Risk management is any activity undertaken to identify and control organisational risk and should be central to the Board's and Trustees' strategic management plan.
The impact and likelihood of risk are an everyday part of an organisation’s activity. Managing operational risk is essential if the organisation is to achieve its key objectives and safeguard the future.
From the Chief Executive Officer and Chief Financial Officer to the Board and Trustees, senior management should set a risk framework that allows the organisation to:
- identify the risks (threats and opportunities)
- make decisions about how to mitigate and control the major risks
- decide if a contingency plan is appropriate
- monitor, review and implement actions to support the management of risk
A key responsibility of Boards and Trustees is to review the risks they face and decide how best to manage them.
This may have been undertaken by the Board or the Trustees as an annual exercise. Experience suggests that organisations must now be prepared to invest more time than ever in thinking about risks and managing them.
Managing risk is an everyday part of any organisation's activity, and it is essential if senior management, Board members or Trustees are to achieve the organisation's key objectives. To solve complex issues and meet the organisation's changing needs, organisations must have an appetite to take a certain amount of managed risk. This guidance is certainly not intended to result in all risks being eliminated; instead, risks must be managed and monitored to ensure that they remain within the tolerance accepted by the Board or the Trustees.
What is risk management?
By managing risk effectively, the Board or the Trustees ensure:
- risks are known and monitored, enabling informed decisions and timely actions
- the organisation engages with opportunities and develops them with the confidence that risks will be managed
- strategic planning is improved
- the organisation’s key goals are achieved
The types of risks an organisation faces will depend very much on the size, nature and complexity of the activities undertaken, although there are inevitably common themes. As a general rule, the more extensive, complex or diverse an organisation's activities, the more difficult it will be for the Board or the Trustees to identify the risks and put the correct systems in place to manage them. For this reason, the risk management process will always need to be tailored to fit the circumstances of the organisation if it is to be effective.
Identifying risk should be integral to the strategic direction, business planning and budget setting. The organisation’s Board members or Trustees should ask:
- What external and internal threats and opportunities might prevent achieving key goals?
- What would be the Impact?
- Are there any steps that can be taken to control and mitigate the threats and opportunities?
Many organisations find it helpful to think about the risks in the areas of:
- Financial risk – the loss or gain of revenue, such as grants for charities or contracts for businesses
- Operational risk – loss of key personnel, loss of office or activities due to fire, lack of supplies
- Corporate Governance – the inability to recruit sufficiently competent and suitably skilled people for leadership roles such as Board member, individual Trustee, or senior executive with extensive experience
- External risk – examples may fall into the six areas of PESTLE – Political, Economic, Social, Technological, Legal and Environmental factors
- Reputational risk – arising from data security losses, health and safety issues, legal proceedings, etc.
- Compliance risk – arising from non-compliance with legislation, including GDPR, employment and other laws
Having identified the key strategic risk areas, Board members and Trustees must consider prioritising the individual risks and the actions necessary for effective risk management.
Various models are applied, although a traditional “scoring” of Likelihood and Impact is still the most commonly used, particularly on a Risk Matrix. The Impact is considered in the context of both the financial Impact and the Impact on the organisation’s reputation. The result indicates those risks which require the most significant focus and the risk management approach to be adopted.
Often, these Inherent Risks are colour-coded red (High), amber (Medium) and green (Low). This traditional approach is known as the Red, Amber, Green (or RAG) rating. The problem with this approach is that Boards and Trustees may assume that red risks are bad and green risks are good; without an understanding of the organisation's risk appetite and risk culture, this can lead to the wrong response.
After risk identification, risk assessment and prioritising the emerging risks, the next step is to decide whether to accept the risk, take action to control or mitigate the risk, pass the risk to a third party, for example, through insurance, or stop certain activities to avoid the risk. Once the actions are identified, a score can be attributed to the Residual Risk.
Where actions are identified, a Risk Owner must be allocated and held accountable for maintaining oversight. This step in the process is still often missed. Without it, an adverse movement in the risk (due to a change in the Impact or Likelihood) can go unnoticed, resulting in late or no action. Without a Risk Owner, for example a Trustee, Board member or senior management figure in the organisation, it is challenging to monitor the risk actively.
Risk management must be a continual process to remain effective with the pace of change in the 21st century.
Day-to-day activities will result in new risks, and existing risks will become more or less significant – often over relatively short periods.
Therefore, for an effective business strategy, the Board or the Trustees must consider, review, monitor, report and communicate risks regularly, within a well-established risk management framework, to ensure they can respond effectively and remain focused on delivering the organisation's strategic objectives.