In a recent post I challenged whether the way we manage risk is effective and suggested there were 4 questions we should ask when reviewing the major risks in the risk register.
Two initial questions to consider were:
- Have we identified the risk, the impact on the organisation and what would cause it?
- What are the identified controls actually controlling? Are they there to prevent the risk occurring or to limit the damage caused?
Identifying risks and their controls
Identifying risks can help to investigate what can go wrong. Understanding the cause of the risk will help to explain why things go wrong, how they can go wrong and when they can go wrong.
Why does it matter? By understanding the risk to this extent, the charity is able to ensure there is a “risk action plan” that addresses both preventing the risk event happening in the first place and limiting its impact. Risk registers rarely explain the impact on the organisation, often giving just the impact rating, and the controls are insufficient to manage the risks properly. For most charities the major risks to an organisation will require more than 2 or 3 bullet points in the controls box.
While it is not practical to look at every risk at this level of detail, it is important for the 4 or 5 major risks that could break your organisation.