Risk Management as part of charity governance

“The best laid schemes of mice and men Go often awry.”
Robert Burns, To a Mouse, 1785

Risk is inherent in all human endeavours. Charities and Not-for-Profits can experience their ‘best laid schemes going awry’ like everyone else and have the same need for managing risk as all other organisations. Dharma Care places great importance on risk management because we are dealing with donor funds and vulnerable recipients.

Risk is simply uncertainty in achieving objectives. Unfortunately, understanding and managing risk is anything but simple.

The Dharma Care Board is responsible for the organisation’s risk management strategy. Indeed, this is among the Board’s most important responsibilities. This doesn’t mean that it’s the Board’s job to go round and fix everything that might go wrong. It is the Board’s responsibility, however, to ensure there is a system for managing risk, and that Board decision-making is informed by an awareness of the organisation’s risk and how it is managed. As a Board we:

  • oversee a risk management framework that aligns to the organisation’s purpose and strategy;
  • ensure Directors are provided with information about risk, and how it is managed; and
  • periodically review the risk management framework.

Most organisations follow the ISO Standard for Risk Management (ISO 31000) in establishing their risk management system. But that’s only the start. Too often we see organisations do something that is claimed to follow the Standard, but is quite ineffective.

To begin assessing risk, we identify our objectives for both the organisation and the Board. We then ensure they are clearly articulated and written down.

If an organisation doesn’t have objectives, i.e., there is nothing it wants, then there is no risk. Sometimes, when organisations struggle to articulate their objectives, it is important to ask ‘If your organisation is the solution, what was the problem?’.

Dharma Care’s Board has thought long and hard about this question and has objectives related to its strategic planning, objectives for the Board, and objectives for the organisation.

The next stage in our process is to ask what could go wrong, or exceed our expectations, that might mean we don’t achieve, or overachieve, our objectives. These become our risk and opportunity statements. There could be several statements against each objective.

Now the real work begins! For each risk or opportunity statement, we answer the ‘so what’ question – what could happen? Here we give the FULL story, not just some two-word throwaway. What happens to people, money, legal outcomes, impact on strategy, safety and environment, etc.? Our risk management system includes a consequence table that covers both negative and positive consequences, and how our organisation views those consequences, and we draw from those categories in formulating our story.

Assessing risk is then just a matter of combining, in a risk matrix, the severity of the consequences with the likelihood that the risk scenario might occur and produce the consequences you wrote in your story.


Here are some questions we consider:

  • Do we communicate our risk system to all our employees?
  • What is the risk culture in our organisation?
  • To what extent do our Board and managers believe their successes are the result of good luck?
  • To what extent are important things known within our organisation that managers cannot find out?
  • To what extent do incentives for the Board, the CEO and the team produce unwanted or perverse consequences?
  • To what extent do the Board and the Executive challenge and call to account bad behaviours or poor performance within our own group?
  • How quickly does unwelcome news travel upwards to leaders? Is this slower than the speed of good news?
  • To what extent does the behaviour of leaders at all levels provide a consistent and good example to be followed by subordinates?
  • And the real biggie: to what extent is our organisation aware of complexity in our operations, and does it ensure complexity is a key aspect of our risk analysis?

We can discuss these and other questions in future blogs.