• Step three is to score the risks identified but this time taking into account the mitigating controls in place. This produces a net risk score. Scoring can typically follow a methodology that assesses risk using five categories of impact (1-5) and likelihood (1-5). It could result in a top risk being categorised as 25. At that level it would be likely to be business-critical to the organisation should the risk occur.

Risk appetite (or how much risk is acceptable?)

As part of the risk scoring process, there is a need to decide on the level of risk the organisation is willing to take on. This is an important part of the process as in many cases we find that organisations are unduly risk-averse in some areas. This can mean that the costs of managing a risk are higher than they need to be. Trustees and management will recognise that some risks have to be taken for the charity to evolve, but some risks will leave you facing a high or unacceptable level of risk. These are likely to include data security, budgetary control and safeguarding risks. A further option here is to consider introducing a target risk score to the process. This enables the Board of Trustees and management to articulate the future risk score they want each key risk to attain, with the target score varying according to each risk.

The roles and responsibilities

Everyone in your organisation is responsible for identifying new risks and challenging existing assumptions. Management are responsible for monitoring and reporting on the actions in place that reduce the impact and/or likelihood of each risk occurring. Members of the Board of Trustees or audit committee are responsible for overseeing the processes in place that manage the charity’s risks and for challenging management over the effectiveness of the risk mitigations in place. Each of these roles is important to achieve a successful framework.
Paul Goddard, Head of Internal Audit at Scrutton Bland, looks at the ways of evaluating and managing risks for charities and not-for-profit organisations.
• Step one is to identify those risks that may impact on the achievement of a charity’s objectives and to score these before considering the controls in place to manage that risk. This produces a gross risk score.
• Step two is to consider how each risk is managed and what assurances are available, both internal and external to the organisation.
Scrutton Bland are a leading provider of specialist Risk Management Services to charity, education, public sector and private sector clients. We provide training, advice and practical solutions to risk management and we would be delighted to help you implement or enhance your existing risk management framework.
Contact Paul Goddard on 01473 267000 or email firstname.lastname@example.org