Many trustees are aware of the risk management process and that they have a responsibility to understand their charity’s risks and take measures to minimise them.
Usually, this process is based around a formal risk register, but in many cases, it’s not clear who is responsible for that register – or who reviews the details.
If you don’t have a formal register – many smaller charities are unsure where to start – the Charity Commission’s guidance in CC26 is available on its website and is a great introduction to the process, with many useful examples. There is also much helpful guidance from the Institute of Risk Management specifically drafted for charities – https://www.theirm.org/charities
In this article, we are looking at the process behind the register and common errors in that process.
What kind of risk register do I need?
To begin with, it’s important to consider who will actually produce the register. Some trustees may feel this is their responsibility alone. But an effective process will start with management at the charity and even seek the views of staff further down the chain. There may be small operational risks, such as software glitches in the payments system or data on gift aid declarations being lost. Trustees may not be aware of these issues, and even management may not understand how they arise – and therefore how to mitigate them.
So our first recommendation is to start with a practical exercise inviting views from a range of stakeholders. In this way, management can then pick out common issues or highlight areas they were previously unaware of. From here a draft register can be produced for consultation with trustees.
Risk registers built from the ground up can also act as a useful operational guide to the charity, and develop an understanding of its activities across the board.
Building a detailed operational register is good practice, but that doesn’t mean that the board of trustees need to constantly review a mammoth document in detail – the key strategic risks can be summarised for them regularly for review, while management keeps an eye on detailed operational items. This leads us to the next question…
Who should review the register and how often?
The second common area of weakness is in the review and update process for the register.
In many charities, the review and update of the register is delegated to a subcommittee. While this is an effective way to reduce time at board level, it’s imperative that the entire board see and approve the register annually. Any critical or strategic risks must be considered at board level, to make sure that the charity has sufficient mitigation in place and that all trustees are up to speed on current issues.
In some cases, the register is simply delegated to management to review and update, often without as much as a cursory glance by everyone on the board. This in itself is a risky process as the responsibility for safeguarding the charity rests with trustees, and the risk register is a crucial part of that.
Whichever process you choose – there should be a clear chain of responsibility right through from producing the register, updating it, and at the very least an annual review by the board. In this way, the register itself is not only an operational tool, but a communications tool within the entire charity as well.
If you have a register but haven’t really looked at it in a while, it may be time to do so. You need to consider if it is giving any value in its current format. Putting it to the bottom of the pile would be a risk in itself. Do not forget to focus on your key strategic risks and what could stop your charity from delivering its Mission – this focus can often help identify key Board priorities and debates required.
This post was written by Michael Cooper-Davis, Charities Director at Price Bailey.
We always recommend that you seek advice from a suitably qualified adviser before taking any action. The information in this article only serves as a guide and no responsibility for loss occasioned by any person acting or refraining from action as a result of this material can be accepted by the authors or the firm.