Risk Register
A handy tool to help Trustee Boards identify and manage risk
Quick links
To watch in full screen, double click the video
Identifying, monitoring, and managing risk is a key part of good charity governance, and Scouts Trustees must develop and maintain a risk register.
But what is a risk register? And how is it different to a risk assessment?
A risk register is a tool to help organisations identify, assess, and manage risks that could affect their operations.
Think of it as a list that keeps track of potential risks and what the organisation can do to manage them.
Risk registers typically record:
- What the risk is
- The impact of the risk
- How likely it is to happen
- What actions are in place to manage the risk
- Who is responsible for monitoring them
Maintaining a risk register is strongly recommended by charity regulators.
It helps your Trustee Board to keep track of all the risks in one central place, so the charity can be organised and prepared.
Let’s take a look at what are the main elements of a risk register, and how it’s different to a risk assessment.
Risk registers focus on the overall risk for your charity as a whole, for example financial, legal and governance risks.
The Trustee Board is responsible for creating and updating it throughout the year.
The Trustee Board uses the risk register to check what’s in place to manage these risks and make decisions on what they need to do about them.
Risk assessments focus on the risks of a particular activity or event.
Usually, it’s the Section Teams who are responsible for writing them in preparation for the activity or event.
Lead Volunteers use the risk assessment to check that our volunteers are running that specific activity or event in the safest way possible.
The risks you need to record on your risk register will vary depending on your own circumstances, like the size and assets of your patch.
For example, a Scout Group based on a village hall have different risks to consider compared to a District that owns a campsite and lots of equipment.
Having your risk register at your Trustee Board meetings is very handy. You can include a risk management discussion point and use the risk register to:
- Ask for updates on risks with a high severity rating
- Check if any risks have changed since your last meeting
- Identify if any new risks need the Board’s attention
Keeping the risk register up to date help Trustees make the right decisions to keep everything well managed and safe.
You’ll find a risk register template with examples and more information on the different types of risk on the risk register webpage at scouts.org.uk
And if you’d like to know more about (or refresh your memory on) how Trustees manage risk, check Being a Trustee in Scouts learning.
Thanks for watching!
Risk register template
The risk register template helps Trustee Boards identify, monitor and manage risks. You'll find examples of risks and how to control them.
Download risk register templateTrustee Boards and risk management
Trustee Boards are responsible for creating a risk register and updating throughout the year. They're also responsible for putting the right risk mitigations in place, but they can delegate actions to others.
For example, the Trustee Board might decide a building needs maintenance, but they’re not responsible for doing the repairs themselves.
The Trustees' task is to identify and manage the risks, defining actions to reduce them to a level the charity is comfortable with.
Completing your risk register
Step 1: Identify the risks
Work with other Trustees and Leadership Teams to identify risks. The risks you identify will depend on the size of your Group, District or County.
A risk is something that may or may not happen. It could be anything that has a potential affect to the operations of your patch.
The risk categories you should consider: external, operational, financial, legal and regulatory, governance, and data protection. Below are some examples to get you started.
External risks
External risks are associated with factors from outside Scouts. Think about the possibility of:
- temporarily or permanently losing equipment or buildings due to extreme weather events, vandalism and ending of hire or lease.
- competition with other similar organisations.
- collapse of other charities in the organisation.
- turbulent economic or political environment.
- complaints from previous members.
- criminal prosecution of adults or young people (relating or not to their involvement in Scouts).
- an impact of (positive and negative) press, community perception and relationships.
- changes to government policy.
- extreme weather events.
Operational risks
Operational risks are associated with running sections and delivering the programme. Think about how the following might affect this:
- volunteers’ skills, experience, knowledge, and availability.
- possibility of volunteers making decisions outside their remit or authority.
- possibility of injury to members and non-members on Scout premises or while doing a Scout activity.
- ability to run and attend events safely.
- ability to use and manage social media appropriately.
- ability to manage equipment, vehicles, campsite, Scout shops and premises.
- possibility of having inadequate insurance for people, equipment, buildings, and assets.
