
6 Steps to Risk Management in Churches & Charities

Good risk management enables churches and charities to maximise the achievement of their goals. It requires understanding what could go wrong, and opportunities that could be missed, and then taking the right actions to respond. Implementing these 6 steps to risk management in churches and charities provides a structured approach to do this effectively.

Contents

Introduction

 

Embedding risk management into the activities of churches and charities adds great value towards achievement of objectives.

 

Nevertheless, statistics show that 57% of senior executives rank “risk and compliance” as one of the top two risk categories they feel least prepared to address, while 69% of executives are not confident that their current risk management policies and practices will be enough to meet future needs.

 

Risk management is not about avoiding risks, but it requires taking an informed approach to identify and respond to risks in a way that protects the value of the organisation.

 

Risk management also requires awareness of, and taking advantage of, opportunities to create better value in the realisation of church and charity organisation goals.

 

How then should churches and charities go about risk management?  This article takes you through 6 steps to risk management in churches and charities.

 

Table Stewards uses a light-hearted scene setting approach to introduce its topics, but if you would prefer to dive straight into any part of the article, please click the relevant link in the table of contents above.

 

 

Scene Setting

 

Coach Emmanuel arrived early to the Learning & Development Committee (LDC) pre-meeting room, helping himself to some tea as the rest of the committee trooped in.

 

Elder Sam: Wow! I can’t believe you beat us to it today.  You look so excited!

 

Coach Emmanuel: Great to see you all! I am excited indeed! Our last masterclass on Why Risk Management is important in Churches and Charities generated a lot of interest, questions and feedback.  I can’t wait to get stuck into today’s session to further explain how to go about implementing risk management in churches.

 

Leader Badtrus: I have been reflecting on last week’s masterclass on why risk management is important in churches and charities.  Why don’t we turn today’s masterclass into a workshop for identifying our risks so we can get started with risk management?

 

Elder Sam: Good idea, especially as we have all our board and committee members and team leaders attending the masterclass today.  However, although we now know why we need to manage risks, we still need to cover the other part of the masterclass on how to go about risk management. 

 

Coach Emmanuel: You are right! Let’s get going on the other part of our risk management masterclass; 6 Steps to Risk Management in Churches and Charities, so we can have a good framework to guide our implementation. 

 

 

Steps to Risk Management – 1 – Clarify Objectives

 

Risks are a part of everyday life in all organisations but they could hinder the achievement of objectives if not properly identified and managed.

 

Being clear on what the church or charity is aiming to achieve helps to identify the real risks it faces, any opportunities to take advantage of, and helps inform how to respond.

 

The mission, vision and core values should be translated into strategies and objectives, approved and overseen by the governing board of the church or charity.

 

These should be communicated across the organisation so everyone is running with the same vision and understands how that translates into organisational objectives, with a clear line of sight to individual operational activities.  This should enable relevant and true risk identification.

 

 

Steps to Risk Management – 2 – Communicate the Risk Management Framework

 

The board needs to set out the framework for risk management, covering the risk management policy, governance, roles and responsibilities.

 

A good risk management framework would typically include the following elements as a minimum:

 

  • The risk management policy setting out the stance of the church or charity on risk management and its approach to the management of risks.

 

  • Risk management sponsor – there should be a named individual at board level as sponsor for risk management, providing oversight and accountability.

 

  • Roles and responsibilities, including a designated or chief risk officer to ensure that the risk management policy and framework are implemented effectively.

 

  • Risk assurance – For example, establishment of a Risk Assurance Committee to oversee the effective implementation of the risk management framework, as a sub-committee of the board, and chaired by the risk sponsor.

 

  • Risk assessment approach – including a risk assessment matrix showing likelihood and impact definitions and how the combination affects the overall assessment of risk.

 

  • Risk Register template – for consistency in risk assessments and management across the organisation.

 

  • Risk Response options – guidance on how to consider appropriate responses to risk.

 

  • Risk Appetite – the level of risk the church is willing to tolerate. This can vary across risk types.  For example, the church may state that its risk appetite for financial loss through fraud is zero.

 

 

Steps to Risk Management – 3 – Identify Risks

 

Identifying risks consists of three elements – capturing the risk, articulating the risk, and recording the risk.

 

Capture Risks

 

For churches or charities just starting out on their risk management journey, one great way to start is to hold a risk workshop.

 

This involves bringing people together at all levels of operations to identify risks to their areas of operation.

 

For example, in a church this would include office staff, pastors, deaconry, service unit or activity team leaders e.g. choir, ushering etc., boards and committee members.

