Authors

bernieeccles CrisTiberian MelBelle chrism

This how-to guide was created by bernieeccles. This guide has also been edited by CrisTiberian, MelBelle and chrism.

How to complete a risk assessment

Things you'll need

  • In-depth knowledge about your organisation

Following the latest government cuts, many non profits risk losing funding, staff or services. Understanding such risks and how best to mitigate them can be key to your organisation’s survival.

1 Identifying the risks

A good way to identify the risks associated with the management and operational processes for the organisation or project is to hold a brainstorming session. The aim should be to identify risks, without going on to debate or assess them at this stage.

A typical local voluntary organisation should think about potential risks within each of the following areas:

  • trustees
  • organisation
  • funding 
  • paid staff 
  • volunteer staff 
  • health and safety
  • client service levels
  • IT 
  • premises 
  • finance.

2 Assessing the risks

2.1 Rating criteria

Risk assessment involves rating each risk against the two dimensions below.

Probability

The ‘probability’ aspect of risk assessment involves deciding how likely it is that the risk will occur. Each risk should fall into one of three categories:

  • high probability: the risk might occur once every one to two years
  • medium probability: the risk might occur once every three to five years
  • low probability: the risk might occur less frequently than once in five years.

Impact

The ‘impact’ aspect of risk assessment involves considering what the potential impact of the risk would be on the organisation, client or project. Each risk should fall into one of three categories:

  • high impact: the organisation might be forced to terminate activities as a result of a catastrophic failure or occurrence defined by the risk
  • medium impact: the organisation would continue, but the risk would have significantly affected its performance, timescales or costs
  • low impact: the impact would be small and easily managed at a relatively routine level within the organisation.

2.2 Types of risks

Critical risks

  • major risks with high probability and high impact
  • require explicit management to keep them under control
  • e.g. late payment of a grant that causes the charity to become insolvent.

Difficult/insurance risks

  • risks which are unlikely to occur but which would have severe consequences if they did occur
  • difficult to manage
  • e.g. a catastrophic power failure in the organisation’s operational headquarters, causing all computers and systems to fail.

Routine risks

  • commonly occurring risks which have only a minor impact on the organisation
  • action to mitigate the risk should be built into a routine process
  • e.g. minor human errors in delivery processes or procedures.

Low importance risks

  • risks which have both low likelihood and low impact
  • responsibility for these risks might be delegated to lower levels in the organisation
  • these risks may be monitored to see if they develop into more important risks.

3 Mitigating the risks

Risk mitigation actions might include:

  • define actions which would eliminate the risk or reduce it to an acceptable level. For example, in the event of a late grant or contract payment, the organisation could seek to generate or borrow a contingency fund of one to three months’ revenue.
  • insure against unlikely but high impact risks. For example, to mitigate a power failure, the organisation could pay for a back-up computer server housed offsite, with systems and processes automatically transferred to the back-up server.
  • redefine or redesign the activity generating the risk to be lower risk. For example, to reduce routine human errors, manual activities could be transferred to computer-based processes with operator prompts and support.
  • monitor the risk to see if it develops into a higher category risk. For example, monitoring the reliability of key office equipment to ensure that items can be replaced cost-effectively and in good time.

Once you have defined the actions for each risk, you will need to estimate the resources, workload and costs for each action. You can then assess the resources and costs against the risks to decide whether they are sensible and in proportion.

4 Deciding on contingencies

There are four aspects to consider when assessing contingency:

  • performance
  • funding
  • timescale 
  • cost.

Performance

This is the standard of client performance or service that has been promised to a grant provider or advertised externally. In general, an organisation will promise around five to ten per cent less than the standard they believe they can achieve on a routine basis.

Funding

This area of contingency covers the amount and timing of the funds or income that needs to be raised. Most organisations would not want to assume that the funding they have been promised will come into the organisation in full and on time, so will try to commit resources only when the funding is assured. Some organisations align core funding areas with more certain sources of income and other services or resources with smaller, less certain funding sources. It can also be sensible to hold an appropriate level of funding in reserve.

Timescale

This contingency relates to the completion date of a project or the date at which a certain level of performance is achieved. The typical contingency is to quote a later completion date than is necessary, to allow for things that might go wrong.

Cost

Project costs or ongoing operational costs, including inflation, should be a major area of contingency. The management team might decide to forecast a somewhat higher cost than they believe they can achieve, to allow for additional costs and resources that would be required if things go wrong or the project runs for longer than planned.

Comments (1)

Voluntarius wrote on Aug 30, 2011 09:37 PM

I am interested to know if there is a free or inexpensive tool available that can show a summary of data from a risk assessment matrix in the form of a 'heat map' diagram/chart with Probability and Impact axes? (Preferably with the ability to filter different categories of risk).

If not, I will just have to create one myself!
