Guidance

Chapter 2 Tool 1: the risk assessment cycle

Published 3 January 2011

Applies to England and Wales

The risk assessment cycle

Figure: the risk assessment cycle, showing how a risk assessment cycle usually works.

Stage 1: carry out a risk assessment

No matter what size they are, charities which consider risk and its management in a structured way and make a clear risk management statement in their annual report are likely to benefit in many ways. This includes enhancing charities’ effectiveness and accountability, and strengthening their reputations among beneficiaries, partners, donors, supporters and the public. There are various frameworks available for identifying the risks and carrying out a risk assessment that may be suitable for a charity to consider when planning programme operations. Once the various risks have been identified, their likelihood and impact need to be evaluated. In practice it may be reasonable to exclude risks where both impact and likelihood are assessed as low and to focus attention and valuable resources on areas of risk with the highest impact. Further information on risk assessment and management can be found in the commission’s publication Charities and risk management (CC26).

Stage 2: use processes and procedures and take action to mitigate and manage risks

Once the risks are identified and evaluated, trustees can draw up a plan for the steps that they consider need to be taken to address or mitigate significant or major risks. There are 4 basic strategies that can be applied to manage a recognised risk. These strategies can be identified as the 4 Ts:

  1. Transfer the financial consequences to third parties or share them. In this context, for example, this could be through the terms or conditions of a partnership agreement or grant that enable the charity to claw back the grant or payment in certain situations.
  2. Terminate the activity giving rise to the risk completely. In this context, for example by refusing the grant or not accepting the project or stopping a particular activity or service.
  3. Treat the risk through effective management. In the context of giving grants or supporting projects, the best way to manage risk is to carry out proper due diligence and act on its results, ensuring there is suitable and regular reporting. Other ways of managing specific risk include making grants in smaller amounts conditional on certain events happening, or satisfactory reporting and auditing, or making an initial grant first and making it easy to terminate this.
  4. Tolerate the risk as one that cannot be avoided if the activity is to continue. An example of this might be where trustees take out an insurance policy that carries a higher level of voluntary excess or where the trustees recognise that in an emergency situation the main concern is to get aid to those who need it. Not all risks can be avoided entirely. The general approach is that the greater the risk the more that trustees need to do to be able to demonstrate that they have discharged their duty to manage it.

The cost of managing a risk should usually be proportionate to the potential impact. A balance will need to be struck between the cost of further action to manage the risk and the potential impact of the residual risk. However, a short term or one-off cost must be assessed against the long term benefits, assurances required and donor and public expectations. Some common risks that will need to be considered in the context of due diligence and monitoring are noted in other Tools.

Stage 3: training staff and implementing systems

Procedures and processes only work if they are properly implemented. Charity staff, volunteers and other personnel need to know what those procedures are and how they work. They will need adequate training to ensure they are familiar with the systems and procedures. It is very important that they know what action to take if they suspect misconduct and criminal financial abuse. By understanding their own and others’ roles and responsibilities, individuals are more likely to be able to identify and report wrongdoing.

There should be clear reporting systems in place for staff and others working with the charity if they become aware of any activity that causes them concern. Staff and volunteers should know how to report their concerns, including concerns about the conduct of trustees or senior managers as well as about systems and individual events. If trustees know, suspect or have cause for concern that an individual is misusing the charity for their own purposes or misappropriating charitable funds, they must take immediate and appropriate action to investigate and resolve the issue.

Employees have particular rights under the Public Interest Disclosure Act 1998 and charity trustees have specific responsibilities in this regard. For more information on whistleblowing, see the Commission’s guidance on Complaints about charities (CC47) and The Public Interest Disclosure Act.

Sometimes causes for concern will be identified by the charity’s beneficiaries or members of the public. It is therefore important that systems are in place for them to raise their concerns with the charity.

Stage 4: monitor and review performance

Risk management extends beyond simply setting out systems and procedures. The controls identified to mitigate the risks must be capable of implementation, and the implementation (and its effectiveness) should be appropriately monitored.

Risk management procedures need to be sufficiently flexible and responsive to ensure that new risks are addressed as they arise. They should also involve periodic checks in order to identify new risks proactively and ensure that the approach to risk management remains fit for purpose. Risk management is not a one-off event and should be seen as an ongoing process that will arise out of monitoring and assessment.

Risk assessment tools

The following tools are not intended to replace the risk assessment processes that charities are already using. Their suitability will depend on the particular structure and activities of each charity and the risks to which it is exposed. Large charities are likely to have sophisticated risk assessment processes in place. The examples of tools that follow are designed to help smaller charities, with fewer employees, which do not have access to professional advice and support. The risk assessment tools comprise: