Join Our Network

Beyond a bit of paper…

With complex operating environments, it can feel like we are dealing with a different challenge every day.  I’ve spoken to many voluntary sector leaders in recent months who describe feelings of uncertainty and demands on their time like few have experienced before (not withstanding, for different reasons, a certain pandemic a couple of years ago).  Clearly there is a very real concern here (one that should be on the risk register) – leaders are feeling the pressure and multiple research papers both nationally and locally tell us overwhelm, stress, and burnout are on the increase.

And crises? Well by their nature, we rarely see them coming until they pop right up in front of us, finger outstretched, aiming for the eye!

In times of uncertainty, one thing does remain certain – problems will come, challenges will arise and as the adage goes ‘fail to prepare, prepare to fail’… So, how? Good risk registers are a helpful start.  They help us to think through what might happen, spot early warning signs, and to put in place mitigations which if done well, can go a long way to reducing if not eliminating the risk. 

And what does ‘good’ look like? I’m not going to say what this should look like exactly – I’m very aware that I thrive with structure, a good spreadsheet, plenty of columns and some sort of coloured risk hierarchy; but that won’t necessarily work for every organisation.  I do strongly recommend putting something on paper though for ease of review and tracking, in the interests of good governance, and there are some core elements and principles to think through (however you end up formatting them) –

  1. Where to start? – if there is no register in place, or it needs a review – I strongly recommend a SWOT and PESTEL analysis.  This will determine what is going on both inside and outside of the organisation and ensure some horizon scanning.  Remember this must be include some longer-term thinking – what may not be a risk right now, may be heading the organisation’s way and you want to head it off.
  2. What should it include? – (there are numerous free templates out there if you/your board wants the structure) you’ve identified the risks, now name them. Phrase and re-phrase, narrow them down, pick them apart and make them succinct.  Sometimes the risk is so broad that it won’t enable any demonstrable mitigations and controls to be put in place.  For example, if you have 50 employees and 4 levels of hierarchy, a risk that simply says “Staff Wellbeing” will only end up in a long list of controls in place attempting to cover all the different elements within it.
  3. What else? – identify controls (process, policy and practices designed to control the risk) and mitigations (strategies used to reduce the likelihood or impact of the risk).  The point is that with these things in place, the risk is lowered or impact reduced. If you are using a traditional risk register format, you should end up with a lower score when these are in place compared to the original.
  4. Scoring – putting a score to likelihood and impact and then multiplying for a final risk score before and after C&M’s is particularly helpful to understand which risks need your focus, but also to have meaningful conversations about how effective your actions are/will be.  There is little point creating extra work (you have enough!) with actions that really won’t impact the score. Nb: you may be doing it for other reasons or contexts which is fine, just be clear on why and record it elsewhere.
  5. Sub-sections – these can be lengthy documents.  It may therefore be useful to divide it up into categories – for example, Finance, Governance, People, External, Environmental, Regulatory and so on.  Whatever you need.  If you do this, I highly recommend having a front sheet for ‘Highest Risks’ so that these can be dealt with first.

1-5 done – now what? Now the real work begins because we’ve now entered the danger zone.  Remember the governing document shelf sitting from the first in this series?  The risk register has a nice comfy place alongside it – it will probably be slightly more active, maybe a board outing once a quarter, but it can have a penchant for a nice shelf nap in between.

The bare minimum is the board outing – refreshed and reviewed quarterly for that purpose, this is your ‘Strategic Risk Register’. Arguably it’s up to date and it is looked at regularly in some depth. It is a good tool for conversation, accountability, and challenge and it will probably give you time to spot most strategic challenges and even crises, so that you can prepare.  I’m not knocking it.

But to go back to my original point – we are operating in ever more complex and fast-paced environments and perhaps a more regular outing would be even more useful.  For micro/very small organisations this could simply be a conversation with the Chair of trustees at a regular meeting or 121, for small organisations at management meetings, or for larger organisations at senior leadership meetings more formally.  By example, for us, we run an Operational Risk Register alongside our strategic one, reviewed monthly at exec team meetings, with the ability to escalate to the strategic one if it is something our trustees should have sight of, or could support with. But that won’t be needed for all – it must be proportionate to your organisation and needs.

So there we have it, you have started a risk management process and to go back to where we began, the starting point for dealing with uncertainty.

This blog is the 4th in a 6-part series on challenge and crisis – next time, we’ll focus on how we prepare for the other end of the journey – if crisis hits (sometimes no amount of risk mitigation or planning will actually stop it), Business Continuity Plans are often the first port of call; so watch this space and do get in touch if there are other topics you would like to see.

Hannah