The Charity Commission’s Charity Sector Risk Assessment 2025 paints a challenging picture: squeezed finances, increasing fraud and cyber threats, governance weaknesses, safeguarding concerns, and a shifting reputational landscape. For finance leaders and finance trustees, it’s a clear signal that your financial and analytical skills are more vital than ever.
Many trustees will admit that risk management is not the most energising part of the agenda. Risk registers can feel like a compliance exercise: lists of things that might go wrong, ranked, colour-coded, reviewed quarterly, and then quietly parked.
The problem isn’t the tool; it’s the mindset. Too often, risk management is treated as paperwork rather than as strategy. Finance professionals, however, are well placed to shift this perception. You already think in probabilities, impacts, and interdependencies. You understand the language of data, controls, and assurance. That is exactly what effective risk governance needs. So how can financially literate trustees and finance leads breathe life into this process?
- Make the link between risk and purpose: start by reframing the conversation: risk management isn’t about avoiding danger; it’s about enabling the charity to deliver its mission sustainably. For example, financial risk is not only about liquidity, but also about the charity’s ability to keep its doors open to beneficiaries. Every risk reviewed should connect directly to why the charity exists.
- Use financial analysis to bring realism into the room: many risk discussions are qualitative, and high / medium / low ratings mean different things to different people. Finance leaders can strengthen this by quantifying the risk: for example, estimating the reduction in reserves if income dropped by 10 percent, or the value of staff time (and staff costs) spent on dealing with a PR crisis. Scenario planning and sensitivity analysis are familiar tools to finance professionals and can transform abstract risks into tangible decisions.
- Make the risk register a living, breathing document: risk management shouldn’t be confined to an annual update; it should be a dynamic conversation. For example, review emerging risks at every board or finance committee meeting and invite managers to share real-world indicators: late grant payments, staff turnover, compliance gaps. Finance leaders can help by integrating risk metrics into management accounts and dashboards.
- Assess and articulate your board’s risk appetite: every charity has a risk appetite, but few boards take the time to define it clearly. Risk appetite should be explicit, evidence-based, and nuanced by risk type. Your board might have low appetite for safeguarding or compliance risks, where a single failure can be devastating, but may tolerate a moderate level of financial risk, for example in piloting new fundraising approaches or investing reserves. And it may have a higher appetite for strategic or innovation risks, where calculated experimentation can drive growth or impact.
- Elevate the conversation: from mitigation to opportunity: a balanced risk culture acknowledges that not all risk is bad. Some risks, such as developing a new income stream, adopting new tech, or forming a partnership, are necessary for innovation. Finance professionals can champion informed risk-taking by encouraging the board to assess not just how to avoid loss, but how to invest wisely in opportunity. This might mean scenario-based investment cases, clear ROI metrics, or structured reviews of new initiatives.
- Address the new reality: fraud and cybercrime: the 2025 Risk Assessment highlights growing exposure to fraud and cybercrime, and new legal duties for larger charities to prevent fraud proactively rather than simply respond to it. Finance leaders should ensure that strong internal controls are in place to protect the charity. This includes segregation of duties and dual authorisation for payments, independent verification (by a known phone number, not by replying to the email) of any request to change a supplier’s or payee’s bank details, regular fraud risk assessments, cyber awareness training across staff and trustees, and clear escalation routes for concerns. Controls that exist only on paper offer little protection, so test them periodically: sample a month’s payments and confirm that each one carries the two approvals the policy requires.
- Build engagement through storytelling and ‘what ifs’: numbers tell part of the story, but human narratives bring risk to life. Use brief case studies to illustrate what happens when controls fail or when risks are managed well. Hearing how a cyber attack affected another organisation brings the threat to life and helps engage staff and volunteers in training that can otherwise seem dry and abstract.
Risk management doesn’t have to be dry, defensive, or bureaucratic. With financial expertise and storytelling, trustees and executive leaders can transform it into a dynamic process that supports resilience and connects to the charity’s mission.