Risk Management Legal Framework for Charities Explained | LegalDocuments.co.uk

Updated June 2026 · England & Wales
Running a charity means carrying responsibility for money, people, reputation and mission, and trustees are expected to take those responsibilities seriously. Risk management sits at the heart of that expectation. It is the discipline of spotting what could go wrong, working out how serious it might be, and deciding what to do about it before problems materialise. For charities in England and Wales, this is not simply good practice; it is woven into trustee duties, Charity Commission expectations and the wider governance standards that funders, regulators and the public now take for granted. This guide walks through the legal backbone of charity risk management: where the duties come from, what trustees are expected to do in practice, how governance codes fit in, and the steps a board can take to build a proportionate framework that actually works for the size and shape of its charity.

Overview

The legal framework for risk management in charities is the set of statutory duties, regulatory guidance and governance expectations that require trustees to identify, assess and manage the risks facing their organisation. It is not contained in a single statute.

Instead, it sits across the Charities Act 2011, trustees' fiduciary and common law duties, the Charity Commission's published guidance (including CC3 and CC26), the Statement of Recommended Practice (Charities SORP) for financial reporting, and the Charity Governance Code as a voluntary but widely adopted standard. Larger charities preparing accruals accounts are expected to include a statement in their trustees' annual report describing the principal risks and how these are being managed.

Smaller charities are held to a proportionate version of the same expectation. Taken together, these elements create a framework that treats risk management as an ongoing trustee responsibility rather than a one-off paperwork exercise, something that feeds into strategy, reserves policy, safeguarding, financial controls and decision-making at board level.

Key steps

  1. Map the risks that actually matter to your charity. Start with an honest conversation at board level about what could stop the charity delivering its purposes. Cover strategic, operational, financial, safeguarding, reputational, compliance and external risks. A risk register that reflects your real activities is far more useful than a generic template copied from another organisation.
  2. Assess likelihood and impact proportionately. For each risk, trustees should form a view on how likely it is to happen and how damaging it would be if it did. A simple scoring approach often works well for smaller charities, while larger organisations may need more detailed analysis. The aim is to prioritise attention, not to produce a spreadsheet for its own sake.
  3. Decide how each risk will be treated. Trustees typically choose between tolerating, treating, transferring or terminating a risk. That might mean tightening financial controls, buying insurance, strengthening safeguarding policies, changing suppliers, or stepping away from an activity altogether. The rationale for each decision should be recorded so the board can show it has thought the issue through.
  4. Embed risk management into governance and reporting. Risk should be a standing item at board meetings, linked to strategy, reserves and operational plans. Where the charity is required to prepare a risk statement in its trustees' annual report, that statement should genuinely reflect the board's discussions rather than being drafted as an afterthought at year-end.
  5. Review regularly and update when circumstances change. Risks shift as the charity grows, funding changes, new activities launch or the external environment moves. Trustees should schedule formal reviews at least annually, and revisit the register whenever something significant happens: a major grant, a new service, a safeguarding concern, or a change in the law.

Common questions

Q: Are charity trustees legally required to manage risk?
Trustees have a general legal duty to act in the charity's best interests, protect its assets and exercise reasonable care and skill. The Charity Commission treats risk management as part of that duty. Larger charities that prepare accruals accounts must also include a risk statement in their trustees' annual report. Smaller charities are expected to take a proportionate approach rather than ignore risk entirely.

Q: What is the Charity Commission's role in risk management?
The Charity Commission is the regulator for charities in England and Wales. It publishes guidance setting out what it expects from trustees, including on internal financial controls, safeguarding and serious incident reporting. It does not prescribe a single risk management method, but it expects trustees to have identified the principal risks facing the charity and to be actively managing them in a way that suits the charity's size and activities.

Q: Do small charities need a formal risk register?
There is no fixed legal requirement for every charity to keep a detailed risk register, but trustees of any size of charity should be able to demonstrate they have thought about the main risks. For very small charities this might be a short written summary discussed at board meetings. As the charity grows or takes on more complex activities, a more structured register usually becomes sensible.

Q: How does the Charity Governance Code fit in?
The Charity Governance Code is a voluntary code setting out principles of good governance, including a principle on decision-making, risk and control. It is widely used by boards, funders and auditors as a benchmark. Adopting the Code is not a legal obligation, but many charities find it a practical way to show stakeholders that risk management is being handled seriously and proportionately.

Q: What happens if trustees fail to manage risk properly?
Poor risk management can expose a charity to financial loss, safeguarding failures, reputational damage or regulatory intervention. In serious cases, the Charity Commission can open an inquiry, issue formal directions or disqualify individuals from trusteeship. Trustees may also face personal liability in limited circumstances, particularly where losses result from a clear breach of duty rather than an honest mistake of judgement.

Q: When should a charity report a risk event to the Charity Commission?
The Commission expects trustees to file a serious incident report where something significant has happened, for example safeguarding incidents, major financial loss, fraud, or a significant data breach. The threshold is based on actual or potential harm, not just the size of the charity. Guidance on what to report and how is published on gov.uk and should be reviewed before making a submission.

Sources

This guide is based on primary UK law and official guidance.

Written & reviewed by Brad Askew, Solicitor (non-practising)

Brad is on the roll of solicitors of England & Wales but does not hold a practising certificate and does not provide legal advice. LegalDocuments.co.uk is not a law firm and does not provide regulated legal advice.

Legal disclaimer
This article is for general information only. It is a tool to help you find your way — not legal advice, and not a substitute for speaking to a qualified adviser about your situation.