Risk Management for Small Charities

Risk management (and assessment) is an essential element of the management of any organisation. We do it almost instinctively in daily life (to cross the road here or to move to the crossing) and with greater attention for more important matters. The same should apply to all our organisations. The size and complexity of the organisation will drive the scale of the risk management process.

There are a wide range of useful documents readily available to assist the process, from the Charity Commission’s essential guidance (CC26) through to some very useful and helpful documents produced by Sayer Vincent including “Rethinking Risk – Beyond the Tick Box”. Help is also available from Helen’s Headlines resource on Crisis Management. (See Signposts below for links).

 

Process

Every charity should have a process for identifying the major risks they face. The process should involve trustees and senior staff, but it can also be valuable to ensure that at some level all staff are involved in the process of risk identification and management. Ensuring that there is a regular risk process in place with regular updates should be the assigned responsibility of a member of the senior staff with support from trustees – but the process should be owned by both trustees and staff.

Risks can be analysed in several different ways; perhaps the most obvious is departmental or functional: financial, reputational, governance, IT, staffing, premises etc. Where you consider what risks are faced in each of these areas. This can be useful in both identifying risks and assigning responsibility for actions

However an alternative method is to consider the following 3 types of risk:

  • Strategic Risks – those that might reduce or eliminate the impact of the charity. These would include those things likely to impact the reputation of the charity or a lack of governance, loss of direction. These are going to be the risks that the Trustees need to consider and, where required, be reported in the annual accounts statement.

  • Operational Risks – those that effect day to day operations.  This can include a vast range of items including fraud, loss of IT or premises, loss of key staff, or even rain on the day of your garden party.

  • Project Risks – those that are associated with a particular piece of work (and where relevant should form part of the assessment of whether to apply for funding).

 

 

Identifying Risks

Perhaps the most usual way to start the process from scratch is to set aside time to brain storm with senior staff and trustees to identify the major risks (as each sees it) that the charity faces. Using post it notes to group similar risks can be helpful and makes a flexible outcome that can then be handed to individuals for taking further.

A session of 2/3 hours set aside should be sufficient to identify these risks and also to begin a process of assessment and impact. During this time it is important to drill down and not leave risk too generic or high level. For example “reduction in income” is clearly a risk to any organisation, but is insufficiently precisely defined to be able to either assess its probability or identify its mitigations. Where funding is solely or largely from one funder loss of that funder is a clearer risk but could be more precisely defined as “loss of funder’s interest in charity” or “loss or severe cut back in major funder’s available resources”. Mitigations / activities to address these two aspects of this risk are clearly different.

 

Assessment of Impact and Probability

Having identified the major risks and decided how to analyse/ report them, the next step is to assess how likely they are to occur (Probability) and the extent of their effect on the organisation (impact). This can either be done on a High / Medium / Low scale for both or a scale of 1-5 where 5 is very high impact (I) or very high probability (P). If a scale is used it is easier then to determine the overall priority by multiplying the one by the other (Impact x Probability).  As a high impact score presents a greater overall risk to the organisation than a high probability score some commentators consider that a scoring system of (Impact x Probability + Impact) gives a better basis of prioritising the outcome of the assessment process.

 

Mitigation and Actions to be taken

Having identified the major risks (and assigned responsibility to staff or trustees), actions should then be prioritised to reduce either (or both) of the impact or the likelihood of the risk occurring. These should be commensurate with the effect on the organisation, and can be recorded and monitored via the risk register (see sample in PDF below)

Some organisations have found it helpful to carry out a risk assessment in 2 stages; one before the actions taken (pre mitigation) and again afterwards (post mitigation assessment).

 

Monitoring and Updating

Risk reporting to the Board should be at least once a year and may be via a committee of the Board who monitor the register and actions more frequently. Senior staff should update risks as part of the normal business of the charity but a review of the register itself at least every 6 months (including as part of business planning and budgeting). A review and update of the overall process is also very helpful to ensure that it is still current and remains appropriate for the organisation.

 

Tips

  • Avoid overcomplicating the risk process and over lengthy risk registers

  • Ensure priority is given to those risks most likely to have a serious impact on the charity

  • Involve staff at all levels including trustees

  • Ensure there is a lead person for both risk and crisis management

  • Assign clear responsibilities for individual risk monitoring and actions to be taken to mitigate risk

  • Ensure risks (and actions to be taken) are sufficiently specific to be understood

  • Make risk management part of regular review meetings as well as part of annual business planning, budgeting etc

  • Keep risk register up to date … remove things as well as adding to them

  • Remember an insurance policy is one way of addressing a risk

  • Prepare a generic crisis management plan so that you aren’t starting from scratch in the event of a crisis

  • See risk management as a positive thing (even if it is looking at what could go wrong) to enhance the effectiveness and efficiency of the organisation

  • Consider how risk should be reported in your annual statements – don’t be too bland

  • Confidentiality of all or part of your risk register may be necessary – it is a balancing act with making sure your risk register is clear.

Glossary of terms

Risk: Anything that might prevent your organisation reaching its goal or reduce the impact of the work

 

Risk Management: System set up by an organisation to identify, prioritise, evaluate, mitigate and review the risks it faces

 

Risk Assessment: An assessment of the risk based on both impact it might have on the organisation if it occurs (Impact) and probability or likelihood that it will happen. The purpose of the assessment process is to focus attention on key risks and prioritise activity. Although often reported as a number this is essentially a subjective process at the individual level which is why a collaborative approach involving trustees and senior staff is an advantage

 

Risk Appetite: An organisation’s capacity to absorb risk. This can include the level of (usually unrestricted) reserves it holds or the flexibility of its operations in terms of how things are delivered.

Alternatively this term can be used for an individual’s approach to the assessment of risk – whether they are entrepreneurial in approach or naturally cautious. Note this can be a challenge for an organisation when different trustees or staff have different risk appetites (see Signposts)

 

Risk Register: A usually formal reporting of risks faced by the organisation together with an assessment of their priority, the actions to be taken and the ownership / individual who has responsibility. See PDF below

 

Risk Policy: A statement of the organisation’s approach to risk management

 

Heat Map: A pictorial representation of the spread of identified risks; can improve understanding and where activity should be focused. See PDF below.

 

Mitigation: Actions taken to reduce the impact and/or the probability of an identified risk occurring. 

 

 

Signposts to other resources

 

Author and copyright Alison Grieve 2019

Peer reviewed by Helen Calder