In almost every small and medium-sized charity I have worked with (and some big ones), risk management has been, and has been seen to be, a chore: “something we have to do but which adds little value.” But it doesn’t need to be like that.
Risk is an everyday part of charitable activity and managing it effectively is essential if trustees are to discharge their core duties to oversee the achievement of the charity’s purposes and safeguard charitable assets. Put another way, effective risk management will help your charity achieve even more for your beneficiaries; good risk management is about enabling the organisation to grasp opportunities and meet urgent needs, as well as preventing disasters.
Equally, while charities are not required by law to have a risk management policy or process, the Charity Commission strongly recommends that they do, so that they can identify and manage all types of risk more effectively. Furthermore, charities with incomes of £500,000 or more must include a risk management statement in their trustees’ annual report, which should include:
Acknowledgement of the trustees’ responsibility to identify, assess and manage risks.
An overview of the charity’s process for identifying risks.
Indication that major risks have been reviewed or assessed.
Confirmation of the systems and processes set up to manage risks.
Therefore, it is important that trustees regularly review and assess the risks facing their charity and ensure there are proportionate plans in place to manage them.
This does not mean that charities should seek to eliminate all risk, but rather that they should understand the likelihood and impact of risks and put in place appropriate controls to manage them. For many this will mean maintaining a risk register that summarises the identified risks, their potential impact, the actions taken or planned to mitigate/manage them, and who is responsible for those actions and plans. For some (particularly small charities) it may simply be a matter of leaving space at Committee/Board meetings to discuss risks and how to manage them.
Risk management process
Risk is the uncertainty surrounding events and their outcomes that may have a significant impact, either enhancing or inhibiting a charity’s ability to achieve its charitable purposes. It should be considered within the wider environment in which the charity operates: the financial climate, society and its attitudes, the natural environment, and changes in the law, technology and knowledge. It may help to categorise risks, for example as:
Overall responsibility for the management and control of a charity rests with the trustees. Their involvement in risk management is essential, particularly in setting the charity’s risk appetite, providing accountability for effective risk management and ensuring compliance with trustees’ duties.
This should not be interpreted as meaning that trustees undertake each stage of the process themselves, rather that it is their responsibility to ensure that the process is rigorous and implemented. Using a process such as that summarised in the diagram may be helpful:
Establish a Risk Management Policy.
Identify Risks, perhaps in a risk identification workshop involving senior staff, trustees (as appropriate) and others.
Assess Risks: Identified risks need to be put into perspective in terms of the potential severity of their impact and the likelihood of their occurrence. It may help to score them (e.g. on 1-4 scales) so that you can prioritise them; a ‘heat map’ (see opposite) is often used to do this and to ensure the most significant risks are brought to the Board’s attention (typically around 10 top risks with a score of 9 or more).
Respond to Risks by putting in place proportionate action/mitigation or contingency plans. This might involve:
Transferring or sharing the financial consequences to/with third parties, e.g. through insurance or outsourcing.
Avoiding the activity which gives rise to the risk, e.g. by not taking up a contract or curtailing/stopping a particular activity or service.
Managing or mitigating the risk by ensuring appropriate policies and operational procedures are in place and implemented.
Accepting it as a risk that cannot be avoided, e.g. where trustees recognise that an activity carries an ‘acceptable’ level of risk.
It is essential that each risk is assigned an owner with overall responsibility for managing the risk.
Monitor/Control Risks and learn from experience. Risk management is a dynamic, cyclical process that requires continual monitoring and assessment, not a one-off event. You might consider programming it into board/committee meetings through:
A formal annual review of risks to revisit risk appetite.
A risk identification workshop every couple of years.
Reporting changes to the risks to each Board meeting (e.g. using a risk register) together with an in-depth discussion of 1 or 2 top risks.
The core risk management control document for many organisations is the Risk Register. There are many formats for risk registers, and for many charities something simple like the one below will be amply good enough.
Importantly the Risk Register is:
owned by the Chief Executive and senior management team;
overseen by the trustees, and
monitored by the senior staff (all significant risks) and Board of trustees (major risks).
Risk assessment is the process whereby the risks associated with an activity or event are considered in advance and plans are put in place to minimise, mitigate or negate the risk and its potential consequences. Again, there are many formats and approaches, but for most small and medium-sized charities considering the following will be sufficient:
What is the hazard?
Who is at risk?
What control measures are already in place or should be put into place?
What is the estimated level of risk (calculated by considering the severity of the hazard, the likelihood of the event and the adequacy of controls)?
What further precautions may be required?
It is then important to make sure that all staff/volunteers supporting the activity/event understand the risk assessment and implement the actions identified by it.