Risk management for charities - threat or opportunity?
The Charity Commission issued the revised Statement of Recommended Practice,
Accounting and Reporting by Charities, in October 2000. Probably the most headline
grabbing new requirement introduced by the Charities SORP 2000 is the requirement
for trustees to make a statement on risk management in their statutory annual Trustees
Report that normally accompanies the accounts. It is easy for charities to get
concerned about the implications of this and, in particular, view this as an onerous
duty. This guidance aims to reassure trustees and staff in charities that in most cases
this does not represent a significant extension of their responsibilities, and to provide
practical suggestions on how to address the risk reporting requirements.
Introduction to risk
Our world is full of risks, and we have all grown up used to making decisions over
how we will deal with them. In the corporate world risk management has become an
essential part of good management. The question is how relevant this may be for the
Risk management in the commercial environment and especially within the financial
services industry is often considered using advanced statistical techniques. Risk is
inextricably bound up with probability and in the commercial world complex
approaches have been developed utilising concepts such as normal distributions,
regression theory, and diversification.
For most charities, their operations are not as complex as large multinational
conglomerates or major financial institutions; hence a more abstract framework is
better at providing a methodology for the management of risk. Risk management is
now seen as an important tool in ensuring the ordered and efficient operation of
charities, regardless of their size or nature. It is the formalisation of this essentially
common-sense approach to charity administration that should be the focus of trustees’
attention, not just the Charities SORP reporting requirements. Indeed, the Charity
Commission, as a public body, has itself undertaken a risk management exercise
considering its own responsibilities and operations.
History to Governance Reporting
It is only relatively recently that the reporting on governance and internal controls of
an organisation has been a public matter, developments in this area principally
occurring during the 1990s. The conceptual framework for thought in this area was
first addressed in North America by the Treadway Commission and the Committee of
Sponsoring Organisations. In this country the response to perceived abuses of
corporate governance was the Cadbury Committee report in 1992.
The Cadbury report focused on areas such as the need for non-executive directors,
remuneration committees and the disclosure of directors’ emoluments. None of these
are directly applicable to the Charity Sector. The report did however also make
recommendations on forming audit committees, confirming going concern status and
reporting on the effectiveness of internal controls. All of these are relevant for
The Hampel Committee “Combined Code” issued in 1998, brought together the initial
responses to Cadbury and in particular affirmed the benefit of reporting on internal
controls. The corporate world accepted that there were considerable benefits in
demonstrating that companies had formal and transparent arrangements for financial
reporting and were applying adequate internal control procedures. However, the
practical question of how companies could report on the effectiveness of their internal
controls was not addressed. The remit of the Turnbull Committee was to consider
how this would be best achieved. The final report of this Committee was issued in
Until this point references were only being made to reporting on internal controls.
Turnbull brought about a radical change in approach with the focus being on risk
identification, and the effectiveness of controls being considered by reference to their
ability to mitigate risk where appropriate.
Board responsibility for the establishment of a sound system of internal control was
highlighted, but the need for risk management to be “embedded” into the culture of
the whole organisation was also emphasised. The process was to be seen as an all-risks
policy, not just a financial-risks policy.
The guidance provided a framework for considering the effectiveness of the internal
control system through consideration of factors such as clarity of risk assessment,
existence of a control environment and control activities, adequacy of information for
decision-making, and the extent of monitoring processes.
Turnbull recommended that the Board’s Statement on Internal Control should express:
• Acknowledgement of the Board’s responsibility for the internal control system
• Existence of on-going risk assessment and management processes
• How internal control effectiveness is reviewed
Whilst the Turnbull report did not insist that companies have an internal audit
function, it did encourage that the need for internal audit be considered annually.
The corporate sector’s experience of adopting Turnbull principles is still relatively
limited as they have only just come into effect – being mandatory for listed companies
for accounting periods ended on or after 23 December 2000.
Other sectors, such as Registered Social Landlords, and Further and Higher Education
establishments, have also adopted corporate governance disclosures. These largely
mirror the regime for listed companies. The statutory reporting approach adopted for
the charity sector is however different to all of these.
