Small Charities and Risk

This back to basics guide for small charities takes a look at the identification and management of risk within your charity.

 

What is risk? 

Risk, quite simply, is the potential of something going wrong, or happening, that could have a negative impact on your organisation..  

Why does risk matter? 

Risk can relate to internal and external factors which have the potential to negatively affect your charity’s income generation, level of expenditure, security (think data, cyber, fraud), ongoing operation and, ultimately, survival. 
Understanding the potential risks facing your charity, voluntary organisation or community group helps you decide how best to prepare for such risks becoming reality, through a process known as risk management. 

Who needs to know about risk? 

Trustees and senior members of staff should understand the conditions which give rise to risk. There should be procedures in place to review your identified risks and your proposed responses, as well as to see if new risks have emerged – and if any previously identified risks no longer need to be considered. 

The Charity Commission in its risk management guidance (CC26) is very clear.  It says: ‘Charity trustees should regularly review and assess the risks faced by their charity in all areas of its work and plan for the management of those risks.’ 

This is not a task that can be delegated to a committee as the full board needs to have a proper understanding of the key risks their organisation faces. This is fundamental to the proper fulfilment of their role as directors or trustees. 

Where do we start? 

Start with a risk identification exercise. This could cover governance, financial, operational and reputational risks. Governance and reputation may cut across operational and financial risks and they are elements to consider for every risk in those categories too. 

You can also think about risks as they relate to strategy (your path to achieving your long term aims), business as usual (BAU) or projects (usually pieces of work with a specific outcome or timeframe, sometimes called task and finish). 

Thinking in these broad categories of risk, you can then develop appropriate ways of responding to risks and managing them. It will also help you ensure that the responsibility for managing risk is appropriately allocated within the organisation. 

Once you and your team have identified risks and are thinking about what you can do about them, you generally have six options: 

  1. Accept the risk and monitor it, to ensure you have not miscalculated and that you notice if the risk changes 
  2. Avoid the risk by stopping the activity 
  3. Transfer the risk by taking out insurance cover or contracting out an aspect of the activity 
  4. Develop response plans to mitigate the effects of an adverse risk event, or to take advantage of an unplanned opportunity 
  5. Reduce the likelihood of an adverse risk event by putting controls in place 
  6. Take management action to increase the chances of success  

You should keep a record of your risks (often called a risk register) which includes your decisions on which approach to take to a risk and what your actions to reduce the risk are. 

Risk registers often include a risk score based on: 

  1. The likelihood of a risk becoming a reality, and 
  2. The impact this will have on your organisation 

 

The approach to risk involves one other key factor: proportionality. You won’t want to over-manage a risk as this is wasting time and money, but, equally, you will not want to respond inappropriately as this is both ineffective and a waste of resources. An underlying purpose to ranking risks for probability and impact is to prioritise risks for action and resources. 

Reviewing your risks regularly, discussing what’s changed and what’s new will help you allocate resources and time to the areas which will help you ensure you are working towards your purpose in a considered, focused way.  

Your trustees are crucial to this work and should play an active role in understanding and managing risks facing your organisation.  
 
Further resources and events

'Rethinking Risk – Beyond the tick box', published in association with Sayer Vincent, 2016 

The Charity Governance Code

Charity Commission CC26: charities and risk management 

Build your skills and knowledge

Advanced Charity Finance, one-day CFG course, 23 September 2022

Foundation Charity Finance, one-day CFG course, 6 October 2022

Inspiring Financial Leadership 2022/23, CFG's flagship training course in partnership with Centre for Charity Effectiveness and Sayer Vincent