Classifying risks so that they align with the organisation’s objectives and operations will ensure more relevant and embedded risk management.
The majority of charities follow the Charity Commission guidance CC26: Charities and Risk Management, which was published in 2010 and updated in 2017. The guidance is simple and easy to follow. It suggests categorising risks into governance, operational, finance, environmental and external, and law and regulation compliance risks, but notes that there are other risk classification models that could be used.
As charities have become more complex, with both the internal and external environments changing, this classification system may not be the most helpful. The purpose of the classification system is to help identify risks and to understand the impact of similar risks, which when brought together can be more significant than they are individually. Similar risks also tend to have inter-related controls that can make a much stronger control environment.
While it would not be beneficial to start reorganising comprehensive risk registers that have been established for many years, it would be a valuable exercise to review your strategy and business objectives to ensure key areas that could have a significant impact on the success of the charity are represented separately. Areas that are often lost within the volume of the register are IT risks, the risk of fraud, risks associated with major capital development projects and strategic risks.