Last year, the Commission consulted on proposed changes to its serious incident reporting guidance. It has now published the final version, together with a report on feedback to the consultation.
Much of the content is the same as the previous version, but the structure of the guidance has changed and, on the whole, it is a more helpful document than its predecessor, in that it is a more practical guide on what constitutes a serious incident and how to report it.
What is the basis for reporting serious incidents?
The serious incident reporting regime arises from trustees' legal duty to submit an Annual Return to the Commission in such form, and containing such information, as may be prescribed by regulations made by the Commission; for its part, the Commission specifies that the information contained in the Annual Return should include details of all reportable incidents that have arisen during the year. Since the duty to submit an annual return only applies to charities whose annual income exceeds £25,000, it is arguable that small charities have no legal obligation to report serious incidents at all.
However, it is important to be aware that this is an area where the distinction between legal obligation and recommended good practice is increasingly blurred, as the Commission expects charities to report incidents promptly, and may treat failure to report as evidence of mismanagement. Taken in conjunction with the Commission's investigative and enforcement powers – recently enhanced by the Charities (Protection and Social Investment) Act 2016 – the consequences of failing to report in a way that the Commission considers to be appropriate are potentially wide-reaching for charities. Indeed, the Commission's recent Inquiry Report into the Grail Trust cited failure to identify and report a serious incident to the Commission as a "serious governance failure".
There is also an important strategic aspect to reporting serious incidents: the Commission points out that not only does timely reporting help trustees demonstrate that they are complying with their duties, it gives the Commission a chance to advise the trustees on how to handle the situation at an early stage. It also provides a mechanism whereby the trustees can explain the charity's position clearly, and can be seen to be acting proactively, thereby reducing the risk that the Commission is caught unawares and obliged to take a reactive approach if a report is made to it via other channels (including by the media).
Trustees are therefore advised to put systems in place to make sure serious incidents are brought to their attention as soon as possible and reported to the Commission in a timely way.
What sort of incidents should be reported to the Commission?
What constitutes a serious incident will to a large extent turn on the facts in each case, and trustees will need to exercise some discretion in assessing whether a particular incident should be reported. As an indication, the updated guidance says: "You should report an incident if it results in, or risks, significant loss of your charity's money or assets, damage to your charity's property or harm to your charity's work, beneficiaries or reputation", and lists six main categories of reportable incident:
- Financial crimes – fraud, theft and money laundering.
- Large donations from an unknown or unverifiable source, or suspicious activity using the charity's funds.
- Other significant financial loss.
- Links to terrorism or extremism, including "proscribed" organisations, individuals subject to an asset freeze, or kidnapping of staff.
- Suspicions, allegations or incidents of abuse involving beneficiaries.
- Other significant incidents, such as insolvency, forced withdrawal of banking services or actual/suspected criminal activity.
The updated guidance describes these in some detail, explaining what might count as a serious incident in each case. The Commission has also produced a table with illustrative examples of what should and should not be reported in the various categories. While the definition of what constitutes a "serious incident" will vary from case to case, the table and the descriptions of the types of incident the Commission wants to hear about go some way to helping trustees decide whether or not to report.
How to report
The updated guidance advises that trustees should report an actual or suspected incident "promptly", and "as soon as is reasonably possible after it happens, or immediately after you become aware of it". Broadly, trustees should feel able to take time to gather sufficient information to make a meaningful report; in some cases, it may be appropriate to make a short initial report identifying the incident and noting that a further report will follow when more information is available.
The guidance contains a helpful checklist of information that should be provided to the Commission when reporting a serious incident, and this should be followed.
At the moment, it appears that the only way to submit a report is by emailing [email protected]; however the Commission is in the process of developing an online reporting service which will ask different questions depending on the type of incident being reported.
Recognising that, for some charities, the nature of their work means that certain types of incident will occur frequently, the new guidance helpfully notes that it may be appropriate to allow these charities to make periodic "bulk" reports. The guidance recommends that charities likely to report more than 50 incidents a year should email the Commission (at the above address) with a request to discuss this option.
Reporting and Freedom of Information (FOI) requests
By their nature, many serious incident reports are likely to contain sensitive information, whether concerning a charity's operations, or individuals involved in the incident, or both. The Commission is a public authority, and as such is subject to the Freedom of Information regime whereby it is required to disclose information to the public upon receipt of a request to do so. Trustees may therefore hesitate to report certain incidents to the Commission due to concern that details may end up in the public domain via such a request, or indeed the Commission's policy on publishing its own decisions.
As a public authority, the Commission cannot avoid its FOI duties, but the revised guidance goes some way to alleviating these fears by explaining that the Commission will only disclose information in limited circumstances. The previous guidance was arguably more reassuring on this point and recommended that trustees tell the Commission if any information in a report was particularly sensitive or confidential. Although that recommendation has now gone, we recommend that trustees continue to flag any sensitive information and request that the Commission notifies them if it receives a request to disclose information to third parties.
This publication is a general summary. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, December 2017