
Charity Insurance


Introducing strategic risk management


Like all organisations, charities and not-for-profit organisations handle risk daily, whether in organisational planning to meet objectives, operational matters such as running shops, online activities and the like, safeguarding the charity and its beneficiaries from harm, or organising and running fundraising events.

The Charity Commission requires charities to include a risk management statement in Trustees’ Annual Reports, which means that charities need to consider risk and its management in a more structured way if a positive statement is to be made in the Annual Report.

Furthermore, the Charity Commission states that “no matter what size they are, charities should take a systematic approach to the consideration and management of risk”.

http://www.charity-commission.gov.uk/Charity_requirements_guidance/Charity_governance/Managing_risk/default.aspx

What is ‘risk’ and risk management?

There are many definitions of ‘risk’ available and they revolve around an occurrence which impacts on the delivery of an objective. Risk management therefore looks at how risks can be eliminated, avoided, reduced, transferred or accepted by an organisation.

At a more strategic level the Board and Senior Management Team can view risk management as how you:

• Identify and anticipate problems that will stop you achieving your objectives

• Manage the risks your organisation presents to the public, your employees and volunteers, and your trustees

• Maintain the trust and confidence of internal and external stakeholders by running a successful and ethical organisation

• Work within existing budgets to meet your objectives and create financial stability and viability

• Demonstrate that you are a competent organisation in terms of management, trust management and financial management amongst other areas

How do you start to consider risk management?

The International Organisation for Standardisation (ISO) standard 31000 sets out a recommended route that starts with a mandate and commitment from the Board for risk management to be embedded across an organisation. Then a framework for risk management is designed and implemented, followed by the implementation of risk management itself. Finally, the usual continuous improvement processes are embedded to ensure that the approach is maintained and updated regularly.

Whilst this is undoubtedly an excellent way to proceed, it may seem elaborate for some organisations, and it may put others off moving risk management forward for fear of the time and commitment involved.

March 2013

Introducing Strategic Risk Management

Oval Charities

Mandate and Commitment

Design of Framework
• Organisation and context
• Risk Management policy
• Embedding risk management

Implementation
• Implement framework
• Implement risk management process

Monitor and Review

Improve


An alternative route could be to jump into identifying, evaluating and treating risk to provide your organisation with an idea of what risks you face. Whilst not ideal it can be potentially an easier way into the process and provide you with ammunition to take to your Board should you need something more evidence-based and specific to your organisation.

The image opposite sets out this process.

Whether you want to follow the ISO 31000 approach or jump straight into risk assessment, Oval Charities can help you. Our practical and experience-led approach will provide you with the confidence and expertise to tackle this complicated issue.

As an example of our more practical approach, the table below expands and explains the graphic above:

[Figure: the risk management process: Establish Context; Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation); Risk Treatment; Communicate and Consult; Monitor and Review]

Content: Establish Context
Explanation: Identify the area of the organisation in which you want to identify and evaluate risks. This could be the organisation as a whole, a particular project or operational area.
Practical Advice: Organisation strategy, aims, and objectives may be the best place to start.

Content: Risk Assessment
Explanation: The process to be used to determine the risks and how great they are to the organisation.
Practical Advice: None.

Content: Risk Identification
Explanation: Identify the risks that will impact on the context selected. It is useful to think of these under headings such as financial risk, operational risk, external risk, internal risk, legislative risk and regulatory compliance, as well as, if relevant, major projects.
Practical Advice: Brainstorming and questionnaires about key risks are commonly used to assist with risk identification, as well as looking at historical problems and considering future strategic and operational changes.

Content: Risk Analysis
Explanation: Method used to determine the importance of a risk. It is important to understand an organisation’s financial capacity to bear risk (often called risk tolerance) and its willingness (often called appetite) to take on risk. See examples below of how to consider risk likelihood and impact, as well as a sample risk matrix.
Practical Advice: Usually divided between frequency/likelihood of risk occurring and severity/impact if the event does occur on the context reviewed. Commonly used processes involve risk matrices that divide these two areas into scoring mechanisms, e.g. High/Medium/Low and 1-5, after which each risk is plotted on a matrix.

Content: Risk Evaluation
Explanation: Although some risks are significant, some can be successfully managed to bring them down to a lower impact level. It is important to evaluate how/to what extent existing controls are reducing the risk item.
Practical Advice: Often the initial risk analysis is reduced by the effect of existing control of the risk in a designated column.

Content: Risk Treatment
Explanation: Consider whether there are additional actions and controls that can be taken to further reduce the risk for the organisation.
Practical Advice: An additional ‘controls’ column can be added to note actions. Such actions should be allocated to a senior person and deadlines for implementation shown.

