How to manage risk

Risk management is the process of identifying, evaluating and controlling risks.

The aim is not to eliminate all risks entirely (this would be very difficult and not cost-effective), but rather to reduce each risk to a level that the charity is comfortable with (its risk appetite).

These seven steps are a tried-and-tested risk management process. It’s best to work through them with a group of people, including trustees and staff who understand the organisation well.

Risk register template for NCVO members

NCVO members can download a risk register template in the tools and resources section.

Identify the risks

The first step is to identify possible risks in the different areas of your charity’s work.

Look at your strategy and main objectives, and think about the things that might stop you achieving them.

The Charity Commission suggests that you review risks under the headings of governance, external, regulatory, financial and operational. You can use these headings as a framework, thinking about the risks in relation to each of your strategic objectives.

Remember to consider a range of possibilities in each area (the things that might happen) and explore both positive and negative outcomes.

Governance risk

Does your board have the right skills?

Does your governing document let you do what you need to do to make the difference you want to make?

External risk

Do you have the influence and reputation that you need? What are the risks to this reputation (eg negative publicity caused by poor service or working practices)?

What changes to government policy might affect your ability to achieve your objectives?

Regulatory and compliance risk

Is there a risk of failing to comply with legislation or reporting requirements, which might result in both reputational and financial damage?

Financial risk

Are there risks to your finances that might stop you from achieving your objectives (for example, are you dependent on one source of income or are your reserves low)?

Is there a risk of fraud when transferring money to a country that has few regulations or financial checks?

Operational risk

Is the organisation set up and run in a way that allows success?

Do you have the right staff with the right capabilities? Are they in the right roles?

Do staff have the tools they need to be successful? Do they communicate in the right way and use effective processes?

Do you have the right organisational culture?

Analyse the risks

Once a risk has been identified, you need to assess:

  • the likelihood of the risk happening
  • the impact of the risk on the organisation if it happens.

To assess the impact of a risk, consider all the possible implications, some of which might not be obvious.

For example, one of the risks may be that you’re unable to articulate the impact of your work.

  • An obvious consequence of this could be a reduction in funding
  • A less obvious consequence may be that your staff become disheartened and lose focus because they can’t see the difference they’re making

Thinking about this together as a board, with your senior team, is a valuable exercise.

Scoring the likelihood and impact of a risk

You should give each risk a score for likelihood and impact.

*If one or more of these consequences is possible or if the risk occurs, give it the related score.

Calculating the initial risk score

The initial risk score is calculated by multiplying the likelihood score by the impact score.

For example, a risk with a likelihood of 2 and an impact of 3 would have a score of 6 (2 x 3).

Ways of calculating the risk score

Many experts believe that the impact of a risk matters more than its likelihood and so deserves more weighting. These two alternative calculations reflect this:

  • Likelihood x impact + impact = risk score
  • Likelihood x impact + (2 x impact) = risk score

Using the example above (likelihood 2, impact 3), these give scores of 9 and 12 respectively. Whichever calculation you choose, use the same one for every risk so that the scores can be compared.

Prioritise the risks

You can’t manage every risk, so use the risk rating score to prioritise what you should focus on.

It’s useful to determine a cut-off point, above which you’ll manage the risk and below which you won’t. For example, you may decide to manage only the top five or 10 risks, or risks that score six points or more.

The cut-off point will partly depend on how much time you have to manage the risks. It’s better to manage the most serious risks properly than to manage a full list weakly.

Determine the appetite for risk

You need to understand how much risk your charity is willing to accept in pursuing its objectives.

Your risk appetite might change depending on the activity. For example, a charity that provides aid in a war zone and uses charity shops to fund this work might have a low risk appetite for health and safety in its shops, but a high risk appetite for safety in the war zone.

In this step, look at the top 10 risks that you’re managing and determine your risk appetite for each and your target risk score. You should aim to get the residual risk (the risk that remains after you have your controls in place) to a level in line with the risk appetite.

Reduce and control the risks

Each risk must be reduced to a level that the charity is comfortable with.

The board should work with the people who own each risk to list all the controls the organisation already has in place to reduce its likelihood or impact. For example, if the risk is fraud, the controls might include your anti-fraud measures, such as requiring two people to authorise each payment.

Once you’ve listed all the controls that you have in place for a risk, you can rescore its likelihood and impact to get a residual risk score.

Zurich Insurance provides a range of managing risk insight guides which cover a range of relevant topics.

Think about whether this residual risk is:

  • at an acceptable level (eg the same level as your target risk score)
  • too high, which means you’ll need to identify additional actions to reduce the risk further (eg putting in place more controls, improving existing controls, stopping the activity, or insuring against or contracting out the risk) – this will give you an action plan that can be reviewed
  • too low, which means the controls may be costing more than the risk justifies, so you might consider removing or scaling back some of them.
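The scoring, prioritisation and residual-risk steps above can be kept in a small script rather than worked by hand. The example below is added here as an illustration and is not NCVO's risk register template or any real charity's register: the register entries, controls, target scores and the 1 to 5 scale are all constructed for the purpose. It scores each risk with any of the three calculations given above, applies a cut-off or top-N to prioritise, and compares the residual score with the target score to give the "acceptable", "too high" or "too low" verdict.

```python
"""Risk register scoring: an added worked example of the steps above.
Illustrative code, not NCVO's template or a real charity's register;
the register entries, controls and scale below are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed scoring scale (the page's scoring table is not reproduced here):
# 1 = very unlikely / negligible, 5 = almost certain / severe.
SCALE_MIN, SCALE_MAX = 1, 5

# The three calculations given on the page. Which one a charity uses matters
# less than using the same one for every risk, so scores stay comparable.
SCORING_METHODS: Dict[str, Callable[[int, int], int]] = {
    "product": lambda likelihood, impact: likelihood * impact,
    "impact_weighted": lambda likelihood, impact: likelihood * impact + impact,
    "impact_double_weighted": lambda likelihood, impact: likelihood * impact + 2 * impact,
}


@dataclass
class Risk:
    name: str
    category: str                 # governance, external, regulatory, financial, operational
    likelihood: int               # initial scores, before controls are taken into account
    impact: int
    target_score: int             # the risk appetite for this risk, expressed as a score
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None   # rescored once controls are listed
    residual_impact: Optional[int] = None


def _check(value: int, label: str) -> int:
    """Reject scores outside the assumed scale so a typo cannot skew the ranking."""
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{label} must be between {SCALE_MIN} and {SCALE_MAX}, got {value}")
    return value


def score(likelihood: int, impact: int, method: str = "product") -> int:
    """Combine likelihood and impact using one of the page's formulas."""
    return SCORING_METHODS[method](_check(likelihood, "likelihood"), _check(impact, "impact"))


def initial_score(risk: Risk, method: str = "product") -> int:
    return score(risk.likelihood, risk.impact, method)


def residual_score(risk: Risk, method: str = "product") -> int:
    """Score after controls. If the risk has not been rescored, residual equals initial."""
    likelihood = risk.residual_likelihood if risk.residual_likelihood is not None else risk.likelihood
    impact = risk.residual_impact if risk.residual_impact is not None else risk.impact
    return score(likelihood, impact, method)


def prioritise(risks: List[Risk], method: str = "product",
               cutoff: Optional[int] = None, top_n: Optional[int] = None) -> List[Risk]:
    """Rank by initial score (highest first), then keep scores >= cutoff and/or the top N."""
    ranked = sorted(risks, key=lambda r: initial_score(r, method), reverse=True)
    if cutoff is not None:
        ranked = [r for r in ranked if initial_score(r, method) >= cutoff]
    if top_n is not None:
        ranked = ranked[:top_n]
    return ranked


def residual_status(risk: Risk, method: str = "product") -> str:
    """Compare residual risk with the target score (the appetite), as in the list above."""
    residual = residual_score(risk, method)
    if residual > risk.target_score:
        return "too high"      # add or improve controls, stop, insure or contract out
    if residual < risk.target_score:
        return "too low"       # controls may cost more than the risk justifies
    return "acceptable"        # residual matches the target score


# Constructed register: illustrative names and scores, not real data.
REGISTER = [
    Risk("Dependence on a single grant funder", "financial", 4, 4, target_score=6,
         controls=["Income diversification plan", "Reserves policy"],
         residual_likelihood=3, residual_impact=3),
    Risk("Fraud in overseas money transfers", "financial", 3, 4, target_score=6,
         controls=["Dual authorisation of payments", "Partner due diligence"],
         residual_likelihood=2, residual_impact=3),
    Risk("Negative publicity from poor service", "external", 2, 3, target_score=6,
         controls=["Complaints procedure"]),
    Risk("Board lacks digital skills", "governance", 2, 2, target_score=4,
         controls=["Skills audit", "Co-opted digital trustee", "Annual training"],
         residual_likelihood=1, residual_impact=2),
]

if __name__ == "__main__":
    # Manage only risks scoring 6 or more, and show where each stands against its target.
    for risk in prioritise(REGISTER, cutoff=6):
        print(f"{initial_score(risk):>2} -> {residual_score(risk):>2} "
              f"({residual_status(risk)}): {risk.name}")
```

With the constructed register and the plain product formula, the single-funder risk scores 16 initially and 9 after controls, above its target of 6, so it stays "too high" and needs an action plan; the fraud risk lands exactly on its target and is "acceptable"; the board-skills risk falls below the cut-off of 6 and, if checked anyway, reads "too low", which is the signal to ask whether three controls are more than that risk warrants.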

Give assurance

Once the key risks have been identified, assessed and are subject to controls, it’s important to make sure that these controls are being performed as expected.

You can ask the risk owner to confirm at appropriate intervals that they’ve checked the controls and that they’re working as planned, and to give evidence to support this.

You can also ask internal auditors (if you have them) to give assurance that the controls are working, or ask your external auditors or another professional to do this.

Monitor and review risks

Once you’ve identified your key risks and decided how to deal with them, record your plans in a risk register so that you can come back to it later.

You need to decide how you’ll monitor and review your risks and plans, taking account of changing circumstances. Risks may come and go, or their likelihood or potential impact could change, so you may need to change the way you deal with them. It’s a good idea to tie this monitoring and review process into your strategic and operational planning.

Review your risk register at least once a year (perhaps more often for large or complex projects) and whenever there are incidents that suggest the controls you have in place aren’t working well.

Some organisations also ask that all papers which go to the board include a summary of the main risks and suggested mitigation.

It can be useful to pick a risk at each board meeting and do an in-depth review of it. This gives the board a detailed understanding of the risks and controls, and helps assure them that risk is being managed effectively.

Further information

Charity Commission guidance

Zurich Insurance

This page was last reviewed for accuracy on 25 February 2022
