When I see a negative story in the press about a charity, I always wonder whether the issues uncovered had been on the charity’s risk register. I am guessing that the answer is usually "no". This is not necessarily because of a failure in governance – it is more likely to be a failure in our processes to help us manage risk.
Risk registers can be helpful for providing discussion points and raising awareness of issues, but they also have flaws. Chief among these is a fundamental misunderstanding that the purpose of risk management is to eliminate risk. People prepare risk registers thinking that they need a complete list of all the possible risk events that could affect their organisation. This is flawed because it is impossible – we cannot possibly think of everything. The first change is to clarify that the purpose of risk management is to help the organisation achieve its strategic objectives.
Typically, risk registers rank the risks for probability and impact. This is subjective scoring, and one person’s high likelihood will seem improbable to someone else. We know from Nobel Prize-winner Daniel Kahneman that we are over-confident in decision-making and in judging our own abilities. This is evidenced in risk registers, when many risks that are ranked as "unlikely" become reality, to the surprise of most people involved. We are poor at assessing likelihood. Impact is also difficult to assess unless you have defined the risk narrowly. The financial impact might be low, but the reputational impact high, so ranking risks is difficult if you have only one impact measure.
Another flaw is that risk registers tend to mix external events we cannot control with internal problems that we can. It is better, then, to focus the trustees' risk register on strategic risks – these will include risks arising from changes in the external environment, including changes in stakeholder expectations. The register might also include risks arising from the strategy itself, where the organisation has chosen to take risk and therefore needs to manage that risk well.
Managers should be responsible for managing operational risk. Providing trustees with assurance reports to demonstrate how they manage day-to-day risk should help to build confidence across the organisation that you are doing the right things and doing them well. Assurance reporting needs to be at least annual and managers should be prepared to sign off on their own assurance reports covering the areas under their responsibility.
We have had shocks to the sector from reports of sexual misconduct and other poor behaviour. Risk registers are unlikely to list such events because it is tantamount to admitting that there is a poor culture in the organisation. We need to turn risk management on its head and focus on what it is we need to get right. This starts from the strategic goals – what do we need to get right in order to be successful in our mission? It cascades to each manager, encouraging them to think about the purpose of their role, team or department.
Kate Sayer is a consultant at specialist auditors Sayer Vincent