Before you commence identifying and assessing risk, it is important to agree the basics of how you are going to ensure that risks to your organisation are identified and managed.
This strategy should be appropriate to the size, responsibilities and capacity of your organisation. The questions below can help form your checklist:
Will this be a Management Committee member? Senior staff member? A volunteer? An external consultant? Judgement should be made based on the level of detail and time involved (see point 2), the expertise or knowledge required and the size of the organisation.
Do you want to keep this very simple and take a snapshot of major overall risks to the organisation? Do you want to look comprehensively at the organisation and its activities? Do you want to conduct independent risk assessments for each project area or function, before pulling this together into a wider picture? Focusing only on a limited range of risks is, in itself a calculated risk which should be assessed. Is the Management Committee prepared to accept the consequence if a significant risk is overlooked? Consider also any requirements placed by funders, legislation, or insurance policies.
Will you assess risk in a single discussion at a committee meeting or a through a process extended over several weeks? This is likely to depend on the complexity of the organisation, the scope of the assessment and the range of stakeholders involved. Establishing time limitations at this stage will help to keep the process manageable.
Will you consult Management Committee members? Staff? Volunteers? Members? Ensure that you involve those who know the organisation and its activities best, but don’t widen the consultation unnecessarily.
Documentation is an essential part of risk assessment and risk management, even if this is simply your usual committee meeting minutes. A range of templates are available and it is important to select one that provides a level of detail and complexity appropriate to your organisation, but which is user-friendly.
Regardless of who carries out the initial assessment, the Management Committee are responsible for reviewing the risks and ensuring that they are being effectively managed. It is important to schedule this in so that sufficient time is devoted to considering the information presented and its oramifications. If the Committee carried out the assessment themselves, they should have an opportunity later to discuss the documented notes of that discussion to ensure acceptance and agreement.
Ensure that there is a clear agenda and structure to your considerations so that you don’t’ get sidelined. You will need to prioritise attention to the most significant risks, considering whether further actions can be taken to reduce these and whether you are happy to accept these risks or need to take more drastic action.
Risks, and the progress in implementing recommendations to reduce risks, should be kept under review and any new practices evaluated. This enables you to monitor if your actions have had the desired effect of reducing risk, and creating a more stable environment for the organisation. Risk management also requires regular monitoring of risks in light of new developments, providing early warning if risk levels change. Judge what is realistic or necessary in light of the risks faced and the time resources available. Will you review every 6 months? Annually? Every 6 months is recommended where possible due to the need to assess a changing environment.