In order to achieve charitable objectives and safeguard funds and assets, Trustees should regularly assess the risks facing their charity and provide a framework for managing those risks.
In this article we look at the use of a risk register in helping trustees identify the risks that apply to their charity – these should then be classified as those that are strategic or major risks, and those that are less serious. We will refer to the benefits of managing risk with an effective risk register, and ten of the typical weaknesses that we have seen in practice.
The risk context for Trustees
Risks are will always be present within charity businesses. To successfully manage the primary operations of the charity, key controls are employed – the risks can arise when those controls are not employed or not working. Trustees need to mitigate risks in the key areas such as finance, security, governance, operations and compliance.
The risk management process needs to be tailored to the circumstances of each charity, focusing on identifying the risks the charity faces – especially the major risks – and how each one will be mitigated. The risk policy of the charity outlines how risk management is undertaken:
It encapsulates the key features of the approach to managing risk, detailing the risk appetite, how risks are captured and assessed, and a scoring method.
It refers to the risk register and the risk review process, including which committee will receive updates and the opportunity for review.
Key features to assess are
(i) the risk appetite – the level of risk you are prepared to accept
(ii) the risk owner – who is responsible for – and managing – the risk
(iii) the reporting process – communication of changes and updates to risks as they occur.
The risk culture of the charity, and the tone from the top, is an important aspect of introducing effective risk management. For example, charities have started to have their strategic risks listed on their trustees meeting agenda to remind and focus on risk management throughout the meeting.
The Risk Register
You will need a method for capturing, identifying, assessing, and scoring risk, alongside a list of controls already in place. Risks needs to be assessed based on how you mitigate or manage them, using the 4 T’s:
- Treat (take action like introduce a control);
- Tolerate (do nothing);
- Terminate (stop activity) or
- Transfer (e.g. insurance or use of agents/contracts).
For trustees, the risk register is a pivotal tool in the governance and risk management framework. For the register to be meaningful, you will need a standardised methodology used across the organisation to make sense of a risk register. Thus it’s normal for an organisation to have detailed guidance and training those risk owners so that risks are assessed using a standard scoring method and stratification. The resultant risk register should then be subject to regular review and update, with clear ownership and responsibility. Risks do change and there needs to be a process that records and monitors changes to ensure that actions are taken to effectively reduce risks.
The risk register itself should record all of the organisation’s risks and there should be a reporting mechanism of the review to the board. It doesn’t have to be “owned” by the board (especially as many of the controls in place to mitigate risk will be at management and operational level); but the board and management will want to know how effective the risk actions are. Therefore the reporting should show whether risk scores have changed, new risks added or risks which have been successfully closed. The board should be responsible for review and management of the key strategic risks of the organisation – which are they risks that they own.
- The risk register is developed to:
- Help identify, capture, assess and grade emerging risks in terms of likelihood and seriousness (impact).
- Provide a useful tool for managing and reducing risks.
- Demonstrate to the public and stakeholder partners that charity business is being managed effectively.
- Assist trustees in undertaking and adhering to their duties, including making the risk management statement in the annual report where those charities and trusts are audited.
- Ensure the communication of risk management issues to key stakeholders.
10 typical weaknesses
Risk management can be seen as a separate exercise which needs to be undertaken rather than a fundamental part of running of the organisation effectively. The risk register is purely a tool for recording the risk management process and reporting thereon. For any charity the risk register is a vital tool for trustees or management to use and understand. But the 10 most common weaknesses that occur which reduce the effectiveness of the register include:
- Risk register templates are often left untouched and unchanged from one year to the next.
- Not all risks affecting the charity are identified.
- Risk are not scored correctly and hence, not stratified for the appropriate level of attention.
- Controls in existence chosen to mitigate risk aren’t used and the resultant action isn’t correct, applicable or appropriate. Or the controls aren’t proportionate to the risk and overtly costly.
- Risk owners (responsible officers or staff) aren’t identified to monitor, manage and report on the risks.
- A date for regular review isn’t identified (typically “ongoing” is used).
- Risk review isn’t part of a regular review cycle, say quarterly, termly or annually.
- Risk discussions aren’t minuted as evidence of risk management.
- Discussions don’t include challenging current entries and suggesting options (including new risks, removing spent risks, rescoring current risks, giving more attention to higher risk areas).
- Lack of an annual review to confirm and summarise the register position and risk policy as part of the risk and control framework, and informing the annual risk management statement.
Many of these weaknesses are easily rectified, so make sure to check your register often and keep it up to date.
Typically, a sound risk management framework is driven by early and precise identification and grading of risks as they emerge, documented in a risk register to manage this process. From there you need buy-in and support from staff and management in terms of agreeing any actions to help mitigate risks and of course, monitoring progress with that. Greater attention is needed to the use of risk registers; all too often they fall short of expectation, allowing risks to not be addressed due to resource issues even when critical, or fail to adequately highlight issues that may be vital to the charity’s future plans.
We will be happy to field any observations or queries you may have on managing risks with an effective risk register at your charity This could include working with you to develop and improve your risk management process and use of the risk register.
This post was written by Helena Wilkinson Charity Partner at Price Bailey and Simon Craven Senior Internal Auditor at Price Bailey. If you need further information on any of the above, please feel free to get in touch with Helena using the contact form below.
We always recommend that you seek advice from a suitably qualified adviser before taking any action. The information in this article only serves as a guide and no responsibility for loss occasioned by any person acting or refraining from action as a result of this material can be accepted by the authors or the firm.