< Back
You are here:

Risk Management Process

Charities need to manage risk like any other business. Whilst some risks they face may be similar to those of traditional businesses, there are many differences. Risk management is a key tool for protecting your organisation, volunteers and service-users.

Charity Risk Management

There are many approaches to risk management, but most important is that your organisation approaches this subject with a clear head and an objective mind. The fundamental questions that you should be asking yourself are what you may lose or suffer (the event), how likely it is that the event could materialise (the frequency) and the extent to which you can afford that event occurring (the impact).

Insurance is only one stage in the risk management process and irrespective of insurance, risks still require careful and considered management.

Review Risk

The first stage in managing risk lies in identifying the risks that reside within your charity. What situations might stop you from operating? What losses might create one-off costs which would stretch your cash flow? What liabilities have the potential to damage your organisation? In which circumstances might the interjection and support of an insurer help your charity? A good way to identify risks is to get your board or management team to carry out a brainstorming exercise.

Risk Register

Once you have reviewed the risks that your organisation faces, you should set up a simple spreadsheet to serve as a risk register, with a basic scoring or rating mechanism. This will be a fluid document that should be regularly reviewed, critiqued and added to. The register identifies key areas of risk in terms of their potential frequency and impact. This will help highlight issues that require attention in order of priority and identify factors which will help mitigate the risks.

Business Continuity Plan

Use the risk register to help create a Business Continuity Plan (BCP). This should look at the major risks your organisation could encounter and how you will react if any of them materialise (including internal and external communication). The aim of the BCP is to keep your organisation running smoothly if there’s a problem. The BCP will be specific to your organisation and should identify responsibility for the Business Continuity Plan and a crisis management hierarchy so it is clear who is in charge when the BCP is triggered.

Your BCP should consider the impact on income and cashflow, the impact on effectiveness, staff, customers and service users and the impact on reputation and stakeholders that may arise because of big risks. Don’t forget to consider the IT (both software and hardware) implications of big risks!


When your risk register and BCP has been created, your management team can consider and agree upon an insurance purchasing plan. This allows you to match the insurances you require to the risks you face and highlight any uninsured risks to ensure they are dealt with appropriately.


To remain up-to-date and relevant to your developing organisation, your risk register and BCP should be regularly reviewed at board and senior leadership level.

Is something wrong, missing or needs updating? Let us know.

Except where otherwise noted, CaSE Insurance licenses the content in the Risk & Insurance Library under the Attribution-NonCommercial-ShareAlike 4.0 International licence. All content in the Risk & Insurance Library is intended purely as introductory information on the subject matter, and does not provide you with information on risk management or insurance or advice (whether legal or financial) on which you should rely. You should always seek professional advice specific to your requirements.