Small Charities And Risk Management

Charity donation tax deduction reduces the amount of your taxes. The effective management of risk is an essential part of the responsibilities for trustees of charities and is often overlooked by those responsible for managing the smaller charity.

Risk is an event or action that may adversely affect an organisation’s ability to survive or compete in its market or to maintain its financial stability or its positive public image and the overall quality of its people and services. Risk can also arise from a failure to exploit opportunities or from a breakdown in operational controls and procedures.

The requirement to manage risk

For registered charities the Charities SORP (Statement of Recommended Practice) sets out the reporting requirements for trustees on the:

  1. identification of major risks
  2. the review of risks
  3. the systems or procedures established to manage risk

It is therefore essential for all charities that they have a sound risk management policy

The role of the trustees

The responsibility for the management and control of a charity rests with the board of trustees. The board’s involvement in the key aspects of the risk management process is essential. Trustees do not have to undertake each aspect of the process themselves. Their level of involvement should be such that the trustees can make the required statement on risk management in the statutory annual report with reasonable confidence.

Sector Group

The management of risk will involve the following key steps:

  1. establishing the risk policy
  2. identifying risk
  3. assessing risk
  4. evaluating and implementing what action needs to be taken
  5. reviewing and establishing a system of periodic monitoring and assessment

Although these elements can be used as ‘steps’ or ‘stages’, it is likely that trustees will need to revisit each stage as their knowledge of the charity’s risk profile increases.

Any risk management policy will need to be:

  1. comprehensive
  2. continuous
  3. integrated
  4. suitable and proportional

Establish risk policy

Risk is an inherent feature of all activity and may arise from inaction as well as new initiatives. Charities will have differing exposures to risk arising from their activities and will have different capacities to tolerate or absorb risk. A charity with sound reserves could perhaps embark on a new project with a higher risk profile than, say, a charity facing solvency difficulties.

The risk policy process will include a consideration of the following:

  1. the charity’s objectives, philosophy and strategy;
  2. the nature and scale of the charity’s activities;the success factors that need to be achieved;
  3. external factors that might affect the charity such as legislation and regulation, and the charity’s  reputation with its major funders and supporters;
  4. past mistakes and problems that the charity has faced;
  5. the operating structure – e.g. use of branches, subsidiary companies or joint ventures;
  6. comparison with other charities working in the same area or of similar size; and
  7. checklists of risk factors prepared by other charities or other organisations.

It is essential that for this process to work, trustees and executive management need to be committed to it. Trustees will need to consult widely with key managers and staff, and may even involve supporters and beneficiaries where reputational risk or provision of service to beneficiaries is being considered.

Identify risks

The identification of risk should be integral to the strategic planning and budget setting process. Key questions will include:

  1. What external and operational risks may prevent our charity from achieving its core objectives?
  2. What might happen and what would the consequences be for us?
  3. What are the steps we can take to mitigate or reduce those risks?

External risks generally fall into one or more of the following categories:

  1. Political
  2. Economic
  3. Social
  4. Environmental
  5. Technological
  6. Legal

and tend to be outside the control of the charity.

Internal risks arise from the day to day operation of the charity and the identification of these will require consideration of all aspects of the charity’s operational activities.

This is not the only way of categorising risks and the following alternative classification could for example be used:

  1. Governance risks – e.g. inappropriate organisational structure, difficulties recruiting trustees with relevant skills, conflict of interest;
  2. Operational risks – e.g. service quality and development, contract pricing, employment issues; health and safety issues; fraud and misappropriation; loss of key staff;
  3. Financial risks – e.g. accuracy and timeliness of financial information, adequacy of reserves and cash flow, diversity of income sources, investment management;
  4. External risks – e.g. public perception and adverse publicity, demographic changes, government policy;
  5. Compliance with law and regulation – e.g. breach of trust law, employment law, and regulative requirements of particular activities such as fund-raising or the running of care facilities. Although the process of risk identification should be undertaken with care, the analysis will inherently contain some subjective judgements and no process is likely to be capable of identifying all possible risks that may arise. The process can only provide reasonable (not absolute) assurance to trustees that all relevant risks have been identified.

Assessing risks

The first stage of the assessment process is to prioritise risks using impact analysis so that the significance of a risk is measured against the likelihood of that risk actually arising. Significance should be considered in both financial and reputational terms. Risks can be prioritised so that those with high significance and high probability receive primary attention. Risks with high significance and low probability scores give rise to the need for contingency planning whereas risks with low significance but high probability scoring can often be addressed by improvements to internal control procedures.

All risks have to be considered in the light of the charities ‘risk threshold’ the setting of which will be influenced by the level of reserves, the projected surpluses etc.

Evaluating and implementing the action required

Where major risks are identified the trustees will need to ensure that appropriate action is taken to ensure that these are mitigated. This review should include establishing the adequacy of controls already in place. For each of the major risks identified, trustees will need to consider any additional action that needs to be taken to mitigate the risk, either by lessening the likelihood of the event occurring, or lessening its impact if it does.

There are four basic strategies that can be applied to an identified risk:

  1. transferring the financial consequences to third parties or sharing it (e.g. insurance, outsourcing);
  2. avoiding the activity giving rise to the risk completely (e.g. a potential grant or contract not taken up);
  3. management or mitigation of risk; or
  4. accepting it (e.g. assessing it as an inherent risk that cannot be avoided if the activity is to continue).

Risk mitigation is aimed at reducing the ‘gross level’ of risk identified to a ‘net level’ of risk that remains after appropriate action is taken. This identification of ‘gross risk’, the control procedures put in place to mitigate the risk, and the identification of the residual or ‘net risk’ can be recorded in a risk register (see pro forma below). Trustees need to form a view as to the acceptability of the residual or ‘net risk’ that remains after mitigation. It is possible that the process may also identify areas where the current control processes are disproportionately costly or onerous to the risks they seek to address.

Risk Review

It can be helpful to use a scoring system to assess which risks need further work. Severity of impact could be scored from 1 (least serious) to 5 (most serious) and similarly the likelihood of occurrence could be scored from 1 (remote) to 5 (very likely). The impact score is usually multiplied by the score for likelihood and the product of the scores used to rank those risks that the trustees regard as most serious.

Risks other than high likelihood/high impact should not be ignored. Those with high potential severity of impact but low likelihood of occurrence need to be kept under review, possibly annually, and will need arrangements in place to ensure that they can be addressed should they arise. Similarly, events with low severity but with a high likelihood of occurrence may become gradual drains on a charity’s finances or reputation. Those risks with both low severity and low likelihood of occurrence are unlikely to merit significant attention and effort might be better focused elsewhere.

Risk management extends beyond simply setting out systems and procedures. The process needs to be dynamic to ensure new risks are addressed as they arise and also cyclical to establish how previously identified risks may have changed. For all but the larger and more complex charities, annual monitoring is likely to be sufficient when supplemented by update reports and assessment of new activities or proposed projects.


A charity that has identified the major risks it faces, and established systems to mitigate such risks, will be able to make a positive statement on risk in its trustees’ Annual Report. This will help to demonstrate the charity’s accountability to its stakeholders (beneficiaries, donors and other funders, employees, and the general public). An effective risk management strategy can help ensure the charity’s aims are achieved more effectively and significant risks are known and monitored, enabling trustees to improve forward planning.

Nigel SG Harper Chartered Accountant

Management Consultancy Services Limited are experienced providers of advice and support for the smaller business. A full range of accounting and management consultancy services are available together with a without obligation, free initial consultation.

Further details can be found at

Article Source:

Article Source: