The Regulator for Charities in England and Wales
July 2007
Trustees, staff and charity volunteers handle risk as an everyday part of any charity’s work. Risk is often seen as going hand in hand with the rewards and opportunities of advancing a charity’s work. For example, the opportunity to raise funds brings volunteers, staff and trustees together to advance a charity’s fundraising objectives. Fundraising can even raise public awareness of the charity’s work.
Take two examples, a garden fete and a charity concert. The organisers of the garden fete may be setting out stalls and fun activities for children in a large private garden to raise funds for the village hall. Expecting a good turnout of up to 200 people over the day, the organisers need to reflect on how to ensure that admissions are handled properly, cash takings are kept safe, that the stalls are sturdy and the children’s play activities are safe and appropriately supervised by vetted volunteers. Being an English summer’s day they may consider the weather and have a tented area just in case it rains and a back-up plan to use the village hall, rather than take out insurance against adverse weather. In thinking through and planning the event, the trustees are taking account of risk in a very practical, pragmatic way. This is exactly what risk management is about.
The organisers of the charity concert may approach these problems differently; as with the fete, the safety of the public, control of admissions and safeguarding of cash are important. However, they may be hiring an outdoor venue, hiring seating, incurring costs in setting up a parking area and refreshments, and paying artists’ performance fees. The fete was comparatively small with 200 people attending over the whole day but the concert may have 600 seats for a set 3-hour early evening performance. The risk from adverse weather is viewed as so great that the extra cost of insurance is considered worthwhile and, to enable all to go well, the trustees hire an events organiser to co-ordinate and marshal the staff and volunteers. Again, a practical approach to risk. Note that even though facing similar risks, the scale and nature of the fundraising events can cause trustees to take a different approach to risk management.
This guidance seeks to take trustees and staff through the subject of risk and identifies the requirements for disclosing the approach taken to risk, discusses the types of risk faced, identifies the need for a risk policy and provides a practical framework for identifying, managing and reporting on risk. Risk is an everyday part of what charities do and managing it effectively is essential if the key objectives set by trustees are to be achieved.
Under Accounting and Reporting by Charities - Statement of Recommended Practice (SORP) trustees are required to make a statement confirming that: "...the major risks to which the charity is exposed, as identified by the trustees, have been reviewed and systems have been established to manage those risks."
This requirement has raised questions as to the steps trustees should take to enable a positive statement to be made with reasonable confidence in the Annual Report. The SORP firmly places the reporting of risk management on the agenda of all auditable charities. "Risk" is used in this guidance to describe the uncertainty surrounding events and their outcomes that may have a significant effect, either enhancing or inhibiting:
"Major risks" are those risks which have a high likelihood of occurring and would, if they occurred, have a severe impact on operational performance, achievement of aims and objectives or could damage the reputation of the charity, changing the way trustees, supporters or beneficiaries might deal with the charity. Risk management should therefore not be seen purely as a compliance issue nor as being solely focused on the prevention of disaster. The process enables trustees to focus on the management of risks that would prevent the charity achieving its strategic objectives. In so doing, charities are able to take opportunities and develop with an understanding of the risks faced, and with confidence that reasonable steps have been taken to manage them.
The identification of risk arising from activities undertaken and the management of those risks are not new concepts to most trustees. Indeed, for most charities the identification, evaluation and management of risk has been incorporated into their management processes for many years. For some charities the consideration of the risks inherent in activities will be an element of planning and decision making but perhaps the process lacks a structure or methodology.
Most charities are already likely to consider risk in the context of their day-to-day activities. The requirement to include a risk management statement in the Annual Report means that charities need to consider risk and its management in a more structured way if a positive statement is to be made in the Annual Report. No matter what size they are, charities should take a systematic approach to the consideration and management of risk.
This guidance is designed to help trustees set a framework which allows them to:
The risks that a charity faces depend very much on the size, nature and complexity of the activities undertaken and on the finances of the charity itself. As a general rule, the larger and more complex or diverse a charity’s activities, the more difficult it will be to identify the major risks faced and put appropriate systems in place to manage them. The risk management process will therefore always need to be tailored to fit the circumstances of each individual charity. Each charity should, however, focus on the major risks identified. This guidance sets out basic principles and strategies that can be applied to most charities. Trustees of large, complex charities may need to explore risk more fully than the outline given here.
This July 2007 version of our guidance has been updated to reflect the requirements of SORP 2005 and to include some examples. There are no significant changes of policy.
