
Charity Risk Management Policy and Risk Register
A charity risk management policy sets out how your trustees identify, assess and manage the major risks the charity faces. It explains who is responsible, how often risks are reviewed and how decisions about managing them are recorded.
The Charity Commission, which regulates charities in England and Wales, expects trustees to think systematically about risk rather than reacting to problems as they arise. Sound risk management is part of good governance and supports the standards in the Charity Governance Code.
The headline point is simple. Trustees should identify and assess the major risks their charity faces, decide how to manage each one, and keep a written record, most commonly a risk register, that they review regularly.
Larger charities must go a step further and include a risk management statement in their trustees' annual report, confirming that the major risks have been reviewed and that systems are in place to manage them.
The relevant guidance is the Charity Commission's risk management guidance (CC26), which you can read alongside the wider list of Charity Commission guidance publications.
Why Risk Management Matters
Every charity faces risks, from financial pressures and safeguarding concerns to reputational damage and the loss of key people. Risk management does not mean avoiding all risk. It means understanding which risks are most serious and deciding, as a board, how to handle them.
A documented approach gives trustees confidence that nothing important has been overlooked. It also creates an audit trail that demonstrates good governance to funders, regulators and the public.
Risk management connects to almost every other area of charity compliance. Weak internal financial controls, an unclear reserves position or a gap in safeguarding can all become major risks if they are not identified and managed.
1. Identifying the Major Risks
The first step is to identify the major risks your charity faces. Trustees should look across the whole organisation, not just at finances, and draw on the knowledge of staff and volunteers who see day-to-day operations.
Risks commonly fall into broad areas such as governance, financial, operational, external and compliance. Thinking in categories helps make sure nothing is missed.
- Governance risks, such as conflicts of interest that are not managed or trustees lacking key skills.
- Financial risks, such as over-reliance on a single funder or insufficient reserves.
- Operational risks, such as safeguarding failures, loss of premises or the departure of key staff.
- External risks, such as changes in funding, regulation or public confidence.
- Compliance risks, such as failing to follow charity law or data protection duties.
2. Assessing and Prioritising Risk
Once risks are identified, trustees should assess how serious each one is. The common approach is to weigh the likelihood of a risk occurring against the impact it would have if it did.
A risk that is both likely and high impact demands close attention and a clear plan. A risk that is unlikely and low impact may simply be noted and monitored.
This assessment helps the board focus its time and resources where they matter most. It also makes it clear which risks need to be escalated to a full board discussion rather than handled at staff level.
3. Building and Maintaining the Risk Register
The risk register is the practical record of all this work. It is usually a table that lists each major risk, its likelihood and impact, the action being taken to manage it, and the person responsible.
A useful register also records the residual risk, meaning the level of risk that remains after controls are applied. This shows trustees whether further action is needed or whether the risk is now acceptable.
The register is a living document. Trustees should review it at agreed intervals, update it when circumstances change, and minute their review so there is a clear record of oversight.
4. The Risk Management Statement in the Annual Report
Larger charities must include a risk management statement in their trustees' annual report. This confirms that the major risks the charity faces have been reviewed and that systems or procedures are in place to manage those risks.
The statement does not need to list every risk in detail. It should give an honest account that the board takes risk seriously and reviews it on a regular basis.
Even where a charity is not required to publish a statement, doing so is good practice and reassures funders and supporters that the organisation is well run.
Quick Reference: Risk Management Essentials
| Element | What It Covers |
|---|---|
| Guidance | Charity Commission risk management guidance (CC26) |
| Core duty | Identify and assess major risks and decide how to manage them |
| Main tool | A risk register, reviewed regularly by trustees |
| Assessment basis | Likelihood weighed against impact, with residual risk noted |
| Annual report | Larger charities must include a risk management statement |
| Status | Good governance, supported by the Charity Governance Code |
What Trustees Must Do
- Identify the major risks across governance, finance, operations, external factors and compliance.
- Assess each risk by weighing its likelihood against its potential impact.
- Record every major risk in a risk register, with controls and a named owner.
- Review the register regularly and minute that review at board meetings.
- Include a risk management statement in the annual report where the charity is large enough to require one.
- Act on the risks that are most likely and most damaging rather than leaving them on paper.
Common Mistakes
- Treating the risk register as a one-off document that is written once and never updated.
- Focusing only on financial risk and overlooking safeguarding, governance and reputational risks.
- Listing risks without assigning a named person to manage each one.
- Failing to review and minute the register at board level, leaving no audit trail of oversight.
- Omitting the risk management statement from the annual report where one is required.
- Confusing risk management with risk avoidance and missing opportunities the charity could safely pursue.
How Policy Pros Can Help
We write bespoke charity policies that meet Charity Commission expectations and reflect how your charity actually works. A clear risk management policy, paired with a practical risk register, helps your trustees demonstrate strong governance.
Our charity policies and procedures service covers the full suite of documents trustees are expected to hold. The Commission's guidance on charity reserves (CC19) is a useful companion when assessing financial risk. Risk management sits alongside these related policy areas, and we can prepare or review each one for you.
To see how risk management fits into your wider obligations, read our guide to charity policies and the annual return. You may also want our guidance on internal financial controls and your charity reserves policy, both of which feed directly into a sound risk register. For the wider regulatory picture, see the Charity Governance Code.
Frequently Asked Questions
Does my charity legally need a risk management policy?
Risk management is part of good governance rather than a single legal duty for every charity. The Charity Commission expects trustees to identify and assess the major risks their charity faces and to decide how to manage them, commonly using a risk register. Larger charities must also include a risk management statement in their trustees' annual report.
What is a charity risk register?
A risk register is a written record of the major risks a charity faces. It usually lists each risk, its likelihood and impact, the action being taken to manage it and the person responsible. Trustees should review and update the register regularly so it stays current.
What is a risk management statement in a charity annual report?
It is a short statement confirming that the major risks the charity faces have been reviewed and that systems are in place to manage them. Larger charities must include one in their trustees' annual report. It does not need to list every risk, but it should give an honest account that the board takes risk seriously.
How often should trustees review the charity risk register?
The register should be reviewed at agreed intervals and whenever circumstances change, such as a major funding shift or a new activity. Trustees should minute each review so there is a clear record of oversight. Treating the register as a one-off document is a common mistake.