Statutory requirements for charities
For charities, the requirement to report on risk was introduced by the Statement of
Recommended Practice, “Accounting and Reporting by Charities”, and the
accompanying “Charities (Accounts and Reports) Regulations”, both issued in October
2000. The requirements of each are slightly different, as can be seen below.
Charities SORP 2000.
Paragraph 31(g) requires the Trustees Annual Report to contain “a statement
confirming that the major risks to which the charity is exposed, as identified by
the trustees, have been reviewed and systems have been established to mitigate
Careful reading of this indicates that the trustees do not have to be concerned that they
have indeed identified all the major risks that the charity may encounter. But where a
major risk has been identified, then they must have taken steps to consider, and where
necessary, do something about the risk concerned.
Charity accounting regulations 2000
Under the Charities (Accounts and Reports) Regulations 2000, which give
statutory effect to much of the Charities SORP, there is a requirement (mandatory
for all non-exempt charities exceeding £250,000 gross income for the year -
charitable companies included) that the trustees make a statement that they have
“given consideration” to:
a) the major risks to which the charity is exposed; and
b) systems designed to mitigate those risks.
This may be seen as less stringent than the Charities SORP. If so, ultimately the
statutory responsibility of trustees regarding risk management disclosures could be
interpreted as achievable merely through its inclusion on the trustees’ meeting agenda.
Importantly, smaller charities whose gross income is less than £250,000 do not
have to report on risk management at all. If they do so it will be on a purely
Some commentators have exaggerated the scope of these requirements, stating that
they represent a major extension of trustees’ roles. As with all aspects of the operation
of charities, risk management needs to be considered in the context of trustees’
fundamental responsibility to protect the property of the charity and to secure its
proper application on the Objects of the charity. The specific statutory duty to report
on risk matters is only a small aspect of the general responsibility for the prudent
management of a well-run charity. Aspects of this are referred to in the Charity
Commission’s booklet CC60, “Hallmarks of a Well-Run Charity”, issued in March
We therefore set out below a practical process to manage risks that will apply to all but
the simplest or the most complex charities. This will assist in directing the affairs of
the charity in an orderly and efficient manner, and also enable the risk reporting
requirement of the SORP to be met.
Charities do not have to adopt any specific approach to risk management. In
particular the Charity Commission, whilst believing there is a need for trustees to
comment on their management of risk, has not provided any specific guidance in this
area. It is therefore up to each charity to decide the best approach for its own
particular circumstances. In deciding what process to adopt there are a number of
factors worth considering.
1. Charities should beware of adopting commercial models of risk management.
For example business transactions are generally characterised by the
involvement of two parties, customer/provider, manufacturer/retailer, etc.
However, there are often one-way transactional relationships in charity
operations – donors, beneficiaries. Most commercial models do not recognise
this. In addition, commercial organisations are primarily concerned with
shareholder returns and value, whereas charities tend to be driven by the
social value of their work. Charities must also be aware of the balancing of
needs of both current and future beneficiaries.
2. The assessment of major risks does not apply just to financial matters but all
aspects of the operation of a charity. It is therefore essential that all parts of
the organisation are involved in risk management, not just the finance
3. Two practical approaches used in risk assessment are ‘top down’ and ‘bottom
up’ techniques. The top down approach to risk management considers the
organisation as a whole taken from the viewpoint of the Board, and seeks to
identify the risks that exist in each part of it. The bottom up approach utilises
key groups within the organisation focusing on the risk concerns in their area
of operation. Using a risk framework, this data is aggregated to give an
assessment of risk at an organisational level.
In the charity sector the top down approach is in most cases the best one. This
approach reflects the governance framework in which trustees have ultimate
legal responsibility for all the charity’s affairs, with day-to-day operations
delegated to an executive management team.
4. Having identified and profiled risks, commercial organisations will often
consider these together as a portfolio of risks. A negative risk in one area of
operation may cause a positive effect in another. Many charities are not as
complex as this, and therefore this may not be an important consideration.
