How to manage risk

Seven steps to help trustees manage risk in their charity.

All charities face risk. It could be the risk of losing money, bad publicity, or losing key staff or volunteers. Risk is not always a bad thing. Without risk there's often no reward.

Trustees must identify and manage risk. This is part of good governance and should be an ongoing process which is regularly reviewed.

The aim is not to get rid of all risks ‒ that would be very difficult and costly. The goal of risk management is to reduce the risk to a level the charity is comfortable with. This is known as the ‘risk appetite’.

The following seven steps are a tried-and-tested risk management process. It’s best to work through them with a group of people. This should include trustees and staff who understand the organisation well.

1. Identify the risks

The first step is to identify possible risks in the different areas of your charity’s work.

Look at your strategy and main objectives. Think about the things that might stop you from achieving them. The Charity Commission’s risk management guidance recommends grouping risks in the following way.

Governance risks

  • Does your board have the right skills?
  • Does your governing document allow you to make the difference you want to make?

External risks

  • What are the risks to your charity’s reputation? For example, negative publicity caused by poor service or working practices.
  • What changes to government policy might affect your ability to achieve your objectives?

Regulatory and compliance risk

  • Is there a risk of failing to comply with legislation or reporting?
  • Could this damage your charity’s reputation or finances?

Financial risk

  • Are there financial risks that might stop you achieving your objectives? For example, are you dependent on one source of income or are your reserves low?
  • Is there a risk of fraud when transferring money to a different country that has fewer regulations or financial checks?

Operational risk

  • Does the organisation have the right structure and processes?
  • Do you have the right staff with the right skills? Are they in the right roles?
  • Do staff have the tools they need to be successful? Do they communicate effectively?
  • Is the organisation’s culture welcoming and inclusive?

You can use these groupings as a framework. Think about the risks alongside your strategic objectives. Remember to consider a range of possibilities in each area and explore both positive and negative outcomes.

2. Analyse the risks

Once you've identified a risk, you need to assess:

  • the likelihood of the risk happening
  • the impact the risk will have on the organisation if it happens.

To assess the impact of a risk, consider all the possible implications. Some of these might not be obvious. For example, one of the risks may be that you’re unable to articulate the impact of your work.

  • An obvious consequence of this could be a reduction in funding.
  • A less obvious consequence may be that your staff become disheartened and lose focus because they can’t see the difference they’re making.

You should think about these together as a board and with your senior leadership team.

Score the likelihood and impact of a risk

Use the following tables to give each risk a score for likelihood and impact.

Calculate the initial risk score

You can calculate the initial risk score by multiplying the likelihood score by the impact score.

For example, a risk with a likelihood of 2 and an impact of 3 would score 6 (2 x 3).

Many experts believe that the impact of a risk is more important than the likelihood and so deserves more weighting. You can use the following calculations to reflect this.

  • Likelihood x impact + impact = risk score.
  • Likelihood x impact + (2 x impact) = risk score.

3. Prioritise the risks

You can’t manage every risk. Use the risk rating score to prioritise what you should focus on.

You should decide on a cut-off point for managing risks. For example, you may decide to manage only the top five or ten risks, or only risks that score six points or more.

The cut-off point will partly depend on how much capacity you have to manage the risks. It’s better to manage the most serious risks properly than to try to manage the full list.

4. Work out your appetite for risk

You need to understand how much risk your charity is willing to accept. You should only take risks to help the charity meet its objectives.

Your risk appetite might change depending on the activity. For example, consider a charity that provides aid in war zones and runs charity shops. They may have a low risk appetite for health and safety in the shops, but a high risk appetite for safety in war zones.

Look at the top 10 risks you’re managing. Decide your risk appetite for each and give them a target risk score.

5. Reduce and control the risks

Each risk must be controlled to a level the charity is happy with.

The board should work with the people who own the risk. Together you should think about all the controls the organisation has in place to reduce the likelihood or impact of the risk. For example, if the risk is fraud, one of the controls might be anti-fraud measures.

Once you’ve listed all the controls for each risk, you can re-score its likelihood and impact. This will give you a residual risk score.

Think about whether this residual risk is:

  • at an acceptable level. Risks are at an acceptable level if the residual risk score is the same as your target risk score
  • too high. This means you’ll need to make a plan to further reduce the risk. For example, you may need to:
    • put more controls in place
    • improve existing controls
    • stop the activity
    • get insurance or contract out the risk
  • too low. In this case, you might consider stopping or reducing some of the risk controls.

Once you’ve identified your key risks and decided how to deal with them, record your plans in a risk register.
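As an added worked example (not part of the NCVO guidance), the following Python risk register applies steps 2 to 5 above: it scores each risk with the plain and impact-weighted formulas, applies a prioritisation cut-off, and compares the residual score with the target score. The 1-to-5 scale, the weighting names, the `Risk` class and the sample risks are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

SCALE = range(1, 6)  # assumption: likelihood and impact each scored 1 to 5

def risk_score(likelihood: int, impact: int, weighting: str = "plain") -> int:
    # 'plain' = likelihood x impact; 'impact' adds impact once, 'impact2' twice
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be scored 1 to 5")
    base = likelihood * impact
    return {"plain": base, "impact": base + impact, "impact2": base + 2 * impact}[weighting]

@dataclass
class Risk:
    name: str
    category: str          # governance, external, compliance, financial, operational
    likelihood: int
    impact: int
    target: int            # target score chosen from the charity's risk appetite
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None   # re-scored after listing controls
    residual_impact: Optional[int] = None

    def initial_score(self, weighting: str = "plain") -> int:
        return risk_score(self.likelihood, self.impact, weighting)

    def residual_score(self, weighting: str = "plain") -> int:
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.initial_score(weighting)  # no controls re-scored yet
        return risk_score(self.residual_likelihood, self.residual_impact, weighting)

def prioritise(risks: List[Risk], cutoff: int, weighting: str = "plain") -> List[Risk]:
    # Step 3: keep only risks scoring at or above the cut-off, highest first
    kept = [r for r in risks if r.initial_score(weighting) >= cutoff]
    return sorted(kept, key=lambda r: r.initial_score(weighting), reverse=True)

def residual_status(risk: Risk, weighting: str = "plain") -> str:
    # Step 5: acceptable when residual equals target, otherwise too high / too low
    residual = risk.residual_score(weighting)
    if residual == risk.target:
        return "acceptable"
    return "too high" if residual > risk.target else "too low"

# Constructed sample register (illustrative values, not from the page).
SAMPLE = [
    Risk("Dependent on one funder", "financial", 4, 4, target=6, controls=["diversify income"], residual_likelihood=2, residual_impact=3),
    Risk("Fraud on overseas transfers", "financial", 2, 5, target=3, controls=["dual authorisation", "payee bank checks"], residual_likelihood=1, residual_impact=5),
    Risk("Board lacks digital skills", "governance", 3, 2, target=6, controls=["trustee recruitment"], residual_likelihood=2, residual_impact=2),
    Risk("Minor reporting delay", "compliance", 1, 2, target=2),
]
```

Running `prioritise(SAMPLE, 6)` keeps the first three risks in descending order of initial score, and `residual_status` flags the overseas-transfer risk as still too high despite its controls.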

NCVO members can download a free risk register template.

6. Check controls are working

Once you’ve identified the key risks and put controls in place, it’s important to make sure the controls are working.

The risk owner should confirm controls are working as planned. They should provide regular evidence to the board.

If your charity has internal auditors, you can ask them to confirm that the controls are working. You can also ask external auditors or other professionals to do this.

7. Monitor and review risks

You need to decide how you’ll monitor and review your risks and plans.

You should consider changing circumstances. Risks may come and go. Their likelihood or potential impact could change. So you may need to change the way you deal with them.

You should include risk monitoring and review in your strategic and operational planning. Review your risk register:

  • at least once a year
  • more often for large or complex projects
  • whenever there are incidents that suggest the controls you have in place aren’t working well.

Some organisations ask for a summary of risks and suggested mitigation to be included in board papers.

It can be useful to do an in-depth review of a risk at each board meeting. This helps the board get a detailed understanding of risks and controls. It also gives assurance that risk is being managed effectively.

This page was last reviewed for accuracy on 08 October 2024
