Q: My charity's risk management process needs a revamp. What's your advice?
A: I have participated in numerous risk management meetings and I confess to having fallen asleep in approximately 50 per cent of them; the remaining 50 per cent were saved by some highly caffeinated coffee. However, since becoming chair of a risk committee myself, I am now a complete convert and have many tools to share with you to reinvigorate the process within your charity.
I am sure you already have in place the basics of identifying key risks and grading them for likelihood (L) and impact (I). After scoring each risk (LxI) you can prioritise by simply listing them in order, using a RAG (red/amber/green) rating or a tool such as the Johari window. Add sections for mitigation plans - who is responsible for each area and a review date - and you have the starting point for your management process.
Here's the difficult bit. Your challenge is identifying the risks without ending up with a list of the obvious ones only - "failure to reach target" for example - and capturing the ones that really matter. Arguably, once something is on a risk register, everyone can relax, knowing that things are in hand. What we need to worry about are the unknown risks.
How can you do this? The most important contributory factor is developing a culture in your charity where risk is seen as everyone's responsibility, whatever their level.
Even people not used to the technicalities of risk management respond well to questions such as "what keeps you awake at night?", or even "what is the editor of our local newspaper hoping will happen to give her a front page story?"
You might also think about how you can try to balance personal responsibility with having a no-blame culture. Learning from mistakes is a good way to populate your risk register.
Just as important, however, is making risk management an interesting, living issue, not just a piece of paperwork that needs completing so you can tick a box at appraisal time. Think of how you might encourage innovation in your charity through things like lively meetings, awards and prizes, and apply these tactics to risk management.
Finally, there is the issue of how your trustees govern risk management. The risk register should be a scheduled board agenda item at least once every year, and trustees should consider doing an occasional 'deep dive' - a time when they ask one of the organisation's executives to give them chapter and verse on a particular issue.
If you are not large enough to have an internal auditor, trustees should request a programme of spot checks to show the process is working in practice.
Valerie Morton is a trainer, fundraiser and consultant
- Send your questions to Valerie.Morton@haymarket.com