This concept should not, however, be ignored, as there are some instances
where this may be the case. For example, in a national organisation reduced
central government funding may go hand in hand with increased support via
Compound risks may also exist where an event or activity in one area has
knock-on effects throughout the organisation. For example, an operational
problem could affect the charity’s reputation and thereby impede fund raising.
For charities that may have these complex interlinked risks it is important that
the risk model they adopt addresses these scenarios.
Key stages in risk management
We suggest a five-stage approach to the risk-management process.
Risk policy → Identification → Assessment → Mitigation → Monitoring
a) Risk Policy
It is too simplistic to assume that the environment in which charities operate,
particularly bearing in mind trustees’ individual liability, predetermines a risk-averse
approach. The trustees of each charity are likely to have a different view of the level of
risk that is acceptable for their own operations. The first stage in the risk management
process is to agree on this policy.
Integral to this process is defining for the charity what would be considered a major
risk, which in essence is one that could potentially cause significant impairment in the
achievement of the charity’s objects. It is useful to adopt this as a preliminary
‘benchmark’ for filtering those risks worthy of consideration, to avoid being
overwhelmed by potential but in reality insignificant risks.
It is also important to specify responsibility for risk management processes. Whilst
trustees retain the ultimate responsibility, in many charities the detailed consideration
and review of procedures will be delegated perhaps through a sub-committee
structure to senior management.
b) Risk Identification
Risks are identified by looking at key aspects of the charity, focusing initially on factors
significant in the achievement of its charitable objects and its overall mission and aims.
At this stage no value is placed on these risks. For example, the potential impact or the
likelihood of occurrence are ignored.
There are various ways to reveal the potential risks facing a charity. For example,
“brainstorming”, facilitated discussions or a questionnaire, involving a group of both
trustees and senior members of staff.
It is possible to utilise traditional analysis techniques such as:
• SWOT (Strengths, Weaknesses, Opportunities, Threats)
• STEEPLE (Social, Technological, Economic, Environmental, Political, Legal, Ethical)
• Scenario analysis
These are useful devices to focus attention on the key factors affecting the charity.
Many charities consider such matters in their strategic planning processes or in
developing internal audit needs assessments, hence risk identification may not be a
major exercise to undertake. As well as these types of techniques it is often helpful if
identified risks are grouped into risk families that have common risk characteristics.
Our model categorises risks into nine broad “themes”. We have used an activity-based
approach, as this reflects the organisational structure generally operated in the sector.
These themes are likely to be appropriate for the majority of charities, but where
necessary should be amended for particular circumstances and issues.
[Diagram of the model’s nine risk themes; only the labels “Objects/Mission Risk” and “Human Res…” are legible.]
We set out in Appendix A example risks within each of these themes, as a guide to
matters that should be considered. Risks will however be different for each charity,
hence this should not be seen as a comprehensive list of all risks that could be
c) Risk Assessment
The results of risk identification are assessed in terms of incidence (probability) and
impact (severity). A typical approach is for this to be considered graphically using
some form of risk mapping technique (see below). This enables meaningful
conclusions to be placed on the risks identified. Applying a simple mathematical
formula results in a ‘score’ for the risk. For example the range of risk scores possible
under a low/high assessment are:
Impact   x   Incidence   Risk Score
Low      x   Low         Low
Low      x   High        Medium
High     x   Low         Medium
High     x   High        High
Where appropriate, more complex statistical or mathematical models could be used.
For example, to predict the possible impact of relatively random events, techniques
such as Monte Carlo simulation (a technique for attributing probabilities to apparently
random events) or actuarial projections may be helpful. Actuarial involvement may be
helpful for some charities in determining future demand on the charity’s services from
its beneficiaries. In view of the cost involved, these approaches are only likely to be
adopted where the events are potentially very significant.
Risk mapping is a commonly used and straightforward way of presenting risk assessments
in a graphical manner. The traditional risk map portrays risks using two factors, “impact”
and “incidence”. These normally form the two axes on a risk graph. In a simple map each
factor can be rated either low or high. The graph is then split into four quadrants as shown
below. The graph also indicates the typical mitigation responses to the possible spectrum
High impact / low incidence:
  • Mitigate through reducing severity, e.g. insurance
High impact / high incidence:
  • Mitigate by reducing severity and frequency
  • Possibly avoid
Low impact / low incidence:
  • Monitor only – not cost effective to
Low impact / high incidence:
  • Mitigate through reduced frequency
Charities will need to determine the level of precision required when setting a scale to measure risk.
