Gillian McKay: There are fundamental problems with regularly reviewing risk registers

We humans feel that planning gives a sense of control and a sense of safety to manage change. At the time of writing this column, it has just been suggested that there is a ‘special place in hell’ for those that make very big decisions without a clear plan, and those who do so should reflect on their moral culpability for the outcome.

I have no idea whether ecclesiastically this is the case or not, but if this is true then there will be a very long queue. In reality, many large life decisions, such as choosing a career, buying a house, having children, do not easily lend themselves to planning how the venture will finally pan out, but it is comforting to think that a bit of planning could make the whole experience a bit less disruptive.

Such is the comfort sought when it comes to the area of charity risk planning. There is a popular school of thought that sees every risk as something that, once identified, should be controllable. This leads to very long risk registers, which name a very large number of possible risks, accompanied by other equally long lists of controls for those risks and often, for good measure, a number arrived at to give a numerical weighting to the likelihood and severity of these risks.

If there is a special place in hell for the unduly risk averse then there is equally one for the endless meetings of reviewing risk registers. There is also a fundamental problem with this approach to risk management. Firstly it gives the false comfort that a risk can be mitigated by the control identified. Many charities have controls, but the actual events includes elements that cannot be thwart that control.

Secondly, the numerical weightings on many risk registers give great comfort to many of us, particularly the accountants amongst us, but we do need to remember it is only a figure based on a subjective judgement and does not in itself really mean anything.

Numerical calculations suggest a link between probability and impact. It is not the case that the probability of a risk will always be a reflection of its impact. As we have seen, very unlikely events such as volcanic ash clouds, can also have a very substantial impact.

Finally, risks do not remain static. Environments change, ways of working change and consequently risks evolve with this changing landscape. Creating a risk register and adding to it doesn’t address the changing nature of the risks we face.

So how should charities manage risks? I’m not the oracle on risk management but I would suggest at least including the following in the risk management process:

1) Think about impact, not the risk that led to it

It is the impact of risk, not the risk itself that charities need to deal with. If a charity loses its HQ it is irrelevant whether that is due to a power cut, fire or terrorist bomb. Focus should be on how to manage the impact rather than the route itself.

2) Don’t leave it just at board level

Identification of risks and planning how to mitigate them is often done at board level by those who are not involved in the day to day operations and therefore least likely to encounter and manage risk. Make risk management an open structure, encourage teams to feed up to the board what they perceive as the key risks, both current and emerging, and how best to combat them. Have open and active discussions at all levels of the charity on the identification and control of risks.

3) Accept that risk cannot by nature be controlled

Even with the best made plans unforeseen and negative things happen. This does not mean the planners are morally culpable just that, on this occasion, something unexpected happened. Take it as an opportunity to learn, improve on what needs to be done and move forward as an organisation.

    Share Story:

Recent Stories