Following their session at the Charity Finance Summit on risk registers, Kate Sayer and Jonathan Orchard from Sayer Vincent look at some new approaches to risk management.
New approaches to risk management in the charity sector are required. Traditional risk registers have their place but can become stale. Typically the process to generate a risk register involves listing all the risks you can possibly think of, then ranking them for probability and impact.
Drawbacks to listing risks
- Definition of the risk – a risk can only be ranked if you have precisely defined the nature and extent of the risk, so vague descriptions are incapable of measurement
- Numbers-based ranking is misleading – people are often misled into thinking this is a scientific method and that the ranking is “true”, whereas it is really just an expression of perceptions
- One person’s view of what is high risk is different to the next person’s view, so you may not be talking the same language.
- Not all the risks included are actually risks, but are really areas which need some management attention or are the consequences of a risk
- Risks include both strategic and operational risks in one list or register
Risk registers do not lead to risk management
We do not believe that traditional risk registers have necessarily resulted in organisations managing risks more effectively. They are not good at ensuring that the actions identified to mitigate the risks are well aligned to respond to the risk effectively. And in many cases, the assessment of controls is weak.
Risk registers feed the misapprehension that risk management is about identifying all risks and then controlling them. In reality, it is not possible to identify all risks and risk management is not about controlling or eliminating risk.
Risk management is about treating risks appropriately. For many external risks and events outside your control, you cannot prevent the event happening or reduce the likelihood, but you can be ready to respond. So many organisations need to be able to respond to unforeseen events quickly and appropriately. In addition, risk management is about taking appropriate risk – it has a positive side as well.
A different approach is needed for strategic risks. These are risks that:
- Arise from the strategy
- Are external and so outside our control
- Are pervasive – in other words they cannot easily be managed by one team, but need co-ordinated action across the charity, although you may decide to ask one manager to lead the response.
Strategic risks tend to fall into a few categories – we call them the Big 5:
- Are you making the desired impact in support of your beneficiaries and can you evidence it?
- Are you managing the finances to ensure you continue to make an impact in the medium to long term?
- Are you meeting your regulatory, legal and donor compliance requirements and expectations?
- Are you able to respond effectively to any incident that could result in damage to your reputation?
- Specific to your charity – a risk that is specific to the nature of the charity and may be at the heart of what the charity stands for. For example, for a children’s charity it might be child protection.
Although they need to be interpreted for your charity, the first four are the questions every organisation should ask themselves. The fifth area is specific to the nature of work of an individual charity.
Strategic risk should start from the strategy and work towards a description of how your charity manages these risks. The management actions are likely to be ways in which the organisation can respond to mitigate the risk, since it is unlikely that you can prevent the risk event happening. So this shifts the emphasis to developing response plans and rehearsing these.
The key questions for a board to ask in relation to strategic risk are:
- How do we know as a board that we are managing this risk?
- What is the underlying assurance process that tells us this?
- And can we trust that process?
An effective tool for answering these questions is an assurance framework that identifies the assurance processes for each strategic risk and assesses the reliability of those processes.
Managing operational risks
The risk management process needs to be led by the trustees and senior management team, but it needs to be clear that operational managers have their role to play and are responsible for managing risks as part of their job. It is usual to have an annual process in place for operational managers to report on how they manage risks. Note that the emphasis is on managing risk, so the process focuses on actions to control risks.
The majority of operational risks are internal risks and predictable, so not so much risks as “things we have to get right”. So actually we need assurance that systems are in place and are effective. Rather than long lists of all the things you have to manage, it is more useful to accept that many of the operational risks are fairly obvious and are part of day-to-day management.
Managers should identify and map key risk areas, together with the policies, procedures and controls they have in place. A framework for managers and some training will help to ensure that the process is reasonably consistent across the organisation. Middle managers should share their completed frameworks with their manager and talk through any significant areas.
Adopting a revised approach to risk management will increase the level of understanding of risk across the whole organisation and develop the risk management capacity of all managers. Focussing on risk management rather than risk assessment will:
- Enable your organisation to develop an approach that helps you to understand the risks and opportunities you face
- Establish a pro-active approach to managing risks that recognises we cannot identify every possible risk and we cannot eliminate risk; however, we can increase the organisation’s capability to respond to unforeseen events
- Prepare a risk register that provides senior managers and trustees with a useful tool for understanding and monitoring the strategic risks
- Provide a framework for risk management activities by departments and teams that enables them to manage, monitor and report on operational risks.
Kate Sayer and Jonathan Orchard are both partners at Sayer Vincent.