
When Governance Comes Too Late: A Charity Risk Case Study

  • Writer: Julien Haye
  • Jun 9, 2024

Updated: Sep 29

Cover image for blog post “When Governance Comes Too Late: A Charity Risk Case Study.” Abstract background with multicolored hand sculptures symbolising trustees, governance, and oversight. Subtitle: “A case study on delayed risk action, board oversight, and lessons for trustees.”
Charity Governance and Risk Assessment

Is your board truly equipped to protect your charity when risks escalate?


For one mid-sized UK charity, the answer came too late. Trustees had focused heavily on finances while overlooking outdated risk registers, weak data protection, and unclear governance practices. By the time Aevitium LTD was brought in to refresh oversight and run a governance maturity assessment, the structural gaps were already critical. This case study shows how delayed action on risk and governance can expose trustees to liability, threaten resilience, and in this case, contribute to closure. As we keep seeing in our work, delaying governance reviews amplifies the potential risks charities manage, from financial exposures to data protection failures.

 

Please note that we have "neutralised" the following case study and documents to protect the charity's anonymity.


Background


A mid-sized UK charity with annual revenues of around £250,000 approached Aevitium LTD to update its policy framework. During our initial consultation, it became clear that the core issue was deeper: the governance arrangements and risk register had not been reviewed for years. Charity trustees are required to regularly review whether governance arrangements are fit for purpose and aligned with regulatory expectations (read more about trustees' responsibilities).


The CEO recognised that these weaknesses needed urgent attention before any new policies could be credible. At the same time, the charity was under financial pressure following COVID, with trustees focused almost exclusively on stabilising the organisation’s finances rather than addressing wider risks.


Curious how your charity measures up? Take our free Charity Governance Maturity Assessment and see how your practices compare to sector benchmarks.




Why Governance Needed Urgent Attention

 

During the consultation, it became clear that the charity’s challenges extended far beyond outdated policies. Years of financial focus had left critical areas of governance neglected:


  • Risk Register: The register had not been updated since the CEO’s arrival and was a confusing mix of generic risks and detailed control standards. It had been shelved almost immediately after being produced and never used again until we requested it. We redesigned the risk register using a clear risk register template to create a practical risk management process that supported effective risk management at board level (read more about charity risk register).

  • Data & Cybersecurity: On joining, the CEO raised concerns about data management and weak cybersecurity. The board agreed to migrate personal and membership data from a vulnerable on-premises database to a secure SaaS solution.

  • Regulatory Requirements: Although trustees signed audited accounts and approved the mandatory risk statement, in practice they had not reviewed risk management processes for many years.

  • Insurance Coverage: Neither the CEO nor trustees had clarity on whether existing insurance adequately covered the charity’s exposures.

  • Board Dynamics: Trustees lacked the risk skills to engage with these challenges, often limiting their support to short-term financial oversight rather than broader governance improvements.


Boards that wait too long to address governance risk expose themselves to avoidable closures. Trustees who treat compliance and oversight as an active part of their governance cycle not only protect their mission but also demonstrate maturity to funders and regulators. [Book a free consultation] to review your board’s governance readiness and strengthen your charity’s oversight practices.



The Intervention

 

To break through board inertia, the CEO sought an independent perspective on governance and risk. Aevitium LTD was engaged to provide both analysis and practical tools:

  • Governance Maturity Assessment: We introduced the first version of the Charity Governance Scorecard. Eight participants — trustees and senior managers — completed a self-assessment, answering ten questions covering governance, strategic planning, risk, and culture. This created a shared view of the organisation’s current maturity.

  • Risk Register Redesign: Working through workshops with the CEO, we simplified the outdated risk register into two levels:

    • Top Strategic Risks: Four themes identified as board-level priorities.

    • Operational Risks: A more detailed register for day-to-day management.

  • Action Mapping: For each strategic theme, we documented risks, potential triggers, impacts, and both current and planned remediation activities. This provided the CEO with a structured way to engage trustees in forward-looking governance.


The Outcome

 

The CEO had decided to use the outcome of the assessment to support a discussion with their board and the organisation’s audit and risk committee. We prepared the following artefacts to support their discussion.

 

We carefully crafted the agenda to ensure the CEO could:


1) Educate the board of trustees and remind them of the most basic but fundamental requirements, legal obligations, and associated personal liabilities.


Governance and Risk Management Requirements by the UK Charity Commission

2) Introduce the maturity assessment to ensure that participants understand its structure and what it means for the charity.


Charity Risk Maturity Levels

 

3) Present the results of the self-assessment. Here were the objectives:

  • Create a common and agreed-upon understanding of the organisation's current diagnostics.

  • Establish a desired level of maturity. 


Governance Assessment Scorecard Results

4) Present the updated risk register and the top four strategic themes. Here were the objectives:

  • Create a common and agreed-upon understanding of the current risk profile.

  • Initiate a discussion on remediation activities, letting the company's board and management define them.


Charity Top Risks Overview

Charity Top Risk Detailed by Risk Type

Charity Risk Register - Board Presentation

As we were preparing for the committee meeting, we received news from the CEO that the Board of Trustees had decided to close the organisation. To quote them: 

“The work you were so kindly doing for us around risk was unfortunately started by the charity too late in the day to salvage the organisation.”

This is a reminder that risk management is, by its very nature, a proactive, people-centric mindset. Many charities find staying on top of governance and risk management difficult. Often, they lack the resources and expertise to assess themselves on their own. And sourcing external assistance can be beyond their financial reach.


Smaller charities often lack resources to build structured risk management processes, while larger charities must demonstrate effective risk management across health and safety, finance, and data protection to reassure funders.

 

Aevitium launched the free Charity Maturity Assessment Scorecard and our governance and risk management solutions for charities and non-profits to help them improve their governance and risk management. Though we were too late to save this organisation, we hope that this new tool can help many other organisations continue providing their great contribution to our society!

 

Not sure your charity's governance and risk management is mature enough to protect you? Take our free charity risk and governance maturity assessment.


About the Author: Julien Haye


Managing Director of Aevitium LTD and former Chief Risk Officer with over 26 years of experience in global financial services and non-profit organisations. Known for his pragmatic, people-first approach, Julien specialises in transforming risk and compliance into strategic enablers. He is the author of The Risk Within: Cultivating Psychological Safety for Strategic Decision-Making and hosts the RiskMasters podcast, where he shares insights from risk leaders and change makers.



FAQs


Q1. Why is governance critical for UK charities?

Governance is a legal duty for trustees. It protects against personal liability, ensures compliance with the Charity Commission, and strengthens funder confidence.


Q2. What happens if a charity delays addressing governance risks?

Delays can escalate financial, operational, and reputational risks. As this case study shows, late interventions often limit the ability to recover and may even lead to closure.


Q3. What tools can help trustees improve governance?

A governance maturity assessment and updated risk register give trustees a clear baseline, practical roadmap, and evidence of oversight maturity.


Q4. How can boards demonstrate maturity to funders and regulators?

Boards that embed compliance into their governance cycle show accountability and foresight. This reassures regulators and funders about long-term resilience.

