Carrying out a risk assessment could save your charity from a disaster
An event like a hacker attack or the loss of a major donor could be catastrophic for your charity. So what are you doing to reduce the risk of such an event? This question is at the core of risk management, and it’s one that charities of all sizes should be asking themselves on a regular basis.
For larger charities, it is in fact an obligation: non-company charities with incomes of £500,000 or more (and charities with incomes above £250,000 plus assets worth more than £3.26 million) must include a risk management statement in their trustees’ annual report, according to government guidance.
Here we offer five simple steps to help charities carry out an adequate risk assessment.
To get started, it is a good idea to take a look at the five steps to risk assessment that are recommended for more general workplace risk assessments, but which a little adaptation can also be applied to charity operations. These five steps are:
Let’s take a look at each of these in turn.
This is perhaps the most important step in the risk assessment process, because it is only once you have identified all the risks that your charity faces that you can manage these risks appropriately.
The Charity Commission recommends that risks are grouped into five types:
Cyber security has become so important that many organisations including charities now carry out a detailed cyber security risk assessment, as well as a more general risk assessment.
This step entails looking at the impact of the risks identified in the first step.
This is important because by articulating the impacts you can get a much greater appreciation of what running any given risk might entail. For example:
There are a number of digital tools which you can use to help you with these stages of a risk assessment.
Check out our article for more information: Digital tools to help with risk assessment.
During this stage, you need to look at each risk and then assess how likely it is to actually happen. You then need to combine the result with the impact of the risk (established in the previous step) in order to decide what – if anything – you should do to mitigate the risk to an acceptable level.
In effect, for any risk this is an exercise in balancing two things – how likely it is to happen, and how bad it would be for your charity if it were to happen.
When you think about it like that it becomes apparent that you may not need to worry much about things which are unlikely to happen and which would have very little impact if they did. Conversely, risks that are very likely to happen and which would have a catastrophic impact on your charity need to be dealt with as soon as possible.
In between these are risks which are unlikely but would have a significant impact, and events which are likely but would have little impact.
The final part of this stage is to consider what you need to do, if anything, about the high-likelihood, high-impact risks in order to mitigate these risks. After that, you should look at the low-likelihood high-impact risks and the high-likelihood low-impact risks, and finally the low-likelihood low-impact risks.
There are a number of ways to mitigate risks. These include taking out insurance (including cyber insurance) and making changes to the way your charity operates in order to reduce their likelihood (or avoid them altogether).
For some risks, particularly low-likelihood low-impact risks, you may choose to do nothing and simply accept that they might occur.
It’s easy to overlook this stage, but it is important your charity records the findings of its risk assessment so that it can be used in the future, and also to prove that a risk assessment has in fact taken place.
This may be a requirement for regulatory compliance, or in order to make an insurance claim to show that you have taken reasonable steps to mitigate certain risks.
This final step is necessary because charity operations can and do change – sometimes quite dramatically – over time. That means that you need to review your risk assessment regularly to ensure that it takes into account any such changes and captures any new risks that these changes entail.
The frequency of these reviews depends on the nature of your charity, but in general a risk assessment may need to be reviewed as frequently as every few months or as rarely as once a year, but in any case, a review should take place after any major changes to the way that your charity operates.