Charity Serious Incident Reporting UK 2026: What to Report and When
The four reportable triggers for UK charity serious incidents. Reporting process, free template, and what happens after the report.
Charity Serious Incident Reporting UK 2026: What to Report and When
Trustees have a legal duty to report serious incidents to the Charity Commission. The four reportable triggers, the report itself, and what happens next.
Last reviewed: 29/06/2026 · Written by Ivan Siyanko, CEO, CharityIQ.
TL;DR
– All UK charity trustees have a duty to report serious incidents to the Charity Commission promptly.
– The four reportable triggers are: significant harm, significant financial loss, criminal activity within the charity, and significant reputational damage.
– Charities that report promptly are treated more leniently than those that hide incidents.
– This post covers what counts, the reporting process, and recovery — plus a free template for the report itself.
What “serious incident” means
A serious incident is any event in your charity that’s resulted in, or risks resulting in, significant harm or loss. The Charity Commission’s serious incident reporting guidance frames it as a duty of trustees, not a discretionary choice.
Most UK charities never have a serious incident. The duty exists for the rare day when one occurs — and how you respond defines whether it stays a contained issue or becomes a crisis.
The four reportable triggers
The Charity Commission identifies four trigger thresholds. Any one of them, on its own, means you should report.
1. Significant harm to a beneficiary, staff member, volunteer, or person connected with the charity
Examples:
– Safeguarding incident affecting a child or adult at risk
– Death or serious injury of a beneficiary, even if unrelated to charity activity, where charity may be implicated
– Significant breach of duty of care
– Bullying or harassment leading to serious harm
Key threshold: significant. A minor incident with no harm doesn’t typically rise to reportable. Anything resulting in police involvement, hospital treatment, or formal complaint usually does.
2. Significant financial loss
Examples:
– Theft or fraud — internal or external, regardless of who recovers it
– Significant misappropriation of funds
– Material loss through serious mismanagement
– Cybercrime resulting in financial loss (e.g., CEO fraud, ransomware payment)
Key threshold: the Commission’s published guidance suggests amounts greater than £25,000 for medium-sized charities, but proportionality matters — a £5,000 loss on a £30,000 income charity is significant.
3. Criminal activity by trustee, staff, or volunteer
Examples:
– Theft, fraud, or financial crime
– Serious data protection breach
– Sexual misconduct or assault
– Other criminal activity in connection with the charity
Police involvement is a trigger almost on its own — though some incidents reported to police may still not rise to “serious incident” if isolated and recoverable.
4. Significant reputational damage
Examples:
– Media coverage of misconduct or wrongdoing
– Public allegations leading to loss of donors or beneficiaries
– Trustee or senior staff conduct attracting public criticism
– Serious complaint from a regulator other than the Commission
Key threshold: loss of public trust at scale, not minor PR issues.
What you must do — the reporting process
The Charity Commission’s expectation:
Step 1 — Immediate action. Whatever the incident, the first priority is safety, security, and limitation of damage. Police, safeguarding, IT, etc. before reporting.
Step 2 — Document. Write down what happened, when you became aware, who’s involved, what you’ve done so far.
Step 3 — Report to Commission. Via the online serious incident reporting form. The form asks for:
– Charity registration details
– Nature of the incident
– When it happened
– Who’s affected
– What action you’ve taken
– What further action is planned
Step 4 — Continue cooperation. The Commission may contact you for follow-up. They may also direct you to other regulators (ICO for data breaches, FCA for financial crime, police for criminal matters).
Timing: “promptly” is the legal standard. In practice, within 5-10 working days of becoming aware. For ongoing incidents (e.g., active cybercrime), the report itself can be a “what we know now” interim update.
From CharityIQ. CharityIQ tracks your incident log, reporting timelines, and follow-up actions — so trustees can demonstrate due diligence. See compliance →
What happens after a report
The Commission’s response is proportionate to the incident:
Most reports: acknowledged, no further action. Commission tracks but doesn’t intervene.
