From the Regulator
Risk is a factor affecting the everyday work of charities, and managing risk effectively is essential if the key objectives set by trustees to provide the best possible service for their charity’s beneficiaries are to be achieved.
The Commission’s existing guidance on charities and risk management is due to be updated shortly. Both the existing and revised guidance is intended to help trustees and staff by explaining how trustees should approach the subject of risk. It sets out the requirements for disclosing the trustees’ approach to risk, discusses the types of risk faced, identifies the need for a risk policy and provides a practical framework for identifying, managing and reporting on risk[1]
The economic downturn has given many charities much food for thought when it comes to risk. They face the risks associated with financial shortfalls, of potentially having to scale back projects, or making redundancies and other cutbacks. Charities that already have
a rigorous approach to risk management will have benefited from having a structured approach to support decision making. The Commission’s latest survey on the impact of the economic downturn on charities shows that 37 per cent of the largest charities who responded have recently reviewed their risk policies, but fewer small to medium charities have done so [2].
The Commission’s existing guidance on risk explains that as a general rule, larger charities and those with activities which are more complex or diverse find it more difficult to identify the major risks faced and put appropriate systems in place to manage them. The risk management process should therefore be tailored to fit the circumstances of each individual charity. The identification of risk arising from activities undertaken and the management of those risks are not new concepts to most trustees. Indeed, for most charities the identification, evaluation and management of risk has been incorporated into their management processes for many years. But the guidance is clear – no matter what size they are, charities should take a systematic approach to the identification and management of risk. Here are just some of the key points covered in the current guidance, but the full guidance is worth a thorough read.
What sorts of risk need to be considered?
The charity SORP (Statement of Recommended Practice, which provides a comprehensive framework of recommended practice for charity accounting and reporting) requires charities whose accounts must be audited to make a statement in their annual report confirming that they have considered the major risks the charity is exposed to, and have put in place systems or procedures to manage those risks.Trustees may wish to set a policy to help make decisions as to the levels of risk that can be accepted on a day to day basis and those matters that need to be referred to them for decision.
Charities face some level of risk in most of the things that they do. The charity sector is diverse and the nature of activities and external influences will expose charities to differing areas of risk and levels of exposure.
These could include:
- Governance risks – e.g. inappropriate organisational structure, difficulties recruiting trustees with relevant skills, conflicts of interest;
- Operational risks – e.g. service quality and development, contract pricing, employment issues; health and safety issues; fraud and misappropriation;
- Financial risks – e.g. accuracy and timeliness of financial information, adequacy of reserves and cash flow, diversity of income sources, investment management;
- External risks – e.g. public perception and adverse publicity, demographic changes, government policy;
- Compliance with law and regulation – e.g. breach of trust law, employment law, and regulatory requirements of particular activities such as fund-raising or the running of care facilities.
The role of the charity trustees
The responsibility for the management and control of a charity rests with the trustee body and their involvement in the key aspects of the risk management process is essential, particularly in setting the parameters of the process and in the review and consideration of the results. This should not be interpreted as meaning that the trustees must undertake each aspect of the process themselves.
The level of involvement should be such that the trustees can make the required statement on risk management in their annual report with reasonable confidence.
Charities will have differing exposures to risk arising from their activities and will have different capacities to tolerate or absorb risk. A charity will also need to understand its overall risk profile so that, for example it can balance higher and lower risk activities. These considerations will help the trustees to decide the levels of risk they are willing to accept and may provide a benchmark against which the initial risk assessment is undertaken.
The risk assessment and evaluation will in turn inform the trustees of the charity’s overall risk profile and the steps which should be taken to manage major risks identified, and so better inform trustees when establishing their policies on risk generally.
