Risk Management Policy & Risk Register

Risk Management Policy

Adopted on: 1 April 2025
Review Date: April 2030

Purpose

This policy outlines our approach to identifying, assessing, and managing risks that could impact our ability to achieve our objectives as a charity focused on fire safety education, advocacy, and community support.

Scope

Covers strategic, operational, financial, reputational, and compliance risks across all activities, including outreach, training, fundraising, and governance.

Principles

  • Risk management is integral to decision-making and governance.
  • Proportionality: Risk processes will be light-touch but effective.
  • Risk ownership is shared – Trustees and key staff share responsibility for identifying and managing risks.
  • Risk is not always negative — taking well-managed risks may be essential to innovation and impact.

Roles and responsibilities

| Role                           | Responsibility                                              |
|--------------------------------|-------------------------------------------------------------|
| Trustees                       | Oversight, risk appetite, final decisions                   |
| Executive Director             | Coordinates risk activities, reports to Board               |
| Programme Leads / Network Leads| Manage operational/project-level risks                      |
| Communications                 | Manages reputational risk, government/public engagement     |
| Contractors                    | Flag operational and safety concerns, follow protocols      |

Process

  • Risks are recorded in a central risk register.
  • Risks are assessed on a simple Likelihood × Impact matrix: each dimension is scored 1–5 (see Risk Assessment process) and reported in the register as Low/Medium/High.
  • Key risks and controls are reviewed regularly by the trustees or at each major project phase.

Risk Categories

  • Strategic Risks
    • Lack of influence on policy
    • Misalignment with government agendas
    • Failure to represent stakeholders effectively
  • Operational Risks
    • Inadequate fire safety content or training
    • Low-quality stakeholder engagement
    • Event safety failures
  • Reputational Risks
    • Public misperception (e.g., political bias)
    • Failure in advocacy leading to backlash
    • Partner conflicts damaging credibility
  • Compliance & Legal Risks
    • GDPR and safeguarding breaches
    • Non-compliance with lobbying regulations
    • Inaccurate technical claims (liability)
  • Financial Risks
    • Reliance on few funders
    • Insufficient reserves for advocacy or emergencies
  • External Risks
    • Policy changes reducing fire safety standards
    • Political instability disrupting engagement plans
    • Technological failures in data/simulation tools

Risk Assessment process

  1. Identify risks across programmes and functions
  2. Score each risk from 1 to 5 for Likelihood and for Impact; the risk score is Likelihood × Impact
  3. Rank by risk score:
     – Low (1–6)
     – Moderate (8–12)
     – High (15–25)
  4. Assign an owner and develop controls
  5. Monitor regularly and escalate if needed

Reporting and review

  • Regular updates to leadership/ Management Team
  • Regular reviews by trustees
  • Annual workshop to reassess key risks
  • Incident reviews for any major safety, data, or reputational breach

Risk Register ‘Snapshot’

| Risk                                           | Impact | Likelihood | Mitigation/Control                                                                    | Owner                        | Review Date |
|------------------------------------------------|--------|------------|---------------------------------------------------------------------------------------|------------------------------|-------------|
| Loss of key contractors                        | High   | Medium     | Succession plan, appropriate remuneration policy                                      | Chair / Treasurer / Trustees | April 2026  |
| Funding shortfall                              | High   | Medium     | Diversified funding strategy, membership growth strategy, modified reserves policy    | Exec Director / Treasurer    | April 2026  |
| Reputational damage due to misinformation      | Medium | Medium     | Clear comms policy, social media guidelines                                           | Comms Lead                   | April 2026  |
| Failure to comply with charity regulations     | High   | Low        | Annual compliance checklist, trustee training                                         | Chair / Exec Director        | April 2026  |
| Poor data handling (e.g. sign-ups, donations)  | High   | Low        | GDPR-compliant systems, regular reviews                                               | Exec Director                | April 2026  |