IS4. Risk management for charities Information sheet
Date Posted: 28 July 2016
This briefing will look at what is meant by ‘risk’ to charities, what a charity needs to do and how it can develop a risk management system.

(A PDF of this information sheet is available to download below)


Risk management is now a legal requirement for charities with a gross income of over £250,000. However, the Charity Commission feels that smaller charities should also establish a risk policy as a matter of good practice to demonstrate the charity’s accountability to its stakeholders (funders, general public, clients, etc.). The obligation to consider and take steps to reduce risk is not new; trustees have always had a duty to safeguard the charity and its assets. What is new is the duty to say they have done so.

The new requirements state that trustees must provide in the charity’s Annual Report ‘a statement confirming that the major risks to which the charity is exposed, as identified by the trustees, have been reviewed and systems have been established to mitigate those risks’, i.e. they have identified risks and they have put measures into place to lessen their impact.

Background to the requirement

Charities legislation and the charity accounting Statement of Recommended Practice (SORP) 1995 required charities to openly demonstrate that the charity’s trustees are managing the charity effectively. SORP 2000, Accounting and Reporting by Charities, has since been expanded from being just an accounting recommendation to also requiring a wider report of a charity’s activities. The requirement is not just about financial risk. It includes all risks to an organisation, including physical risk and, of particular relevance to charities, reputation risk.

An opportunity in disguise

Risk management does not have to be seen as a threatening or negative activity. It has a beneficial, pro-active, positive side, although you may not think so when confronted by your list of potential problems! The process makes you look at your organisation carefully and correct weaknesses in your operations, thereby making you stronger in the long term. It also reveals missed opportunities i.e. things that might prevent the organisation (or areas within it) from being as successful as it could be.
For example, the Stakeholder Pension Scheme legislation requires charities with more than five employees to designate a stakeholder scheme, provide access to it for staff and facilitate contributions from the payroll. The risk in not complying with this is fines of up to £50,000. However, the positive side of this is that it is an opportunity to provide staff with pension plans, which may be a way of retaining good staff in a competitive employment market.

Just what is risk?

We all face risks every day. Charities are no exception. For charities, risk can be defined as ‘any event or action that may adversely affect the organisation’s ability to achieve its charitable objectives and execute its strategies’.
Risks are many and varied and depend on the work you are doing. Risks may be ‘external’, e.g. changes in economic conditions or ‘internal’, e.g. failure in operational management or financial controls or loss of staff. Risk affects all aspects of an organisation.

Common risks for charities might be:
  • governance – bad internal management, unsuitable trustees, conflicts between trustees and management, an out of date constitution and election process;
  • strategic – not meeting objectives, or setting the wrong objectives, not monitoring and adapting to changes in government policy or public perceptions;
  • operational failure – which may in turn impact on charitable objectives, e.g. inadequate quality of service caused by, say, poor information systems and loss of data, computer problems and loss of time;
  • reputational – adverse public relations, breach of confidentiality;
  • financial – loss of a major funder, inaccurate financial information, inadequate reserves and cash flow, inadequate diversity of income sources, increased competition for funds, difficulty complying with funding rules, fraud and theft;
  • regulatory – failure to meet legal and regulatory requirements, e.g. non-compliance with requirements for fund raising activities, employment law, Disability Discrimination Act, Data Protection Act, etc;
  • people – failure to maximise performance, loss of key staff, legal issues;
  • health and safety – office, clients, field work, festivals, concerts, etc.

So what do we have to do?

Manage the risks. Risk management involves identifying and assessing risks and then devising a plan to deal with them. This should be an ongoing process – regularly reviewed and updated to reflect changes in circumstances. It should involve the whole organisation (trustees, staff, volunteers) and be done collaboratively to give you a full picture of what you might face. It is important to note that not all risks can be eliminated but that the extent of the risk can and must be mitigated. This is usually possible with appropriate controls in place.

A good risk management process will be:

  • aligned with the organisation’s mission;
  • supported by trustees, management and staff;
  • communicated effectively throughout the organisation;
  • adaptable to change;
  • simple but structured.
Risk management is a balancing act and a continuous process consisting of five main steps:
1. identification – highlighting potential risks;
2. prioritisation – scoring the risks, i.e. by their potential harm and likelihood;
3. elimination or mitigation – taking the appropriate action;
4. review – periodically testing the effectiveness of the action taken;
5. reporting – to trustees and the management team.
You might want to assign one person to be responsible for the process and you might even need to form a working group representing all aspects of the organisation and chaired by either a trustee or the chief executive.

