How to identify, assess and manage risks that your charity might face.
Applies to England and Wales
Types of risk
Anything that could prevent your charity achieving its aims or carrying out its strategies is a risk. The types of risks your charity might face will depend on its size, funding and activities, among other factors.
Risks your charity may face include:
- damage to its reputation
- receiving less funding or fewer public donations
- losing money through inappropriate investments
- change in the government’s policy on a particular issue, affecting grants or contracts
Identify any potential risks that could prevent your charity from meeting the needs of its beneficiaries, and put processes in place to assess and manage those risks.
How to manage risks
You are not required by law to have a risk management process for your charity, nor to follow a particular method. But the Charity Commission strongly recommends that you have a clear risk management policy and process. This will help you identify and manage all types of risks, and embed risk management into your charity’s work.
The commission’s detailed guidance on risk management sets out the basics of dealing with risks. It includes a risk management model made up of the following steps:
- establish a risk policy
- identify risks
- assess risks
- evaluate what action to take
- review, monitor and assess periodically
The model includes a heat map grid – this is one way to assess the impact each risk could have on your charity.
Your charity should have a structured approach to risk management that is appropriate for its size and complexity. Example approaches include:
- Risk assessment toolkit – KnowHow NonProfit
- Risk management standard – The Institute of Risk Management
When to report on risk management
By law, non-company charities with incomes of £500,000 or more (and charities with incomes above £250,000 plus assets worth more than £3.26 million) must include a risk management statement in their trustees’ annual report. But it’s good practice for smaller charities to report on their risk management activities too.
Company charities must report on their main risks and uncertainties in the directors’ report (unless they are classed as a small company by law).
What to include in a risk management statement
Your risk management statement should include:
- an acknowledgement of the trustees’ responsibility to identify, assess and manage risks
- an overview of your charity’s process for identifying risks
- an indication that major risks have been reviewed or assessed
- confirmation of the systems and processes set up to manage risks
Larger charities or those with more complicated activities should provide a more detailed risk management statement.