Governance and risk management

29 January 2019

A key responsibility of charity trustees is to review the risks they face and decide how best to manage them. Historically this may have been undertaken by the Board as an annual exercise: the risk register taken off the shelf, dusted off and reviewed, at a high level, to ensure it remained “appropriate”. However, in the context of high-profile cases where the impact of specific risks was arguably grossly under-estimated, and with technology, and the associated cyber risks, changing at such a rapid pace, our experience suggests that Boards are now prepared to invest more time than ever in thinking about risks and how to manage them.

The principle of risk management sits at the heart of the 2017 Charity Governance Code. The Charity Commission also has its own guidance, Charities and Risk Management (CC26), which outlines the basic principles and strategies. A quick Google search suggests there are other useful sources of information available to Trustees who are either looking at risk management for the first time or looking for a fundamental revamp of the approach they have historically adopted.

Taking risk is often an everyday part of charitable activity, but managing risk effectively is essential if trustees are to achieve their key objectives and safeguard their charity's funds and assets. In trying to solve complex issues and meet the changing needs of their beneficiaries, it is imperative that charities have an appetite to take a certain amount of managed risk. Sector guidance is therefore certainly not intended to result in risks being eliminated altogether, but rather to ensure that risks are managed and appropriately monitored so that they remain within the tolerance accepted by the Board.

What is risk management?

Identifying, understanding and managing the possible and probable risks is a key part of effective governance for charities of all sizes and complexity. 

By managing risk effectively, trustees help ensure that: 

  • significant risks are known and monitored, enabling trustees to make informed decisions and take timely action; 
  • the charity makes the most of opportunities and develops them with the confidence that any risks will be managed;
  • forward and strategic planning are improved; and 
  • the charity's aims are achieved more successfully.

Reporting in the Annual Report on the steps taken to manage risk also helps to demonstrate accountability to stakeholders including beneficiaries, donors, funders, employees and the public. Charities that are required by law to have their accounts audited must include a risk statement. The purpose of the statement is to give readers an insight into how the charity handles risk, an understanding of the major risks to which the charity is exposed and the risk assessment and monitoring processes that are embedded in the culture of the charity.

The types of risks a charity faces depend very much on the size, nature and complexity of the activities it undertakes, and on the health of its finances - although there are inevitably common themes. As a general rule, the larger and more complex or diverse a charity's activities are, the more difficult it will be for trustees to identify the major risks and put proper systems in place to manage them. This means that the risk management process will always need to be tailored to fit the circumstances of each individual charity, focusing on identifying the strategic risks that the organisation faces. 

Identifying Risks

The identification of risk should be integral to the strategic business planning and budget setting process. Trustees should ask themselves:

“What external and internal risks might prevent the charity from achieving its strategic objectives?” 

“What might happen and what would be the consequences for the charity if it happened?”

“Are there any steps that might be taken to mitigate the risks?”

Many charities find it helpful to think about the potential risks in the following key areas:

  • Income - loss of grants or contracts, or a reduction in individual giving and donations. These risks may be exacerbated in a period of economic uncertainty or where there is a failure to budget accurately
  • Operations - loss of key staff, loss of sufficient space to deliver activities due to fire or damage, lack of reserves or unexpected rises in the cost of delivery
  • Governance - inability to recruit sufficient numbers of suitably skilled trustees or poor performance of the existing Board
  • External - examples typically fall into one of six areas: changes in political, economic, social, technological, legal or environmental factors
  • Reputation - arising from data security breaches, safeguarding concerns or poor treatment of beneficiaries
  • Compliance - arising from non-compliance with a whole host of complex legislation including GDPR, fundraising regulations, employment and other laws.

Models for prioritising risks

Having identified the key areas of risk, trustees should consider how to prioritise the individual risks and the actions and controls necessary to manage each risk.

A variety of models is used, although a traditional “scoring” of likelihood and impact is still the most common. Likelihood is usually measured by reference to a time period. Impact is considered in the context of both the financial impact and the impact on the reputation of the organisation. The numerical result helps to indicate which risks require the greatest focus and which risk management approach should be adopted. Often, risks are colour coded red (significant), amber (medium) and green (low); this Red, Amber, Green (or RAG) rating is another approach traditionally adopted. The problem with this approach is that trustees can often end up with a binary view that red risks are bad and green risks are good. But without an understanding of the organisation's risk appetite, this may result in the wrong response.

Managing risks

Having identified and prioritised the risks, the next step is to decide whether to accept the risk, take action to limit or mitigate the risk, pass the risk on to a third party (for example through insurance or outsourcing) or to give up certain activities to avoid the risk. Where the risk can be managed by appropriate internal controls or through insurance, it is important to compare the cost with that which would arise if the risks were to materialise. Once the controls are identified, a score can be attributed to the net residual risk - i.e. the risk that remains after appropriate action has been taken.

Where controls are identified, it is critical that a risk owner is allocated to maintain oversight – interestingly, this is a step in the process which is still often missed. Without a risk owner (a Trustee or a member of the management team) it is difficult to ensure active monitoring of the risk, and an adverse movement in the risk (due to a change in its impact or likelihood) can be missed, resulting in late or no action being taken.


So what are the top risks that we see across the charity sector at the moment? Whilst charities come in varying shapes and sizes, there are many common themes in the strategic risks they identify. The top 4 areas of risk are discussed in more detail below.

It should come as no surprise that sources and sustainability of income always seem to rank very high. Reduced public spending, competition for funds and commissioning processes lead many charities to manage the risk through tight budgetary and cost controls, with conservative views taken on when to invest in enhanced infrastructure, including systems and people. Whilst over the long term charities may seek to diversify their unrestricted income channels, I work with several charities who are focussing on ensuring the quality of what they deliver and not over-committing themselves.

Cyber risks now feature high up in the top risks. This is a good example of a risk which, a decade ago, would probably not have appeared on the average risk register. However, the risk of losing assets and data, the loss of reputation and the financial penalties from breaches of data regulations - many examples of which have featured in cases under investigation by the ICO - mean that cyber risks are often the biggest stay-awake issue for Trustees who don’t employ IT specialists on a full-time basis. Set against the potential costs to the charity should it succumb to a cyber-attack, there is usually a recognition that spending a modest amount on specialist support to ensure that, for example, appropriate firewalls and basic security measures are in place is money well spent!

People-related risk is key for many charities, but often for different reasons. For those charities dependent on large volumes of lower-paid staff (for example, many involved in the care sector) there are concerns around the availability of sufficient workers (and particularly those coming from overseas) in our post-Brexit economy. For other charities, there is dependence on a small number of key personnel who could be difficult to replace at short notice. Both aspects of this risk are tricky to manage. With the former, the monitoring will most likely sit with the HR team, who are closer to the external information and data which could indicate when the risk is beginning to grow to an unacceptable level. In the latter case it is important that a certain amount of transition planning is done and that appropriate notice periods are built into the contracts of key individuals to aid a smooth transition.

Regulations, compliance and information governance also feature in one guise or another. The raft of laws and regulations which apply to charities (in the same way as they often apply to corporates), the requirements of the fundraising regulations, money laundering rules and GDPR all require specialist knowledge and skills to ensure that there is awareness of the rules and that processes are embedded across the organisation to ensure compliance.


In the 21st century, and with the pace of change happening around us all, risk management must be a continual process to remain effective. Day-to-day activities will result in new risks, and existing risks will become more or less significant - often over relatively short periods of time. An effective Board will therefore, in the context of a well-established risk management framework, consider, review and monitor risks regularly to ensure it is able to respond effectively and remain focussed on delivering its objectives.

Case study - the Institution of Engineering and Technology

As a larger charity, the Institution of Engineering and Technology (IET) faces a relatively complex set of risks across its activity set, which ranges from educational work in schools to the publication of technical standards. The charity has adopted a layered approach to risk management, with a strategic risk register owned at Board of Trustees level but with other risks captured and managed in operational risk registers. A risk management tool (JCAD) is used to ensure a structured approach to risk assessment and the development of risk management plans. The tool ensures that ownership of both plans and individual controls is clear, and that regular reviews can be prompted.

The IET also adopts standard project management protocols (PRINCE2 and Agile) to ensure dynamic risk management is included in all of its project planning and execution.

Responsibility for risk identification and review is embedded at multiple points in the governance structure of the IET, allowing the charity to access a range of perspectives across both staff and volunteer teams, within the context of the risk policy set by the Trustees. Periodically, the whole set of strategic risks is reviewed in workshops to ensure the established assessment of risks is challenged. Oversight of the risk management framework is further supported by its inclusion in the role of the Audit and Risk Process Committee and by the recent appointment of a Compliance and Risk Manager.

Tom Hlaing, the IET’s Honorary Treasurer, says: “As a professional body for engineers, our senior volunteers have a strong awareness of the importance of risk management from their working lives and expect the same level of diligence within the charity space. As a charity Trustee I particularly value the opportunity to work alongside our staff team in open discussion of risk issues as a key component of effectively managing the charity.”

Case study – the Nuffield Foundation 

At the Nuffield Foundation, trustees and management have recognised that, for strategic risk management at least, the somewhat formulaic ‘probability’ and ‘impact’ approach can lead to more emphasis on the scoring mechanisms than on the deeper implications of the risks identified.

To avoid this trap we have developed an approach that frames each conversation to consider the gap between our risk appetite and the actual profile of a given risk. This has a number of advantages in comparison to some more widely used approaches, including:

  • It recognises that risk assessment is more of a continuum than a precise point on a chart. It allows space to acknowledge the degree of uncertainty in evaluating risks.
  • At its centre is the knowledge that failing to take sufficient risk can be as much of a problem as failing to mitigate against downside risks.
  • As the primary question is ‘where are we furthest from our aspiration in terms of risk appetite?’, the discussions naturally become action-oriented and forward-looking.

While it is still early days in our deployment of this approach, we believe it is offering a more fruitful focus on strategic risk management than is stimulated by conventional risk frameworks.

This article was first published in Accountancy Daily Magazine on 18 December 2018