Church ‘Business’ Risk Assessments

Church ‘Business’ Risk Assessments

Most people in church leadership are familiar with the idea of risk assessments in relation to health and safety, but it is also important to be aware of other risks to the church as an organisation, and to address them. It is an easy issue to ignore but think - are the building deeds safe and clear? What would happen if a computer virus destroyed the Pastor’ files? Or there was an accusation of fraud? In these situations, the leadership of the church could be negligent if it had not considered the risks and put measures in place.
How do business risk assessments work?
Most risks assessments comprise a table with several columns. For each risk area, eg IT systems failure, there needs to be an estimate of the likelihood of something happening and the impact of something happening. Both assume there are no special preventative measures already in place and are normally scored on a scale of 1 to 5. Multiplying likelihood by impact gives the gross risk on a scale of 1 to 25. The main ‘problem areas’ can then be identified and control measures put in place to lower the risk. These measures can be physical or managerial. Responsibility for some risks, such as fire extinguisher servicing, can be assigned to an individual, whereas others such as safeguarding good practice, require wider vigilance and should be the responsibility of the whole membership. A resulting risk level is then estimated.
When putting together a risk assessment it is useful to bear in mind the following points.

  • It is not possible to eliminate all risks but it is possible to recognise them and manage them.
  • To be manageable the assessment should be ‘high level’ and refer to other policies rather than attempting to address every risk in detail.
  • A risk assessment is best undertaken by a small number of people to allows different perspectives to be voiced.
  • The risk and its impact should be seen from the perspective of the church. As tragic as an injury is to an individual, the assessment should concentrate on the impacts on the church in terms of financial claims, loss of reputation etc.
  • Where control measures will be expensive or difficult to implement it may be possible to manage the risk in another way. For example, if a rarely used church balcony has a low parapet it may be better to close it off (and enforce this) rather than pay for additional balustrading.

Areas of risk
It is best to group risks into categories to make them more manageable. It is up to the church to determine what these may be but typical categories for a church may be:

  • Leadership
  • Staff/Volunteers
  • Children and Youth
  • Buildings
  • Finance
  • Legislation compliance
  • IT & data protection

Clearly some of these categories overlap but they will provide a useful framework.
Frequency of review
Although the risk assessment should have an annual review it should also be treated as a living document and used to inform decision making as situations change. For example, following the recent IT problems caused by ransomware it would be appropriate to review the IT and data section.
It is possible for a church to develop its own risk assessment but Rural Ministries has developed an outline template which churches can develop to suit their own needs and situation.  This can be downloaded here.

Nick Jones