How to manage risk

Risk management is the process of identifying, evaluating and controlling risks.

The aim is not to eliminate all risks entirely (this would be very difficult and not cost effective), but rather to reduce the risk to a level that the charity is comfortable with (the risk appetite).

These seven steps are a tried-and-tested risk management process. It’s best to work through them with a group of people, including trustees and staff who understand the organisation well.

Risk register template for NCVO members

NCVO members can download a risk register template in the tools and resources section.

The first step is to identify possible risks in the different areas of your charity’s work.

Look at your strategy and main objectives, and think about the things that might stop you achieving them.

The Charity Commission suggests that you review risks under the headings of governance, external, regulatory, financial and operational. You can use these headings as a framework, thinking about the risks in relation to each of your strategic objectives.

Remember to consider a range of possibilities in each area (the things that might happen) and explore both positive and negative outcomes.

Governance risk

Does your board have the right skills?

Does your governing document let you to do what you need to do to make the difference you want to make?

External risk

Do you have the influence and reputation that you need? What are the risks to this reputation (eg negative publicity caused by poor service or working practices)?

What changes to government policy might affect your ability to achieve your objectives?

Regulatory and compliance risk

Is there a risk of failing to comply with legislation or reporting, which might result in both reputational damage and financial damage?

Financial risk

Are there risks to your finances that might stop you from achieving your objectives (for example, are you dependent on one source of income or are your reserves low)?

Is there a risk of fraud when transferring money to a country that has few regulations or financial checks?

Operational risk

Is the organisation set up and run in a way that allows success?

Do you have the right staff with the right capabilities? Are they in the right roles?

Do staff have the tools they need to be successful? Do they communicate in the right way and use effective processes?

Do you have the right organisational culture?

Once a risk has been identified, you need to assess:

• the likelihood of the risk happening
• the impact of the risk on the organisation if it happens.

To assess the impact of a risk, consider all the possible implications, some of which might not be obvious.

For example, one of the risks may be that you’re unable to articulate the impact of your work.

• An obvious consequence of this could be a reduction in funding
• A less obvious consequence may be that your staff become disheartened and lose focus because they can’t see the difference they’re making

Thinking about this together as a board, with your senior team, is a valuable exercise.

Scoring the likelihood and impact of a risk

You should give each risk a score for likelihood and impact.

*If one or more of these consequences is possible or if the risk occurs, give it the related score.

Calculating the initial risk score

The initial risk score is calculated by multiplying the likelihood score by the impact score.

For example, a risk with a likelihood of 2 and an impact of 3 would have a score of 6 (2 x 3).

Ways of calculating the risk score

Many experts believe that the impact of a risk is more important than the likelihood and so deserves more weighting. These two alternative calculations reflect this.

• Likelihood x impact + impact = risk score
• Likelihood x impact + (2 x impact) = risk score

You can’t manage every risk, so use the risk rating score to prioritise what you should focus on.

It’s useful to determine a cut-off point, above which you’ll manage the risk and below which you won’t. For example, you may decide to manage only the top five or 10 risks, or risks that score six points or more.

The cut-off point will partly depend on how much time you have to manage the risks. It’s better to manage the most serious risks properly than to manage a full list weakly.

You need to understand how much risk your charity is willing to accept in pursuing its objectives.

Your risk appetite might change depending on the activity. For example, a charity that provides aid in a war zone and uses charity shops to fund this work might have a low risk appetite for health and safety in its shops, but a high risk appetite for safety in the war zone.

In this step, look at the top 10 risks that you’re managing and determine your risk appetite for each and your target risk score. You should aim to get the residual risk (the risk that remains after you have your controls in place) to a level in line with the risk appetite.

The level of each risk must be controlled to a level that the charity is happy with.

The board should work with the people who own the risk to think about all the controls the organisation has in place to reduce its likelihood or impact. For example, if the risk is fraud, one of the controls might be anti-fraud measures.

Once you’ve listed all the controls that you have in place for a risk, you can rescore its likelihood and impact to get a residual risk score.

Zurich Insurance provides a range of managing risk insight guides which cover a range of relevant topics.

Think about whether this residual risk is:

• at an acceptable level (eg the same level as your target risk score)
• too high, which means you’ll need to identify additional actions to reduce the risk further (eg putting in place more controls, improving existing controls, stopping the activity, or insuring against or contracting out the risk) – this will give you an action plan that can be reviewed
• too low, which means that you might consider stopping or reducing some control.

Once the key risks have been identified, assessed and are subject to controls, it’s important to make sure that these controls are being performed as expected.

You can ask the risk owner to confirm at appropriate intervals that they’ve checked the controls and that they’re working as planned, and to give evidence to support this.

You can also ask internal auditors (if you have them) to give assurance that the controls are working, or ask your external auditors or other professional to do this.

Once you’ve identified your key risks and decided how to deal with them, record your plans in a risk register so that you can come back to it later.

You need to decide how you’ll monitor and review your risks and plans, taking account of changing circumstances. Risks may come and go, or their likelihood or potential impact could change, so you may need to change the way you deal with them. It’s a good idea to tie this monitoring and review process into your strategic and operational planning.

Review your risk register at least once a year (perhaps more often for large or complex projects) and whenever there are incidents that suggest the controls you have in place aren’t working well.

Some organisations also ask that all papers which go to the board include a summary of the main risks and suggested mitigation.

It can be useful to pick a risk at each board meeting and do an in-depth review of it. This gives the board a detailed understanding of the risks and controls, and helps assure them that risk is being managed effectively.

Charity Commission guidance

• Charities and risk management (CC26) includes an alternative risk management model, risk register template and examples of common risk and their mitigation
• Prepare your charity trustees’ annual report
• Reporting a serious incident in your charity

Zurich Insurance

• Zurich is an NCVO trusted supplier. Learn more about Zurich's services