Monday, May 16, 2011

Risk management ... now let's begin

The Charity Commission produces an excellent guide to risk management which can be found here. Indeed they take risk management very seriously and registered charities should report in their annual return what they have done about managing risk.

The Charity Commission document says that risks can be associated with
  • Governance;
  • Operations - this includes the use of our buildings;
  • Finance;
  • External factors; and
  • Legal and regulatory compliance.
It also provides a risk management model which has four stages
  • Identifying risks;
  • Assessing risks ;
  • Evaluating what action needs to be taken on risks; and
  • Periodic monitoring and assessment.
This seems like a straightforward model but is often not the approach that organisations take.

For example a few years ago I was discussing in an internet forum about whether an organisation that I belonged to should incorporate. This was a small organisation with maybe 200 members across the country, with no staff, no building and no contracts or other non-charitable legal obligations. One person kept saying that we should incorporate to reduce risk and I kept asking him what risks he was trying to reduce by incorporating.

When we covered all the issues it appeared that incorporation was not the answer. The answer was in having clear policies and procedures, direct lines of accountability and a shared understanding of who was responsible for what. Good practice is always the most effective way to manage risk. This is not to say that you don't buy any insurances, because in many instances this is best practice, but it does mean that you do the thinking before you buy the insurance. We do this ourselves in our own lives - think about the insurances that you can buy when you buy a washing machine - some of us reckon that we are better off without it and some decide the opposite. We do an assessment about our individual needs - which are not just about the washing machine but may be about our finances or our need for peace of mind. Then we decide what works best for us - as far as we can predict.

You must always start with the risks and get a feel for how likely they are and what affects they would have. You then need to identify whether you can predict some risks and what you can do to minimise the chance of them happening and minimise their impact. Then you need to take action - or if you decide against action (as in the above example if you decided not to buy insurance) then as an organisation it is worth minuting at a meeting why you have decided on that course of action.

More in the next few postings about the sorts of risks that we might face.

No comments:

Post a Comment