While charities in Singapore run the risk of running short of funding or losing confidential data, more than half - 50.9 per cent - do not have a risk management policy.
A survey done last year of 222 charities and Institutions of a Public Character (IPCs) here has found a "lack of understanding of risk management benefits". There are 2,217 charities and IPCs here.
Only 21.2 per cent of respondents have a formal and regular risk assessment process, it found.
The survey, which was released yesterday, was done jointly by the Charity Council, KPMG Singapore and the National University of Singapore Business School in September last year.
It found that the top risk management challenges charities face are a lack of: experience or expertise risk management (79.3 per cent), human resources to carry out risk management activities (70.3 per cent), and financial resources to implement risk management practices (59 per cent).
Lapses can happen when there is no preventive framework, noted Dr Ho Yew Kee, the principal investigator for the survey.
Dr Ho, an accounting professor, said: "For example, if a charity lost its database because of hacking, future donors will think twice about donating because their details are at risk - names, addresses, IC numbers, even credit card details.
"All the good work of the charity can be washed away because of risk that is not properly managed."
But if the charity was aware of this risk and protected Internet access points or stopped staff from installing software, this hacking risk could be mitigated, he added.
To help charities and IPCs improve their risk management efforts, the three organisations launched a toolkit yesterday. It recommends four steps: identify risks, assess them, look for ways to manage them, and monitor them.
Mr Gerard Ee, chairman of the Charity Council, said: "Charities need to build the capability to identify, understand and manage risks. It is part and parcel of good stewardship, and serves to protect the interest of the beneficiaries, employees and volunteers."
Singapore Children's Society chief executive Alfred Tan said that for the past 10 years, the society has had risk management policies in place, which are reviewed monthly.
"Today, the risk exposure is much more complex than it was 10 years ago... Today, there are a lot of risks in cyber security. This area can disrupt our services immediately, so we've got IT people to look at it quite thoroughly," he said.