Updated Breach Management Framework

26 Mar 2024

Updated Breach Management Framework

As part of our ongoing commitment to regulatory compliance and risk management, we recently undertook a comprehensive review of our Breach Management Framework.  

This review, informed by consultations with key stakeholders, aims to make the framework more transparent and responsive, aligning it with industry best practices. 

Key highlights of the review process include: 

  • We've set up a clear, step-by-step method to handle breaches, with each step explained in detail for easy understanding and use. 

  • We're dedicated to following specific time limits for each step where possible, so Environmental Bodies (EBs) are aware how long each stage might take, and cases are not held open for unnecessary amounts of time. 

  • We've put in place a straightforward internal approval system to make sure everything is clear and transparent during the breach management process. 

  • We've provided clear instructions on when and how we'll update EBs, using both formal and informal methods of communication. 

  • We're using a customised approach for different kinds of cases, making sure our response fits the seriousness and complexity of each breach. 

Please find the updated Breach Management Framework in the attachment provided. Additionally, a summary is also provided below for your convenience. 

Breach Management Framework—Case Stages 

Stage 1: Initial Assessment 

Responsible Officer (RO) compiles and presents an initial assessment, categorising the case into type A, B, C, or identifying it as No Breach. 

Stage 2: Review 

RO reviews the case thoroughly, requests additional information if necessary, and creates a structured case file. 

Stage 3: Determination 

RO completes a determination matrix and holds an internal case conference to discuss findings. 

Stage 4: Review of Actions and Implementation 

Actions agreed upon with the EB are implemented. 

Stage 5: Closure 

Case closure details are presented at an internal final review meeting with the CEO. 

Each stage involves specific personnel for approval, including the Compliance Manager (CM), Policy and Regulations Manager (PRM), and in some cases, the CEO. 

Case Types 

The first page of the framework indicates that the level of seriousness will determine the appropriate action, building proportionality into the framework. The level of seriousness is determined on a case-by-case basis, but follows the general themes of the case types below: 

  • No Breach: When no breach is identified post-assessment.  

  • Type A: Minor or simple cases without a financial element.  

  • Type B: Medium complexity cases with no immediate risk of further breaches. 

  • Type C: Complex cases or cases with immediate risk of further breaches.  

For example, an accidental late form would be considered a minor case, whereas a deliberate attempt of fraud would be considered the most serious. 


Completion time varies from 2 weeks for simpler cases (Type A) to 12 weeks for more complex cases (Type C). 

Possible Actions for Each Case Type 

Actions depend on the type of breach and must be on a case-by-case basis due to each case having very specific elements to address. 

Responses range from an Advice and Guidance Letter for an unintentional administrative breach, to meetings with your EB board for items which might be classed as negligence or carelessness that leads to significant financial loss to the fund. 

External Interactions 

In serious cases, there might be involvement of the Entrust board and ultimately, referrals to HMRC. 

This framework provides a structured, tiered approach to breach management, ensuring that each case is handled with the appropriate level of scrutiny and action, based on its complexity and severity.