Article: The five steps of risk assessment

15 March 2022
Moderator

An event like a hacker attack or the loss of a major donor could be catastrophic for your charity. So what are you doing to reduce the risk of such an event? This question is at the core of risk management, and it’s one that charities of all sizes should be asking themselves on a regular basis.


For larger charities, it is in fact an obligation: non-company charities with incomes of £500,000 or more (and charities with incomes above £250,000 plus assets worth more than £3.26 million) must include a risk management statement in their trustees’ annual report, according to government guidance.


Here we offer five simple steps to help charities carry out an adequate risk assessment.


Where should you begin?


To get started, it is a good idea to look at the five steps to risk assessment that are recommended for general workplace risk assessments, which with a little adaptation can also be applied to charity operations. These five steps are:

  • Step 1: Identify the risks
  • Step 2: Decide what might be harmed and how
  • Step 3: Evaluate the risks and decide on mitigations
  • Step 4: Record your findings and implement them
  • Step 5: Review your risk assessment regularly and update if necessary

Let’s take a look at each of these in turn.


Identify the risks


This is perhaps the most important step in the risk assessment process, because it is only once you have identified all the risks that your charity faces that you can manage these risks appropriately.


The Charity Commission recommends that risks are grouped into five types:

  • Financial risks: includes the risk that a major funding source could dry up and the risk of financial fraud
  • External risks: includes the possibility of political actions, or negative publicity caused by poor service
  • Regulatory and compliance risks: includes failing to comply with data privacy legislation or failing to submit a risk management statement
  • Operational risks: includes failing to recruit people with suitable skills, or failing to take the appropriate cyber security measures
  • Governance risks: includes failing to ensure that the charity board has the right skill sets or qualifications

Cyber security has become so important that many organisations, including charities, now carry out a detailed cyber security risk assessment in addition to the more general risk assessment described here.

Decide what might be harmed and how


This step entails looking at the impact of the risks identified in the first step.


This is important because by articulating the impacts you can get a much greater appreciation of what running any given risk might entail. For example:

  • The impact of a major funding source drying up may mean your charity would be forced to stop offering many of its services, or it might even mean that the charity could no longer operate
  • The impact of negative publicity caused by poor service could mean fundraising revenues fall significantly in the short- or long-term
  • The impact of failing to comply with data privacy legislation could be that your charity faces a financial penalty and loss of reputation
  • The impact of failing to ensure that the charity board has the right skill sets could be that your charity wastes money on failed projects – perhaps new service offerings or internal projects such as implementing a data analytics system

There are a number of digital tools which you can use to help you with these stages of a risk assessment.


Check out our article for more information: Digital tools to help with risk assessment.


Evaluate the risks and decide on mitigations


During this stage, you need to look at each risk and then assess how likely it is to actually happen. You then need to combine the result with the impact of the risk (established in the previous step) in order to decide what – if anything – you should do to mitigate the risk to an acceptable level.


In effect, for any risk this is an exercise in balancing two things – how likely it is to happen, and how bad it would be for your charity if it were to happen.


When you think about it like that it becomes apparent that you may not need to worry much about things which are unlikely to happen and which would have very little impact if they did. Conversely, risks that are very likely to happen and which would have a catastrophic impact on your charity need to be dealt with as soon as possible.


In between these are risks which are unlikely but would have a significant impact, and risks which are likely but would have little impact.


The final part of this stage is to decide what you need to do, if anything, to mitigate the high-likelihood, high-impact risks. After that, look at the low-likelihood, high-impact risks and the high-likelihood, low-impact risks, and finally the low-likelihood, low-impact risks.


There are a number of ways to mitigate risks. These include taking out insurance (including cyber insurance) and making changes to the way your charity operates in order to reduce their likelihood (or avoid them altogether).


For some risks, particularly low-likelihood low-impact risks, you may choose to do nothing and simply accept that they might occur.
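The likelihood-and-impact triage described in the two steps above is easy to get wrong once a register has more than a handful of entries, so here is an added worked example (written for this article, not a tool from Charity Digital or the Charity Commission) that scores each risk, places it in one of the four quadrants and orders the register in the sequence the article recommends. The 1-5 scales, the threshold of 4 for "high", the treatment wording and every entry in the sample register are constructed assumptions for illustration.

```python
"""Risk register triage: likelihood x impact, quadrant ordering and treatment.

Added example. Scales, threshold and sample data are assumptions, not
figures from the article or from any regulator.
"""
from dataclasses import dataclass

HIGH = 4  # assumed: a 1-5 score of 4 or 5 counts as "high"

# Triage order from the article: high/high first, then the two mixed
# quadrants, then low/low.
QUADRANT_PRIORITY = {
    ("high", "high"): 1,
    ("low", "high"): 2,   # unlikely, but significant impact
    ("high", "low"): 2,   # likely, but little impact
    ("low", "low"): 3,
}


def _band(value: int) -> str:
    return "high" if value >= HIGH else "low"


@dataclass(frozen=True)
class Risk:
    name: str
    category: str      # one of the Charity Commission's five risk types
    likelihood: int    # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int        # 1 (negligible) .. 5 (catastrophic), assumed scale

    def __post_init__(self) -> None:
        for field in ("likelihood", "impact"):
            value = getattr(self, field)
            if not 1 <= value <= 5:
                raise ValueError(f"{field} must be 1-5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def quadrant(self) -> tuple:
        return (_band(self.likelihood), _band(self.impact))


def suggest_treatment(risk: Risk) -> str:
    """Map a quadrant to the treatment options the article lists
    (change operations, insure, or accept). Wording is assumed."""
    likelihood, impact = risk.quadrant
    if likelihood == "high" and impact == "high":
        return "mitigate now: change how the charity operates to cut likelihood"
    if impact == "high":
        return "insure or add controls: rare but would be very damaging"
    if likelihood == "high":
        return "reduce with cheap process fixes and monitor how often it occurs"
    return "accept: record it and revisit at the next review"


def triage(register):
    """Order a register by quadrant priority, then by score (highest first)."""
    return sorted(
        register,
        key=lambda r: (QUADRANT_PRIORITY[r.quadrant], -r.score, r.name),
    )


# Constructed sample register (not real charity data).
SAMPLE_REGISTER = [
    Risk("Major funder withdraws grant", "financial", likelihood=2, impact=5),
    Risk("Phishing leads to payroll fraud", "operational", likelihood=4, impact=4),
    Risk("Unencrypted laptop lost", "regulatory and compliance", likelihood=4, impact=3),
    Risk("Ransomware on donor database", "operational", likelihood=3, impact=5),
    Risk("Volunteer parking dispute", "external", likelihood=2, impact=1),
]


def register_rows(register):
    """Rows for the recorded findings (step 4): name, quadrant, score, action."""
    return [
        (r.name, "/".join(r.quadrant), r.score, suggest_treatment(r))
        for r in triage(register)
    ]


if __name__ == "__main__":
    for name, quadrant, score, action in register_rows(SAMPLE_REGISTER):
        print(f"{score:>2}  {quadrant:<9}  {name:<32}  {action}")
```

The ordering deliberately does not rely on the raw likelihood x impact product alone: a rare, catastrophic risk (score 10) and a frequent, minor one (score 12) both land in the second tier, which is what the article's sequence asks for, and the score only breaks ties within a tier.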


Record your findings and implement them


It’s easy to overlook this stage, but it is important your charity records the findings of its risk assessment so that it can be used in the future, and also to prove that a risk assessment has in fact taken place.


This may be a requirement for regulatory compliance, or, when making an insurance claim, a way to show that you took reasonable steps to mitigate the risk in question.


Review your risk assessment regularly and update if necessary


This final step is necessary because charity operations can and do change – sometimes quite dramatically – over time. That means that you need to review your risk assessment regularly to ensure that it takes into account any such changes and captures any new risks that these changes entail.


How often you review depends on the nature of your charity: some will need to revisit the assessment every few months, others only once a year. In every case, though, a review should take place after any major change to the way your charity operates.
