Managing risk

What is risk management?

Risk management is the process by which you identify potential risk events or threats to your organisation that might arise as a result of your activities, assess the impact of these events should they occur, the likelihood of them occurring, and the action you might decide to take either to minimise them or to respond to them should they happen.

A risk event is an uncertain event or set of circumstances that, should it occur, will have an effect on desired outcomes. The effect could be positive or negative, and it is usual but not essential that risk assessment focuses on adverse effects.

A hazard is a risk event which has the potential to cause harm to people. This could be a dangerous property of an item or a substance, a condition, a situation or an activity.

Risk is the likelihood that the harm from a risk event is realised and the extent of it. In a risk assessment, risk should reflect both the likelihood that harm will occur and its severity.

You might consider conducting a risk assessment of different aspects of your group’s activities. Some areas you might want to consider could be for example:

  • Events involving the general public – event safety, first aid provision, venue provision · Governance issues – control of your finances and budget planning; succession planning of committee personnel; ability to changes in the external environment
  • Practical concerns – planning rehearsals and administration, IT (eg storage of information, data protection)
  • Child protection – assessing the situations where your organisation comes into contact with children; how you manage those and minimise associated risks; assessing the need to conduct Disclosure and Barring Service (DBS) checks

It is not expected that in identifying the risks you will necessarily be able to remove them, but if you can consider them and take any necessary steps to minimise them it will stand you in good stead if it comes to having to deal with them in reality. It will also help you identify which are the most significant risks in terms of severity and likelihood. Furthermore, should an incident ever occur for which your organisation is held responsible you will be able to demonstrate the steps you have taken to do your best to prevent this happening, which will be an important consideration. The presence of risk is not a reason not to undertake an activity, but it is of course good practice to ensure that overall risk levels are managed and where appropriate reduced to acceptable levels.

When should you do a risk assessment?

There are a number of situations where you might consider conducting a risk assessment. For example, you might decide amongst your committee to prepare an assessment of all the risks associated with running your organisation, as an exercise which you then annually review and update.

You might also prepare one for your events – either as a general tool or for a specific occasion, especially if it incorporates some unfamiliar activities that you might not have considered the implications of before.

If you run any activities involving children or vulnerable adults it is very important that you would conduct a risk assessment of these activities, and review as part of this exercise whether you are adequately implementing your child protection or other policies, and whether you need to conduct DBS checks.

How do you do it?

A risk assessment has 5 steps:

  1. Identify the risk event/hazard
  2. Determine its severity/impact should it occur
  3. Determine the likelihood of it happening
  4. Calculate a relative rating for the risk based on the combination of likelihood and impact
  5. Decide on any actions to take in order to minimise the risk

In calculating the impact and likelihood of a particular hazard, you could either simply indicate a high, medium or low ranking, or you could use a numeric scale eg 1 to 5. The overall rating of risk is then a combination of the two. So if the impact is high and the likelihood low, then a medium ranking might be appropriate. If using a numeric scale, it is normal to multiply one number by the other: so if the impact is 5 (where 5 is a high impact) and likelihood is 4 (where 5 is very likely), the combined factor would be 20 (this is known as a risk process number). You would then need to agree a benchmark rating, for example those with a rating of 12 or more being considered high risk and requiring the most attention.

Example risk assessment

You might wish to consider risk by type of activity, eg Governance issues or Event management.

  Example 1 Example 2
Identified hazard member of the public taken ill at a concert trustees succession planning not effective
Severity medium/high (or 4) high (or 5)
Likelihood of occurrence low (or 1) medium (or 3)
Overall risk medium (or 4) medium/high (or 15)
Actions needed to minimise risk Decision based on: investigation of sourcing a qualified first-aider; enquiry of group members for first aid training and willingness to stand by at concerts for such incidents; investigation re employing St John Ambulance volunteers for events identify possible successors from membership; co-opt individuals onto committee; recruitment campaign for external volunteers who may be non-playing members

Mitigating the risk

Once you have identified and assessed the risk, you need to determine which risks need to be addressed and what action can be taken to mitigate those risks (see example above).

Actions can take 4 basic forms. One reduces the probability of an event occurring, another seeks to detect the event occurring and thereby limit the impact, another reduces the severity of impact should it occur and the fourth seeks to minimise the impact by transferring the cost of the impact elsewhere (insurance).

Once the risk mitigation activity has been undertaken, the risk assessment should be reviewed. If the mitigation has been successful then the risk score will have been reduced.

The risk assessment findings will need to be recorded and a system developed to ensure that the risk assessment is reviewed and, if necessary, revised. As far as possible this should be a practical, working document that assists with day-to-day planning, and becomes integrated into the organisation (this is normally called a risk register).

Other resources

If you are planning an event you might find this free guide useful.

Making Music also has a risk assessment template you can use.


We hope you find this Making Music resource useful. If you have any comments or suggestions about the guidance please contact us. Whilst every effort is made to ensure that the content of this guidance is accurate and up to date, Making Music do not warrant, nor accept any liability or responsibility for the completeness or accuracy of the content, or for any loss which may arise from reliance on the information contained in it.