Content: Communicate and Consult
Explanation: Communication about risk management activities, issues and actions should be made regularly to stakeholders.
Practical Advice: Initially a briefing document explaining why risk management is important and what the organisation is doing should be issued, followed by regular updates highlighting issues and actions.

Content: Monitor and Review
Explanation: A continuous process needs to be adopted to make sure that the risks remain relevant and significant enough to the organisational context to warrant actions being taken. New risks should be added, and controlled risks that are reduced to a low risk status should be removed.
Practical Advice: An agreement should be reached for different people within the organisation to review their risks on a regular/agreed basis and report to the Risk Committee, who should ensure that the risk matrix is maintained and up to date.


Our ideas around how likelihood and impact can be approached are included here.

Example of Strategic Risk Register – Likelihood Analysis

Score 1, Highly Unlikely: Previous experience at this and other similar organisations makes this outcome highly unlikely to occur. There are effective, tested and verifiable controls in place that prevent occurrences of this risk.

Score 2, Unlikely: Previous experience discounts this risk as being likely to occur but other organisations have experienced problems in this area. There are controls in place that, whilst not tested, appear to be effective.

Score 3, Possible: The charity has in the past experienced problems in this area but not in the last three years. Some controls are in place and generally work but there have been occasions when they have failed and problems have arisen.

Score 4, Very Likely: The charity has experienced problems in this area in the last three years. Controls may be in place but are generally ignored or ineffective.

Score 5, Definite: The charity trust is experiencing problems in this area or expects to in the next 12 months. No controls in place.

Example of Strategic Risk Register – Impact Analysis

Score 1, Negligible: Little or no financial impact (less than £5,000). Trust Services are not disrupted. No impact on the delivery of the corporate objectives. No loss of confidence and trust in the charity.

Score 2, Low: The financial impact would be losses or a loss of income of no greater than £25,000. Some temporary disruption to the activities of one service but not beyond this. It may cost more, or there may be a delay in delivering one of the organisation’s corporate objectives. Some loss of confidence in the organisation felt by a certain group or within a small geographical area.

Score 3, Medium: The financial impact would result in losses or a loss of income of no greater than £100,000. Regular disruption to the activities of one or more services. A number of corporate objectives would be delayed or not delivered. A general loss of confidence in the organisation within the local community.

Score 4, High: The financial impact would result in losses or a loss of income of no greater than £500,000. Severe service disruption on a departmental level or regular disruption affecting more than one department. Many corporate objectives delayed or not delivered. A major loss of confidence in the organisation within the local community.

Score 5, Very High: The financial impact would be greater than £500,000. Severe disruption to the activities of all departments. Unable to deliver most objectives. A disastrous loss of confidence in the organisation both locally and nationally.

Would you like to talk?

If you have any questions or would like to explore how you can make your insurance work harder for your organisation, we’re here to help.

Please speak to your usual Oval contact or alternatively call Alyson Pepperill, Head of Oval Charities on:

07824 492665

Or drop her an email at: [email protected]

Oval Insurance Broking Limited
Registered Office: 9 South Parade, Wakefield, WF1 1LR
Registered in England No: 01195184
Authorised and regulated by the Financial Services Authority

www.theovalgroup.com

Sample Risk Matrix on a 1-5 scoring basis

Finally, once the process has been applied, you will be able to formulate your organisational risk map. The sample below provides you with an idea of how this might reflect your risks.

This matrix enables an organisation to see at a glance which risks may be catastrophic to an organisation and which require action to reduce, transfer or retain such risks as a matter of urgency.

Most recently the so-called ‘Black Swan’ or ‘out of the blue’ risks have been much discussed within the risk fraternity. These would generally sit on most risk registers under likelihood 1 but impact 5 and as such are recorded as only ‘Possible Action’ on the sample matrix. In the light of the numerous recent issues with such risks, many organisations now colour 5 impact and 1 and 2 likelihood boxes ‘red’, or add an additional multiplication factor to take this into account, which moves the usual 5/1 risk up to 5/3 so that it is addressed.

| Likelihood \ Impact | 1 | 2 | 3 | 4 | 5 |
| 5 | Possible Action 5 | Action 10 | Unacceptable Action Now 15 | Unacceptable Action Now 20 | Unacceptable Action Now 25 |
| 4 | Possible Action 4 | Action 8 | Action 12 | Unacceptable Action Now 16 | Unacceptable Action Now 20 |
| 3 | Possible Action 3 | Action 6 | Action 9 | Action 12 | Unacceptable Action Now 15 |
| 2 | Possible Action 2 | Action 4 | Possible Action 6 | Action 8 | Action 10 |
| 1 | Possible Action 1 | Action 2 | Possible Action 3 | Possible Action 4 | Possible Action 5 |