By putting in place an appropriate system of risk oversight and internal controls, boards can help increase the likelihood that their organisation will deliver on its purpose.
Risk is another board responsibility, no matter how big or small the NFP. Organisations should establish a sound system of determining risk appetite, oversight, recognition, management, treatment and control.
It is often helpful to think about risk in a strategic and cultural context – getting on top of risk matters will enable the NFP to do the things it needs to do and make it more robust. For many NFPs their ability to achieve their purpose relies upon them showing they have appropriate, effective and current risk management controls, systems and processes in place i.e. they get “accredited” and keep their “license to operate” through appropriate risk oversight.
There may be legal, financial and operational risk compliance obligations linked to NFPs being allowed to operate e.g. for health and/or care providers there are minimum clinical and qualitative standards that must be met and for many NFPs with government funding, robust risk management relating to financial controls are a requirement.
As with all the Principles, approaches to risk will vary according to the purpose, size, structure and personnel running the NFP.
Larger, national NFPs may have acquired or developed a sophisticated risk management program of controls, system and processes with the support of external professional advisors. Tools and methodologies such as Risk Management – Principles and Guidelines – AS/NZS ISO 31000 2009 are also used by larger organisations to help them with this task.
Smaller local NFP boards with few, if any, staff will apply their own experience, judgement and common sense when thinking about and debating risks and mitigation plans for the NFP. The commentary and questions below outline some fundamentals on risk identification and management as a starting point for NFPs.
Whatever the size and purpose of an NFP, directors showing clear leadership on their responsible approach to risk will have a significant and positive impact on promoting
a healthy culture throughout the organisation [see Principle 9].
There is a vast array of risks that NFPs should consider, including but not limited to:
- Staff or employment issues (e.g. wrongful dismissal, harassment)
- Volunteers (e.g. injury to the individuals themselves and/or damage caused to others or property as a result of their inadequate training or screening)
- Physical spaces and equipment (e.g. fire, workplace health and safety issues, theft or misuse, public liability)
- Records (e.g. legal requirements to keep records, confidentiality)
- Cash receipts and payments (e.g. inaccurate records, lack of internal checks and balances)
- Financing (e.g. grant dependent organisations)
It can be helpful to think of risks in broad categories, such as:
- Compliance risks (e.g. failure to lodge statutory information in allowed time)
- Financial risks (e.g. loss of funding, insolvency, expense blow-out)
- Governance risks (e.g. ineffective oversight)
- Operational or program risks (e.g. poor service delivery)
- Environmental, including event risks (e.g. natural disasters and states of emergencies)
- Brand and reputational risks (e.g. due to worsened stakeholder or community perceptions, from major event failure or adverse commentary on performance via traditional and/or digital and social media channels)
- Strategic risks (e.g. stakeholder behaviour change, increased competition for funding)
The number, type and significance of risks vary from organisation to organisation. For example, in the case of an organisation involved with childcare, appropriate screening of staff and volunteers and the health and safety of the environment in which children play are likely to be of importance. For member-based associations, an important risk needing attention might be ensuring confidential information pertaining to members is kept secure.
A conventional approach to risk management (some of which a board may delegate to management, provided there is adequate reporting to and monitoring by the board) would require the board to:
- Identify risks, particularly principal risks, facing the organisation.
- Analyse these risks (What category are they? How likely are they? How material)?
- Establish the organisation’s risk ‘appetite’.
- Prioritise risks (e.g. by ranking).
- Develop a risk register containing information such as likelihood, materiality and prioritisation.
- Develop and implement strategies to manage the risks, as appropriate, including consideration of:
- Risk avoidance (e.g. don’t do the activity that gives rise to the risk).
- Risk transfer (e.g. insurance).
- Risk mitigation (e.g. limits of activity); and/or risk acceptance.
- Monitor identified risks and how these are being handled on a regular basis.
- Ensure identified risks are written into the job descriptions of any relevant staff, clearly setting out responsibility and accountability.
- As part of regular reviews, consider whether there are additional risks that need to be assessed and managed, and whether existing strategies to manage risk need to be modified.
A board’s oversight of risk may benefit from the establishment of a separate committee or be included in an Audit Committee’s responsibilities. If a risk management committee is formed, it should have a clear charter or terms of reference agreed by the board. A common practice would be for the committee chair to report to the full board at the board meeting following each Committee meeting.
Questions for consideration
- Are there appropriate policies and procedures in place to enable effective oversight and management of risks, including but not limited to identification of principal risks (e.g. on-going funding) and effective management of those risks?
- Does the board devote time in its agenda to consider risks?
- Has the board discussed its risk appetite?
- How often does the board conduct a comprehensive risk governance review (including an assessment of effectiveness)?
- Has management designed and implemented systems to give effect to policies and procedures endorsed by the board, and to periodically report to the board on whether, and the extent to which, those risks are effectively being managed?
- Does the board have access to external professional assistance and advice in identifying and developing strategies to manage and mitigate risk?
Download the full Good Governance Principals and Guidelines for Not-for-Profit Organisations as a PDF.