Scrutton Bland Centenary Adviser Summer 2019

Every charity needs to be in a strong position to deflect or minimise the likelihood of significant risks taking place. An effective risk management framework is a valuable tool that supports your organisation’s activities and provides assurance and oversight to trustees.

Managing the risks surrounding the securing of funding and fewer public donations is a constant challenge. Closures and adverse publicity of other high profile charities are a pertinent reminder that the management of reputational risk, being responsive to changes in government policy and maintaining an open and supportive culture are all key components to ensure the longevity of an organisation.

Risk management is a structured and continuous process across the whole organisation that is used to identify, assess, decide on responses and report on opportunities and threats that affect the achievement of your objectives. It is not a new concept, but managing risk will undoubtedly add value to your organisation. It is recognised as good corporate governance and is critical to all successful businesses.

A sound system of internal control depends on a thorough and regular evaluation of risks and for the chosen approach to be supported by the Board of Trustees and an Audit Committee, where one is in place. For risk management to be truly effective it needs to be ‘the way we do things here’.

The benefits

A risk management framework does not have to be complicated and time-consuming. It offers a number of rewards to those organisations that get it right:

• Higher likelihood of achieving objectives
• Improved understanding of the key risks and their wider implications
• Greater management focus on the issues that really matter
• Fewer nasty surprises or crises
• Capability to take on greater risk for greater reward
• More informed risk-taking and decision-making
• It could also help to reduce insurance premiums!

The approach

There is a wealth of technical guidance available to assist in putting together an effective risk framework, so it may be useful to think about risks in the following way:

• Well-known risks - based on good existing knowledge
• Hypothetical risks - based on uncertain or incomplete knowledge and ‘horizon scanning’
• Unknown risks - based on an absence of knowledge. These often pose the most significant issues to an organisation. For example, it would be interesting to know whether the risk register of a well-known German car manufacturer included a risk relating to the reliability of their emission tests.

Evaluating risk

• Step one is to identify those risks that may impact on the achievement of a charity’s objectives and to score these before considering the controls in place to manage that risk. This produces a gross risk score.
• Step two is to consider how each risk is managed and what assurances are available, both internal and external to the organisation.
• Step three is to score the risks identified but this time taking into account the mitigating controls in place. This produces a net risk score.

Scoring can typically follow a methodology that assesses risk using five categories of impact (1-5) and likelihood (1-5). It could result in a top risk being categorised as 25. At that level it would be likely to be business-critical to the organisation should the risk occur.

Risk appetite (or how much risk is acceptable?)

As part of the risk scoring process, there is a need to decide on the level of risk the organisation is willing to take on. This is an important part of the process as in many cases we find that organisations are unduly risk-averse in some areas. This can mean that the costs of managing a risk are higher than they need to be. Trustees and management will recognise that some risks have to be taken for the charity to evolve, but some risks will leave you facing a high or unacceptable level of risk. These are likely to include data security, budgetary control and safeguarding risks.

A further option here is to consider introducing a target risk score to the process. This enables the Board of Trustees and management to articulate the future risk score they want each key risk to attain, with the target score varying according to each risk.

The roles and responsibilities

Everyone in your organisation is responsible for identifying new risks and challenging existing assumptions. Management are responsible for monitoring and reporting on the actions in place that reduce the impact and/or likelihood of each risk occurring. Members of the Board of Trustees or audit committee are responsible for overseeing the processes in place that manage the charity’s risks and for challenging management over the effectiveness of the risk mitigations in place. Each of these roles is important to achieve a successful framework.

Scrutton Bland are a leading provider of specialist Risk Management Services to charity, education, public sector and private sector clients. Through training, advice and practical solutions to risk management the Scrutton Bland team can help you implement or enhance your existing risk management framework.

For more information contact Paul Goddard at 0330 058 6559 or email paul.goddard@scruttonbland.co.uk