The SORP requires that the trustees’ Annual Report should include a "statement confirming that the major risks to which the charity is exposed, as identified by the trustees, have been reviewed and that systems have been established to manage those risks" (paragraph 45).
The Charities (Accounts and Reports) Regulations 2005 ("the 2005 Regulations" - SI No.572) place a legal requirement on charities whose accounts are required by law to be audited for the trustees’ Annual Report to "contain a statement as to whether the charity trustees have given consideration to the major risks to which the charity is exposed and systems designed to manage those risks".
In England and Wales the Charities Act 2006 has amended the audit thresholds for charities. For accounting periods:
All charities that have a legal requirement to have their accounts audited are therefore required to make a risk management statement. Trustees of smaller charities with gross income below the audit threshold (who should still be concerned about the risks their charity faces) are encouraged to make a statement as a matter of best practice. Appendix I provides guidance on how each element of the SORP requirement can be addressed within the risk management statement.
Charities that are incorporated under company law which do not qualify as small companies under company law must include a business review in their directors’ report. The business review must contain a description of the principal risks and uncertainties facing the company.
To be a small company, at least two of the following conditions must be met:
Although only charities which are medium and large companies must describe the risks facing the charity in this way, trustees may find it a useful exercise to include within their annual report a discussion of the major risks, the ways in which the charity manages those risks and areas for future review, rather than simply provide a statement that is worded to mirror the wording in the SORP. Such a disclosure may also be more helpful and informative to the reader of their report.
The SORP requires the risk management statement to be made in the context of "identified" risk. Section 1 of this guidance deals with the factors the trustees are likely to consider in establishing their overall policy towards risk. Section 2 deals with the processes necessary for the identification of risk, describes who should be involved in the process and provides one possible classification method for risk. The SORP focuses on major risks. Major risks are those which, if they occur, would have a severe impact on operational performance, objectives or reputation of the charity and which have a high likelihood of occurring. The guidance explains in Section 3 one method of reviewing and assessing risk through a "risk mapping" exercise. Appendix III provides illustrative examples of potential risk areas and the possible impact that may arise from a particular risk.
The SORP requires a statement as to whether "systems have been established to manage" major risks identified. Having identified the major risks then a decision needs to be made as to the method of managing them. Trustees may wish to set a policy to help make decisions as to the levels of risk that can be accepted on a day to day basis and those matters that need to be referred to them. Section 4 of this guidance sets out a possible framework for evaluating the potential courses of actions that can be taken to manage the risks identified.
The approach describes four basic strategies that can be applied to an identified risk:
Appendix III provides illustrative examples of steps that may be taken in relation to identified risks.
The process of risk management extends beyond simply setting out systems and procedures, and Section 5 provides guidance on monitoring and assessing the systems put in place.
Charities face some level of risk in most of the things that they do. No single list or classification of risk can ever be regarded as complete. The classification is primarily to ensure key areas of risk arising from both internal and external factors are considered. The charity sector is diverse and the nature of activities and external influences will expose charities to differing areas of risk and levels of exposure. The following is a brief outline of one possible classification system and examples of risks that may fall into each category:
Appendix III expands on this classification approach and provides further illustrations of risks that may fall into each category.
The responsibility for the management and control of a charity rests with the trustee body and as such their involvement in the key aspects of the risk management process is essential, particularly in setting the parameters of the process and in the review and consideration of the results. This should not be interpreted as meaning the trustees must undertake each aspect of the process themselves. In all but the smallest charities trustees are likely to delegate elements of the risk management process to managers ensuring that they, as trustees, review and consider the key aspects of the process and results. The level of involvement should be such that the trustees can make the required statement on risk management with reasonable confidence. This is likely to involve:
There are several models that can be used to identify and manage risk. There is no requirement or obligation on trustees to adopt any particular model or approach, but each of these models has a number of core elements and these are recommended as being essential for a proper understanding of risk management. Although these elements can be used as ‘steps’ or ‘stages’ it is very likely that trustees will need to revisit each stage as their knowledge of the charity’s risk profile increases. These key stages are likely to include:
1. Establishing risk policy.
2. Identifying risks and controls.
3. Assessing risk.
4. Evaluating what action needs to be taken.
5. Periodic monitoring and assessment.
Risk is an inherent feature of all activity and may arise from inaction as well as new initiatives. Charities will have differing exposures to risk arising from their activities and will have different capacities to tolerate or absorb risk. A charity with sound reserves could perhaps embark on a new project with a higher risk profile than, say, a charity facing solvency difficulties. Risk tolerance may also be a factor of the activities undertaken to achieve objectives. Thus a relief charity operating in a war zone may, in order to achieve its objectives, need to tolerate a higher level of risk to staff than might be acceptable in its UK-based activities. A charity will also need to understand its overall risk profile, ie the balance taken between higher and lower risk activities.
