It is best practice for all PCCs to consider the risks to which they are exposed and to take appropriate steps to minimise them.

Whilst risk management is the responsibility of the PCC, it is often easier for a small group to work through the risk management process and then present the results to the PCC for discussion and adoption.

Acknowledging Risk

Firstly, you will need to identify, categorise and review (decide what to do about) the risks which affect your church.

Risk can be defined as “the threat that an event or action will adversely affect an organisation’s ability to achieve its objectives or execute its strategies”.

The first stage in managing risks is to identify all the risks the PCC/church could be subject to. At this stage you need to include everything you can think of, however trivial or unlikely.

Risks fall into four broad categories:

  1. Financial – this is usually the largest group
    For example: Budgeted income is not met, a fundraising event does not produce the income envisaged, investments fall in value, no tenant can be found for the parish house for 3 months, cheques are issued for incorrect amounts, money goes missing from the safe, a building project runs over budget. Another example would be the loss of a major donor.
  2. Reputational – risks that affect how you are perceived in the community
    For example: Adverse reports in the local press, an argument between two senior church members gets into the local paper, the notice board still has Christmas service details up at Easter.
  3. Statutory and legal requirements
    For example: Health and safety issues, employment law, child protection issues, disability access issues.
  4. Operational risks – risks that would stop the church functioning
    For example: Fire damages the church building, theft of a large sum of money, vandalism in the church, illness of the vicar.

Some risks will obviously fall into several categories – e.g. a toddler falling down stairs has health and safety implications but may also damage the church’s reputation.

Once risks have been identified, the next step is to categorise them based on how likely they are to happen and how big the impact would be if they did happen.

For example:

Fire in church – low likelihood/high impact

Window broken by vandals – high likelihood/low impact

Having categorised them, each risk needs to be looked at – start with those which are high impact and high likelihood, then move on to those which are high impact and low likelihood, and so on.

For each risk consider what current systems are in place and whether they are adequate. For each risk you can either:

  • Accept the risk – it may be that the level of risk is acceptable, especially if it is low impact.
  • Avoid the risk – at the other extreme you may decide that the risk is so serious that it has to be avoided altogether.
  • Share the risk – it may be that some activities could be carried out jointly with other churches.
  • Mitigate the risk – this means taking what reasonable steps you can to reduce the risk.

Recording Risk

Having identified risks, categorised them and decided what to do about them, you need to put the details into a register (the Risk Register) as a record of what has been decided. All PCC members need to be aware of the contents of the register. The register should also be reviewed at least annually and, if major risks are identified in the meantime, they will need to be added.

Recognising Risk Management in the Annual Report and Accounts

All PCCs with income or expenditure over £250,000 are required to have a policy with regard to the management of risks. There must be a statement in the Annual Report and Accounts stating that the PCC have considered the major risks they may be subject to and have put in place appropriate systems to mitigate those risks.

In addition to the above information, you may want to visit our section on financial controls and look at the Charity Commission’s guidance on risk management (CC26).