Recent years have seen charities large and small coming under increasing scrutiny and being asked penetrating questions by funding agencies, journalists and the public. High-profile scandals affecting some of the biggest-name charities have generated a climate of scepticism, even suspicion, about the whole charity sector. The result: risks to reputation, indeed risks more broadly, have risen up the agenda for all in the sector. Risk is now a big issue for all charities and good risk management is, or should be, an essential aspect of charity governance.
Where then does your charity stand?
Charities have a duty to their staff, their beneficiaries, funding agencies, and their own trustees to ensure that risks that could affect the operation of the charity are properly identified, mitigated where possible and managed, and that the whole process is properly run and recorded.
So how does risk management work? Some of the major areas of risk are well known. First is financial risk. Do you have measures to protect against the possibility of fraud or misuse of funds? Even if you trust your staff and volunteers implicitly it is still good practice to have appropriate measures in place, removing scope and temptation for misuse. Is your reserves policy appropriate, able to safeguard the charity against a financial downturn or loss of a major source of income? (I know that the idea of significant reserves elicits a hollow laugh from many charity treasurers, but it’s at least a good idea to have carefully thought out what your reserves should be – typically covering the costs you would face if the charity were to have to cease operation in a hurry, along with some element of contingency.)
A second area is IT risk. This covers measures to be taken to guard your systems against hacking and viruses. It means ensuring that information is properly backed up and retained in more than one physical location. It means having a recovery plan in place in the event of some major IT failure, whether accidental or malicious. Databases of supporters, beneficiaries and others are vital to most charities and can take a long time to build up. In the era of GDPR their loss is serious, as records need to be kept of people who have given their permission to be contacted by the charity for various purposes.
For many charities, a third major risk area is safeguarding - taking appropriate care of children and vulnerable adults, and making sure that information held about them is held for the right reasons, with the right permissions, and securely.
These and other areas come together in the fourth and perhaps most all-embracing area of risk, that of reputation. Mistakes and carelessness in other areas can fundamentally harm a reputation - arguably the most important asset of a charitable organisation. As Warren Buffett famously said, “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently.”
Safeguarding reputation involves appropriate measures to deal with risks such as those above, and having a regular dialogue with stakeholders, beneficiaries, funders and, where appropriate, members of the charity, whether individual or organisational. It’s wise to compile a stakeholder-issue matrix, identifying what aspects of a charity matter most to whom - and therefore where trust and mutual confidence are most important.
Conflicts of interest, particularly those affecting senior staff or trustees, must be identified and declared, and appropriate steps taken to ensure that no accusations of inappropriate influence will take hold. Areas of possible conflict at the organisational level must be identified too – for example a charity may be augmenting its income by offering services on a paid-for basis, and this may be perceived as a conflict by some of the very organisations which are members of the charity or its supporters.
So what questions should you be asking?
If you are running a charity, or are a trustee of a charity, these are some of the questions to ask:
Have you identified risks that could face your charity, and how systematically has this been done?
Do you have a well thought-out risk register and if so, when was it last reviewed, and how much time was taken by the board of trustees and senior staff in conducting that review?
Have the risks been assessed and rated, in terms of the likelihood of each “risk event” occurring and the impact of the risk event, were it to do so? And if so, is the rating simply on a “high, medium, low” basis, or do you know what “high” actually means, as this can mean different things to different people? Does it mean that the charity would have to cease operation? Or that there will be serious harm to one or more beneficiaries?
For each of the major risks, have you identified mitigation actions, differentiating those designed to mitigate the likelihood of the event occurring from those designed to mitigate its impact? For example, to protect a computer system you might mitigate likelihood by having the system regularly maintained and the server housed in an air-conditioned environment, while to mitigate the impact of failure you might, indeed should, have a backup and recovery plan in place.
Have you identified an owner for each risk, responsible for reviewing the adequacy and effectiveness of mitigation actions and drawing attention to events or changes in the business environment that might affect the risk rating, particularly if it causes the risk rating to be increased?
Many charities find that trustee meeting agendas are rather too crowded to devote adequate time to risk assessment and management, and assign the task to a separate group, often an audit and risk subcommittee (noting the importance that “audit” shouldn’t just be about finance). If that isn’t an approach you take, how about allocating a specific special meeting of the board of trustees and senior staff each year to review the risk register really carefully? And to get an independent view, a fresh pair of eyes, try bringing in someone from outside the charity, perhaps from another charitable body in a somewhat different sector. A fresh pair of eyes often brings a useful new perspective and can identify issues which those closely involved in the charity might have overlooked.
Make sure you test drive risk measures
Finally, how do you know that your mitigation measures work? You probably wouldn’t put total confidence in your fire precautions and evacuation procedure unless you had at some time carried out a fire drill to see whether the measures would actually work and everyone would be able to leave the building and be accounted for in time. So for similar reasons, it’s often a good idea to test the adequacy of other risk mitigation measures. For example, an exercise could be devised to test what would happen in the event of sudden unavailability of your core IT systems, including perhaps a membership database or financial records. Such a simulation can be a salutary learning exercise.
Good risk management at first sight might seem a little onerous. But the same could be said about many things in life which turn out to have real benefits. We’ve probably heard it said “If you think safety’s expensive, just try accidents”: in the same way, risk management is a lot less troublesome than getting nasty surprises when something happens that you haven’t foreseen. Good risk management is a part of good business management - and whether it’s a charity or any other sort of business, investment in a proper risk management approach is an investment that’s well worthwhile.
We would like to thank Cranfield Trust Volunteer, David Brown, very much for taking the time to write this blog for us and for sharing his expertise on risk management.