 

The risk sponsor or chief risk officer would brief the workshop participants to set expectations and secure buy-in, and a facilitator would take them through a session of risk identification.

 

Nothing is too silly to highlight.  The risks gathered are then organised in categories, clarified and merged where necessary.  A list of identified risks is then collated.

 

Risk workshops are not a one-off activity.  They can be repeated periodically for the whole church or charity workforce or in smaller groups such as boards or committees.

 

It is a great way of getting both bottom-up and top-down risks identified, and may sometimes reveal significant information that would otherwise have been overlooked.

 

Additionally, the risk management guidance and approach should make it clear that everyone has a responsibility for risk management.

 

It should encourage anyone to approach their immediate leadership to raise concerns about potential risks.

 

Leaders should also be clear on what to do when a risk is identified in isolation, and how to ensure it is escalated to the point of response.

 

Articulate Risks

 

The way you articulate a risk can affect the level of insight you get into the right mitigation actions for the risk.

 

It is therefore important to articulate risks properly.  A simple framework of Cause, Effect, Impact works wonders in getting risks effectively articulated.

 

Let’s see how this works.  Risks are best expressed in terms of:

“Cause”, resulting in “Effect”, leading to “Impact”.  Some examples are below:

 

  • Inadequate financial governance results in the breakdown in financial controls, leading to financial loss through mismanagement and / or fraud.

 

  • Poor awareness and implementation of data protection regulation results in breaches of data confidentiality or non-compliance with data protection principles and practices leading to loss of public trust, financial loss through penalties and fines, litigation for data breaches and reputation damage.

 

  • Poor controls over physical assets results in theft, misappropriation, loss or unnecessary purchases, leading to financial waste through costs of replacement assets, or reputation damage from lack of necessary assets.

 

The key is to always ask “So What?”.  The end of the “so what?” chain is the impact that we are trying to mitigate.

 

The effective articulation of the “Effect” and “Impact” helps to identify appropriate mitigation actions to take to address the “Cause”.

 

Record Risks

 

Identified risks need to be recorded in a consistent way that facilitates risk assessment, articulation of mitigating actions and owners, tracking progress and checking the effectiveness of actions.

 

It is recommended that risks are recorded in a Risk Register.  This could be in a table format or as a page for each risk with a dashboard providing an overview.

 

A good Risk Register would typically be structured to include the fields below:

 

  • Risk ID or Reference number
  • Risk Description (articulated as “Cause, Effect, Impact”)
  • Risk Category (e.g. Financial, Governance, Regulatory etc)
  • Likelihood (scored)
  • Impact (scored)
  • Overall risk assessment (score based on Likelihood and Impact)
  • Risk Owner (at Board / committee level)
  • Risk Coordinator (at working level)
  • Actions in place (and active)
  • Residual risk assessment (score of risk remaining after taking action)
  • Further actions planned
  • Proximity (how close the risk is to materialisation)
  • Date last reviewed
  • Trend (e.g. direction of travel compared to last month)

 

A well-structured Risk Register should provide a good audit trail of each risk that the church or charity faces, what is being done to address the risk and who is accountable for managing the risk.

 

 

Steps to Risk Management – 4 – Assess Risks

 

Assessing the Risks means putting each Risk into perspective for prioritisation.

 

This is usually done by assessing the likelihood of the risk occurring and its impact using a predetermined rating scale.

 

The combined effect then determines the priority to assign to the risk.  The assessments are recorded in the Risk Register.

 

An example of a Risk Matrix shows Impact plotted against Likelihood in a 5×5 matrix, with four levels of risk assessment.

[Figure: 5×5 Risk Matrix. Vertical axis: Impact, from VL (1) to VH (5). Horizontal axis: Likelihood, from VL (1) to VH (5). Risk Assessment Key: Very Severe, Severe, Material, Manageable.]

 

Example Risk Impact Ratings

  • Very Low (1) – Minimal loss, delay, inconvenience or interruption.  Can easily and quickly be remedied.
  • Low (2) – Minor loss, delay, inconvenience, or interruption.  Short to medium term effect.
  • Medium (3) – Significant waste of time and resources.  Impact on operational efficiency, output and quality.  Medium term effect which may be expensive to recover.
  • High (4) – Major impact on costs and objectives.  Serious impact on output and/or quality and reputation.  Medium to long-term effect and expensive to recover.
  • Very High (5) – Critical impact on the achievement of objectives and overall performance.  Huge impact on costs and/or reputation.  Very difficult and possibly long-term to recover.

