
A Risk Register for the Modern Charity

5 min read · Published 25/10/2025 · Updated 21/05/2026

A working risk register that fits on two pages and actually changes decisions - the practical fields, the maintenance rhythm, and the traps that turn most registers into shelf-ware.

Most charity risk registers are too long, too generic, and too untouched. They were built once, in a workshop, and now live in a folder that nobody opens between annual reviews. That is not risk management. That is filing.

A working risk register is something else: short enough to read in five minutes, specific enough to drive a decision, and updated often enough to be honest. The pattern below is what I use with charities of every size, with light adaptations for scale.

What a working register looks like

Two pages, twelve to twenty active risks, four columns: risk, current rating, owner, mitigation. A movement indicator (up / down / flat). A note column for anything that has materially changed in the last quarter.

That is it. Anything more elaborate - heat maps, multi-dimensional scoring, weighted impact frameworks - is for the audit committee, not the full board. The full board needs a register it can read across a meeting room.

The four fields that matter

1. Risk (one sentence)

A specific, recognisable description of the risk. Not "financial risk" - too generic. "Loss of our largest single funder, currently 38% of unrestricted income, end of contract Q3 2027." That is a risk. The reader can see it, weigh it, and act on it.

Generic risks are a sign that the register has not been thought through. Every risk on the register should pass the "would a stranger know what we mean?" test.

2. Current rating (impact × likelihood)

Two simple scales: impact (1–4) and likelihood (1–4), multiplied to give a score from 1 to 16. Map the score to traffic-light tiers:

  • 1–4: green - monitored, low priority for active management.
  • 5–9: amber - actively managed, mitigation in train.
  • 10–16: red - board-level attention, urgent action required.

Resist the urge to use 1–5 scales (introduces a "neutral" middle that is unhelpful) or weighted impact across multiple dimensions (over-engineered for the questions a board needs to answer). A 1–4 × 1–4 grid is the smallest credible model.

3. Owner (one named person)

A single senior staff member, by name. They are responsible for the assessment, the mitigation actions, and the next-quarter update. The chief executive can own a few; everyone else owns one or two. No risk should be unowned, and no risk should be owned by "the team" or "the trustees."

The discipline of named ownership is what turns the register from a document into a working artefact. It is also what surfaces the risks no-one is willing to own - which are usually the ones that need owners most.

4. Mitigation (current and planned)

Two short statements: what is currently in place, and what the next mitigation step is. Both specific, both with a date if possible. "We are diversifying funders" is not a mitigation; "we have applied for two new funders this quarter, decisions expected by April" is.

The mitigation column is what turns the register into a plan. Without it, the register is just a list of worries.

The categories - what should always be on the register

Six categories every charity register should cover, with at least one risk per category:

  • Financial: funder concentration, cash runway, restricted-fund overuse, fraud.
  • Governance: trustee recruitment, succession, conflict-of-interest management.
  • Safeguarding and beneficiary: duty of care failures, complaints handling, service quality.
  • People: key-person dependency, burnout, recruitment, employment law.
  • Operational and digital: systems failure, data breach, cyber attack, supplier dependency.
  • Reputational and external: media risk, sector reputation, regulatory change, political environment.

A register missing any of these categories is not a complete register. It is a partial view. The blind spot is usually where the next surprise comes from.

The maintenance rhythm

Quarterly: senior team review

Once a quarter, the senior team meets specifically on the register. 90 minutes. Each owner walks through their risks: still rated correctly, mitigation progressing, anything new. Updates go in. Movement indicators are set.

Twice a year: chair conversation

The chair sits with the chief executive and the safeguarding lead, mid-quarter, between board meetings. 60 minutes. Specific focus: anything you would not say in a board meeting? Any rating you are uncomfortable with? This is where the honest conversations happen.

Annually: full board deep dive

Once a year, the full board spends a session on the register. Each red risk gets 10–15 minutes; each amber risk gets a five-minute summary. Greens are noted. Categories are reviewed for completeness. New risks are added; closed ones are archived.

Three traps that turn registers into shelf-ware

Trap 1: Long lists, low specificity

A 50-risk register where each risk is one generic sentence is worse than a 12-risk register where each risk is concrete. The cost of a generic register is real: trustees stop reading it because they can't tell which ones matter.

Trap 2: Mitigation without dates

"We are working on this" is not a mitigation; it is an aspiration. Every mitigation gets a date. If the date slips, the register notes the slip and the new date. Without dates, mitigations age silently.

Trap 3: Treating the register as a compliance artefact

Some charities treat the register as a Charity Commission box-ticking exercise - produce, file, forget. That mindset is what makes registers useless. Treat it instead as a working document used by the senior team to allocate time and budget.

A short worked example

Risk: Loss of largest single funder. Current rating: impact 4, likelihood 3, score 12 (red). Owner: Chief Executive. Mitigation: contract renewal under negotiation; backup plan to seek replacement funding from sector-wide scheme; restricted-fund balances mapped for 6-month bridging if needed; updated April board.

That entry, by itself, is more useful than 30 generic-risk entries. It tells you what to worry about, who is on it, and what they are doing.

A risk register that fits in your eye line is a register you will use. A register that needs scrolling is a register that gets reviewed once a year, badly.

A 30-day rollout

  1. Week 1: Run a 90-minute senior team session. List every category and the top risks in each.
  2. Week 2: Assign owners. Have each owner write the rating and current mitigation.
  3. Week 3: Review and prune. Get to 12–20 active risks. Anything else goes to a watchlist appendix.
  4. Week 4: Present to the chair, then to the next board meeting. Lock in the quarterly rhythm.

Thirty days. Two pages. One conversation each quarter. That is the difference between governance theatre and governance that earns its place at the table.

Further reading

  • Safeguarding for Small Charities, Without the Binder
  • Volunteer Governance Done Right
  • The Board Pack Template That Actually Gets Read

Frequently asked questions

How many risks should be on the register?

12–20 for the active register. More than that and you have stopped triaging. The longer list lives in an appendix; the active register is the small list trustees discuss.

How often should it be updated?

Quarterly, by the senior team. Then annually deep-reviewed by the full trustee board. Material changes between cycles are flagged immediately by the named owner.

Who owns each risk?

A single named senior staff member. Risk-by-committee fails. The owner is responsible for the assessment, the mitigation actions, and the next-quarter update.