Some reports: request for further information. Commission asks for additional context to assess.
Serious cases: regulatory action. Could include direction to take specific steps, removal of trustees in serious breach, or formal inquiry.
Reputation/criminal cases: the Commission may publish a regulatory case report — a public statement of findings. These are searchable.
The Commission’s stated philosophy: charities that report incidents in good faith are treated supportively. Charities that hide incidents and are caught later face more serious consequences.
Free template — your serious incident report
SERIOUS INCIDENT REPORT — [CHARITY NAME]
To: Charity Commission for England and Wales
Date: [date of report]
CHARITY DETAILS
- Charity name: [name]
- Charity registration number: [number]
- Reporting trustee: [name + position + contact]
INCIDENT SUMMARY
[1-2 sentences: what happened, when]
INCIDENT DETAIL
- Date(s) the incident occurred:
- Date charity became aware:
- Brief description of what happened:
- Who is affected (numbers and categories):
- Estimated financial loss (if applicable): £
- Any other regulatory bodies involved (police, ICO, etc.):
WHICH TRIGGER APPLIES (tick all that apply)
[ ] Significant harm to person(s)
[ ] Significant financial loss
[ ] Criminal activity by trustee/staff/volunteer
[ ] Significant reputational damage
ACTION TAKEN SO FAR
- Immediate steps:
- Safeguarding/security measures:
- People notified:
FURTHER ACTION PLANNED
- Investigation:
- Policy changes:
- Recovery actions:
- Timeline:
CONTACT FOR COMMISSION FOLLOW-UP
- Name:
- Email:
- Phone:
Reported on behalf of the Trustee Board.
[Reporting Trustee signature]
Common mistakes UK charities make
1. Delaying the report. Hoping it goes away. It doesn’t.
2. Reporting too narrowly. Focusing on what happened to the charity, not the affected individuals.
3. Self-investigating before notifying police. For criminal matters, police first.
4. Treating the report as the end. Internal review and policy update should follow.
5. No incident log. The pattern of small “near-miss” incidents is itself information.
When NOT to report
Some incidents don’t rise to “serious”:
- A minor bookkeeping error caught and corrected
- A volunteer leaving on disputed terms with no harm
- A small donation refunded due to donor change of mind
- A complaint from a beneficiary you’ve resolved internally
- A minor data protection issue with no individual harm
When in doubt: report. The Commission is far more comfortable with charities erring on the side of disclosure than with charities making judgment calls that turn out wrong.
Frequently asked questions
Q: Who actually files the report?
A: A trustee, on behalf of the board. Best practice: the chair, or a trustee with a relevant role (chair of audit committee for financial loss).
Q: Does reporting create liability?
A: No. The Commission’s guidance is explicit: reporting in good faith is a duty, not an admission. Failure to report can create much bigger liability.
Q: Will the report become public?
A: Most reports stay internal between charity and Commission. Some, especially leading to formal inquiry, become public. The Commission is upfront about which cases will be published.
Q: What if we discover an old issue?
A: Report when you become aware, regardless of when it happened. The Commission cares about the response date, not the original date.
Q: How does this interact with insurance?
A: Notify your insurer in parallel — most charity insurance policies require notification of incidents that might lead to claims.
What to do this week
Three actions, even if you’ve never had an incident:
- Adopt an incident log (Google Sheet, paper). Record every concern that crosses the trustee threshold.
- Brief trustees on the four reportable triggers — most boards don’t know them precisely.
- Save the Charity Commission reporting form link somewhere your CEO and chair can find quickly.
Compliance built into your workflow. Start a free 14-day CharityIQ trial. Incident log, policy version control, deadline tracking. Join Waitlist →
Written by Ivan Siyanko, founder of CharityIQ.
Related: Trustee Duties Explained · Charity Commission Annual Return 2026 · Cyber Security for UK Charities 2026
Sources:
– Charity Commission — How to report a serious incident
– Charity Commission — Reportable serious incidents (examples)
– Charity Commission — Regulatory casework