Charity risk management has traditionally been undertaken by identifying as many risks as possible and then applying an impact/likelihood scoring matrix. This may be undertaken at team, department and then board level. The resulting risk register will be extensive and so the board typically focuses on the top ten highest scoring risks. In practice, however, this leads to much debate and discussion on the scoring methodology and distracts attention away from how the risks are actually being managed.
To achieve better governance of the key strategic risks, many boards accept that there will be a set of headline risks (usually five, but up to six) which will always be key for their organisation. And it is likely that these are similar across many organisations. This does away with the need for subjective scoring methods and an arbitrary cut-off for risks that get board focus (it will always be the eleventh charity risk that comes back to bite you!). It also saves much time and debate at board meetings.
Key strategic risks
|Impact||Are you making the desired impact in support of your beneficiaries and can you evidence it?|
|Financial sustainability||Are you managing the finances to ensure you continue to make an impact in the medium to long term?|
|Compliance||Are you meeting your regulatory, legal and donor compliance requirements and expectations?|
|Reputation||Are you able to respond effectively to any incident that could result in damage to your reputation?|
|Specific to the charity||Specific to the nature of the charity and may be a risk that is at the heart of what the charity stands for. For example, for a children’s charity it might be child protection.|
The board needs to have a clear mechanism for getting assurance on the management of charity risk. A board should agree the risk policy and oversee the process to identify and assess key risks affecting the organisation. It should understand how the organisation intends to manage those risks, but it also needs assurance that the management of charity risk is effective.
Understanding how risks are managed
Taking the approach to identifying risks outlined above, it then becomes easier for boards to understand how risks are being managed. A vast amount of day-to-day management is about managing risks, so risk management should not exist in a separate function or be undertaken as a separate activity. An understanding of risk management should start from the existing management activities. First, we consider the strategic risks. Earlier we suggested that all organisations have up to five major strategic risks. Next, a board needs information about how the existing processes, procedures, policies and quality systems contribute towards the management of the key risks. This can be brought together into an assurance framework.
Illustration of an assurance framework
The following set of five risks have been identified by a charity board as their Big Five, as discussed in the section on Governance of risk. Now the board want to understand more about the existing management processes which will help to manage these risks.
|Risk||Information and existing processes|
|Quality of service to beneficiaries||Beneficiary feedback; Quality assurance audits|
|Compliance & reputation||Incident response plans; Performance management systems|
What is apparent is that these are not typical controls, such as bank reconciliations and authorisation. The focus is not on internal financial controls, but on management processes that, for well-functioning boards, should appear on most board agendas.
An interesting exercise is to map these risks to the board agenda. If the board is discussing the right issues and the right strategic risks have been identified, there should be a high level of correlation between the two. If that does not exist, then either the board is wasting its time on unnecessary issues or the risks are wrong.