As a trustee, this is likely to be a key part of your role. With often complex issues and ever-changing needs of beneficiaries, charities need to have an appetite to take a certain amount of managed risk. Identifying, managing and understanding those risks is critical for trustees and must be integral to planning, to ensure the longevity of the charity.

As a trustee, you need to take the time review the risks your charity faces and assess how best to manage them. In the past this may have been a brief and unstructured part of your annual planning process. However, after a number of high-profile cases where the impact of specific risks was clearly grossly underestimated, along with the rapid pace of technological change and associated cyber risks, boards should be prepared to invest more time than ever thinking about risks and how to manage them.

Risk management sits at the heart of the 2017 Charity Governance Code. The Charity commission also has its own guidance – Charities and Risk Management (CC26) which outlines the basic principles and strategies and provides some useful templates and checklists. This is a great reference point along with many online resources for trustees either looking at risk management for the first time or aiming to approach the subject with the latest information.

It’s impossible to totally eliminate risks, but the guidance mentioned above will mean that the risks are managed and appropriately monitored, to ensure that they remain within your tolerated levels.

What is risk management?

No matter the size or complexity of your charity, effective risk management is something that needs careful care and attention. By managing risk effectively, trustees can ensure that significant risks are identified and monitored, enabling informed decisions and appropriate action. Your charity will be far more likely to succeed in its mission if it has confidence their risks will be managed. Reporting on the steps taken to manage risk also helps to demonstrate accountability to stakeholders – such as funding providers and beneficiaries.

If your charity is required by law to have its accounts audited, you’ll need to make a risk management statement in your trustees’ annual report confirming that ‘…the charity trustees have given consideration to the major risks to which the charity is exposed and satisfied themselves that systems or procedures are established in order to manage those risks.’ (Charities (Accounts and Reports) Regulations 2008).

Major risks are defined as those that would have a major impact and are likely, or highly likely to occur. If they did happen, they would have a major impact on some or all of the following areas – governance, operations, financial, environmental or external factors such as reputation or relationship with funders, and a charity’s compliance with laws or regulations. Even if you’re a smaller charity that doesn’t need to make this statement, you should still be concerned about the risks your charity faces. It’s best practice to commit to the disciplines and scrutiny required to make a risk management statement.

An effective risk management process is not a one-size-fits-all approach, so take the time to understand what this means for your charity. What risks might prevent your charity from achieving its objectives? What are the consequences? What are the options available to mitigate the risk? A RAG rating  – Red/Amber/Green score may help to identify where the focus needs to be, but be careful this doesn’t lure you into an overly simplified view of your risk, this could mean you miss important details.

If you identify a risk that would have a very high impact and very low likelihood of occurrence, please be especially careful. They are the ones you should take most care to protect, even if they are unlikely to happen; more so than risks with a very high likelihood of happening, but an insignificant impact. Bear in mind that on rare occasions those improbable events do occur with devastating effect, at other times likely events do not ever happen.

A focus on high-impact risk is important, but remember that the occurrence of a lower impact risk might trigger other events, making it a much bigger threat. One low impact risk may lead to another, resulting in a cumulative impact that becomes extreme or catastrophic. Many studies have shown that most business failures are the result of a series of small, linked events having too great a cumulative impact to deal with rather than a single large event. If organisations only look at the big risks, they can often end up ill-prepared to face the interaction of separate smaller adverse events interacting together.

Managing risk

So, having identified, assessed and scored the risks, the next step is to decide whether to accept the risk, take action to reduce it, outsource or insure the risk, or avoid the risk by curtailing activities or reducing their scope or extent. Where the risk can be managed by internal controls or insurance, assess the cost of mitigation with that arising if the risk materialised. Ensure that any internal controls you implement has an owner who is accountable for monitoring any changes to the risk. When purchasing insurance, it is important to ensure the policy is tailored to cover the specific needs and scope of the charity’s activities and is not a generic commercial product.

With the current pace of change, risk management must be a dynamic and continual process, embedded in the culture of an organisation in order to remain effective and relevant. New risks will emerge – the risk of losing assets or data through cyber risks for instance – and existing risks will change, often at pace. The rapidly changing current economic environment, high inflation and competition for scarce staff, skills and resources requires trustees to be constantly vigilant in order to be able to respond effectively and remain focussed on delivering their objectives.