The options for this are wide – for example three typical precision levels that may be used are:
I. Low/Medium/High or Green/Amber/Red
II. Five factors – Minor/Low/Medium/High/Critical (impact) or
III. Percentages i.e. between 0% and 100%
d) Risk Mitigation
Having identified and assessed the major risks faced by the organisation, these can then be
considered by priority. There may be a variety of approaches to resolve or control risk.
Reduce: Establishing controls to reduce either the frequency or impact of the risk is often the
normal and best response to risk mitigation. For example, a purchase order system may have a
hierarchy of approval levels according to the magnitude or type of expenditure concerned.
Avoid: Some risks it is best not to take on, and therefore the risk strategy is to avoid them by not
carrying out the activity that may cause them. For example, a local authority contract may impose
onerous conditions on a service-providing charity and should not be entered into.
Accept: Where the risk is considered unavoidable, but it has been assessed as an inherent aspect
of the activity, the most appropriate approach may be to accept that such risks may occur, and if
they do they will have some impact on the charity. For example, an international relief charity
may be exposed to exchange rate fluctuations, which it chooses not to protect through currency
options or forward contracts.
Transfer: Usually risk transfer is associated with contracts of insurance. Other ways are possible,
such as outsourcing, entering into joint ventures, or debt factoring. An accurate assessment of risk
may justify an increased retention within the organisation and a possible insurance premium saving.
Price: Although uncommon in the charity sector, it is possible to increase the price of a product or
service if the perceived risk in its provision is higher than normal.
Exploit: Whilst many trustees may be highly risk-averse, in some cases some degree of higher risk
may be exploited where it is accompanied by the potential for higher return. Clearly, trustees
cannot safely take this to excess, as they must act prudently in the charity’s affairs in order to
satisfy the duty of care imposed by charity law. A typical example of this is structuring a balanced
investment portfolio that reflects the need for an income stream as well as capital growth.
Once the approach to mitigating each significant risk has been established it is important that this is
appropriately recorded. The usual format for this is a Risk Summary or a Risk Register. This sets
out key aspects of the risk process using an appropriate notation. An example risk management
summary is set out in Appendix B. This is a simple form of risk register that will be appropriate for
Horwath Clark Whitehill has also developed a software package to assist in documenting the risk
process and recording risk management strategies. This may be appropriate where more formal
presentation or control of risk processes is needed or where the charity’s operations are relatively
complex. It may also be suitable where formal linkage is required between risk management and an
internal audit function.
It is important to recognise that there is a limit to the effectiveness of any risk mitigation strategy.
The very nature of risk means that you cannot adequately plan for the unknown, hence any system
can only provide reasonable but not absolute assurance of its aims. Risk mitigation will reduce the
gross level of risk to a net level. Charities must then be prepared to accept a tolerable level of
residual risk that it is uneconomic or unrealistic to remove.
Set out below is a projected analysis of the relationship between the cost of risk versus the cost of
[Chart: “Cost of risk vs cost of risk management”. The horizontal axis runs from acceptance of risk to
risk aversion; the two curves plotted are the cost of risk and the cost of risk management, and the
point marked “Optimum risk” lies between the two extremes.]
This inverse relationship demonstrates that for most organisations it is best to balance the relative
cost of risk with the cost of risk management. The opposites of a cavalier acceptance of risk and
stringent bureaucracy are highly unusual, though it should be recognised that an inclination to
these extremes may sometimes be appropriate. For example, charity hospitals may insist on high
levels of clinical excellence at considerable cost, and strict regulation of participatory fund raising
events such as bungee-jumping may be necessary to preserve the life and health of those involved.
Alternatively, some international charities in order to achieve their objectives are forced to work in
countries that are politically unstable and where the physical dangers to charity staff are great.
