The arrival of COVID-19 has elevated the concept of risk towards the very top of the priority list for most church and charity trustees. Risk is however more than COVID and to some extent exists in every activity that we undertake. Risk, or more importantly the fear of its consequences, can easily paralyse organisations. Mark Twain once said: “Twenty years from now you will be more disappointed by the things you didn’t do than by the ones you did”.
We see examples of risk assessment and management in the Bible. In Numbers 13 the spies sent by Moses decided it was too risky to take on the giants and so the dream of the Promised Land was lost for that generation. On the other hand David assessed the risk of fighting Goliath without oversized armour and decided to go ahead. In so doing he changed not only his own life story but also the path of history.
In our experience, churches and charities are more likely to achieve their strategic aims by identifying and assessing risks and then taking action. Beyond that, the Charity Commission expects trustees of all charities to take “a systematic approach to the consideration and management of risk”. This does not mean seeking to avoid every risk and when done well, risk assessment will prove a liberating experience for organisations rather than a stifling one.
Risk management is generally a three step process.
Step 1: Identify the risks you face. Think beyond the classic risks of fraud or the building burning down and think about strategic and leadership risks; risks associated with employment; IT and data protection; communications; governance; finance etc.
Step 2: Assess the risk. There are various techniques to do this, but most focus on the same three aspects.
- What is the likelihood of the risk happening? The higher the likelihood the higher the risk ranks;
- What would be the impact on the organisation and its aims if the risk were to happen? The greater the impact, the higher the risk ranks;
- The third question assesses the controls that an organisation has in place to limit or mitigate the risk that it faces– the better the controls, the more the risk can be lowered.
Applying some form of scoring criteria to these three aspects allows a residual risk (that risk which remains after a system of controls is in place) to be calculated. Residual risk scores can then be ranked with the highest risks prioritised for earlier action.
Step 3: Decide what action to take. Once organisations have identified and assessed risk, they need to take action. Generally organisations can either:
- Accept the risk;
- Seek to avoid the risk all together;
- Find better ways to reduce the risk;
- Seek to transfer the risk (typically through insurance).
Equipped with this identification, assessment and action plan, (all captured in some form of risk register) your organisation will be better placed to move forward in achieving its goals, not paralysed by the fear of risk.