TS-RDC-04
Trust & Stewardship
Risk, Data & Compliance
CORE
Compliance
v2.9.7
Serious-incident reporting & escalation
Assesses whether the organization has a clear, documented process for identifying, reporting, and escalating serious incidents to the board and all relevant regulatory bodies in a timely manner. The organization must maintain an ‘Applicable Regulators Matrix’ mapping its activities (e.g., children’s work, healthcare, housing, overseas operations) to relevant notification regimes (e.g., Charity Commission/OSCR/CCNI, ICO, HSE/RIDDOR, LADO/police, OfS, CQC/Ofsted/RSH, HMRC, Fundraising Regulator) to ensure precise compliance.
Compliance (6)
- Documented serious incident reporting (SIR) policy with an 'Applicable Regulators Matrix' reviewed annually. (Documentation | Essential)
- Clear definitions of what constitutes a serious incident aligned to specific regulator thresholds. (Documentation | Essential)
- Regulator-specific external reporting timelines: ICO (72h of awareness); RIDDOR (per HSE categories); Safeguarding (immediate/same-day); Charity Commission/OSCR/CCNI ('as soon as reasonably possible'/target 5 working days). (Compliance | Essential)
- Safeguarding fast-track: Any allegation involving a child or at-risk adult triggers immediate safeguarding lead notification and same-day LADO/police/DBS referral; charity regulator reporting follows without delaying safety actions. (Process | Essential)
- GDPR Breach Protocol: Define 'awareness' per ICO guidance; require documented risk assessment within 24h; notify individuals without undue delay if high risk. (Compliance | Essential)
- Mandatory induction training within 30 days and annual refreshers for all staff, trustees, and relevant volunteers; role-specific training for the SIR Lead. (Training | Essential)
Good (7)
- Designated SIR Lead and Deputy SIR Lead to ensure continuity. (Governance | Essential)
- Internal notification to the SIR Lead within 24h of 'awareness'; board/Chair notification within 24h for high-severity incidents. (Process | Essential)
- Delegated Authority & Minimum Decision Set: Defined approvers for 'report/not report' decisions (SIR Lead + CEO; Chair/SIT if implicated); mandatory decision log entry within 24h including facts, harm/risk, and rationale. (Governance | Essential)
- Conflict-free escalation route to the Chair or Senior Independent Trustee if senior management/trustees are implicated. (Governance | Essential)
- Protected Speak-Up Channel: At least one 24/7 channel with anonymous option; board-approved non-retaliation statement; handling SOP with SLAs (acknowledge <2 days, triage <5 days). (Accessibility | Essential)
- Regular training for staff and trustees on identifying and reporting serious incidents. (Continuous Improvement | High)
- Maintain a standardised incident register capturing: date/time of awareness; category; severity; people affected; initial actions/containment; decision and rationale to report/not report (referencing 'al-umūr bi maqāsidihā', judging by intent); regulator(s) notified and reference numbers; data classification; RCA method; corrective actions. (Documentation | High)
Better (4)
- Embed an 'Amr bil ma‘ruf' (enjoining good) culture that encourages reporting without fear of blame. (Leadership | High)
- A log of all incidents (including near misses) to identify trends. (Continuous Improvement | High)
- Post-incident reviews (PIR) to implement lessons learned. (Continuous Improvement | High)
- Link SIR outcomes to the enterprise risk register and BCP updates; cross-reference with safeguarding, data breach, H&S, whistleblowing, complaints, and media/comms policies. (Integration | High)
Best (3)
- Annual tabletop exercise of a cross-regulator incident. (Testing | High)
- Independent review/audit of the SIR process every 2–3 years. (Assurance | High)
- Annual transparency statement to the board (and public where appropriate) on incidents, lessons learned, and improvements. (Transparency | High)
Related Criteria
Version
2.9.7
2025-11-05
Discussion (1)
Administrator
2026-03-07 11:07:51.096258
📋 **Version updated: 1.0.0 → 2.9.7** **Changes:** Updated islamic_references from mizan-297.json