Risk management monitoring and integration
It is all too easy for the risk management process to become just an annual exercise, carried out
merely to meet external reporting requirements. But, as most well-run organisations have already
realised, risk management should be integrated, or “embedded”, into all operations of the charity.
There are a variety of ways of ensuring that risk considerations are embraced into the culture of the
organisation. For example, risk awareness training can be provided to trustees and senior members
of staff or individual managers could be given responsibility for ensuring that risk is considered in
the area under their control. Another approach is for all project proposals to formally address risk
issues, in the same way as one would require the financial considerations of a new project to be
addressed at the planning stage.
Risk management also needs to be responsive to changes. Hence there need to be formal
mechanisms for reporting to senior management new risks that arise, as well as highlighting failures
in controls. Learning from one’s mistakes is seen as an admirable trait. Similarly, where a problem
occurs or a control fails in an organisation, it is important that the system encourages openness so
that appropriate action can be taken to remedy the weakness and to mitigate any resultant loss.
A typical risk register will include formal actions and reporting processes for individual risk areas
that occur throughout the year. The Board should receive regular updates on these areas as well as
obtaining a formal annual assessment of the organisation’s risk management processes. Having
done this the Board will be able to make the required comments in the trustees’ annual report.
Having emphasised earlier that risk management must go further than just considering financial
matters, it is realistic to recognise that it will often be the finance team who will be the prime
drivers in this process.
This is appropriate – accountants by training have the key skills needed to undertake risk
management successfully. These include investigative and analytical skills, and the understanding
of clearly documented processes.
Trustees
Trustees have overall responsibility for the establishment of a robust risk management system and
for reporting explicitly on this in the trustees’ annual report. Having set risk management policy in
conjunction with senior management, trustees can normally expect other risk processes to be
undertaken by managers subject to approval of actions and results by the Board. Appropriate
information in order to assess processes should be provided to the trustees throughout the year
and in particular summarised on an annual basis to provide supporting evidence for the statement
made in the annual report.
Audit or Finance Committee
The governance structure of many charities involves an audit or finance sub-committee of the
Board considering financial and operational matters in greater depth than the full Board. Whilst
issues concerning objects and mission should be the domain of the Board, other risk management
matters can be delegated for examination by the committee.
Risk research and investigation will generally be delegated to senior management of the charity,
together with the day-to-day risk-management systems. Information will need to be prepared by
management on a regular basis for trustees to consider the effectiveness of risk management.
One size does not fit all
Smaller charities may find some aspects of the risk management process rather daunting. This
need not be the case. For example, reporting on risk is only required by the Charity
Accounting/Reporting Regulations for ‘larger’ charities. Charities below the threshold for
preparation of a detailed annual report, those whose gross income is less than £250,000, do not
have to report on risk. Their annual reports need only include a brief summary of the activities and
achievements of the charity during the year.
Those charities that do need to comply with the detailed annual report requirements, but whose
operations are relatively simple, may undertake all risk considerations themselves, perhaps using
guidance such as ours as their template.
A few larger or more complex charities will require outside assistance from professional advisers.
The extent of this may range from assistance with part or the entire process, provision of specialist
risk management software, or integration with an internal audit function. It is important that
charities do not feel coerced or compelled to seek wide-ranging professional assistance unless
circumstances demand this level of support.
Recommended Accounts Disclosures
As noted above, disclosures relating to risk management will in future be made in charities’ annual
Trustees’ Reports. The difficulty for trustees is deciding the level of detail to include.
The Charity Commission issued seven sets of example Trustees Report and Accounts to
accompany the Charities SORP 2000. These possibly provide an indication of the minimum level
of disclosure that the Commission would find acceptable. However, it is important to bear in mind
that the Charity Commission is looking for guidance to be developed on all aspects of risk
management by the sector itself.
It is interesting to note that the risk disclosures in each example, whilst differing for the size and
complexity of each organisation, all refer to the basic SORP requirement of confirming that the
trustees had undertaken a review of major risks and that systems had been established to mitigate
Whilst rigid adherence to the SORP requirements will meet the minimum disclosure requirements,
for many charities best practice would encourage greater transparency regarding their approach to
risk management, which goes beyond the minimum required under the Charities SORP and the
Accounts/Reports Regulations. Risk management should be a process that is unique for each
charity. Therefore, a standardised or ‘boiler plate’ approach to disclosure must be inappropriate.
