Risk management

Most charities have been undertaking risk assessment for some years. However, for many the process of listing risks and ranking them has taken up too much of the time. Your risk register may not seem relevant to day-to-day management and it has gone stale. Sayer Vincent can help you to refresh your risk management processes and make them relevant to trustees, managers and staff at all levels.

Our approach treats strategic risks and operational risks differently.

Operational risks are more often internal risks and predictable, therefore you can do something to manage them. You then need to ensure that the management actions are actually implemented and are effective.

Managers identify and map key risk areas, with the policies, procedures and controls they have in place and map those to a controls map in our framework. The framework works when viewed as a portfolio – the aim is to ensure that you have a balance between different types of controls and that you are covering all the main risks. Managers then “sign off” on their control map annually, clarifying that assurance is their responsibility.

Strategic risks are likely to be the big issues such as reputational risk, or the risk that the organisation will fail to deliver on a major strategic aim. They are also likely to be external issues with high impact which you cannot control and therefore you have to consider how you will respond to them if they happen. A good risk assessment process will analyse these risks to get to the root cause and then consider appropriate management responses. It is harder to assign specific responsibility for strategic risks as they are likely to be very high impact or pervade all parts of the organisation.

Senior managers develop a strategic risk register consisting of the high impact risks and the ones considered most important. Existing controls and actions to manage those risks are identified and then further actions added where considered necessary. With an emphasis on managing risks, it is likely that managers will have to develop responses to external risks. Although strategic risks need to be managed across the whole organisation, it is useful to identify the lead person who is responsible for developing further control actions.

Strategic risks and planned responses should be regularly reviewed, while operational risk can be reviewed annually unless there is a change in operations. Internal audit or peer review can check the effectiveness of the controls and management actions in place.

The benefits of this approach is that effective risk management is the objective and managers can focus on the areas of risk relevant to their role and within their zone of responsibility. It means that managers are more engaged in risk management at all levels.

Sayer Vincent can help your organisation to establish an approach that fits with your own planning processes:

Session with trustees and senior managers to develop the risk policy of the organisation and agree the organisation’s approach to risk management
Workshop sessions to launch and explain the approach to managers
Individual coaching to support middle managers to develop operational risk maps
Support for senior managers to develop the strategic risks

From these activities you can develop the level of skill of all managers as well as articulate a risk policy which is consistent with the overall purpose and strategy of the organisation. Managers at all levels will accept and own the risks they are responsible for.

“Working with Sayer Vincent has helped us to realise that risk management is a useful management tool, not just a matter of compliance. We now have a strategic risk register which we review every six months and a practical approach to operational risks which is effective at the day to day level.”

Sara Clarke, Chief Executive, Jewish Community Housing Association.