1. Identify and assess risks

  • Clarify your organisation’s key objectives, e.g. to comply with legislation; to meet the needs of our members by 80% within the next 2 years
  • Once these have been identified, ask: What risks would prevent us from meeting these objectives? What measures could we adopt to reduce this risk to an acceptable level?
  • List potential risks:
    • Hold a brainstorming session with managers as well as all/some trustees. You could plan this into a regular board meeting or hold a special workshop. For example, in advance of the next Board meeting ask each board member and manager to list what they see as the major potential risks to which the organisation is exposed. (Similar exercises could be undertaken by groups of staff, collated by the chief executive and the findings compared.)
    • Make the most of sources that already exist for identifying risks, e.g. your business plan will help to highlight the risks associated with chosen strategies and may lead to the development of possible alternatives. The annual budget approval process should identify and assess the assumptions underlying the budget and thus address the need for contingency provisions. Staff appraisals and exit interviews, the accident book, complaints procedures, feedback from users, market research, assessments by funders, inspections by regulatory authorities, internal audit reports, etc. are all possible sources for the identification of risks
  • Collate the lists and classify the risks in terms of occurrence (are they likely to occur) and the impact they might have on your organisation. Assess the relative significance of each risk, weighing up both the potential damage that might result, on a scale from negligible to catastrophic, and the likelihood of occurrence, from unlikely to inevitable
  • It helps to judge against a time limit, i.e. what is the likelihood of this happening in the next year? Or the next 3 years? To put things in perspective and to prioritise your actions, ask yourself questions such as: what will happen if we lose our major funder, or our administrator goes on long-term sick leave?

2. Prioritise

Do a ‘sensitivity analysis’, i.e. prioritise the risks and consider what level of risk is acceptable in the light of your organisation’s objectives and resources. Something that is likely to happen, and will have a serious impact, should be dealt with first.
For 1 and 2 above you could draw up a table with the following headings:

Likelihood:
  • Extremely unlikely or a rare occurrence
  • Unlikely
  • Moderately likely
  • Regular occurrence
  • Highly likely
  • Extremely likely or frequent occurrence.

Impact:
  • Not critical to the continued operation of the organisation
  • Minor impact in some areas
  • Minor impact in many areas
  • Significant impact that would not affect the continued operation in the short-term, but might in the long term
  • Significant impact in the medium term on major operational areas
  • Fundamental to continuing operations.

3. Elimination or mitigation

Now consider what controls already exist and if necessary what action the organisation needs to take.
Adopt one or more of the following options (this could be tasked to your working group):
  • avoid the risk – i.e. cease to operate in a particular area of activity. This is not always a bad thing, e.g. a contract might have expensive get-out clauses;
  • accept the risk;
  • transfer the risk – i.e. to a third party by taking out insurance; or through conditions or warranties on contracts;
  • reduce the risk – e.g. introduce new procedures and policies, make sure you have off-site back-ups for computer data;
  • minimise the impact – i.e. with contingency planning: putting measures in place in case something goes wrong. If the building were to burn down what would our recovery plan be? If the rate of inflation goes up how will the personnel budget cope? (for financial contingency planning it would be sensible to get advice from an accountant);
  • monitor the risk and exploit any potential upside.
In assessing the effects of risks you could draw up a table containing the following headings: (Please see the PDF download below for tables).

4&5. Review and reporting

You will find it easier to reduce the likelihood of risk if you create a good system that takes risks into account from the start. This will include systems that address the whole operation of your organisation, in addition to the areas where risks have been identified. Check your procedures and policies, make sure that risk management is a part of everyday processes and that your organisation is capable of reacting to internal and external changes. Any weaknesses in the system should be evident – and reported – immediately.
A good system will be able to provide your board with reports on:
  • identification, evaluation and management of key risks;
  • assessment of the effectiveness of methods you use for controlling these;
  • actions to remedy any weaknesses (including costs and benefits);
  • adequacy of your monitoring of your system.
It will also have key organisational ‘controls’ in place, e.g.
  • Early warning indicators – key indicators that will alert you and trustees to the fact that things are going wrong. Examples might include a fall in membership, fast staff turnover, a reduction in bank balances;
  • Management information – procedures that ensure that trustees receive regular information to enable them to assess the organisation’s risks on an ongoing basis, e.g.
    • everyone in the charity understands the risks and their roles;
    • individual responsibilities are clearly defined;
    • all systems of control have been documented;
    • there is a process of regular review of the effectiveness of the systems;
    • procedures record any shortfalls and take corrective action;
    • you are able to monitor activity within and across the sector.

