The risk management imperative for charities
Funding, cyber security, partnerships… these are just some of the emerging risks that could plague a charity of any size, at any time. Like most organisations, the avoidance of significant interruption to day to day running is an absolute must. But are charities paying enough attention to keeping their risk management protocols up to date?.
Meaningful risk management is best achieved through a fine balance: manage too obsessively and a charity runs the risk of missing out on opportunities to innovate. Taking a more relaxed approach on the other hand leaves it unprepared for an incident.
The most recent annual Charity Risk Survey found that 52% of charities surveyed reported having used the same method of risk management as in the preceding year. This may not necessarily be a worrying trend – it could just suggest that charities feel their current methods are adequate.
However, the risk environment is continually in flux, and whilst even the best risk management strategy can rarely prevent incidents from occurring outright, it is vital that charities keep their strategy under constant review to ensure that the balance between managing risk and embracing innovation is struck.
New technology and risk
Continually evolving risk can impose an immense pressure on charities which want to change and innovate. In addition to an increasingly difficult funding environment, another ongoing consideration for charities is the need to navigate rapidly changing technological developments.
Social media, the growing threat of cyber crime, and the need to guarantee data security are creating new and unprecedented pressures for charities, and the public increasingly expect them to be on top of these issues.
Indeed, research into public trust in charities with regards to data security has found that more than two thirds (68%) of people would be discouraged from donating online or via mobile in the future in the event of a data breach. Perhaps even more concerning, four in ten (42%) stated that it would discourage them from donating by any means in the future.
It may be impossible entirely to prevent these technology led incidents from occurring, but it is crucial that charities recognise and understand such risks, and put in place sufficient precautions so that they are as well prepared as possible should an incident occur. The public generally accept that things sometimes go wrong, but what is often hard to explain is when an organisation was unprepared for an incident that had already been identified.
Keeping risks in focus
It is of course the case that funding difficulties, social media and other risks have bred incredible innovations from charities, searching for ways to adapt to, and make the most of changing circumstances. The challenge for charities is keeping up with the opportunities presented by change, while keeping risks in focus.
As already emphasised, it is important to ensure that a charity's approach to managing emerging risks doesn’t quash potential opportunities to innovate. Here are five practical questions a charity can ask itself in order to strike this balance:
- What risks have we seen emerge over the past one, three, five and ten years?
- What processes do we have in place for identifying and quantifying emerging risks?
- Who in our charity is responsible for overseeing this?
- How often are we refreshing our risk strategy to include emerging risks?
- How are we integrating emerging risks into our decision making process?
The ever-growing expansion of social media is an excellent example of a recent development that presents immense opportunities as a fundraising and campaigning tool for charities, but which also carries risk. For example, one much cited concern is the use of social media by volunteers working on a charity’s behalf.
Charities, big and small, have long recruited volunteers to help with their day to day operations like fundraising, administration or other essential roles. These volunteers, while informally employed, may choose to use their own social media profiles for this purpose, and identify themselves as working for the charity.
While this will in most cases be beneficial for the charity and not present any problems, it could open up charities to reputational damage if a volunteer acts inappropriately on social media in the charity’s name. With this in mind, it is crucial that a charity spots the risk of this kind of incident happening before one occurs, and take steps to ensure that that the volunteers are both aware of, and bound by some form of social media policy.
Embedding risk management
The Charity Risk Survey identified a number of barriers faced by charities to updating their approach to risk management. Some 61% of charities said they lacked the time necessary to implement new measures. Cost was flagged by 40%, while others also highlighted limited buy-in at a senior level.
If risk management is to work at its best, it should be the responsibility of everyone in the charity. It can often be challenging to secure buy-in from senior figures in an organisation who can be more concerned with strategic long term business aims than the perceived short term issues of day to day risk. However, given that those at the most senior level of a charity, i.e. trustees and top management, are most responsible for the smooth running of the organisation, it is even more essential that they are involved.
For example, the benevolent fund, IET Connect, ensure that its trustees are kept up to speed on new risks by holding five board meetings each year. At each, one of five aspects of risk from a pre-determined risk register is examined, and emerging risks are also discussed. The Charity Commission provides a useful example of such a risk register, which charities can use as a model to devise their own.
In an environment where rapid change is now the norm, all charities will be feeling the pressure. That said, the sector continues to tackle these issues head on and it is vital that charities continue to embrace change and use it to their advantage – all while keeping the accompanying risks firmly within their vision.