We are experiencing technical issues with our emergency phone line. In the event of an emergency, please contact 01443 508676.


Risk Register

A handy tool to help Trustee Boards identify and manage risk

Executive Committees are known as Trustee Boards. This came into effect for members in Scotland in July 2023, and all others from April 2023. 'Executive Committee' and associated wording will still be visible on Compass and the website as we move to our new way of volunteering.

To learn more about what we are doing to improve how we volunteer at Scouts, visit the Volunteer Experience webpages.

Identifying, monitoring, and managing risk is a key part of good charity governance and Trustees must develop and maintain a risk register.

A risk is something that may or may not happen. If it does happen, it could affect your Group, District or County/Area/Region (Scotland). An issue is when you’re dealing with something that’s already happened.

For example, you may identify there’s a risk of damage to your Scout meeting place in bad weather. If that happens, you’ll need to consider how urgently repairs are needed, or whether you need to cancel sessions to keep everyone safe. Simply thinking it through is risk management.

A risk register is a tool to help you record your risks and identify what to focus on. It’ll help you to manage risks and make the right decisions. 

Trustees develop and maintain the risk register, and put controls in place. But, they can delegate actions to others. For example, the Trustee Board might decide a building needs maintenance, but they’re not responsible for doing the repairs themselves.

The Risk Register is designed to support Trustee Boards to focus on risks to the charity. It prompts Trustee Boards to follow guidance from charity regulators on key areas of risk. This is distinct from guidance on Risk Assessments required for all Scouts activities and premises. To find out about the Trustees' responsibilities for risk assessments, read the Safety Checklist.

Completing your risk register

Step 1: Identify the risks

Work with other Trustees and Leadership Teams to identify risks. The risks you identify will depend on the size of your Group, District or County.

The risk categories you should consider: external, operational, financial, legal and regulatory, governance, and data protection. Below are some examples to get you started.

External risks

External risks are associated with factors from outside Scouts. Think about the possibility of: 

  • temporarily or permanently losing equipment or buildings due to extreme weather events, vandalism and ending of hire or lease.
  • competition with other similar organisations.
  • collapse of other charities in the organisation.
  • turbulent economic or political environment.
  • complaints from previous members.
  • criminal prosecution of adults or young people (relating or not to their involvement in Scouts).
  • the impact of press (positive and negative), community perception and relationships.
  • changes to government policy.
  • extreme weather events.

Operational risks

Operational risks are associated with running sections and delivering the programme. Think about how the following might affect this: 

  • volunteers’ skills, experience, knowledge, and availability.
  • possibility of volunteers making decisions outside their remit or authority.
  • possibility of injury to members and non-members on Scout premises or while doing a Scout activity.
  • ability to run and attend events safely.
  • ability to use and manage social media appropriately.
  • ability to manage equipment, vehicles, campsite, Scout shops and premises.
  • possibility of having inadequate insurance for people, equipment, buildings, and assets. 
  • anything else that may affect the ability to meet Scouts’ aims and objectives through the programme.

If you have premises, you might’ve already identified risks when completing the Safe Scouting Premises Audit.

Financial risks

Financial risks are associated with managing money, reserves, funding, and investments. Think about the: 

  • cashflow and reliance on income or grants.
  • ability to cover costs of running a building or paying rent.
  • ability to cover unbudgeted or unforeseen costs.
  • ability to manage finances and create reports for accountability.
  • ability to meet financial auditing requirements.
  • ability to comply with funding restrictions or rules.
  • possibility of internal or external fraud/scams, inappropriate or loss-making trading activities, unauthorised spend, and major financial error.
  • possibility of volunteers financially benefiting from the charity.

Legal and Regulatory risks

Legal and Regulatory risks are associated with change or non-compliance with laws, regulations, and the Scouts policies, rules, and processes. Think about the possibility of: 

  • failing to comply with the Scouts Policy, Organisation and Rules, including volunteers not completing mandatory learning and disclosure checks.
  • failing to comply with safeguarding policy.
  • failing to comply with health and safety regulations.
  • failing to follow charity law and employment laws.

Governance risks

Governance risks are associated with managing the charity. Think about the: 

  • Trustees’ skills, experience, knowledge, and availability.
  • Trustee Board’s structure and its ability and capacity to govern the charity.
  • ability to provide Trustees with the appropriate level of information at the right time.
  • possibility of Trustees having a conflict of interest.
  • possibility of the Trustee Board being dominated by one individual or a small group of connected individuals.

Data Protection risks

Data Protection risks are associated with personal or organisational data that could result in loss, damage, misuse, or destruction. Think about the possibility of:

  • failing to comply with data protection regulation.
  • failing to store sensitive personal data securely.
  • paper-based records with sensitive personal data being kept in a variety of locations.
  • not having strong passwords for laptops, phones and other digital devices holding sensitive personal data.
  • sensitive personal data being stored indefinitely, with no defined policies for retention.
  • a personal data breach.

Step 2: Assess the risks

You need to understand the impact and likelihood of the risks you’ve identified. We use a 4x4 grid to help us work out the score of a particular risk. 

Trying to decide on an appropriate score is difficult if you’re making the judgment on your own. It’s always best to review risks and their scores as a team. That way, you have a more balanced, accurate view of each risk. 

Check the definitions for impact and likelihood below to help you.

Impact

  1. Minor: No impact on activities or reputation. Complaint unlikely. Legal action unlikely.
  2. Important: Some activity disruption. Potential for negative publicity - avoidable with careful handling. Complaint probable. Legal action possible.
  3. Significant: Activities disrupted. Negative publicity unavoidable. Complaint probable. Legal action probable.
  4. Major: Activities interrupted for significant time. Major negative publicity unavoidable. Major legal action expected.

Likelihood

  1. Unlikely: Not expected to occur within two years
  2. Possible: May occur within 12 to 24 months
  3. Likely: Could occur within 12 months
  4. Highly likely: Expected to occur within 12 months


Once you have scored the likelihood and impact in the template, the overall risk score is worked out automatically by multiplying impact by likelihood, and adding the impact score again.

Risk score = (impact score x likelihood score) + impact score

To find out more about assessing risks, go to the top tips page from NCVO.

Step 3: Control the risk

To begin with, think about what the score would be before you do anything about the risk. This is your pre-control score.

Then, think about all the different things that help you to manage that risk, by either reducing its impact or the likelihood of it happening. These are your controls.

Once you’ve recorded all the controls you have in place, think about how much that’s reduced the score you started with. This is your post-control score. Think of this as the 'real' level of risk.

Are there any other things you can do (perhaps longer-term plans) to reduce the impact or likelihood even further? Please write these up in your ‘Further planned actions’ column.

Step 4: Monitor the risk

Make sure every risk has a named 'owner' and named people who are 'responsible' for any necessary actions. Remember, tasks can be delegated to people outside the Trustee Board. It's important they provide regular updates on these actions, so you know if the risk is being managed correctly.  

Here are a few ways you can monitor risks:  

  • Ask for reports and updates on actions
  • Review risks at Board meetings
  • Review risk assessments