Risk registers are the marmite of board papers. Some people love them, and others hate them. I must admit I have fallen into the latter camp more often than not. I have seen risk registers that were too dull, in too small font, too impenetrable to understand and too long.
The problem is that some boards act as if risk registers were a legal obligation that their charity regulator forced upon them. Therefore, it didn’t matter if nobody understood them or found them useful or even read them.
So here is the good news: you don’t have to do one. You should only create risk registers if your board finds them useful.
Another strange thing about risk registers is that they seem to be a trustee thing. Not a staff thing. In other words, they are produced just for trustees. Why staff weren’t interested in the risk the charity faced I don’t know.
Nine risk register ideas and tips for boards
- Start with a ‘love it or lose it’ approach to risk registers. In other words, only do one because the board or the senior management team find it useful. If the consensus of opinion is that the risk register is useful that’s great. If not, then revise or reform it, or refuse to do it.
- Use a risk register as a horizon-scanning tool. Risk registers can be a great way to look at the external world and examine the challenges to the organisation. This could include the impact of AI, the changing nature of society, how a new government will impact your charity, and so on.
- Look at the five biggest threats to your organisation delivering its mission. These are the existential risks. Do you have the money to keep going? What is the risk of key staffing leaving? What is the risk of doing too much (badly), or the risk of being too cautious?
- Pose your risks as questions. It’s too easy to have to have a risk register which is a long list of dull headings – IT, HR, Fundraising, Compliance, etc. It’s much better to pose the risk as questions – What will we do if that funder doesn’t renew their grant? Why is staff turnover so high? Are we making the most of AI in our work?
- Let trustee and staff nominate and own specific risks. I have seen risk registers which are rather like a hermit crab covered in barnacles. The poor old risk register keeps gaining more and more risks, and never sheds any. As a result, the list gets longer and longer and it has risks that nobody ‘owns’, knows why they are there, or even cares about. So make sure that every risk has an owner who’s trying to mitigate it, a timescale for review/removal, and a nominator who wants it there.
- Shake up the risk register format. If you are worried your risk register is becoming board wallpaper, then change the format. Get five trustees or staff to present five risks in two minutes – one minute each for explaining the risk and one minute for the ways of reducing or addressing the risk. Explain a risk with interpretative dance!
- Remember Charles Handy’s frogs. The great management guru Charles Handy used to talk about the differences between putting frogs in cold and hot water. If you put a frog in hot water, it jumped straight out. But if you put a frog in cold water and then heated it up it never realised the danger and got boiled alive (I hope this was just a metaphorical set of frogs). The important thing is that some risks are urgent and important, and charities will take immediate action. But others are slow and insidious, and very easy to miss seeing them sneak up.
- Categorise your risks. Leading on from the frog-based example it may be helpful to divide your risks into different types. The urgent and important (getting enough funding), the slow and insidious (the changing pressures on our services), the ones specific to our organisation (high staff turnover) and the general for all charities/organisations (the impact of AI).
- A risk register is a tool, not an ass-covering exercise. Perhaps the most important thing to remember is that a risk register is a tool for your board and your organisation. If it isn’t doing that, then scrap it or improve it. Don’t keep going with a labour-intensive risk register that takes huge amounts of time for staff to update, and which nobody finds of much value.
If you have a risk register, or an approach that has work for you and your organisation, we’d love to hear from you. Email me on [email protected] and we’ll put together a selection of the ideas and examples that come in.
