Risk cannot be avoided, but most types of risk can be anticipated and therefore planned for.
Community and voluntary organisations, charities and social enterprises operate in particularly high risk environments, coping with uncertain funding streams, having vulnerable client groups, being dependent on voluntary input, and so on and so forth.
It is important that people who run not-for-profit organisations, whether as volunteers or paid staff, are aware of the risks involved and feel comfortable dealing with them. In fact if your organisation takes a proactive approach to risk management, not only can you work to avoid bad risks but you can also identify opportunities for development.
What Kinds of Risk Should We be Aware Of?
Here are a selection of the categories of risks facing organisations in our sector, and some examples:
- Financial (such as inadequate reserves)
- Human Resources (such as departure of key staff)
- Operational (lack of capacity among key staff to deliver projects on time)
- Technological (such as the computers dying without sufficient backup)
- Physical (such as someone falling off a ladder)
- Reputational (such as media exposure of bad practice)
- Governance (such as the lack of a plan to guide the organisation’s work).
What Steps Should we Take to Tackle Risk?
Before you begin….
Identify a key person to take responsibility for developing and delivering the risk strategy. In an all-voluntary group this responsibility could be assigned to the chairperson of a Risk Subcommittee. Where you have staff, responsibility could rest with the CEO or similar senior manager. Ultimate responsibility for managing risk still rests with the governing body.
Identify an appropriate Risk Management Process/Tool. The Wheel has developed a toolkit on Risk Management which you might find useful in your organisation. You can download the Reducing The Risk toolkit here.
In Reducing The Risk you’ll find plenty of detailed information on the steps summarised below.
Step 1 - Risk Identification
Taking as your starting point the organisation’s vision and mission, identify the risks that may prevent the organisation from achieving your goals. You can also use broad headings, like those above, to help you think of the potential threats to the organisation.
It is important to involve key stakeholders (board, volunteers, staff, service users etc.) in this exercise.
Step 2 - Risk Assessment
You now need to look at the potential impact of each of the risks identified. What would be the consequences of each? How serious would it be for the organisation? How likely is it to happen?
It might be useful to plot out the various risks on a diagram like the one below.
This will help the governing body to assess which risks are most serious and need immediate attention and which risks need monitoring over time.
Step 3 - Risk Control
Now the organisation can begin to put safeguards in place to control the likelihood or seriousness of a potential risk. There are various actions that you can take to control for risks. These range from avoiding the risky activity altogether to putting in place a policy to minimize the risk, to taking out insurance so that if the risk occurs the organisation will be able to seek compensation.
Step 4 - Risk Monitoring
It is essential that organisations monitor how their risk management processes are working. The Board must take responsibility for ensuring that the controls in place are effective in minimizing the risks to the organisation. Equally its important that the Board monitors how risks change over time, a risk that may seem unlikely this year, may become a key priority twelve months down the road.
What does an Effective Risk Management Process Look Like?
Risk Management needs to be embedded in the organisation’s day-to-day processes and have buy-in from all in the organisation. The process should have robust prioritization. It’s essential that the necessary human and financial resources are in place and that the process is underpinned by clear communication channels so that anyone in the organisation can notify the board of compliance breaches and other major risks.