- anything else that may affect the ability to meet Scouts’ aims and objectives through the programme.
If you have premises, you might’ve already identified risks when completing the Safe Scouting Premises Audit.
Financial risks
Financial risks are associated with managing money, reserves, funding, and investments. Think about the:
- cashflow and reliance on income or grants.
- ability to cover costs of running a building or paying rent.
- ability to cover unbudgeted or unforeseen costs.
- ability to manage finances and create reports for accountability.
- ability to meet financial auditing requirements.
- ability to comply with funding restrictions or rules.
- possibility of internal or external fraud/scams, inappropriate or loss-making trading activities, unauthorised spend, and major financial error.
- possibility of volunteers financially benefiting from the charity.
Legal and Regulatory risks
Legal and Regulatory risks are associated with change or non-compliance with laws, regulations, and the Scouts policies, rules, and processes. Think about the possibility of:
- failing to comply with the Scouts Policy, Organisation and Rules, including volunteers not completing mandatory learning criminal records checks.
- failing to comply with safeguarding policy.
- failing to comply with health and safety regulations.
- failing to follow charity law and employment laws.
Governance risks
Governance risks are associated with managing the charity. Think about the:
- Trustees’ skills, experience, knowledge, and availability.
- Trustee Board’s structure and its ability and capacity to govern the charity.
- ability to provide Trustees with the appropriate level of information at the right time.
- possibility of Trustees having conflict of interest.
- possibility of the Trustee Board being dominated by one individual or a small group of connected individuals.
Data Protection risks
Data Protection risks are associated with personal or organisational data that could result in loss, damage, misuse, or destruction. Think about the possibility of:
- failing to comply with data protection regulation.
- failing to store sensitive personal data securely.
- paper-based records with sensitive personal data being kept in a variety of locations.
- not having strong passwords for laptops, phones and other digital devices holding sensitive personal data.
- sensitive personal data being stored indefinitely, with no defined policies for retention.
- a personal data breach.
Step 2: Assess the risks
You need to understand the impact and likelihood of the risks you’ve identified. We use a 4x4 grid to help us work out the score of a particular risk.
Trying to decide on an appropriate score is difficult if you’re making the judgment on your own. It’s always best to review risks and their scores as a team. That way, you have a more balanced, accurate view of each risk.
Check the definitions for impact and likelihood below to help you.
- Minor: No impact on activities or reputation. Complaint unlikely. Legal action unlikely.
- Important: Some activity disruption. Potential for negative publicity - avoidable with careful handling. Complaint probable. Legal action possible.
- Significant: Activities disrupted. Negative publicity unavoidable. Complaint probable. Legal action probable.
- Major: Activities interrupted for significant time. Major negative publicity unavoidable. Major legal action expected.
- Unlikely: Not expected to occur within two years
- Possible: May occur within 12 to 24 months
- Likely: Could occur within 12 months
- Highly likely: Expected to occur within 12 months
Once you have scored the likelihood and impact in the template, the overall risk score is worked out automatically by multiplying impact by likelihood, and adding the impact score again.
Risk score = (impact score x likelihood score) + impact score
To find out more about assessing risks, go to the top tips page from NCVO.
Step 3: Control the risk
To begin with, think about what the score would be before you do anything about the risk. This is your pre-control score.
Then, think about all the different things that help you to manage that risk, by either reducing its impact or the likelihood of it happening. These are your controls.
Once you’ve recorded all the controls you have in place, think about how much that’s reduced the score you started with. This is your post-control score. Think of this as the 'real' level of risk.
Are there any other things you can do (perhaps longer-term plans) to reduce the impact or likelihood even further? Please write these up in your ‘Further planned actions’ column.
Step 4: Monitor the risk
Make sure every risk has a named 'owner' and named people who are 'responsible' for any necessary actions. Remember, tasks can be delegated to people outside the Trustee Board. It's important they provide regular updates on these actions, so you know if the risk is being managed correctly.
Here are a few ways you can monitor risks:
- Ask for reports and updates on actions
- Review risks at Board meetings
- Review risk assessments