Conducting a Risk Assessment

Regardless of the size or scope of the issues to be assessed, or the length of time available, the process of assessing risk involves the same basic key steps:

  1. identifying
  2. categorising/rating
  3. managing and
  4. reviewing risk

Each of the key steps is outlined below with guidance on how you can address this within your own organisation, linking to additional supporting tools where appropriate.

1. Identify the risk

Refer back to the definition of risk and ask yourself, "Where is there uncertainty surrounding events or outcomes that could impact on our operational performance, ability to achieve our aims and objectives or our ability to meet the expectations of stakeholders?"


  • Do you face a risk of fire in your premises?
  • Are you at risk of losing key staff members?
  • Is there a risk of internal fraud or theft?
  • Is there a risk of serious damage to the organisation's reputation (e.g. child abuse allegations within a playgroup project)?
  • Is there a risk that funding streams could be terminated?

Sometimes it is useful to group these risks into categories according to the various aspects of the organisation and its activities which you need to consider. Click here for a profile of common areas of risk to prompt your thinking.

You can use our risk assessment template for Step 1 to list the risks you identify.

2. Categorise/rate the risk


Risk identified: Funding coming to an end.
Likelihood: High (organisation has a lot of short-term funding).
Impact: High (most of the organisation's functions rely on these funding streams, therefore an end to funding would prevent the organisation from achieving its aims and objectives).

You now need to work out which of these risks you really need to worry about.  You can do this by categorising each risk according to:

  • likelihood (i.e. whether or not it is reasonable to expect an event or outcome to happen); and
  • impact (i.e. even if something did happen what would be the impact on the organisation and its work?)

There are many different ways of categorising risks - they can be given a numerical value (e.g. ranging from 1-5 according to seriousness in each category) or they can simply be rated as High, Medium or Low risks.

Click here for a simple template for completing Step 2.

3. Managing the risks

Having identified and categorised the risks, you now need to work out what you can do about the most significant of these risks.  For each, you should consider four options:

a)  Avoid the risk

Should you avoid the risk altogether by not entering into the activity or providing the service? (e.g. youth group decides not to engage in water sports on its residentials)

b)  Control the risk

Can you manage the activity so that the risk will be less likely to occur and less damaging if it does occur?  This is the most common approach. Risks can be controlled through application of good practice, clear policies and procedures, staff training, clear record keeping, regular reporting etc.

c)  Finance the risk

Should you simply accept that the risk is likely to occur and provide resources to meet the liabilities when they happen?

(e.g. an organisation with a high number of female staff faces a risk of being unable to meet its obligations with regard to maternity pay. They therefore set aside a fund annually for this purpose which they can dip into when necessary.)

d)  Transfer the risk

Can you have a third party perform the risky activity or transfer the consequences of the risk to another person or organisation?  This can be through insurance, indemnity, exemption from liability or by contracting another organisation to carry out the activity.

(e.g. In the past, some Health Trusts cooked meals in hospital kitchens which were then delivered by volunteers. However, due to the risks of food poisoning if meals are not served at the correct temperature, they now contract out this service, ensuring that a 3rd party is entirely responsible for the process.)

Use our Step 3 template to document how you are already managing the risks you have identified and what more you could or should consider doing to reduce the overall level of risk.

4. Review the levels of Risk

At the end of this process you need to go back and review how these risks should be categorised.  Given the measures that you have put in place to eliminate or mitigate (reduce) these risks, do they still constitute major risks?

Example of reviewed risk:

Risk: Organisation working with disabled persons identifies risk of losing current premises.


  • High likelihood (local council has provided for minimum rent for 5 years, but current lease is up and council is under pressure to generate rental income).
  • High impact (not aware of other premises with suitable access available locally, currently lacks resources to pay full rent).

Risk management:

Organisation implements the following actions:

  • Enters into dialogue with Council to establish facts of situation
  • Researches and identifies alternative premises locally
  • Launches a fundraising appeal to raise money to enable them to afford to pay for their accommodation, whether with the Council or elsewhere
  • Raises the profile of their situation in the media to gain public support.

Reviewed risk category:

  • Medium likelihood (still a risk that they could lose the current premises, but this has been reduced through mitigating actions).
  • Low impact (have now got alternative options which means that the organisation is cushioned from negative impact if the risk does occur).

Choose a suitable template

Ensure the template you use for recording your risk management process suits the needs and expertise of your organisation.

Click here for examples to suit both large and small organisations.

What next?

Risk assessment should become an integral part of how you manage the organisation, its resources and its activities.  It is now the Management Committee's responsibility to confirm that they are happy with this assessment of the risks faced by the organisation and are willing to accept the level of risk that remains.

The risk assessment should then feed into your overall and ongoing strategy for managing risk and should become an integral part of how you manage the organisation, its resources and its activities.
