The effective management of risk is an essential part of the responsibilities of charity trustees and is often overlooked by those responsible for managing the smaller charity.

Risk is an event or action that may adversely affect an organisation's ability to survive or compete in its market, or to maintain its financial stability, its positive public image and the overall quality of its people and services. Risk can also arise from a failure to exploit opportunities or from a breakdown in operational controls and procedures.

The requirement to manage risk

For registered charities the Charities SORP (Statement of Recommended Practice) sets out the reporting requirements for trustees on the:

1. identification of major risks
2. the review of risks
3. the systems or procedures established to manage risk

It is therefore essential for all charities that they have a sound risk management policy.

The role of the trustees

The responsibility for the management and control of a charity rests with the board of trustees. The board's involvement in the key aspects of the risk management process is essential. Trustees do not have to undertake each aspect of the process themselves. Their level of involvement should be such that the trustees can make the required statement on risk management in the statutory annual report with reasonable confidence.

The management of risk will involve the following key steps:

1. establishing the risk policy
2. identifying risk
3. assessing risk
4. evaluating and implementing what action needs to be taken
5. reviewing and establishing a system of periodic monitoring and assessment

Although these elements can be used as 'steps' or 'stages', it is likely that trustees will need to revisit each stage as their knowledge of the charity's risk profile increases.

Any risk management policy will need to be:

1. comprehensive
2. continuous
3. integrated
4. suitable and proportional

Establish risk policy

Risk is an inherent feature of all activity and may arise from inaction as well as new initiatives. Charities will have differing exposures to risk arising from their activities and will have different capacities to tolerate or absorb risk. A charity with sound reserves could perhaps embark on a new project with a higher risk profile than, say, a charity facing solvency difficulties.

The risk policy process will include a consideration of the following:

1. the charity's objectives, philosophy and strategy;
2. the nature and scale of the charity's activities; the success factors that need to be achieved;
3. external factors that might affect the charity such as legislation and regulation, and the charity's reputation with its major funders and supporters;
4. past mistakes and problems that the charity has faced;
5. the operating structure - e.g. use of branches, subsidiary companies or joint ventures;
6. comparison with other charities working in the same area or of similar size; and
7. checklists of risk factors prepared by other charities or other organisations.

For this process to work, it is essential that trustees and executive management are committed to it. Trustees will need to consult widely with key managers and staff, and may even involve supporters and beneficiaries where reputational risk or provision of service to beneficiaries is being considered.

Identify risks

The identification of risk should be integral to the strategic planning and budget setting process. Key questions will include:

1. What external and operational risks may prevent our charity from achieving its core objectives?
2. What might happen and what would the consequences be for us?
3. What are the steps we can take to mitigate or reduce those risks?

External risks generally fall into one or more of the following categories:

1. Political
2. Economic
3. Social
4. Environmental
5. Technological
6. Legal

and tend to be outside the control of the charity.

Internal risks arise from the day to day operation of the charity and the identification of these will require consideration of all aspects of the charity's operational activities.

This is not the only way of categorising risks and the following alternative classification could for example be used:

1. Governance risks - e.g. inappropriate organisational structure, difficulties recruiting trustees with relevant skills, conflict of interest;
2. Operational risks - e.g. service quality and development, contract pricing, employment issues; health and safety issues; fraud and misappropriation; loss of key staff;
3. Financial risks - e.g. accuracy and timeliness of financial information, adequacy of reserves and cash flow, diversity of income sources, investment management;
4. External risks - e.g. public perception and adverse publicity, demographic changes, government policy;
5. Compliance with law and regulation - e.g. breach of trust law, employment law, and regulative requirements of particular activities such as fund-raising or the running of care facilities.

Although the process of risk identification should be undertaken with care, the analysis will inherently contain some subjective judgements and no process is likely to be capable of identifying all possible risks that may arise. The process can only provide reasonable (not absolute) assurance to trustees that all relevant risks have been identified.

Assessing risks

The first stage of the assessment process is to prioritise risks using impact analysis so that the significance of a risk is measured against the likelihood of that risk actually arising. Significance should be considered in both financial and reputational terms. Risks can be prioritised so that those with high significance and high probability receive primary attention. Risks with high significance and low probability scores give rise to the need for contingency planning, whereas risks with low significance but high probability scoring can often be addressed by improvements to internal control procedures.

All risks have to be considered in the light of the charity's 'risk threshold', the setting of which will be influenced by the level of reserves, the projected surpluses etc.

Evaluating and implementing the action required

Where major risks are identified the trustees will need to ensure that appropriate action is taken to mitigate them. This review should include establishing the adequacy of controls already in place. For each of the major risks identified, trustees will need to consider any additional action that needs to be taken to mitigate the risk, either by lessening the likelihood of the event occurring, or lessening its impact if it does.

There are four basic strategies that can be applied to an identified risk:

1. transferring the financial consequences to third parties or sharing it (e.g. insurance, outsourcing);
2. avoiding the activity giving rise to the risk completely (e.g. a potential grant or contract not taken up);
3. management or mitigation of risk; or
4. accepting it (e.g. assessing it as an inherent risk that cannot be avoided if the activity is to continue).

Risk mitigation is aimed at reducing the 'gross level' of risk identified to a 'net level' of risk that remains after appropriate action is taken. This identification of 'gross risk', the control procedures put in place to mitigate the risk, and the identification of the residual or 'net risk' can be recorded in a risk register (see pro forma below).

Trustees need to form a view as to the acceptability of the residual or 'net risk' that remains after mitigation. It is possible that the process may also identify areas where the current control processes are disproportionately costly or onerous relative to the risks they seek to address.

Risk Review

It can be helpful to use a scoring system to assess which risks need further work. Severity of impact could be scored from 1 (least serious) to 5 (most serious) and similarly the likelihood of occurrence could be scored from 1 (remote) to 5 (very likely). The impact score is usually multiplied by the score for likelihood and the product of the scores used to rank those risks that the trustees regard as most serious.

Risks other than high likelihood/high impact should not be ignored. Those with high potential severity of impact but low likelihood of occurrence need to be kept under review, possibly annually, and will need arrangements in place to ensure that they can be addressed should they arise. Similarly, events with low severity but with a high likelihood of occurrence may become gradual drains on a charity's finances or reputation. Those risks with both low severity and low likelihood of occurrence are unlikely to merit significant attention and effort might be better focused elsewhere.

Risk management extends beyond simply setting out systems and procedures. The process needs to be dynamic to ensure new risks are addressed as they arise and also cyclical to establish how previously identified risks may have changed. For all but the larger and more complex charities, annual monitoring is likely to be sufficient when supplemented by update reports and assessment of new activities or proposed projects.

Conclusion

A charity that has identified the major risks it faces, and established systems to mitigate such risks, will be able to make a positive statement on risk in its trustees' Annual Report. This will help to demonstrate the charity's accountability to its stakeholders (beneficiaries, donors and other funders, employees, and the general public). An effective risk management strategy can help ensure the charity's aims are achieved more effectively and significant risks are known and monitored, enabling trustees to improve forward planning.