Identifying risks
This is a process that requires careful consideration. Although there are various tools and checklists available, the identification of risks is best done by involving those with a detailed knowledge of the activities of the charity. Whilst the SORP statement focuses on major risks ‘identified by trustees’, except perhaps in the smallest charities, input into this process will extend beyond the trustee body. The trustees will need to think about:
- the charity’s objectives, mission and strategy;
- the nature and scale of the charity’s activities;
- the success factors that need to be achieved;
- external factors that might affect the charity such as legislation and regulation,
- and the charity’s reputation with its major funders and supporters;
- past mistakes and problems that the charity has faced;
- the operating structure – e.g. use of branches, subsidiary companies or
- joint ventures;
- comparison with other charities working in the same area or of similar size; and
- checklists of risk factors prepared by other charities or other organisations.
For this process to work, trustees and executive management need to be committed to it. Trustees will need to consult widely with key staff as ideas and useful contributions are likely to come from all levels of the organisation. Where the charity conducts some of its activities through branches, subsidiary companies or joint ventures, although legally these may constitute separate entities, they may also give rise to risks that may directly or indirectly impact on the charity.
Assessing risk
Identified risks need to be put into perspective in terms of the potential severity of impact and likelihood of their occurrence. Assessing and categorising risks assists in prioritising and filtering them and establishing what further action (if any) is required and at what level.
One method is to consider each identified risk and decide for each the likelihood of it occurring and the severity of the impact of its occurrence on the charity.
Judging the severity of impact requires careful consideration and sometimes subjective judgement. Often a clear financial impact can be assessed but certain events will in themselves create an indirect impact that may be significant and present a major risk.
There are techniques which trustees could use to assess and prioritise the risks that it faces such as scoring the likelihood of an undesirable outcome and also the impact that that outcome would have on the charity’s ability to achieve its objectives. This method could use a scoring system ranging from 1 to 5 for impact (1 being insignificant and 5 being catastrophic) and 1 to 5 for likelihood (1 being remote and 5 being highly probable). One score is multiplied against the other and the higher the resulting score, the higher priority is given to managing that risk.
Evaluate what action needs to be taken on the risks
Where major risks are identified then the trustees will need to ensure that appropriate action is being taken to ensure that they are being managed, including the review of the effectiveness of existing controls.
For each of the major risks identified, trustees will need to consider any additional action that needs to be taken to mitigate the risk, either by lessening the likelihood of the event occurring, or lessening its impact if
it does.
Once each risk has been evaluated, the trustees can draw up a plan for any action that needs to be taken. This action plan and the implementation of appropriate systems or procedures allows the trustees to make a positive statement as to risk management.
Good risk management is also about enabling organisations to take opportunities and to meet urgent need, as well as preventing disasters.
For example, a charity may not be able to take advantage of technological change in the absence of a reserves policy that ensures that there are adequate funds to do so, or perhaps could not organise a successful emergency relief programme without adequately trained staff and organisational structures.
Periodic monitoring and assessment
One approach trustees may choose is to create a risk register which would pull together the key aspects of the risk management process. It would set out, for example, the risks faced by the charity and their assessment, the controls in place to manage those risks, and could identify responsibilities, monitoring procedures and follow up action required[3].
Risk management extends beyond simply setting out systems and procedures. The process needs to be dynamic to ensure new risks are addressed as they arise and also cyclical to establish how previously identified risks may have changed.
Risk management is not a one-off event and should be seen as a process that will require monitoring and assessment.
[1] The guidance, Charities and Risk Management, was published in July 2007:
[2] Decision Making in Hard Times: Impact of the Economic Downturn on Charities, February 2010.
[3] See also Steve Fowler’s article ‘Managing the Risk Register’ on page 8 of this issue
Author: Clarissa Dann
Clarissa Dann was the editor of Caritas as well as an HR and management online service,he People Bulletin until July 2011.
She is now the editor of the specialist trade finance magazine, Trade and Forfaiting Review which can be viewed at www.tfreview.com but does write on charity finance and investment from time to time.
Clarissa has a background in legal and professional publishing, as well as business journalism and holds an MBA from
There are no comments on this article. Be the first to comment.