Risk management and Insurance

Home > Help and Guidance > Running your organisation > Risk management and Insurance

Risk Management process

A risk is the chance, great or small, that the organisation will be damaged in some way as a result of a particular hazard. For example, a trailing cable is a tripping hazard, which creates a risk of accident and injury, potentially resulting in litigation and financial costs to your organisation.

Risks can arise from a variety of situations, and health and safety issues such as the example above are a common concern. However you should also be alert to other risks which may arise in the different areas of your organisation’s work. These risks could be financial, operational, regulatory, to do with your governance or an external factor. You should try to think about all of these risk areas when making decisions.

Risk management is sometimes perceived to be a potentially overwhelming process. However, there are simple steps that you can take to work through a risk management process. You should not be put off by a concern that you might not get it 100% right, as any action you take to reduce risk is infinitely better than none at all.

The cycle of risk management

Risk management is a cyclical process with four stages.

Risk identification – identify all the factors, events and situations that could present a risk to the organisation.
Risk analysis – sort, score and rank risks as the basis for making decisions about how to handle them. When you analyse the risk you need to think about the likelihood of it happening and the potential impact.
Risk control – take steps to reduce or avoid the likelihood of a risk occurring and to minimise its impact. You can also think about fall back (contingency) plans for managing bad and worst-case scenarios.
Risk monitoring – monitor and review risks to determine whether the risk control actions under 3 above are effective, and whether their nature and/or likelihood has changed over time.

Controlling risk

When deciding how to deal with a risk you have a number of options, and your action will depend on the circumstances and how much risk your organisation is willing to accept (your ‘risk appetite’). The main options that you have are:

Avoid – not carry out the activity for which risk has been identified.
Prevent – taking action to reduce the likelihood of a loss, for example, installing anti-virus software on ICT equipment. Development of robust internal policies is key to prevention.
Minimise – taking action to reduce the consequences of a loss should it occur, for example installing sprinklers to slow the progress of a fire.
Accept – the organisation might be prepared to accept some risks, for example where the cost of preventative action significantly outweighs the likelihood and potential impact of the risk.
Transfer – liability for the risk is transferred to another body. This might be through contractual arrangements, for example a sub-contractor accepts the risks associated with contract delivery. Alternatively, risks flowing from financial loss are transferred to an external insurance company when you take out insurance. It is the responsibility of the trustees to make sure that the organisation has adequate insurance cover and we look at this in our Insurance section.

Other sources of information

Charity Commission guidance on how to assess risk, including information on how to assess and score risks

NCVO also have information on how to assess risk

Health & Safety Executive risk management

Insurance requirements

Trustees have a responsibility to protect their organisation. Insurance can be an appropriate way to manage risk and protect against any loss, damage or liability arising from the specified risks. Some insurances may be required by law, others are optional and what is required will depend upon the size, complexity and activities that your organisation carries out.

Insurances required by law

Organisations that employ staff are required by law to buy employers’ liability insurance
Organisations that own or operate motor vehicles are required by law to buy motor insurance

Other types of insurance

Examples of types of insurance that might be needed to cover an organisation’s property against loss or damage are:

buildings insurance
contents insurance
event insurance

Examples of types of insurance that might be needed to cover against an organisation’s third party liabilities are:

professional indemnity insurance
public liability insurance

It is also possible to buy insurance that protects the organisation’s Trustees from personally having to pay any claims that are made against them for failing in their duties. This insurance is called trustee indemnity insurance.

Volunteers and insurance

For insurance purposes, voluntary organisations are advised to treat volunteers in the same way as they do their employees and ensure that they are covered by the usual types of insurance an organisation might buy, such as employers’ liability or public liability cover.

You should check any insurance policy to make sure:

that it definitely includes volunteers
how the term ‘volunteer’ is defined for the purposes of that policy
whether any upper or lower age limits apply
that the policy covers the types of activities that the volunteers will be undertaking

Get advice

When thinking about taking out any type of insurance cover, you should carefully consider taking proper independent professional advice. It is usually best to use an insurance broker who has an understanding of the needs of the voluntary sector and who is in a position to place business with any one or more of a range of insurance companies. Organisations can also go directly to a specialist charity insurer. The important point is to use a broker or insurer with specialist knowledge of the insurance requirements of charities and voluntary organisations to ensure that the correct coverage is arranged at a competitive price.

For more information on the things to consider when putting in place insurance have a look at our information sheets:

Insurance

Volunteers and Insurance

Other sources of information

Charity Commission guidance – Charities and insurance

Policies

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
SGPBShowingLimitationPage{hash}	session	The cookie is used for website to display popup content.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wordpress_logged_in_{hash}	session	Remember User session for logged in users and keep you logged in to the site.
Wordpress_sec_{hash}	15 days	The cookie is used for website protection against hackers store account details.
wp-wpml_current_language	session	Saves the language settings.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_1NW060S4FN	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.