How to review your risk policy

Is the charitable sector a risky place? Depends on how you look at it.

The cost-of-living crisis and unreliability of donor income means that charity operations aren’t as secure as they once were. Having a risk management policy to help navigate becomes crucial to gauging, and weathering events.

With change afoot, reviewing and updating the policy is necessary. Here’s how to start.

Fit for purpose

Ensure that the policy covers what it is mean to cover – risks that may affect the organisation. You may need to bring the policy up to speed with new threats to the organisation like borrowing costs or phishing attempts. Describing existing or new risks helps users identify the problem.

Know if it is a legal requirement

All charities that are audited are required by the Charity Commission to maintain a risk management statement. Organisations with an income of over £500,000 or those with a gross income exceeding £250,000 with assets over £3.26 million are required to include one.

Officially, this statement is one that trustees acknowledge to the public and the commission. They need to verify that risks have been duly considered and that appropriate systems and processes are in place to manage them.

Delegate responsibility

Proper risk management includes named people and teams who are responsible for the process. This should be updated on a regular basis. Remember that trustees need oversight.

Get feedback across teams

It’s challenging to have a view on every charity operation. To effectively govern and mitigate risk, encourage feedback from the team on what they are seeing on the front lines. This could be highlighting whether fraud attempts are increasing or if donations are coming in less frequently.

Cause and effect

Once risks are described, test out the thinking. Highlight what the probability is of something happening and scope the potential effects. There may be a string of follow-on effects which could impact charity operations and beneficiaries.

Risk scoring

Typically, risk management policies will include a scoring programme to categorise and assess threats. The Institute of Risk Management aligns with how the Charity Commission sees the issue. They say to look at both impact and likelihood of occurrence across a numeric scale. Each risk is classified further in terms of strategic, operational, financial, reputational, and compliance.

During the risk policy review, re-evaluate how the scoring is done, frequency and likelihood of occurrence.

Check the risk register

A risk register is a document that captures all the risks that an organisation faces. Many template documents also rate how likely the scenario is and what preventative measures are in place. 

In terms of a project, Asana says: “A risk register is a document that is used as a risk management tool to identify potential setbacks within a project. This process aims to collectively identify, analyse, and solve risks before they become problems.

Learn from mistakes

There may be situations where risk is unavoidable and charities suffer small setbacks. From this perspective, it’s important to take a look at what happened, would it happen again, and how could things be done differently.

The Institute of Risk Management says to own up to learnings: “It’s a good idea to communicate the learning to key people across the charity as although it might be too late this time, others may be able to prevent similar issues in their work.”

Have a contingency plan

A business continuity plan (BCP) is an accompanying document that outlines what to do in an emergency. Endsleigh, the insurance company, highlights the crux of what to address:

• What to do in extreme events like weather, terrorism, snow, or floods
• Where to go and how to operate if the charity’s premises are not accessible
• How to access the charity’s insurance policy

Charityfm says to make it easy for emergency services. Include staff contact details and a site map.  Ultimately the plan needs to be clear on how operations will go on or recover during a disruptive event.

Test the BCP

Sarah Cox from Ansvar, writing for Civil Society, says the key to a BCP is to test, and test again. She writes: “remember to think of your business continuity plan as a living document! It should be constantly evolving as your charity’s needs change over time.”

In simple words, practice your BCP to ensure that if something does happen, everyone in the organisation is prepared.

Ensure you have a communication strategy

The Charity Finance Group says letting staff and beneficiaries know what is happening is part of the BCP. The communication strategy should include the chain of command, scripted messages, and a mechanism for feedback.