Seven steps to help trustees manage risk in their charity.
All charities face risk. It could be the risk of losing money, bad publicity, or losing key staff or volunteers. Risk is not always a bad thing. Without risk there's often no reward.
Trustees must identify and manage risk. This is part of good governance and should be an ongoing process which is regularly reviewed.
The aim is not to get rid of all risks ‒ that would be very difficult and costly. The goal of risk management is to reduce the risk to a level the charity is comfortable with. This is known as the ‘risk appetite’.
The following seven steps are a tried-and-tested risk management process. It’s best to work through them with a group of people. This should include trustees and staff who understand the organisation well.
The first step is to identify possible risks in the different areas of your charity’s work.
Look at your strategy and main objectives. Think about the things that might stop you from achieving them. The Charity Commission’s risk management guidance recommends grouping risks in the following way.
You can use these groupings as a framework. Think about the risks alongside your strategic objectives. Remember to consider a range of possibilities in each area and explore both positive and negative outcomes.
Once you've identified a risk, you need to assess:
To assess the impact of a risk, consider all the possible implications. Some of these might not be obvious. For example, one of the risks may be that you’re unable to articulate the impact of your work.
You should think about these together as a board and with your senior leadership team.
You should give each risk a score for likelihood and impact.
*If one or more of these consequences is possible or if the risk occurs, give it the related score.
You can calculate the initial risk score by multiplying the likelihood score by the impact score.
For example, a risk with a likelihood of 2 and an impact of 3 would score 6 (2 x 3).
Many experts believe that the impact of a risk is more important than the likelihood and so deserves more weighting. You can use the following calculations to reflect this.
You can’t manage every risk. Use the risk rating score to prioritise what you should focus on.
You should decide on a cut-off point for managing risks. For example, you may decide to only manage the top five or 10 risks, or risks that score six points or more.
The cut-off point will partly depend on how much capacity you have to manage the risks. It’s better to manage the most serious risks properly than to try to manage the full list.
You need to understand how much risk your charity is willing to accept. You should only take risks to help the charity meet its objectives.
Your risk appetite might change depending on the activity. For example, consider a charity that provides aid in war zones and runs charity shops. They may have a low risk appetite for health and safety in the shops, but a high risk appetite for safety in war zones.
Look at the top 10 risks you’re managing. Decide your risk appetite for each and give them a target risk score.
Each risk must be controlled to a level the charity is happy with.
The board should work with the people who own the risk. Together you should think about all the controls the organisation has in place to reduce the likelihood or impact of the risk. For example, if the risk is fraud, one of the controls might be anti-fraud measures.
Once you’ve listed all the controls for each risk, you can re-score its likelihood and impact. This will give you a residual risk score.
Think about whether this residual risk is:
Once you’ve identified your key risks and decided how to deal with them, record your plans in a risk register.
NCVO members can download a free risk register template.
Once you’ve identified the key risks and put controls in place, it’s important to make sure the controls are working.
The risk owner should confirm controls are working as planned. They should provide regular evidence to the board.
If your charity has internal auditors, you can ask them to confirm that the controls are working. You can also ask external auditors or other professionals to do this.
You need to decide how you’ll monitor and review your risks and plans.
You should consider changing circumstances. Risks may come and go. Their likelihood or potential impact could change. So you may need to change the way you deal with them.
You should include risk monitoring and review in your strategic and operational planning. Review your risk register:
Some organisations ask for a summary of risks and suggested mitigation to be included in board papers.
It can be useful to do an in-depth review of a risk at each board meeting. This helps the board get a detailed understanding of risks and controls. It also gives assurance that risk is being managed effectively.
Last reviewed: 08 October 2024