise risk. They should carry out regular risk assessments & checks to monitor risk levels and implement workflows to ensure problems are addressed and resolved quickly. Managing project risk using a GRC platform allows organisations to automate the risk management process using control monitoring and automated workflows & alerts; it also enables organisations to integrate project risk into their wider risk management programme.

By anticipating potential project risks and having a plan in place to mitigate or avoid them, project managers can make informed decisions, allocate resources effectively, and ensure that the project is completed on time, within budget, and to the desired quality standards.

Embarking on GRC Automation

Because charitable organisations enjoy advantageous financial privileges such as tax exemptions and access to public funding, non-profits are routinely held to a high standard by both the public and regulatory watchdogs to ensure these privileges are not abused and are put to good use.

Today, the three pillars of governance, risk and compliance are critical for the long-term success of non-profit and charitable organisations. Strong governance depends on robust risk management capabilities to maintain stability as the organisation charts a course into an uncertain future, while good compliance helps it maintain its advantageous financial position.

Leveraging GRC technology is essential for non-profit organisations to develop an efficient, agile, and collaborative reporting framework. By centralising GRC processes into a single unified platform, NGOs can greatly benefit from the resulting visibility and mapping of various risk & compliance processes, highlighting the relationships between them, reducing manual effort, and providing enhanced overall risk awareness.

A charity that consolidates its GRC processes into an integrated platform creates a single source of truth, full traceability & audit tracking for all GRC processes, improved information & analytics to drive better decision making, and a massive reduction in time spent on administrative activities.

This integrated and flexible approach produces heightened visibility into risk relationships through a series of insightful dashboards and reports, supporting risk-based decision-making.

Implementing a GRC platform like Camms.Risk will support NGOs and charities in implementing best-practice processes across risk management, compliance, incident reporting, ESG, project management, and strategic planning.

The technology can support charities to reduce manual effort and save the time spent on administrative activities. This, along with the centralised risk repository, can improve data integrity, empowering teams to leverage analytical tools to derive actionable intelligence and make informed business decisions.

Camms is committed to helping organisations advance on the GRC maturity journey with standardised processes and frameworks, automated workflows, and improved information sharing. To discover more, reach out for a demo today. Find out more about how the Camms GRC platform is helping charities and not-for-profit organisations.

Daniel Kandola

Vice President, EMEA
