Brad is on the roll of solicitors of England & Wales but does not hold a practising certificate and does not provide legal advice.
Updated June 2026 · England & Wales
Running a charity means holding something precious in trust: not just money and assets, but a mission that other people believe in. That makes risk management more than a box-ticking exercise for trustees. It is the quiet work that keeps a charity standing when things go wrong, whether that is a funding shortfall, a safeguarding incident, a data breach or a reputational knock that spreads faster than the facts.
This guide walks through how charities in England and Wales can approach risk sensibly, what the main categories of risk tend to look like in practice, and how insurance fits into the picture as one tool among several. It is written for trustees, charity managers and volunteers who want a plain-English starting point rather than a compliance headache, and who would rather prevent problems than firefight them.
Overview
Risk management, in a charity context, is the ongoing process by which trustees and senior staff identify what could go wrong, decide how serious each threat is, and put proportionate measures in place to reduce the likelihood or the impact. It is not about eliminating risk entirely, which would make most charitable work impossible, but about taking considered risks with eyes open.
The Charity Commission expects trustees of larger charities to include a risk management statement in their annual report, confirming that the major risks have been reviewed and that systems are in place to manage them. Smaller charities are encouraged to follow the same approach proportionately.
Insurance sits alongside this work as a way of transferring certain financial consequences to an insurer when a risk cannot be avoided or fully controlled. Done well, risk management protects beneficiaries, safeguards trustees from personal exposure, reassures funders, and keeps the charity's reputation intact. Done poorly, or not at all, it tends to surface only when a crisis hits and options have narrowed.
Key steps
1. Map your charity's risks honestly. Start with a structured conversation at trustee level about what could genuinely harm the charity or the people it serves. Cover governance, operations, finances, safeguarding, data, premises, reputation and the external environment. Write everything down, even the uncomfortable items, because unrecorded risks rarely get managed.
2. Assess likelihood and impact. For each risk identified, consider how likely it is to occur and how damaging it would be if it did. A simple scoring matrix works well here, allowing trustees to rank risks and focus attention on those that combine real probability with serious consequences rather than dispersing energy across every possible scenario.
3. Decide how to respond to each risk. For every significant risk, choose whether to avoid the activity altogether, reduce the likelihood through controls, transfer the financial consequences through insurance, or consciously accept the risk because the mission justifies it. Record the reasoning, because that trail matters if something later goes wrong.
4. Put controls and insurance in place. Controls might include staff training, safeguarding policies, financial delegation limits, cyber security measures or reserves targets. Where residual risk remains, review insurance cover such as trustee indemnity, public liability, employer's liability, property, professional indemnity and cyber policies, matching each policy to the risks it is meant to address.
5. Review regularly and learn from incidents. Risk registers lose their value quickly if they sit untouched between audits. Build a rhythm of review, at least annually and whenever something significant changes, and treat near misses and complaints as useful data. Update policies, training and insurance cover as the charity evolves.
Q Do all charities in England and Wales need a formal risk register?
Charities required to have their accounts audited must include a risk management statement in their trustees' annual report, confirming that major risks have been reviewed. Smaller charities are not strictly required to keep a formal register, but the Charity Commission strongly encourages a proportionate approach. In practice, even a simple document that records key risks and how trustees are addressing them demonstrates good governance and protects the board.
Q What insurance does a charity typically need?
It depends on what the charity does, who it works with and what it owns. Common policies include public liability, employer's liability where there are staff, trustee indemnity, property and contents, professional indemnity where advice is given, and increasingly cyber cover. Charities with vehicles, events or overseas work may need specialist cover. A broker familiar with the charity sector can help match cover to actual activities.
Q Are trustees personally liable if something goes wrong?
Trustees who act honestly, reasonably and within their powers are generally well protected, but personal liability can arise in specific circumstances, for example where trustees act outside the charity's objects, authorise unlawful payments or ignore clear duties. Trustee indemnity insurance can cover certain personal liabilities, subject to the policy terms and the requirements of charity law. Getting clarity on this early is sensible.
Q How often should trustees review the risk register?
At a minimum, the board should review the risk register annually as part of the accounts and annual report cycle. In practice, many boards revisit it at every meeting or quarterly, particularly where the charity operates in a changing environment. Any significant event, such as a new contract, a safeguarding concern, a funding change or a data incident, should trigger an immediate review rather than waiting for the next scheduled slot.
Q What is the difference between a risk and a safeguarding concern?
Safeguarding concerns are a specific category of risk relating to the welfare of people the charity works with, particularly children and vulnerable adults. They demand their own policies, training, reporting lines and, in serious cases, referral to the Charity Commission as a serious incident. Treating safeguarding purely as a line on the general risk register tends to underplay it; most charities handle it through dedicated safeguarding governance alongside the wider risk framework.
Q Can insurance replace good risk management?
No. Insurance only responds to certain financial consequences and almost always excludes losses caused by deliberate wrongdoing, known issues that were not disclosed, or failures to follow reasonable procedures. Insurers expect policyholders to take sensible precautions, and claims can be declined where controls were absent. Insurance is best thought of as a backstop for risks that have already been reduced as far as reasonably practicable, not as a substitute for prevention.
Q When does a risk need to be reported to the Charity Commission?
The Commission expects trustees to report serious incidents promptly, including significant loss of funds, safeguarding incidents, data breaches of a serious nature, and events that could damage the charity's reputation or beneficiaries. Guidance on what counts as a serious incident is published on gov.uk and is updated from time to time. If in doubt, trustees should err on the side of reporting and record the decision clearly.
Written & reviewed by
Brad Askew, Solicitor (non-practising)
LegalDocuments.co.uk is not a law firm and does not provide regulated legal advice.
This article is for general information only. It is a tool to help you find your way — not legal advice, and not a substitute for speaking to a qualified adviser about your situation.