We recommend the disclosure covers the following key elements:
1. Acknowledgement that risk management is the responsibility of the Board of Trustees
In all cases it should be emphasised that ultimate responsibility for risk
management lies with the Board. However, in many instances detailed
considerations will be delegated to sub-committees or senior managers. It is
therefore helpful to indicate membership of such committees (often the Audit
Committee), and give a broad outline of their terms of reference. An indication
of the Board’s overall policy on risk could also be provided.
2. Describe in overview the risk assessment process undertaken
Whilst in most cases it will not be either appropriate or necessary to explain in detail how
the charity has addressed risk management, giving an overview of the methodology used
will provide reassurance that the trustees have adopted a reasonable approach. For
example, how risks have been identified and assessed, indicating whether external
professional advice has been sought.
3. List the key internal controls and assurances adopted
A summary description of the key systems of internal control used to mitigate risk
should be included. Typically this will incorporate reference to financial
management processes, such as budgeting, strategic planning, management
information systems and monitoring of financial performance. Key operating
controls may be referred to if desired, such as formal financial procedures
manuals, agreed approval/authorisation processes, and segregation of
responsibilities, but without going into details. Where appropriate treasury
management controls may also be important, hence brief comments could be
made about cash management systems and foreign exchange controls. The broad
nature of governance arrangements should be set out, with sufficient explanations
that enable the Board’s effectiveness to be demonstrated.
4. Comment on mitigation of major risk
This represents the trustees’ statutory statement on risk management.
Confirmation may be given that those major risks identified by the processes
detailed above, have been examined and controls introduced where necessary to
mitigate those risks. It should be emphasised that these controls can only provide
reasonable but not absolute assurance that risks have been adequately mitigated.
The level of detail required in each of these four sections will vary according to the size and nature
of the charity. The key aim is to demonstrate not just that the trustees have considered the risk the
charity faces, but that the affairs of the charity are managed in a prudent and effective manner –
assuming that is the case!
We are aware that trustees are wary of making statements on risk management that are too bold
and open to future criticism should problems occur later. This is understandable, hence it may be
appropriate for some charities that their comments should focus on processes adopted rather than
the outcome or effectiveness of risk management.
External audit reports
Some charities have been concerned about the reaction of their auditors to their risk management
processes and their ability to report in accordance with the Charities SORP 2000. In this regard it
is important to recognise that auditors only consider matters disclosed in the Trustees Annual
Report to ensure there is nothing that is inconsistent, misleading or in conflict with the
information in the audited accounts.
Where trustees are unable to report full compliance with the risk management disclosure
requirements of the Charities SORP, there should be no need for the auditors to comment on this
matter in their report, as long as the trustees do not make misleading statements about the risk
processes that are undertaken, perhaps limiting themselves to indicating that they have started
active implementation of formal procedures that would enable fully compliant risk-mitigation
reporting in future years.
If a charity has yet to commence any formal risk management activities then it may not be
appropriate for the accounts to state that they have been prepared under the 2000 Charities SORP
and Regulations; instead they should continue to comply with the 1995 versions until the necessary
preparations for compliance with SORP 2000 have been completed.
Inevitably, this brief guide is unlikely to address all the issues that will concern charities as they
consider risk management and the disclosure requirements of the Charities SORP 2000. The key
message we would wish to impart is that trustees should not be overly concerned about the new
requirements, although some attention will be required to ensure that risk management procedures
are adequately formalised. For most charities the process should not be too onerous and, through
operating improvements, may result in the better achievement of the charity’s objectives. A
worthwhile aim indeed!
For more information on any matters in this guidance contact Sudhir Singh or any
other member of the Charities Unit at Horwath Clark Whitehill.
25 New Street Square
London EC4A 3LN
Telephone: 020 7353 1577
Fax: 020 7583 1720
Example Risks by Risk Theme
Set out below are example risks within the overall themes of the Horwath Clark Whitehill
risk model. These are intended to be indicators of typical issues to consider when
identifying potential risks rather than a comprehensive checklist. This is particularly the
case in the area of operational processes, where each charity must consider the matters
relevant to itself.
