Charity Commission Risk Management: What your Board actually needs to do
Ask most charity trustees what “risk management” means, and you’ll get a lot of uncertain looks. It sounds like something large organisations with dedicated compliance teams worry about — not a board of six volunteers meeting on a Tuesday evening. But Charity Commission risk management is a core trustee responsibility, not an optional extra. And the gap between what the Charity Commission expects and what most smaller charity boards actually do is wider than you might think.
The good news: getting this right doesn’t require a risk specialist. It requires the right structure, the right habits, and a clear understanding of where your board’s attention should actually go.
Strategic Risk vs Operational Risk: Why the distinction matters
This is where most boards go wrong. They confuse operational risk — day-to-day issues like staff absence, IT problems, or a supplier letting you down — with strategic risk, the things that could genuinely threaten your charity’s ability to deliver its mission.
Your board is responsible for strategic risk. That means things like:
- Significant loss of funding or income concentration risk
- Reputational damage that undermines public trust
- Governance failures that attract regulatory scrutiny
- Failure to adapt to changes in the sector or beneficiary needs
Operational risk is for your staff and management team to handle. When boards get pulled into operational detail, they lose sight of the bigger picture — and that’s where serious problems can develop unnoticed.
The Governance360 risk register is built around this distinction. It’s designed to keep your board focused on strategic-level risks, with a clear framework that separates board-level oversight from day-to-day management. If you’re still working from a spreadsheet where everything from a broken boiler to a funding cliff gets equal weight, it’s worth reading our piece on [link: existing article on risk registers
What the Charity Commission Actually Expects
The Charity Commission is clear in CC26 — its guidance on charities and risk management — that trustees must:
- Identify the principal risks facing the charity
- Put systems in place to manage those risks
- Regularly review both the risks and the controls
- Report on the major risks and management systems in the annual report (for charities with income over £250,000)
That last point catches people out. If your income is above the threshold and your trustees’ annual report doesn’t include a risk statement, you’re not meeting basic compliance requirements.
But compliance is really the floor, not the ceiling. A risk register that only exists to satisfy a reporting requirement isn’t protecting your charity — it’s just ticking a box.
Building a Risk Management Framework That Actually Works
Effective Charity Commission risk management follows a straightforward cycle:
- Identify — What could prevent you from delivering your mission?
- Assess — How likely is it, and how serious would the impact be?
- Control — What do you already have in place? What gaps exist?
- Review — Is the risk picture changing? Are controls still working?
- Report — Does the board have visibility? Is it in the annual report?
The Governance360 risk register walks your board through this process in a structured, accessible way. Risks are scored for likelihood and impact, owners are assigned, and the register is stored alongside your other board papers — so it’s always in context, not buried in a spreadsheet nobody can find before a meeting.
Crucially, the platform flags when a risk review is overdue, so it doesn’t quietly fall off the agenda.
Helping your Board understand its Role: The Director Academy
One of the most common risk management problems isn’t a process problem — it’s a knowledge problem. New trustees often have no idea what’s expected of them, and even experienced board members can have significant gaps when it comes to governance fundamentals.
The Governance360 Director Academy includes a risk management basics module designed specifically for this. It’s practical, jargon-free, and covers exactly what trustees need to understand about their responsibilities — without requiring them to read through pages of regulatory guidance on their own. It works equally well as part of a trustee induction or as a refresher for existing board members.
Start managing your Risks properly
If your charity doesn’t have a working risk register, or if yours hasn’t been reviewed in over a year, now is the right time to sort it out. The Charity Commission’s expectations are clear, and the reputational and regulatory consequences of getting it badly wrong can be serious.
Governance360 gives smaller charities the tools to do this properly — without complexity and without cost barriers. Explore the platform and see how the risk register works in practice. And if your board would benefit from structured training, the Director Academy is a straightforward way to bring everyone up to speed.