These considerations will inform the trustees in their decision as to the levels of risk they are willing to accept and may provide a benchmark against which the initial risk assessment is undertaken. The risk assessment and evaluation will in turn inform the trustees of the charity’s overall risk profile and the steps taken to manage major risks identified and so better inform trustees in their determination of their policies. The trustees need to communicate to managers the boundaries and limits set by their policy to ensure a clear understanding of the risks that can be accepted and those that the trustees would consider unacceptable.
This is the creative element of risk analysis and is a process that requires careful consideration. Although there are various tools and checklists available, the identification of risks is best done by involving those with a detailed knowledge of the organisation’s workings. Whilst the SORP statement focuses on major risks "identified by trustees", except perhaps in the smallest charities input into this process will extend beyond the trustee body.
This process will involve considering, for example:
For this process to work, trustees and executive management need to be committed to it. Trustees will need to consult widely with key managers and staff, as ideas are likely to come from all levels of the organisation. Internal workshops involving the management, staff and volunteers are often used to gather information. Certain workshops may even involve supporters and beneficiaries where reputational risk or provision of service to beneficiaries is being considered.
Where the charity conducts certain of its activities through branches, subsidiary companies or joint ventures, although legally these may constitute separate entities, they may also give rise to risks that may directly or indirectly impact on the charity. Events in a subsidiary company may impact on income streams to the charity or give rise to reputational risk, or may even affect operational objectives directly where the subsidiary is used as a vehicle for service delivery. The risk identification process, whilst focusing on the risk to the charity itself, is therefore also likely to include identifying risks that may arise in branch or subsidiary company activities. The trustees may seek to ensure that the directors of subsidiary companies also adopt similar risk management procedures, with the results being reviewed by the charity’s trustees or incorporated into the overall risk management processes of the charity.
There are a number of models or frameworks that provide a classification of the type of risk to which an organisation can be exposed. Most models can be adapted to fit the charitable sector. Appendix III sets out one possible framework, looking at risk across the following categories:
It is important to appreciate that the process of risk identification must be charity specific reflecting the activities, structure and environment in which a particular charity operates. It follows from this that Appendix III should not be used as a checklist but rather to illustrate the type of risks that may be faced.
Similarly, although the process of risk identification should be undertaken with care, the analysis will inherently contain some subjective judgements and no process is likely to be capable of identifying all possible risks that may arise. The process can only provide reasonable (not absolute) assurance to trustees that all relevant risks have been identified.
Identified risks need to be put into perspective in terms of the potential severity of impact and likelihood of their occurrence. Assessing and categorising risk assists in prioritising and filtering the risks identified and establishing further action (if any) required and at what level. One method is to consider each identified risk and decide for each the likelihood of it occurring and the severity of the impact of its occurrence on the charity. This can result in an effective mapping of risks onto a chart, such as that shown below.
| Likelihood of occurrence | III High likelihood, low severity of impact | IV High likelihood, high severity of impact |
| | I Low likelihood, low severity of impact | II Low likelihood, high severity of impact |
| | Level of severity of impact on the charity | |
This approach attempts to map risk as a function of the likelihood of an undesirable outcome and the impact that an undesirable outcome will have on the charity’s ability to achieve operational objectives. This process enables the trustees to identify those risks which fall into the major risk category identified by the SORP statement.
Major risks are those which, if they occur, would have a severe impact on operational performance, objectives or the reputation of the charity and which have a high likelihood of occurring. Trustees may consider using a scoring system to assess which risks need further work. For example, severity of impact could be scored from 1 (least serious) to 5 (most serious) and similarly the likelihood of occurrence could be scored from 1 (remote) to 5 (almost certain). The impact score is usually multiplied by the score for likelihood and the product of the scores used to rank those risks that the trustees regard as most serious. This is illustrated in the following example.
A charity has a significant contract to provide a care service and there is a recent history of complaints from beneficiaries that has led to concerns being raised by the contract funder. The loss of the contract would have a severe impact on the charity’s finances and also on its ability to obtain further contract work, which is a key priority for the charity. The severity of impact is likely to score 5, and the likelihood (given recent history) scores 5. The risk score of 25 (multiplying method) creates a major risk score and highlights an urgent need for this risk to be mitigated.
