Risk Register & Policy Generator
Describe your organization and top risks to get a scored risk register table with controls, actions, and a complete risk management policy.
What Is a Risk Register and Does My Charity Need One?
A risk register is a structured document that identifies the key risks facing your organisation, assesses how likely and serious each risk is, records the controls you already have in place, and sets out the actions needed to manage each risk further. For charities and nonprofits, it is one of the most important governance tools you can have.
In the UK, the Charity Commission's guidance CC26 makes clear that managing risk is a core trustee duty. The Charity SORP requires the Trustees' Annual Report to include a statement on principal risks and how they are managed — and a risk register is the evidence behind that statement. For US nonprofits, IRS Form 990 Part VI asks boards directly about risk oversight, and major funders increasingly expect organisations to demonstrate active risk management as part of due diligence.
Our free AI generator produces two documents at once: a scored risk register table with likelihood, impact, controls, and recommended actions; and a complete risk management policy that can be adopted by your board. Both adapt automatically to UK, US, and global contexts.
Who Needs a Risk Register?
What Is the Difference Between a Risk Register and a Risk Management Policy?
A risk register is the operational document — the live list of specific risks, their scores, controls, and actions. It changes over time as risks emerge, are mitigated, or are retired. A good risk register is a working management tool that gets reviewed at every board meeting, not a document created once and filed away.
A risk management policy is the governance framework — it explains the organisation's approach to risk: what risk appetite means for this organisation, who is responsible for what, how risks are identified and scored, and how the board monitors the register. It is reviewed less frequently (typically every two years) but provides the structure within which the risk register operates.
Most funders and regulators expect both. The Charity Commission, for example, distinguishes between having a risk management process (the policy) and the evidence that it is working (the register). Our tool generates both in a single generation so you have everything you need from the outset.
Frequently Asked Questions
How does the risk scoring matrix work?
Each risk is scored on two dimensions: likelihood (how probable is this risk?) and impact (how serious would it be if it occurred?). Both are scored 1–5, where 1 is minimal and 5 is severe. The risk rating is calculated by multiplying the two scores. Ratings of 1–4 are Low; 5–9 are Medium; 10–16 are High; 17–25 are Critical. This simple matrix allows you to prioritise: High and Critical risks need active management, while Low risks may simply be monitored. Our generator uses this standard matrix and flags which risks need the most immediate attention.
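A worked illustration of the scoring matrix described above, added here as an example and not code from the FundRobin generator. It scores a small register of constructed sample risks with the 1 to 5 likelihood and impact scales, bands the product using the page's thresholds (1 to 4 Low, 5 to 9 Medium, 10 to 16 High, 17 to 25 Critical), and returns the register sorted so the entries needing active management come first. The risk titles, categories, scores and controls are invented for the example; the tie-break on impact is an assumption, not something the page specifies.

```python
"""Score a charity risk register with the 5x5 likelihood-by-impact matrix.

Added example, not FundRobin's code. Sample risks below are constructed.
"""
from dataclasses import dataclass

# (inclusive upper bound, band name), in ascending order.
# Products of two 1-5 scores can only be 1,2,3,4,5,6,8,9,10,12,15,16,20,25,
# so in practice only 20 and 25 fall in the Critical band.
BANDS = (
    (4, "Low"),
    (9, "Medium"),
    (16, "High"),
    (25, "Critical"),
)

ACTIVE_MANAGEMENT_BANDS = {"High", "Critical"}


@dataclass
class Risk:
    title: str
    category: str
    likelihood: int  # 1 = minimal ... 5 = severe
    impact: int      # 1 = minimal ... 5 = severe
    controls: str = ""


def rating(likelihood: int, impact: int) -> int:
    """Return likelihood x impact, rejecting scores outside the 1-5 scale."""
    for value, name in ((likelihood, "likelihood"), (impact, "impact")):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return likelihood * impact


def band(score: int) -> str:
    """Map a rating of 1-25 onto the page's Low/Medium/High/Critical bands."""
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError(f"rating {score} is outside the 1-25 matrix")


def score_register(risks):
    """Score every risk and return dicts ordered highest priority first.

    Ties on rating are broken by impact (an assumption of this example): a
    severe but unlikely event is usually reviewed before a likely minor one.
    """
    scored = [(risk, rating(risk.likelihood, risk.impact)) for risk in risks]
    scored.sort(key=lambda pair: (pair[1], pair[0].impact), reverse=True)
    return [
        {
            "title": risk.title,
            "category": risk.category,
            "likelihood": risk.likelihood,
            "impact": risk.impact,
            "rating": score,
            "band": band(score),
            "needs_active_management": band(score) in ACTIVE_MANAGEMENT_BANDS,
            "controls": risk.controls,
        }
        for risk, score in scored
    ]


def needs_attention(scored_register):
    """Titles of the High and Critical risks, in priority order."""
    return [row["title"] for row in scored_register if row["needs_active_management"]]


# Constructed sample register for the example.
SAMPLE_REGISTER = [
    Risk("Safeguarding incident involving a beneficiary", "Safeguarding", 2, 5,
         "DBS checks, named safeguarding lead, annual training"),
    Risk("Loss of the largest grant at renewal", "Financial", 4, 4,
         "Reserves policy, income diversification plan"),
    Risk("Ransomware locks the case-management system", "Data and IT", 4, 5,
         "Offline backups, MFA on all accounts, patching schedule"),
    Risk("Breach of donor personal data", "Data and IT", 3, 4,
         "Access restricted to finance team, encrypted laptops"),
    Risk("Key volunteer coordinator leaves", "Operational", 3, 2,
         "Documented procedures, deputy identified"),
    Risk("Short website outage", "Operational", 2, 1,
         "Managed hosting provider"),
]


if __name__ == "__main__":
    for row in score_register(SAMPLE_REGISTER):
        flag = "ACTIVE MANAGEMENT" if row["needs_active_management"] else "monitor"
        print(f'{row["rating"]:>2} {row["band"]:<8} {flag:<17} {row["title"]}')
```

Running the script prints the register with the ransomware risk (4 x 5 = 20, Critical) at the top, the three High risks next, and the Medium and Low entries last, which is the prioritisation the matrix is meant to give a board.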
What does risk appetite mean for a charity?
Risk appetite is a statement of how much risk your organisation is willing to accept in pursuit of its mission. A low risk appetite means the organisation prefers certainty and stability and will take significant steps to mitigate most risks. A high risk appetite means the organisation is comfortable with uncertainty and will accept more risk in exchange for greater mission impact. Most small charities have a medium appetite overall — but it varies by category. Almost all charities have a very low appetite for safeguarding risk, for example, while they may have a higher appetite for financial risk when it comes to investing in a new programme. Your risk management policy should spell this out explicitly.
How often should a charity review its risk register?
Best practice is to review the full risk register at every board or trustee meeting — typically quarterly for active charities. High and critical risks should be monitored more frequently: the CEO or equivalent should track them monthly and report progress to the Chair between meetings. The risk management policy itself should be reviewed every two years, or sooner if there has been a significant incident, restructure, or change in the organisation's activities. The Charity Governance Code recommends that boards annually assess the effectiveness of their risk management process, not just review the register itself.
Do funders ask to see a risk register?
Increasingly, yes. Larger grant-makers — particularly statutory funders, national lottery distributors, and institutional foundations — include risk management questions in their due diligence. Some ask specifically for your risk register; others ask whether the board has reviewed risks in the past 12 months. Having a current, well-maintained risk register signals organisational maturity and builds funder confidence. It also supports the risk statement required in UK charity annual reports (Charity SORP), which is itself a public document that informed funders will read before deciding whether to invest.
Ready to find grants that match your mission?
FundRobin's AI matches your organisation to grants automatically — so you can spend less time searching and more time winning.
Find Matching Grants