2. AGENDA
Risk management for charities: Setting the
scene
• Why is risk management important?
• Key trends in the sector
Minimum requirements: The essentials
Case study & discussion
Going beyond minimum requirements:
What does good practice look like?
Top tips
Final questions
4. Need for agility,
responsiveness and
resilience
Increasing and
changing needs
for services
Drive for bold,
calculated risks
Wide ranging
social
entrepreneurial
activities
Evolving role
of the State
and Brexit Prolonged
austerity and
significant
demographic
shifts
Shift from
grant to
contract
culture
Digital
revolution
Risk management in
dynamic, fast changing
environments
KEY RISK TRENDS
6. “Risk is not bad – there is an element of risk in almost
everything. And many in the charity sector believe that in some
situations charities, working as they do at the cutting edge of
many social problems, have a duty to take risks. Often no one
else will. But trustees will be expected to identify risks and
decide how they should be managed.”
Bates Wells Braithwaite, Duties of Charity Trustees
7. “Making decisions is also closely linked to managing risk.
It is important for trustees to be aware and informed
about risk. This does not always mean avoiding risk
altogether; it is better to recognise risks and take
appropriate steps to manage them. There is usually
some element of risk in decision making, and sometimes
innovation only comes about through measured risk-
taking.”
Charity Commission guidance “CC27 - It’s your decision : Charity trustees and decision
making” published 10 May 2013
10. Charity Commission guidance “CC26 – Charities and Risk Management”
“Risk is an everyday part
of charitable activity and
managing it effectively is
essential if the trustees
are to achieve their key
objectives and safeguard
their charity’s funds and
assets.”
11. MINIMUM REQUIREMENTS
“The responsibility for the management and control of a charity rests
with the trustee body and therefore their involvement in the key
aspects of the risk management process is essential.”
WHOSE RESPONSIBILITY IS IT?
Charity Commission guidance “CC26 – Charities and Risk Management”
12. MINIMUM REQUIREMENTS
Charities that are required by law to have their accounts audited
must make a risk management statement in their trustees’ annual
report confirming that:
THE RISK MANAGEMENT STATEMENT:
‘the charity trustees have given consideration to the major risks to which the
charity is exposed and satisfied themselves that systems or procedures are
established in order to manage those risks’.
Charities (Accounts and Reports) Regulations 2008
13. WHAT IS THE PURPOSE OF THE RISK
MANAGEMENT STATEMENT?
allow the trustees to
comment on any
further planned
developments of
the charity’s risk
management
processes
set out the
major risks
that the
charity is
exposed to
provide an
insight into
how the
charity
handles risk
14. An acknowledgement of the trustees’
responsibility
An overview of the charity’s risk
identification process
An indication that major risks identified
have been reviewed or assessed
Confirmation that control systems have
been established to manage those risks
MINIMUM REQUIREMENTS
What does the risk management statement need to cover?
THE RISK MANAGEMENT STATEMENT
15. “Although the risk management statement forms an important
part of the trustees’ annual report, there is no requirement for
the statement to be audited unless other requirements…apply.”
BUT “auditors that become aware of apparent misstatements or
inconsistencies in the trustees’ Annual Report, based on their
other audit work, will seek to resolve them and will need to
consider the impact on their report if such issues cannot be
resolved”.
Does the risk
management
statement need to
be audited?
NO, unless other
requirements apply
16. WHAT ARE MAJOR RISKS?
The Charity Commission provides that major risks are
those which:
have a major impact; and
a probable or highly probable likelihood of
occurring
17. CONTROL SYSTEMS & RISK IDENTIFICATION PROCESS
“Charities will need to consider risk and its management in a
structured way if a positive risk management statement is to
be made.”
WHAT DOES THIS MEAN?
Charity Commission guidance
“CC26 – Charities and Risk Management”
18. BOARD MINUTES
Trustees should not only make
sure that they are assessing risk
as part of their decision making
process… it is also important that
they record the reasons for their
decision so this can be evidenced
in the future.
21. WHAT DOES GOOD PRACTICE
LOOK LIKE?
GOING BEYOND THE
MINIMUM REQUIREMENTS
22. The identification,
assessment &
management of risk are
linked to the achievement
of the charity’s objectives
All areas of risk
are covered
A risk exposure
profile is created
reflecting the
trustees’ views as
to what levels of
risk are
acceptable
The principal
results of the risk
identification,
evaluation and
management
process are
reviewed and
considered
Risk management is
ongoing and
embedded in
management and
operational
procedures
SO WHAT DOES GOOD LOOK LIKE?
The Charity Commission recommends that charities adopt a risk
management policy and implement a rigorous risk management
processes to help to ensure that:
23. SO WHAT DOES GOOD LOOK LIKE?
EMBED AN EFFECTIVE RISK MANAGEMENT FRAMEWORK
No particular model
Key stages:
• Risk Management
Policy
• Identify
• Assess
• Evaluate
• Monitor and assess
What
does this
mean?
24.
25. RISK MANAGEMENT POLICY
“The implementation of an
effective risk management
policy is a key part of ensuring
that a charity is fit for
purpose.”
Charity Commission guidance “CC26 – Charities
and Risk Management”
26. What is risk?
“Risk is the uncertainty surrounding events and
their outcomes that may have a significant impact,
either enhancing or inhibiting any area of the
charity’s operations”.
Charity Commission for England and Wales
“Risk is the effect of uncertainty on our objectives”
International Organisation for Standardisation ISO 31000
IDENTIFY: HOW DO WE IDENTIFY RISKS?
27. The Charity Commission identifies 5 key categories of
risk:
IDENTIFY: HOW DO WE IDENTIFY RISKS?
Governance
Operational
Financial
External
Compliance
28. IDENTIFY: HOW DO WE IDENTIFY RISKS?
CONSULT
Whose responsibility?
Regular
reporting and
discussion at
Board
meetings
Specific part
of individual
roles?
Everyone’s?
30. EVALUATE: SO WHAT?
Draw up an “Action Plan”
CONSIDER WHAT ACTION NEEDS TO BE TAKEN
The 4
“T”s!
Tolerate
Treat
Transfer
Terminate
31. CONTINGENCY PLANNING “As part of an
effective risk
management
process, a charity
should consider
what needs to be
done if a serious
event does take
place.”
Charity Commission guidance “CC26 – Charities and
Risk Management”
32. MONITOR AND ASSESS
“Risk management is a dynamic process…not a one-off
event and should be seen as a process that will require
monitoring and assessment.”