Introduction
Maintaining strong governance is crucial for any Australian charity or not-for-profit organisation. A key component of this is proactive risk management, a practice the Australian Charities and Not-for-profits Commission (ACNC) emphasises to ensure registered charities meet their compliance obligations and maintain public trust.
The cornerstone of an effective risk management framework is a comprehensive risk register. This guide explains what a risk register is and why it is essential for meeting the ACNC Governance Standards, offering a step-by-step approach to building a tool that protects your organisation from financial, operational, and reputational harm.
Understanding the Australian Charities and Not-for-profits Commission Risk Register for Your Charity
What Is a Risk Register?
A risk register is a formal record used to document the risks an organisation has identified and the strategies for managing them. It serves as a fundamental tool in risk management, providing a systematic and coherent way to log important information generated throughout the risk management process.
For not-for-profit organisations, this register functions as a central document for tracking potential threats and opportunities. Creating a simple risk register is accessible for charities of any size, as you can use common software like:
- Microsoft Word
- Microsoft Excel
The primary purpose of a risk register is to ensure all identified risks are documented and can be monitored effectively.
The Role of a Risk Register in Good Governance
A risk register is a critical component of good governance for any charity, demonstrating a commitment to proactively managing potential issues. Its use is integral to meeting compliance, statutory, and organisational requirements set by regulators like the ACNC.
By maintaining a comprehensive register, a charity can show it is taking reasonable steps to protect its assets and ensure its financial affairs are managed responsibly.
Effective risk management, supported by a thorough risk register, helps a charity’s board and management to:
Benefit | Description |
---|---|
Uphold Duties | Assist Responsible Persons in fulfilling their ACNC and ASIC duties to act with reasonable care and diligence, as required by the ACNC Governance Standards. |
Improve Decision-Making | Guard against poor decision-making and complacency by providing a clear overview of potential challenges and opportunities. |
Protect Stakeholders | Safeguard the interests of stakeholders, including beneficiaries, donors, and volunteers, by anticipating and mitigating harm. |
Maintain Trust | Enhance public trust and confidence by demonstrating accountability and transparently managing the risks associated with the charity’s operations. |
Why an ACNC Risk Register Is Essential for Your NFP
Meeting Australian Charities and Not-for-profits Commission Governance Standards & Compliance Obligations
For not-for-profits, maintaining a risk register is a practical step towards fulfilling crucial compliance obligations with the ACNC. Good governance requires that registered charities comply with a set of core, minimum standards, and effective risk management is fundamental to meeting these requirements.
ACNC registration is effectively your charity’s ‘licence to operate,’ making compliance essential for your existence and the pursuit of your mission.
The ACNC Governance Standards outline the duties and responsibilities of those running a charity. Specifically, Governance Standard 5 details the duties of Responsible Persons, which include:
- Acting with reasonable care and diligence
- Acting in the best interests of the charity to achieve its purpose
- Managing the charity’s financial affairs responsibly
A risk register serves as tangible proof that your organisation is actively identifying, assessing, and managing risks, thereby demonstrating that your Responsible Persons are fulfilling their duties with the required level of care.
Failure to meet these obligations can lead to significant ACNC action, which may include:
- Issuing warnings
- Giving directions
- Revoking a charity’s registration
Protecting Your Organisation from Financial & Reputational Harm
Beyond compliance, a robust risk management framework is vital for protecting your not-for-profit from significant harm. Threats such as fraud, financial abuse, and corruption can lead to devastating financial losses and cause profound damage to your organisation’s reputation, potentially eroding public trust and confidence.
Fraud, in particular, poses a significant threat, and it is vital to keep your charity safe from fraud. It can be categorised in two main ways:
Fraud Category | Examples of Fraudulent Activity |
---|---|
Internal Fraud | Misusing charity credit cards for personal expenses; creating false invoices; claiming inappropriate expenses |
External Fraud | Using deceptive invoices to get money; hijacking a bank account; conducting unauthorised fundraising in the charity’s name |
Implementing a risk register helps your organisation proactively identify these vulnerabilities. By anticipating potential strategic and operational risks, you can establish proper financial controls and procedures to prevent misconduct, safeguard assets, and ensure that funds are used for their intended charitable purpose, thereby protecting your organisation’s long-term sustainability and standing in the community.
Building Your ACNC Risk Register: A Step-by-Step Guide
Step 1: Establishing the Context for Your Risk Management
The first step in building an effective risk register is to establish the context for your charity’s risk management activities. This foundational stage involves defining the scope of your risk management framework by considering the internal and external environments in which your organisation operates.
Because risk is defined as the effect of uncertainty on objectives, you must first be clear about what your not-for-profit aims to achieve. To properly set the context, your organisation should undertake several key actions:
Action | Description |
---|---|
Confirm Organisational Objectives | Revisit and confirm the objectives established in your business or strategic plans. These goals provide the benchmark against which all potential risks will be measured. |
Identify Stakeholders | Develop a comprehensive list of internal and external stakeholders. This may include board members, staff, volunteers, clients, funders, government agencies, and community partners. |
Define Risk Assessment Criteria | Establish clear criteria for evaluating the |
Step 2: Conducting a Comprehensive Risk Assessment
Once the context is established, the next step is to conduct a thorough risk assessment. This process involves systematically identifying, analysing, and evaluating potential risks to your charity.
A comprehensive assessment ensures that no significant threats are overlooked and provides the basis for prioritising your risk management efforts. The risk assessment process consists of three distinct stages:
Stage | Description |
---|---|
Risk Identification | The goal is to create a complete list of risks your organisation might face. This can be achieved by examining different risk categories, such as financial, operational, legal, and reputational risks. |
Risk Analysis | For each identified risk, you must analyse its potential consequences and the likelihood of it occurring. This stage involves using predefined criteria to understand the potential impact on your charity’s objectives. |
Risk Evaluation | Finally, you will evaluate each risk to determine its priority. This involves comparing the level of risk against your organisation’s risk tolerance to decide which risks require immediate treatment and which can be monitored. |
Step 3: Developing & Implementing Risk Treatment Plans
After assessing and evaluating your risks, the next step is to develop and implement plans to address any risks deemed unacceptable. This is the active phase of risk management, where analysis is turned into concrete action.
A risk treatment plan documents exactly how your charity will manage, mitigate, or respond to a specific risk. When a risk requires action, several treatment options are available, including:
Treatment Option | Description |
---|---|
Avoiding the risk | Deciding not to proceed with the activity that gives rise to the risk. |
Reducing the likelihood | Implementing preventative controls to make the risk less likely to happen. |
Minimising the consequences | Establishing contingency plans to limit the damage if the risk occurs. |
Sharing the risk | Transferring some of the financial burden to another party, for example, through insurance. |
Retaining the risk | Formally accepting the risk, which is typically done for low-level risks where the cost of treatment outweighs the potential impact. |
A formal risk treatment plan should be documented for each significant risk. This plan should clearly outline the proposed actions, the person accountable for implementation, the required resources, a timeline, and the measures that will be used to track its effectiveness.
Step 4: Committing to Continuous Monitoring & Review
Risk management is not a one-time project but an ongoing cycle that must adapt to change. The final step is to commit to a continuous process of monitoring and reviewing your risk register, treatment plans, and overall framework.
This ensures that your charity’s approach to risk remains relevant and effective as both internal and external conditions evolve. Establishing formal review and reporting mechanisms is a requirement of good governance. These processes provide assurance to the board and senior management that risks are being managed effectively.
A typical review schedule would include:
Activity | Description |
---|---|
Regularly reviewing | Review the risk register and the progress of treatment plans at management meetings, often on a monthly or quarterly basis. |
Reporting | Report to the board with an update on the risk register, particularly focusing on ‘extreme’ and ‘high’ risks, in line with the board meeting cycle. |
Conducting a formal review | Conduct a formal review of the entire risk management framework and policy, typically on an annual basis, to ensure it still meets the organisation’s needs. |
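To make the four steps concrete, here is a small risk register written in Python. It is an added example, not code from the original article, from LawBridge, or from the ACNC. The five-point likelihood and consequence scales, the score thresholds for the low/medium/high/extreme bands, the 90-day review cycle, the tolerance level and the sample entries (constructed from the risk categories the article names) are all assumptions chosen for illustration; replace them with the criteria your charity sets in Step 1.

```python
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import Optional


# Assumed five-point scales; the ACNC does not prescribe these values.
class Likelihood(IntEnum):
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Consequence(IntEnum):
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    SEVERE = 5


# Ordered lowest to highest so a rating can be compared with a tolerance.
RATINGS = ["low", "medium", "high", "extreme"]


def rating_for(score: int) -> str:
    """Map a likelihood x consequence score (1..25) to a rating band.
    The thresholds are an assumption; set them from your Step 1 criteria."""
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass
class TreatmentPlan:
    option: str      # avoid / reduce / minimise / share / retain
    actions: str
    owner: str       # person accountable for implementation
    due: date
    measure: str     # how effectiveness will be tracked


@dataclass
class Risk:
    risk_id: str
    category: str
    description: str
    likelihood: Likelihood
    consequence: Consequence
    controls: str            # controls already in place
    last_reviewed: date
    treatment: Optional[TreatmentPlan] = None

    @property
    def score(self) -> int:
        return int(self.likelihood) * int(self.consequence)

    @property
    def rating(self) -> str:
        return rating_for(self.score)


class RiskRegister:
    def __init__(self, tolerance: str = "medium"):
        # Risks rated above this band are unacceptable and need treatment.
        self.tolerance = tolerance
        self.risks: list[Risk] = []

    def add(self, risk: Risk) -> None:
        self.risks.append(risk)

    def above_tolerance(self) -> list[Risk]:
        """Step 2 evaluation: risks rated above tolerance, highest score first."""
        limit = RATINGS.index(self.tolerance)
        hits = [r for r in self.risks if RATINGS.index(r.rating) > limit]
        return sorted(hits, key=lambda r: r.score, reverse=True)

    def untreated(self) -> list[Risk]:
        """Step 3 gap check: unacceptable risks with no treatment plan yet."""
        return [r for r in self.above_tolerance() if r.treatment is None]

    def overdue_reviews(self, today: date, max_age_days: int = 90) -> list[Risk]:
        """Step 4: entries not reviewed within the (assumed) 90-day cycle."""
        return [r for r in self.risks if (today - r.last_reviewed).days > max_age_days]

    def board_report(self) -> list[tuple[str, str, int]]:
        """Extreme and high risks to report to the board."""
        return [(r.risk_id, r.rating, r.score) for r in self.risks
                if r.rating in ("high", "extreme")]


def build_sample_register() -> RiskRegister:
    """Constructed sample entries drawn from the article's risk categories."""
    reg = RiskRegister(tolerance="medium")
    reg.add(Risk("R1", "Financial/fraud", "Staff member creates false invoices",
                 Likelihood.POSSIBLE, Consequence.MAJOR,
                 "Two-signatory approval on payments", date(2024, 5, 1)))
    reg.add(Risk("R2", "Cyber security", "Phishing email reveals banking credentials",
                 Likelihood.LIKELY, Consequence.MAJOR, "Annual awareness training",
                 date(2024, 6, 1),
                 TreatmentPlan("reduce", "Enable MFA on banking and email; quarterly training",
                               "Treasurer", date(2024, 9, 30), "MFA enrolment rate")))
    reg.add(Risk("R3", "Information management", "Loss of records; backups untested",
                 Likelihood.UNLIKELY, Consequence.MODERATE,
                 "Cloud storage with versioning", date(2024, 1, 15)))
    reg.add(Risk("R4", "WHS", "Volunteer injury at fundraising event",
                 Likelihood.UNLIKELY, Consequence.MINOR,
                 "Event safety checklist", date(2024, 3, 1)))
    reg.add(Risk("R5", "Financial", "Minor errors in expense claims",
                 Likelihood.RARE, Consequence.INSIGNIFICANT, "Manager sign-off",
                 date(2024, 6, 15),
                 TreatmentPlan("retain", "Accept; treatment cost exceeds impact",
                               "Finance Manager", date(2025, 6, 15), "Audit sample")))
    return reg
```

With the sample data, `above_tolerance()` returns R2 then R1, `untreated()` flags R1 as an unacceptable risk still lacking a plan, and `overdue_reviews(date(2024, 6, 30))` lists R3 and R4 as not reviewed within the cycle; R5 shows a low-level risk that has been formally retained rather than left undocumented.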
Identifying Key Risks for Your Not-for-Profit’s Register
Financial, Fraud & Corruption Risks
A primary area of concern for any charity involves financial risks, particularly those related to fraud and corruption. These threats can come from both within and outside the organisation, potentially leading to significant financial loss and reputational damage.
Fraud can be broadly categorised into two types:
- Internal fraud: Committed by individuals connected to the charity, such as staff members, volunteers, or board members. Examples include:
- Misuse of charity credit cards for personal spending
- Creating false invoices for services never rendered
- Claiming inappropriate expenses
- External fraud: Perpetrated by outside parties with no direct link to the organisation. Common instances include:
- Submitting deceptive invoices
- Hijacking the charity’s bank account
- Conducting unauthorised fundraising campaigns using the charity’s name
A specific and serious financial risk is the potential for terrorism financing, where a charity’s funds or assets are misused to support terrorist activities, with or without the organisation’s knowledge. This can occur through various means, such as:
- A partner organisation diverting funds
- The charity’s premises being used to store weapons
- A terrorist group setting up a fraudulent charity to raise money
It is crucial for your risk register to document these potential issues and the controls in place to mitigate them.
Operational, Legal & Compliance Risks
Operational risks affect the day-to-day functioning of your charity and its ability to deliver services effectively. These can disrupt core activities and lead to a loss of productivity or a decline in service quality, which in turn can damage your organisation’s reputation. An example includes the disruption of daily activities due to a failure in internal systems or processes.
Legal and compliance risks arise from the failure to adhere to contractual, statutory, and regulatory obligations. For a not-for-profit, this can have serious consequences, including:
Risk Category | Description |
---|---|
Legal and commercial risks | Breaching the terms of a contract, which could result in fines or litigation. |
Compliance and statutory risks | Failing to meet legal obligations, such as reporting requirements for the ACNC or other regulators, which may lead to penalties. |
People, Safety & Reputational Risks
Risks related to people involve staff, volunteers, and the beneficiaries you serve. A critical component of this is safeguarding the vulnerable in your charity, which is the duty to protect the welfare and human rights of people connected to your charity’s work. This includes having processes to identify and mitigate any potential harm to beneficiaries.
Work Health and Safety (WHS) is another significant risk area. This involves:
- Ensuring a safe environment for all individuals involved with the charity
- Having clear procedures that staff and volunteers must follow to prevent injuries or health incidents
Reputational risks are threats that could damage public trust and confidence in your organisation. Negative events, such as the mismanagement of funds or a failure in service delivery, can lead to adverse media attention and a loss of support from the community and donors.
Cyber Security & Information Management Risks
In an increasingly digital world, all charities are vulnerable to cyber security and information management risks, making a charity’s guide to cyber safety & legal duties an essential resource. These threats can compromise sensitive data, disrupt operations, and lead to significant financial and reputational harm.
Key risks in this category include:
- Unauthorised access to information: Breaches where confidential data about your organisation, staff, or beneficiaries is accessed by unauthorised individuals.
- Hacking and data breaches: Malicious attacks aimed at stealing or exposing sensitive information.
- Viruses and phishing: Cyber attacks that can compromise your IT systems or trick staff into revealing confidential details.
- Loss of digital records: The potential loss of critical information due to inadequate IT systems, system failures, or a lack of proper backup procedures, which can result in a loss of productivity and reputational damage.
It is vital to identify and manage these digital vulnerabilities within your risk register.
Conclusion
Developing a comprehensive risk register is a fundamental aspect of good governance for any Australian charity, providing a structured way to manage threats and meet ACNC compliance obligations. By following a clear process to identify, assess, and treat key financial, operational, and reputational risks, your not-for-profit organisation can protect its assets and uphold its duties under the ACNC Governance Standards.
If you need assistance developing or reviewing your risk management framework to ensure it meets ACNC requirements, contact our not-for-profit lawyers at LawBridge. Our team offers specialised legal services to help your charity implement a robust risk register, providing the peace of mind that comes with strong governance and proactive protection.
Frequently Asked Questions
The governing body or board holds the ultimate responsibility for establishing a risk management framework for a not-for-profit organisation. Their role involves defining the organisation’s goals, direction, and accountability structures related to risk.
The ACNC Governance Standards are a set of six core, minimum standards that outline the requirements for running a registered charity. These standards cover a charity’s purpose, accountability, legal compliance, the suitability and duties of its Responsible Persons, and the need to maintain public trust.
No, you are not required to report all risks, but you must notify the ACNC of any significant breaches of the Governance Standards or External Conduct Standards. This includes reporting serious issues such as fraud that affect the charity’s governance and public confidence.
Strategic risks are serious threats with the potential to harm the entire organisation, while operational risks negatively impact its day-to-day functioning. For example, illegal activity is a strategic risk, whereas a reduction in funding is an operational risk.
A risk treatment plan should document how a chosen treatment option will be put into action. It needs to include the plan’s objectives, the specific actions to be taken, who is accountable, the necessary resources, performance measures, and a timeline for implementation and review.
A formal review of the entire risk register and risk management framework should generally be conducted annually. More frequent updates on high-priority risks and treatment plans should be reported to the board on a monthly or quarterly basis.
Yes, a charity can choose to retain certain risks by making an informed decision to accept the potential consequences. This approach is typically taken for low-level risks where the cost of implementing a treatment outweighs the potential benefit.
If a charity fails to manage its risks and meet its obligations, the ACNC can take significant administrative action. These consequences can range from warnings and directions to suspending a Responsible Person or even revoking the charity’s registration.
A template for a risk register can be found in the appendices of the “Risk Management for Not-For-Profit Organisations” guide. This resource also includes examples of risk categories and a checklist to assist with its implementation.