How to manage risks in your charity

How to identify, assess and manage risks that your charity might face.

This guidance was withdrawn on

This information is covered in our guidance Charities and risk management (CC26).

Applies to England and Wales

Types of risk

Anything that could prevent your charity achieving its aims or carrying out its strategies is a risk. The types of risks your charity might face will depend on its size, funding and activities, among other factors.

Risks your charity may face include:

  • damage to its reputation
  • receiving less funding or fewer public donations
  • losing money through inappropriate investments
  • change in the government’s policy on a particular issue, affecting grants or contracts

Identify any potential risks that could prevent your charity from meeting the needs of its beneficiaries, and put processes in place to assess and manage those risks.

How to manage risks

You are not required by law to have a risk management process for your charity, nor to follow a particular method. But the Charity Commission strongly recommends that you have a clear risk management policy and process. This will help you identify and manage all types of risks, and embed risk management into your charity’s work.

The commission’s detailed guidance on risk management sets out the basics of dealing with risks. It includes a risk management model made up of the following steps:

  1. establish a risk policy
  2. identify risks
  3. assess risks
  4. evaluate what action to take
  5. review, monitor and assess periodically

The model includes a heat map grid – this is one way to assess the impact each risk could have on your charity.

Your charity should have a structured approach to risk management that is appropriate for its size and complexity. Example approaches include:

When to report on risk management

By law, non-company charities with incomes of £500,000 or more (and charities with incomes above £250,000 plus assets worth more than £3.26 million) must include a risk management statement in their trustees’ annual report. But it’s good practice for smaller charities to report on their risk management activities too.

Company charities must report on their main risks and uncertainties in the directors’ report (unless they are classed as a small company by law).

What to include in a risk management statement

Your risk management statement should include:

  • an acknowledgement of the trustees’ responsibility to identify, assess and manage risks
  • an overview of your charity’s process for identifying risks
  • an indication that major risks have been reviewed or assessed
  • confirmation of the systems and processes set up to manage risks

Larger charities or those with more complicated activities should provide a more detailed risk management statement.

Published 23 May 2013