Risk Management and Insurance

The responsibility of managing and controlling a charity means a trustee's involvement in the risk-management process is essential. Poor risk management reflects badly on both trustees and their charity and leaves them in a position of vulnerability (and potentially facing allegations of negligence) when something inevitably goes wrong. Even when nothing does go wrong, allegations alone incur costs.
By following these three steps, trustees can create a simple but effective risk-management strategy that will minimise the chances of something going wrong during their tenure.

Step 1: allocate responsibilities to individuals

Different charities face different risks depending on their finances and the complexity, size and nature of the activities undertaken. This means trustees need to recognise that the risk-management process should be tailored to fit the circumstances of their own specific charity. However, it’s impossible for a trustee to appreciate the intricate risks facing an IT system, for example. By allocating risk-management responsibilities to an individual in each ‘department’, the charity can benefit from their specialist knowledge of systems and processes, and of their weaknesses, to identify the risks facing them.
It is important to note that the ‘size’ of the charity does not always reflect the risk or potential exposure.

Step 2: identify the risks

Anything that could prevent your charity achieving its aims or carrying out its strategies is a risk. The types of risks your charity might face will depend on its size, funding and activities, among other factors.
Risks your charity may face include:
- damage to its reputation
- receiving less funding or fewer public donations
- losing money through inappropriate investments
- external events & activities – increased exposure to allegations or failure to manage, control or operate
It is often a matter of common sense – for example, maintaining a safe environment for visitors and staff to work in – but a trustee should consider what needs to be done if a serious event does take place. This could be anything from a major computer malfunction that breaches confidential service-user data, to a physical disaster such as a flood or fire. 
Identify any potential risks that could prevent your charity from meeting the needs of its beneficiaries, and put processes in place to assess and manage those risks. The diagram here details some of the risks and the knock-on effects they can have on a charity’s operations.

Step 3: insuring against the unforeseen

Insurance plays a big part in risk assessment; some risks are insurable but others are not. For example, insurance is available for injury claims at public events, but not for 'trade risks' such as lack of ticket sales due to inadequate promotion. Generally speaking, however, the majority of ‘obvious’ risks can be insured against:
- Professional indemnity insurance can protect against allegations of negligent advice.
- Trustee liability insurance can protect against allegations of wrongdoing by trustees.
- Public liability insurance can cover against injuries and illness suffered by members of the public.
- Employers’ liability insurance can protect against injuries and illness suffered by employees (and usually volunteers).
- Fidelity cover can protect against loss of money or goods arising from fraudulent acts by employees.
- Data/Cyber liability insurance can cover the cost of restoring loss to business income or reputation caused by damage to computers and computer networks. Data leaks and data losses can lead to PR nightmares.

How to manage risks

You are not required by law to have a risk management process for your charity, nor to follow a particular method. However, the Charity Commission strongly recommends that you have a clear risk management policy and process. This will help you identify and manage all types of risks, and embed risk management into your charity’s work.
The Charity Commission’s detailed guidance on risk management sets out the basics of dealing with risks. It includes a risk management model made up of the following steps:
1. establish a risk policy
2. identify risks
3. assess risks
4. evaluate what action to take
5. review, monitor and assess periodically
The model includes a heat map grid – this is one way to assess the impact each risk could have on your charity.