For many charities, digital systems have become inseparable from day-to-day operations, supporting fundraising platforms, donor management, service delivery, and internal collaboration. Yet governance processes have not always evolved at the same pace.
In the UK, cyber risk is already widespread. According to the government-backed Cyber Governance Code of Practice, 50% of businesses and 66% of high-income charities report experiencing a cyber breach or attack in the last 12 months. This reflects a wider reality that digital risk is no longer hypothetical.
At the same time, trustees remain responsible for understanding and managing the risks facing their organisation, including those driven by technology. When digital risks are poorly defined or missing from the risk register, they are unlikely to receive the structured oversight they require.
This is why a dedicated, well-structured digital risk register is increasingly essential, not just for compliance, but for resilience.
Why digital risk needs to be visible at board level
Most charities already maintain a risk register. It is a core governance tool used to identify, assess, and manage organisational risks.
However, IT and cyber risks are often:
- Not clearly defined
- Treated as purely “technical”
- Separated from business risk discussions
This creates a governance gap.
Digital technologies underpin critical functions such as payroll, communications, and service delivery, yet many boards still lack meaningful visibility over how these risks are managed.
If risk is not visible at board level, it cannot be governed effectively. A digital risk register ensures that technology risk becomes part of strategic decision-making, not just technical troubleshooting.
What is a digital risk register?
A digital risk register applies the same approach specifically to technology-related risks, bringing together:
- Cyber security risks
- IT operational risks
- Third-party and supplier risks
- Data protection and compliance risks
When designed effectively, it becomes:
- A single source of truth for digital risk exposure
- A framework for consistent risk scoring and decision-making
- A tool linking risks to owners, controls, and actions
Why charities must prioritise digital risk
Charities often face a unique combination of pressure and vulnerability:
- Limited budgets prioritising frontline services
- Heavy reliance on volunteers and hybrid working
- Increased use of personal devices (BYOD environments)
- High volumes of sensitive donor and beneficiary data
As highlighted in charity-focused NCSC-supported guidance, 30% of UK charities identified a cyber attack within a 12-month period, with many incidents impacting services directly.
This underscores a critical point:
Digital risk is not just a technical issue: it directly affects service delivery, trust, and outcomes for beneficiaries.
Step 1: Distinguish operational vs strategic IT risks
A common weakness in risk registers is failing to differentiate between types of digital risk.
Operational IT risks
These affect day-to-day delivery:
- System outages or service downtime
- Data loss or corruption
- Malware or phishing incidents
- Identity and access control failures
These risks typically result in immediate operational disruption.
Strategic IT risks
These affect long-term resilience and governance:
- Over-reliance on a single platform or supplier
- Lack of board-level oversight of cybersecurity risks
- Poor alignment between digital strategy and organisational goals
- Reputational damage following incidents
Strategic risks must be elevated to board level, as they influence funding confidence, regulatory compliance, and organisational sustainability.
Step 2: Assess third-party and platform risk
Charities increasingly rely on cloud platforms, SaaS tools, and external providers to operate.
This creates third-party risk, now recognised as a major contributor to digital exposure.
Key questions to capture in your register:
- How critical is this provider to operations?
- What data do they process or store?
- What happens if the service becomes unavailable?
- What security assurances are in place?
Step 3: Integrate disaster recovery into business continuity
A digital risk register should directly inform your business continuity and disaster recovery (BCDR) planning, not sit separately from it.
Connecting these ensures:
- Risks are mapped to real recovery plans
- Critical services have defined recovery priorities
- Response actions are grounded in operational reality
Step 4: Make the register meaningful - not just compliant
To achieve this, your digital risk register should:
- Focus on material risks that impact outcomes
- Use consistent language and scoring
- Clearly define:
  - Risk owner
  - Existing controls
  - Planned actions
- Be reviewed regularly and updated as risks evolve
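To make Steps 1, 2 and 4 concrete, here is an added example (not code from the original article or from any particular charity) of a small digital risk register in Python. It records the fields the article asks for (category, owner, existing controls, planned actions, review date, supplier and data handled for third-party risks, and the BCDR plan a risk maps to) and derives the views a board would want: which risks to escalate, which entries are overdue for review, which lack an owner or controls, and which operational risks have no recovery plan behind them. The 1 to 5 likelihood and impact scale, the escalation threshold of 15, the 90-day review period and all register entries are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Category(Enum):
    OPERATIONAL = "operational"  # day-to-day delivery: outages, malware, access failures
    STRATEGIC = "strategic"      # long-term resilience: supplier lock-in, board oversight


@dataclass
class Risk:
    ref: str
    title: str
    category: Category
    likelihood: int                 # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int                     # 1 (minor) .. 5 (severe); assumed scale
    owner: str
    existing_controls: List[str]
    planned_actions: List[str]
    last_reviewed: date
    supplier: Optional[str] = None        # set for third-party / platform risks
    data_processed: Optional[str] = None  # what the supplier processes or stores
    recovery_plan: Optional[str] = None   # BCDR plan reference this risk maps to

    def __post_init__(self):
        # Consistent scoring depends on every entry using the same scale.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


BOARD_THRESHOLD = 15                 # assumed: scores >= 15 go to trustees
REVIEW_PERIOD = timedelta(days=90)   # assumed quarterly review cycle


class DigitalRiskRegister:
    def __init__(self, risks: Optional[List[Risk]] = None):
        self.risks: List[Risk] = []
        for risk in risks or []:
            self.add(risk)

    def add(self, risk: Risk) -> None:
        if any(r.ref == risk.ref for r in self.risks):
            raise ValueError(f"duplicate risk reference {risk.ref}")
        self.risks.append(risk)

    def board_view(self) -> List[Risk]:
        """Every strategic risk, plus operational risks at or above the
        escalation threshold, highest score first."""
        escalated = [r for r in self.risks
                     if r.category is Category.STRATEGIC or r.score >= BOARD_THRESHOLD]
        return sorted(escalated, key=lambda r: r.score, reverse=True)

    def stale(self, as_of: date) -> List[Risk]:
        """Entries whose last review is older than the review period."""
        return [r for r in self.risks if as_of - r.last_reviewed > REVIEW_PERIOD]

    def unmapped_to_bcdr(self) -> List[Risk]:
        """Operational risks with no recovery plan reference."""
        return [r for r in self.risks
                if r.category is Category.OPERATIONAL and not r.recovery_plan]

    def gaps(self) -> List[tuple]:
        """(ref, problem) for entries missing an owner, controls or actions."""
        issues = []
        for r in self.risks:
            if not r.owner:
                issues.append((r.ref, "no owner"))
            if not r.existing_controls:
                issues.append((r.ref, "no existing controls"))
            if not r.planned_actions:
                issues.append((r.ref, "no planned actions"))
        return issues

    def third_party(self) -> List[Risk]:
        return [r for r in self.risks if r.supplier]


AS_OF = date(2025, 4, 1)  # constructed review date used in the sample


def sample_register() -> DigitalRiskRegister:
    """Constructed sample entries; supplier names are placeholders."""
    return DigitalRiskRegister([
        Risk("DR-01", "Donor CRM platform outage", Category.OPERATIONAL, 3, 4,
             "Head of Fundraising", ["supplier SLA", "daily exports"], ["test restore"],
             date(2025, 1, 15), supplier="Example CRM Ltd (placeholder)",
             data_processed="donor names, addresses, donation history", recovery_plan="BCDR-02"),
        Risk("DR-02", "Phishing leading to account compromise", Category.OPERATIONAL, 4, 4,
             "IT Lead", ["MFA", "staff awareness training"], ["phishing simulation"],
             date(2025, 3, 1)),
        Risk("DR-03", "Over-reliance on a single cloud supplier", Category.STRATEGIC, 2, 5,
             "CEO", ["annual supplier review"], ["document exit plan"],
             date(2024, 11, 1), supplier="Example Cloud Inc (placeholder)",
             data_processed="all shared documents and email"),
        Risk("DR-04", "Payroll data loss", Category.OPERATIONAL, 2, 3,
             "", [], ["offsite backups"], date(2025, 3, 10), recovery_plan="BCDR-01"),
    ])
```

Run as a module and call `sample_register().board_view()`: the phishing risk is escalated because its score reaches the threshold, while the supplier risk is escalated simply because it is strategic, even though its score is lower. That is the point of Step 1: strategic risks go to trustees regardless of score. The `gaps()` and `unmapped_to_bcdr()` checks catch the entries that would make the register "compliant but not meaningful" (Step 4) or disconnected from recovery planning (Step 3).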
A static document reviewed annually will not support resilience.
A living, board-facing tool will.
Bringing it together: From visibility to resilience
A well-structured digital risk register enables:
- Clarity – leadership understands digital exposure
- Accountability – risks are owned and actively managed
- Alignment – digital decisions support organisational goals
- Resilience – the organisation can respond and recover effectively
Without it, digital risk remains fragmented – often invisible until something goes wrong.