It is best practice for all PCCs to consider the risks to which they are exposed and to take appropriate steps to minimise them.

Whilst risk management is the responsibility of the PCC it is often easier for a small group to work through the risk management process and then present the results to the PCC for discussion and adoption.

Acknowledging Risk

Firstly you will need to identify, categorise and review (decide what to do about) the risks which affect your church.

Risk can be defined as “the threat that an event or action will adversely affect an organisation’s ability to achieve its objectives or execute its strategies”.

The first stage in managing risks is to identify all the risks the PCC/church could be subject to. At this stage you need to include everything you can think of, however trivial or unlikely.

Risks fall into four broad categories:

  1. Financial – this is usually the largest group
    For example: Budgeted income is not met, a fund-raising event does not produce the income envisaged, investments fall in value, no tenant can be found for the parish house for 3 months, cheques are issued for incorrect amounts, money goes missing from the safe, a building project runs over budget. Another example would be the loss of a major donor.
  2. Reputational – risks that affect how you are perceived in the community
    For example: Adverse reports in the local press, an argument between two senior church members gets into the local paper, the notice board still has Christmas service details up at Easter.
  3. Statutory and legal requirements
    For example: Health and safety issues, employment law, child protection issues, disability access issues.
  4. Operational risks – risks that would stop the church functioning
    For example: Fire damages the church building, theft of a large sum of money, vandalism in the church, illness of the vicar.

Some risks will obviously fall into several categories – e.g. a toddler falling down stairs has health and safety implications but may also damage the church’s reputation.

Once risks have been identified, the next step is to categorise them based on how likely they are to happen and how big the impact would be if they did happen.

For example:

Fire in church – low likelihood/high impact

Window broken by vandals – high likelihood/low impact

Having categorised them, each risk needs to be looked at – start with those which are high impact and high likelihood, then move on to those which are high impact and low likelihood, and so on.

For each risk consider what current systems are in place and whether they are adequate. For each risk you can either:

  • Accept the risk – it may be that the level of risk is acceptable, especially if it is low impact.
  • Avoid the risk – at the other extreme you may decide that the risk is so serious that it has to be avoided altogether.
  • Share the risk – it may be that some activities could be carried out jointly with other churches.
  • Mitigate the risk – this means taking what reasonable steps you can to reduce the risk.

Recording Risk

Having identified risks, categorised them and decided what to do about them, you need to put the details into a register (the Risk Register) as a record of what has been decided. All PCC members need to be aware of the contents of the register. The register should also be reviewed at least annually and, if major risks are identified in the meantime, they will need to be added.

Recognising Risk Management in the Annual Report and Accounts

All PCCs with income or expenditure over £250,000 are required to have a policy with regard to the management of risks. There must be a statement in the Annual Report and Accounts stating that the PCC has considered the major risks it may be subject to and has put in place appropriate systems to mitigate those risks.

In addition to the above information you may want to visit our section on financial controls and look at the Charity Commission’s guidance on risk management (CC26) which can be found here.


Anti Fraud Guidance

This section is designed to help you understand what fraud is, how it can impact your church and what prevention methods you can implement.

It is important to note that this webpage provides a basic scope on the topic and more in-depth information can be found in the reference section at the bottom. It is important to remember that most individuals involved in church are honest and trustworthy; however, like other sectors churches are not immune to fraud. Prevention methods described in this webpage will help you to ensure that your church is a safe place for people to grow together in faith.


Fraud is a criminal deception intended to result in financial or personal gain. It comes in many forms, and anyone can be a target, including a church. According to the Charity Fraud Report 2023, 43% of charities reported a fraud or an attempted fraud in 2022.

Two main categories of fraud include:

  • Internal – committed by employees, trustees, or volunteers within the charity
  • External – committed by individuals not directly involved in the organisation

Financial fraud can have devastating consequences on churches and other religious organisations. In addition to negatively impacting a church’s finances, fraud can damage its reputation and relationships with members and benefactors. This can result in a loss of trust and support for the church, making it difficult to conduct its mission effectively.

Internal fraud prevention

All PCCs in the Church of England are independent charities accountable to the Charity Commission. All PCC members are trustees of the charity which means that they have the duty of overseeing and governing the church and ensuring that finances are managed correctly and in a manner which corresponds to the aims of the charity.

Examples of internal fraud:

  • Unauthorised access to the PCC/GCC bank account, leading to inappropriate payments being made
  • Making overpayments for services or products
  • Making payments to non-existent suppliers or employees

The circumstances which may lead to the fraud include:

  • Overreliance on one person
  • Lack of trustee engagement in finance and controls
  • Absence of internal controls

Those situations create a potential financial risk. Having an organisational culture which values openness and transparency can help to control those risks.

Preventing internal fraud requires a combination of strong internal controls and a culture of integrity. Effective strategies may include:

  1. Establish a Strong Ethical Culture and Encourage Open Communication: Promote a culture of honesty and integrity among all members and foster an environment where individuals feel comfortable discussing ethical concerns and reporting suspicious activities.
  2. Background Checks: Conduct thorough background checks on new hires to ensure they have no history of fraudulent behaviour.
  3. Implement Internal Financial Controls and Segregation of Duties: Use internal financial controls such as access controls, reconciliations, and approval processes to safeguard assets and ensure accurate financial reporting. Divide responsibilities among different people to reduce the risk of fraud. For example, the person who authorises payments should not be the same person who processes them.
  4. Employee, Trustee and Volunteer Training: Provide annual training on fraud awareness and prevention.

Implementing the above measures can significantly reduce the risk of internal fraud and help maintain a trustworthy environment.

External fraud prevention

Unfortunately, churches are often an easy target for external fraud due to a high-trust culture and a lack of resources for high-security systems. Fraudsters may use techniques such as time pressure to push victims into acting without checking. To prevent external fraud, consider the following strategies:

  1. Clear Financial Policies: Establish clear policies for managing money, including the separation of duties between those who oversee income and expenses.
  2. Dual Authorisations: Ensure that no single person can authorise financial transactions. This reduces the risk of unauthorised payments.
  3. IT Security: Implement IT security measures, including up-to-date antivirus software, strong passwords, and two-factor authentication.
  4. Training and Awareness: Educate staff, trustees, and volunteers about common fraud tactics and how to recognise them.
  5. Healthy Scepticism: Encourage a culture of healthy scepticism where unusual requests or transactions are questioned and verified.

By implementing these measures, churches can significantly reduce the risk of external fraud and protect their resources.

Cybercrime

As IT technology becomes more advanced, cybercrime also affects churches. Action Fraud has reported an increase in this type of fraud, which involves the impersonation of a senior figure within an organisation requesting the transfer of funds.

To prevent cyberfraud:

  1. Check email addresses/telephone numbers when making requested transactions.
  2. Do not click on links or open attachments in unexpected/unusual e-mails.
  3. Question details when being asked to transfer money at short notice.
  4. Ensure that confidential documents are always shredded before being thrown away.

How to report fraud

If a charity has fallen victim to any type of fraud, trustees should report it to Action Fraud by calling 0300 123 2040. Charities should also report fraud to the Charity Commission as a serious incident, using the dedicated email address: rsi@charitycommission.gsi.gov.uk

Further Resources