§ The Charity’s aims and objectives do not fit within its governing document
§ Activities and future developments restricted by objects
§ Objects or powers not clearly defined in governing document
§ Mission statement lacking, poorly defined or misunderstood
§ Ethos and values unclear
§ Mission/Vision not reviewed regularly
Charity Law and Regulation
§ Failure to operate within charitable objects and powers
§ Breach of statutory requirements (e.g. Charities Act – Property transactions, fund raising
§ Failure to meet statutory reporting requirements (Annual Report and Accounts, Annual
§ Use by Charity Commission of statutory investigatory powers
§ Breach of trust over use of restricted or endowed funds
Governance and Management
§ Board recruitment policy and procedures are not appropriate or adequate
§ Trustees insufficiently aware of the charity’s objects and its legal powers
§ Term of trustee appointments ineffective
§ Board size unwieldy
§ Decisions of the trustees not adequately recorded
§ Board skills insufficient or inappropriate
§ Responsibility of individual Board members not clearly established
§ Lack of Board development
§ Board effectiveness not reviewed
§ Failure to identify potential conflicts of interest
§ Inadequate beneficiary/user influence or representation on Board
§ Board meetings irregular or poorly attended
§ Lack of annual agenda and timetable for Board activity
§ Trustees’ role ill defined
§ Terms of reference of sub-committees insufficiently well defined
§ Relationship between trustees and senior staff poor
§ Reporting to trustees inadequate
§ Board agendas/papers inadequate or not timely
§ Problems with senior management team (supervision, communication)
§ No succession planning for key Board or senior management positions
§ Chief Executive performance not appraised
§ Dominance of key individuals (staff, trustees, founder)
§ Lack of business and development planning
§ Adequate strategic plans not prepared
§ Users/beneficiaries/Staff/Trustees/Stakeholders not sufficiently involved in preparation
of strategic plans
§ Strategic plans lack clarity, structure, measurable targets
§ Strategic plans not properly implemented
§ Progress against strategic plans and actions not monitored
§ Charity’s policies, rules and standards not formalised or readily available
§ Change in political climate regarding charities
§ Charity Commission revised definition of charitable activity
§ Changes in charity taxation
§ Revision to VAT regulations
§ Change in local authority or central government approach towards beneficiary group
§ Demographic/social changes
§ Acts of God
§ Decline in public perception of charity
§ Interest or inflation rate changes
§ Impact on reputation of event, fraud, accident, media coverage etc
§ Contractual difficulties with key suppliers or service providers
§ Safeguarding assets (insurance, maintenance etc)
§ Physical security of staff/beneficiaries/users
§ Poor relationship with beneficiary groups
§ Lack of written policies and procedures
§ Failure to regularly review policies and procedures
§ No fixed asset register or facilities management system
§ Legal title to assets unclear
§ Intellectual property rights not safeguarded or not appropriately exploited
§ Inadequate disaster recovery/major incident policies and procedures
§ No formal project planning and approval procedures
§ Incorrect or inaccurate advice given to service users
§ Undue influence by key funder, donor, customer, contractor etc
§ Breach of contract with funder
§ Transaction with trading subsidiary not undertaken at arm's length
§ Trading Subsidiary not properly funded
§ Political campaigning undertaken outside the Charity’s objects
§ Poor or incorrect advice provided to charity service user
§ Failure to comply with operational regulations (Data Protection Act, Money
Laundering Regulations, Fire Safety, Food Standards, etc)
§ Poorly designed key performance indicators
§ Loss of key members of staff or trustees
§ Poor recruitment procedures
§ Difficulties in recruiting and retaining staff
§ Failures in staff vetting procedures
§ Poor staff morale
§ Staff stress or ill-health
§ Inadequate staff appraisal and development
§ No formal organisation structure
§ Inadequate segregation of responsibilities
§ Communication channels poorly defined
§ Lack of formal employment contracts
§ No written job descriptions
§ Volunteer terms/responsibilities lack clarity
§ Dependence on key individual
§ Lack of succession planning
§ Unclear or lack of employment terms and conditions