Example Risk Likelihood Ratings

  • Very Low (1) – Extremely unlikely to occur
  • Low (2) – Unlikely but not impossible to occur
  • Medium (3) – Fairly likely to occur
  • High (4) – More likely to occur than not
  • Very High (5) – Almost certain to occur

 

 

Steps to Risk Management – 5 – Address Risks

 

Having assessed each risk and recorded the assessment in the Risk Register, the next step is to address the risks.  This means taking action to mitigate the risks.

 

Action taken must be proportional and cost-effective.  Typically there are 4 types of actions that can be taken to mitigate a risk. You can decide to Terminate, Tolerate, Transfer or Treat each Risk.

 

Terminating the risk means taking actions to avoid the risk such as a decision not to go ahead with an investment proposal.

 

Tolerating the risk means accepting the risk and doing nothing about it due to its low likelihood of occurrence.  For example, the risk of not being able to broadcast church services online due to all social media channels and web services being down.

 

Transferring the risk means shifting the responsibility for the consequences of a risk materialising to another party.  For example, you can pass the risk of loss through theft to an insurance company by taking out an insurance policy.

 

Treating the risk means taking action to reduce the likelihood and/or impact of the risk occurring. One way that churches or charities can mitigate or reduce risks is through the implementation of good internal controls.

 

Internal controls are actions taken by management to ensure the achievement of business objectives.  They are therefore an integral part of risk management and help to treat or mitigate risks.

 

Risk Appetite

 

Another aspect of addressing risks is understanding what level to manage the risk down to.

 

What level of risk can you tolerate? That is, what is your risk appetite for each risk?

 

Risk appetite can be set at organisation level – for example, “we have zero tolerance to fraud”.

 

Or risk appetite can be set by areas of risk – for example the risk appetite for Regulatory risks could be: “100% compliance with all regulatory and statutory requirements”.

 

Risk appetite can also be set at functional level – for example, the risk appetite for projects could be “we will accept fast fail of projects initiated in good faith up to $30,000”.

 

Contingency Planning

 

Even with good risk management, adverse events can sometimes happen, but the risk mitigation actions in place can help limit the damage.

 

For example, unexpected weather events could lead to flooding of a premises or power loss.

 

Even though the risk has been transferred through insurance, there is still a need to limit the damage and impact on operations while waiting for the insurance company to respond.

 

Such events are addressed through contingency planning.

 

An example is through business continuity planning where actions to be taken in the period between risk events and recovery are articulated, tested and maintained in a state of readiness.

 

This ensures that the business continuity plan can be invoked when required to ensure that critical operations can continue.

 

For IT systems, disaster recovery planning is a key risk response that helps ensure continuity and recovery from IT risk events.

 

Contingency plans are mitigating actions and should also be recorded in risk registers as such.

 

 

Steps to Risk Management – 6 – Monitoring

 

Risk Management is not a one-off exercise – it requires monitoring and continuous assessment.

 

Risk management should be embedded in daily activities and organisational culture. That way, in addition to managing existing risks, new risks can also be identified, reported and assessed for appropriate response.

 

A review of risk registers should be included on board / committee agendas as a standing agenda item.

 

The most effective boards and committees would find that most of their other agenda items would play to the items on their risk register.

 

But it is still important to deliberately review the risk register to ensure that risks are being managed, with appropriate actions, and at the right level.

 

Actions to address risks must not be an extra activity for boards and committees but must be embedded in actual day jobs of risk action owners, coordinators and in leadership roles.

 

A good practice is to additionally carry out deep-dive reviews into one or two risks at least quarterly, inviting the risk coordinators to discuss how the risks are being managed.

 

Any further action required for more effective management or any changes in risk appetite can be conveyed and implemented.

 

Each level of leadership and sub-committees should manage risks at their level.  Any risk they cannot manage or risks that have wider organisational implications should be escalated.

 

Nevertheless, each sub-committee should include the top risks they are managing in their reports to their main governance board or committee.

 

Internal audits can also be commissioned to focus on the adequacy of risk management as a whole or to focus on particular high risks.

 

 

Conclusion

 

Risk management is a disciplined process that involves identifying the right risks, assessing them, taking action to address them and then ongoing monitoring.

 

Taking appropriate actions to address the risks, not as an add-on, but as part of decision making, operations and management, with regular review, will help embed risk management as a real enabler for successful achievement of objectives.

 

Read more about why risk management is necessary in churches and charities and how internal controls help protect finances.

 
