Risky business: Why you should manage risk within your charity
Updated: Feb 9
One of the areas I regularly support charities with is risk management. The appetite for addressing, monitoring and working to reduce risks (quite rightly) increased during covid-19. While it is unlikely that many charities previously had ‘global pandemic’ on their risk register, those with a robust risk management approach in place, were able to consider the impact of a reduction of income, an increase in demand for services, staff illness and other factors that came with this unprecedented challenge. Organisations that didn’t have an active risk register were forced to think about risks and it is likely that risk became the focal point of board meetings.
While many aspects of life have ultimately returned to ‘normal’ this shouldn’t be a green light to put the subject of risk to one side, or to leave the risk register untouched, gathering dust. The impact of the pandemic still carries many risks, alongside the cost-of-living crisis and many other challenges. But, aside from that we still need to think about the everyday risks every organisation faces, even when things feel like they are moving in the right direction.
What is risk and how do we manage it?
The Charity Commission outlines that ‘risk is an everyday part of charitable activity and managing it effectively is essential if the trustees are to achieve their key objectives and safeguard their charity’s funds and assets’. In its Guidance Charities and Risk Management (CC26) the basic principles and strategies that can be applied to help charities manage their risks are addressed. It outlines the types of risks charities should consider and the stages of creating a risk management model.
I thoroughly recommend taking a pro-active approach to risk management. It is important to understand the guidance and apply a framework to your charity’s approach to risk. By doing this a board, and indeed the whole organisation, can feel far more in control. It isn’t, however, simply enough to identify the risks. I have seen many a risk register become a static document, everyone recognising a certain risk but doing nothing to negate it or prepare, should it arise. It is essential that charities monitor risks, have a control procedure in place for each risk and identify actions that need to take place. I would always suggest giving each risk an owner, so that there is an individual responsible for overseeing each risk and the associated actions.
Make the risk register an active part of every board meeting. Review the current risks, consider new risks and reduce active risks where you can. Don’t discuss it in isolation! Consider how the risks fit alongside your policies and procedures, your strategy, and your operational plans. You should also regularly review your approach to managing risk – are you doing all you can? Does it still work for your organisation?
Should we or must we have a risk management procedure in place?
The CC26 guidance outlines what a charity must (legally) do and what they should do (to adhere to good practice).
There is only a legal requirement for charities to have a risk management statement in the annual Trustee’s Report if your charity requires an audit. The threshold being:
an income of £500,000 or more
or a gross income exceeding £250,000 with gross assets held exceeding £3.26 million
However, the Charity Commission outline that smaller charities are encouraged to make a statement in their report as a matter of good practice. If you are actively managing risks, then it is definitely worth including a statement (guidance on what should be included is outlined in the CC26 guidance and your accountant should also be able to support and advise).
Don’t put it off!
When working with a charity on their risk management model, I always feel they come away with a great sense of empowerment. Knowing the risks your charity faces should be seen as a positive thing. Every charity has risks. You will never eliminate them all. But you can be prepared for them, put in the appropriate controls to manage them and reduce their impact, should they arise. II suggest if you add one topic to your next board meeting, make it your approach to risk.