Judging the severity of impact also requires careful consideration and may require some subjective judgement. Often a clear financial impact can be assessed but certain events will in themselves create an indirect impact that may be significant and present a major risk. Many charities operate in the context of public confidence and future income streams may be heavily dependent on the perception and reputation of the charity with the public and funders.
This is not to say that the other risks should be ignored. Those with high potential severity of impact but low likelihood of occurrence need to be kept under review, possibly annually and will need some arrangements in place to ensure that they can be addressed should they arise. Similarly, events with low severity but with a high likelihood of occurrence may become gradual drains on a charity’s finances or reputation. Those risks with both low severity and low likelihood of occurrence are unlikely to merit significant attention and effort might be better focused elsewhere.
Where major risks are identified then the trustees will need to ensure that appropriate action is being taken to ensure that these are mitigated. This review should include establishing the adequacy of controls already in place.
For each of the major risks identified, trustees will need to consider any additional action that needs to be taken to mitigate the risk, either by lessening the likelihood of the event occurring, or lessening its impact if it does. The following are examples of possible actions:
Once each risk has been evaluated, the trustees can draw up a plan for any action that needs to be taken. This action plan and the implementation of appropriate systems or procedures allows the trustees to make a positive statement as to risk management.
Risk management is aimed at reducing the "gross level" of risk identified to a "net level" of risk that remains after appropriate action is taken. This identification of "gross risk", the control procedures put in place to manage the risk, and the identification of the residual or "net risk" is often scheduled in a risk register (see Appendix II). Trustees need to form a view as to the acceptability of the residual or "net risk" that remains after management. It is possible that the process may also identify areas where the current control processes are disproportionately costly or onerous compared to the risk they seek to address.
In assessing additional action to be taken the costs of management or control will generally be considered in the context of the potential impact or likely cost that the control seeks to prevent or mitigate. The cost of managing a risk needs to be proportionate to the potential impact. A balance will need to be struck between the cost of further action to manage the risk and the potential impact of the residual risk.
Good risk management is also about enabling organisations to take opportunities and to meet urgent need, as well as preventing disasters. For example, a charity may not be able to take advantage of technological change in the absence of a reserves policy that gives adequate liquidity, or perhaps could not mount a successful emergency relief programme without adequately trained staff and organisational structures. Appendix III sets out some illustrative examples of the type of systems and procedures that can be put into place to mitigate an identified risk.
Risk management extends beyond simply setting out systems and procedures. The process needs to be dynamic to ensure new risks are addressed as they arise and also cyclical to establish how previously identified risks may have changed. Risk management is not a one-off event and should be seen as a process that will require monitoring and assessment. Staff and managers need to take responsibility for implementation. There needs to be communication with staff at all levels to ensure responsibilities are understood and embedded into the culture of the charity. It is likely that a successful process will involve ensuring that:
One method of codifying such an approach is through the use of a risk register (see Appendix II). The register seeks to pull together the key aspects of the risk management process. It schedules identified risks and their assessment, the controls in place and the residual risks, and can identify responsibilities, monitoring procedures and follow up action required.
The trustees can monitor risk by:
For all but the larger and more complex charities, annual monitoring is likely to be sufficient when supplemented by update reports and assessment of new activities or proposed projects.
A charity that has identified the major risks it faces, and established systems to manage such risks, will be able to make a positive statement on risk in its trustees’ Annual Report. This will help to demonstrate the charity’s accountability to its stakeholders (beneficiaries, donors and other funders, employees, and the general public). An effective risk management strategy can help ensure:
NCVO (the National Council for Voluntary Organisations) has produced guidance "Managing Risk – Guidelines for medium-sized voluntary organisations."
In addition, the Charity Commission has produced a number of publications that will be relevant in considering risk:
CC3 The Essential Trustee: What you need to know
CC8 Internal Financial Controls for Charities
CC9 Campaigning and Political Activities by Charities
CC11 Payment of Charity Trustees
CC12 Managing Financial Difficulties and Insolvency in Charities
CC14 Investment of Charitable Funds: Basic Principles
CC20 Charities and Fund-raising
CC22 Choosing and Preparing a Governing Document
CC24 Users on Board: Beneficiaries who become trustees
CC27 Providing Alcohol on Charity Premises
CC28 Disposing of Charity Land
CC29 Charities and Local Authorities
CC37 Charities and Public Service Delivery
CC38 Expenditure and Replacement of Permanent Endowment
CC47 Complaints about Charities
CC60 The Hallmarks of a Well-Run Charity
Charities and Risk Management - Appendices I, II and III.