Risk Management

Risk is a situation involving an exposure to danger. You should approach risk management positively, as part of the day-to-day management of the organisation, for it does not just identify threats, it also provides opportunities for improvements.

Threats and opportunities

Most risk can be anticipated and therefore planned for, for example:

  • Financial (such as inadequate reserves)
  • Human (such as departure of key staff)
  • Operational (such as theft of computers)
  • Technological (such as the computers dying without sufficient backup)
  • Physical (such as someone falling off a ladder)
  • Reputational (such as media exposure of bad practice)
  • Governance and management (such as a lack of plan to guide the organisation’s work).

Risk Management Sub-Committee

Does your organisation have procedures in place to comply with employment, equality, and health and safety legislation?

You may wish to consider a risk management or audit subcommittee that undertakes regular reviews of internal control systems. However you choose to conduct this process in your organisation you should ensure that the governing body is actively involved and reviews the risk management strategies annually as it is ultimately responsible for the risk management in the organisation. You should conduct an annual written assessment – under the main headings such as the seven listed above – of the risks facing your organisation (risk identification). Each risk that you identify should be assessed to examine the consequences to the organisation if it were to happen (risk assessment). Each risk then should be matched with a risk management strategy that describes the procedures that are in place or actions that are underway to manage or minimise that risk (risk management). Remember that you must put in place clear communication channels for all workers to report suspected breaches of law, regulations and other improprieties.


A Tool for Managing Risk

A useful tool to help you report the findings is to plot each risk identified on a simple graph that has ‘the chance of this risk happening’ on one axis, and ‘negative impact on the organisation’ on the other axis (see below). For example, the risk of a fire in your office destroying all your files and data on your PCs might have a low risk of happening, but if it did, it could have a very harmful impact on your organisation: in this case, that risk - identified by the letter (a) - would appear somewhere in the top left, as shown below.

A tool for managing risk

Although where to precisely plot the risk on this graph is a judgement call, this can be a helpful tool for management and the governing body to focus energy on the most important risks. It also quickly identifies those key risk areas that require more targeted management (that is, those in the top right quadrant) which have a high likelihood of happening and significant negative impact if they did happen. However, it is important to stress that risks plotted elsewhere on this chart should also be actively managed. One of the most effective risk management approaches is to have a comprehensive set of policies and procedures for the organisation. By having written policies and procedures on, for example, staffing and employment, internet and email usage, health and safety, etc, you will find that these procedures not only assist you in implementing your plans for the organisation, but they also act as risk management strategies for many of the ‘usual’ risks facing your organisation. In approaching risk management in this way, it becomes part of the day to day management of the organisation and not something to be intimidated by.

By dealing with risk directly in a manner similar to that described in this section, you can be sure that the organisation is better managed on a daily basis.

An example of risk management based on employing staff:

Step 1 – Identify potential areas of risk to your organisation
Does your organisation have procedures in place to comply with employment, equality, and health and safety legislation? If so, how well have these procedures worked in the past? When were they
Step 2 – Assess the impact of the risk on the organisation if it were to happen
For example, what are the legal penalties of not having health and safety statement? What are the reputational risks if a disciplinary matter is mishandled?
Step 3 – Manage risk by revising/developing procedures in the light of steps one and two
Implement required changes to existing procedures and develop procedures to meet identified gaps. Arrange for regular review of those procedures and decide how the organisation will keep itself informed of changes in employment legislation.