LEGAL REQUIREMENTS – The SORP Compliance Statement

The information you gather from the risk management process will have to be reported to the trustees from time to time. This will not only meet the SORP requirement but will also satisfy trustees that your organisation is well run. Even if you do not legally need to provide a statement it is good practice to do so.
At the end of every year the trustees will have to formally assess the progress your organisation has made in mitigating risk. A detailed paper outlining the work you have done for this should be submitted to the Board. This must be formally minuted so that there is a firm record that the trustees have made the assessment and agreed that they can state in their annual report that the major risks to which the charity is exposed, as identified by the trustees, have been reviewed and systems have been established to mitigate those risks.

At the very least the report needs to state: “the trustees have assessed the major risks to which the organisation is exposed, in particular those related to the operations and finances, and are satisfied that systems are in place to mitigate exposure to the major risks.” The Trustees must have supporting documentation to demonstrate that they have undertaken a risk assessment. It may be wise to have this independently confirmed.

A more detailed statement might explain:
  • the trustees’ responsibilities;
  • what structures are in place to ensure the organisation’s objectives are effectively met;
  • what systems of control are in place (internally);
  • how controls are reviewed;
  • the adoption of a risk management process.
However, this is not the end of the process. The risk management cycle should begin again by identifying the current, and potential, risks facing the charity. The existing risk exposure checklist will form the basis of the next assessment, which may identify new risks, such as those arising from changes in legislation. For example:
  • The trustees are concerned about confidentiality and security of data. Action – review of IT security policy in line with the Data Protection Act.
  • The trustees are concerned about the financial records. Action – full review of accounting system including staff skills, use of accountant, etc.

Further help and information

www.charity-commission.gov.uk or T: 0870 3330123. The Charity Commission has issued guidance and an example format for a risk register at www.charitycommission.gov.uk/supportingcharities/charrisk.asp

RISK BRAINSTORM (this is not a definitive list!) Would your organisation be affected by:

Reputational

  • A major incident resulting in physical injury to a member of your organisation or to a member of the public
  • A scandal involving either a trustee or an employee of your organisation
  • Dissatisfaction about the way in which funds are used
  • Failure to comply with laws and regulations
  • Problems affecting the sector.

Laws and regulations

  • Are you aware of specific laws your organisation is subject to in relation to your activities?
  • Have you identified health and safety issues and do you have a written policy?
  • Are you registered under the Data Protection Act and do you have procedures in place to ensure that there is compliance with the Act and that there is security of data?
  • Are you complying with conditions, stipulated by donors or grant making bodies, in relation to the use of funds?
  • Are you complying with regulations in relation to the presentation and filing of annual accounts?

Assets

  • Is your ownership documented and recorded?
  • Is the location of each asset known?
  • Are your assets maintained in good order?
  • Are your assets physically secure?
  • Are the assets safeguarded against inappropriate use or fraud?
  • Is the disposal of assets properly authorised, and, in the case of land and buildings, is professional advice obtained?

Liabilities

  • Are all liabilities identified?
  • Are all liabilities recorded?
  • Is expenditure incurred only by authorised persons?

Fundraising activities

  • Are all fund raising projects properly controlled?
  • Are funds collected secure?
  • Are funds appropriated in accordance with the charity’s objects or the donors’ wishes?

Physical and other disasters

  • Storm damage, fire, flood, explosion, loss of power supply, loss of water supply, loss of communications, computer failure resulting in loss of data and delay in collecting income.

Other external factors

  • Problems affecting other charities within the sector
  • A change in Government policy, including the withdrawal of taxation and other benefits
  • A fall in the popularity of your cause
  • Greater competition for sector related funding.

Financial control

  • Accounting records that are not regularly reconciled
  • Lack of budget systems including: Strategic and operational business plans; Internal procedures to review and agree budgets; Documentation and control of agreed budgets
  • Monitoring processes, including measurement of financial performance, such as comparisons between actual and budgeted results
  • Capital project planning and control, including evaluation of the need for, and the benefits of, any potential capital projects, control and monitoring of the project and assessment of the value obtained once the project is complete.


Published by Foundation for Community Dance, January 2011

© Foundation for Community Dance. All rights reserved.

Every care has been taken in the preparation of this publication, but it is not intended to be legally comprehensive or to replace professional/legal advice. No responsibility can be accepted by the publishers, author(s) or contributors for any errors, omissions or changes, nor for any harm, however caused, which results from the information presented.

This information sheet was first produced and published by Voluntary Arts: www.voluntaryarts.org/briefings.