Most organisations are subject to risk, but perhaps the stakes are highest for charity organisations, whose service users depend on their vital services. Charities operate in an environment where the consequences of unmitigated risk can be catastrophic. Mismanagement of funds can result in negative publicity, loss of trust, and reduced funding. Furthermore, charities must comply with a complex web of regulations and ethical standards, which adds another layer of complexity to their operations.
Managing risk in charities is essential to ensure that they can continue to serve their beneficiaries, deliver their vital services and maintain their reputation as trustworthy organisations.
Some risks may be unavoidable, such as the pandemic – which, according to IBIS World saw “25% of UK charities lose 40% of their income in 2020.” Or the economic cost of living crisis which means some charities are having to close, due to rising energy costs, which are 4.5 times higher than February 2021.
Other risks, such as cybersecurity threats, inefficient processes, legacy systems, and attrition can be managed and mitigated by having the right processes and controls in place. Here are some best practices for managing risk in charities:
Identify and assess risks
The first step in managing risk is to identify potential risks. Charities should conduct a risk assessment to determine what risks they may face and how likely they are to occur. This assessment should consider all aspects of the charity’s operations, including finances, programs, staff, volunteers, safeguarding and external factors such as changes in legislation or economic conditions.
Running a risk workshop can help identify risks. It is useful to have a standard way of describing risks to prevent risk descriptions running away from you and becoming too vague.
Develop a risk management framework
After identifying and assessing risks, charities should develop a risk management framework. This plan should outline how your charity will mitigate, avoid, or transfer each risk. It should also use a RACI method to specify who is responsible, accountable, to be considered and to be informed for each risk.
Update tools and processes
Reviewing systems and processes regularly can help identify any potential areas of exposure. Do your systems need updating? Are you at risk of a data breach because of current processes? Are you able to deliver your services effectively and efficiently to meet demand? Legacy systems can not only be inefficient but present a significant risk. Your data handling should be conforming to GDPR requirements, and you may need a CRM platform to help you manage this.
Establish Governance Structures
Effective governance is essential for managing risk in charities. Charities should establish clear governance structures, including a board of trustees, to oversee the organisation’s operations and ensure compliance with legal and regulatory requirements. The board should be responsible for setting the charity’s strategic direction. Charity trustees have overall responsibility for setting in place the risk management framework and must state that they have considered the major risks to which the charity is exposed and satisfied themselves that systems or procedures are established to manage those risks in their trustees’ annual report.
Embedding risk management into culture
When we talk about culture, we mean the behaviours which are driven by the values and purpose of the organisation. The approach to your risk strategy should be consistent and adopted across the whole organisation. A culture which embraces the following principles will be better set up to adopt and embed risk management:
- Continuous learning and improving the risk strategy
- Honest, timely and transparent communications
- Integrity, embracing individual and collective responsibility
- Trust, being comfortable to raise risks and challenge assumptions
Independent evaluations are another way that charities can provide assurance to stakeholders. Independent evaluations can assess the effectiveness of charity programs and services, identify areas for improvement, and provide recommendations for enhancing impact. Independent evaluations can also provide charities with valuable feedback that they can use to improve their operations.
Impact reports are another critical tool for providing assurance to donors and other stakeholders. Impact reports can measure the social and environmental outcomes of charity programmes and services and provide evidence of the charity’s impact. Impact reports can also help charities to identify areas where they can improve their programmes and services to increase their impact.
In conclusion, risk management and assurance are critical components of charity operations. Charities must identify and manage risks effectively and provide assurance to stakeholders that they are operating efficiently and effectively. To achieve this, charities must establish a risk management framework, conduct financial audits, commission independent evaluations, and conduct impact assessments. By doing so, charities can demonstrate their commitment to transparency, accountability, and social impact.
If you need any guidance on establishing risk management frameworks get in touch with us today.