§ Inadequate disciplinary or grievance procedures
§ No whistle-blowing policy
§ Failure to operate equal opportunities
§ Breaches of employment rights, health and safety at work, working time
directive, Minimum Wage etc
§ Staff lack experience or training
§ Poor working practices – discrimination, bullying, etc
§ Inadequate pensions provision for employees
§ Impact on local environment (pollution)
§ Cost of environmental pollution clearing
§ Increased regulation regarding waste management
§ Failure to obtain planning application consents
§ Breach of regulations on Professional fund raising, commercial participators or
public charitable collections
§ Failure to control fund raising activities
§ Lack of control over fund raisers, ‘Friends’ and supporters groups
§ Weak fund raising plans and policies
§ Failure to meet fund raising targets
§ Fund raising database poorly controlled
§ Unplanned tax liabilities on fund raising events
§ Activities of professional fund raisers insufficiently controlled
§ No formal agreement with commercial participators
§ Lack of formal investment policy approved by trustees
§ Unauthorised or unclear delegatory or discretionary powers given to
§ Investment in an unauthorised investment
§ Ethical investment criteria adopted outside the Charity’s objects
§ Failure to adequately monitor investment manager performance
§ Inadequate custodianship protection of investments
§ Lack of diversification in investment portfolio or cash holdings
§ Unauthorised or uncontrolled investment pooling
§ Stock market turbulence or decline
§ Poorly designed or defined performance benchmark
§ Failure to achieve benchmark returns
§ Weak procurement policies and procedures
§ Inadequate purchase order authorisation or approval limits
§ Deliveries not matched to purchase orders
§ No purchase ledger or centralised procurement function
§ Lack of formal tendering policy
§ Payroll payment processes insecure
§ Failure to comply with employment tax requirements (tax, NIC, etc)
§ Fictitious employees on payroll
§ Incorrect tax or deduction rates used
§ Insufficient control over functions outsourced to payroll bureau
§ Non-compliance with tax legislation
§ Changes in industry standards
§ Failure of key software/hardware
§ Weak systems selection and implementation procedures
§ Lack of disaster recovery planning
§ Obsolescence or withdrawal of support to existing systems
§ Contractual or other problems with IT suppliers
§ Poor system access controls
§ Inadequate user support or training
§ Weak or ineffective financial controls
§ Systems and controls not operating as intended
§ Written financial procedures poor or non-existent
§ Inappropriate authorisation and approval processes
§ Inadequate financial planning and forecasting
§ Capital expenditure plans lacking
§ Charity assets not adequately safeguarded
§ Inadequate insurance cover
§ Inefficient or ineffective treasury management
§ Inability to meet financial obligations as they fall due (going concern)
§ No timely financial planning or management information
§ Inadequate cash flow management
§ Unprotected exposure to foreign exchange movements
§ Insufficient long term committed funding
§ Lack of financial supervision by Board
§ Statutory accounts not prepared in accordance with legal requirements
§ Qualified external audit report
§ Unplanned tax/PAYE/VAT liabilities
§ Failure to implement auditors’ management report recommendations
§ Inadequate scope of internal audit function
§ No direct communication lines between internal audit and trustees
(audit/finance committee etc)
§ Lack of control over outsourced services
§ Formal reserves policy not established or infrequently reviewed
§ Inadequate fund accounting
§ Poor management information systems
§ Unauthorised non-charitable trading
Simple example risk management summary

| Overall Risk Area | Risk Factor | Risk Likelihood (Low/Medium/High) | Risk Impact (Low/Medium/High) | Overall Risk Assessment | Control procedure | Retained Risk | Individual Responsible | Monitoring Process | Further Action Required |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Governance and Management | Trustee Board effectiveness not reviewed | Low | High | Medium | Annual review of Trustee Board | Low | Board Chairman | Annual Trustee Board | None |
| | No timely financial planning | Medium | High | High | Annual timetable for preparation of business plan and budget | Low | Finance Director | Approval of business plan and budget by trustees in February | None |