scope:

INTRODUCTION

Organizations, whether private enterprise, public sector, or not-for-profit, face risks that can affect the achievement of their objectives and potentially their very survival. The uncertainty that generates risk for an organization arises because the organization's purpose and objectives (which the organization can control) are pursued against uncertain internal and external influences (which it cannot totally control). Consequently, by understanding the organization's risks, how they are caused and how they could affect it the organization can, if necessary, make changes (treat the risk) so that it is more likely to achieve its purpose and objectives and might even do so faster, more efficiently, and with improved results.

Passion and the 'cause' may be a NFP organization's pulse, but they may not always protect it from unwise decisions, mismanagement, or human fallibility. Equally, finding new and more effective ways to support the organization's clients, members and cause involves taking risk. Accordingly, good governance requires the organization to find the right balance between taking risks on an informed basis, treating undesirable risks and having the confidence that the organization can bear its level of risk in pursuing its purpose and objectives.

For the organization's stakeholders, what matters most is not what happens in the face of uncertainty, but rather how well the organization deals with a change in circumstances, the unthinkable or the unforeseen happening-bad and good. As uncertaintly and risk are implicit in all decision making and risk is generated and controlled at all levels of the organization, managing the organization's risks effectively will benefit all of the organization's stakeholders. Specifically, for the organization's key stakeholders, the benefits include:

a) Clients-assured access to professional services and representation that meets their needs, maximizes opportunity, empowerment, and inclusion, and prevents harm.

b) Members-confidence that they belong to an organization that is sustainable, professional, consistently able to meet their needs and objectives, and that does not waste resources.

c) Funders-confidence that they support an organization that is sustainable, professional, can recognize and respond to risk effectively, is consistently able to improve services to, and advocacy for, its clients, members and cause, and that will not waste their contributions.

d) Board of directors-confidence that decisions properly recognize and respond to the organization's risks, that the necessary controls modifying risk and risk treatment plans are in place, that the organization has resilience to disruptive events that might threaten it, and that it systematically learns from its successes and failures.

e) Management-confidence that the organization's risks are clearly understood and are being managed effectively and that decision making in the organization is supported by a risk-aware culture, which anticipates problems before they occur and identifies opportunities early. Assurance that the necessary controls modifying its risks are in place and are effective, and that the organization consistently learns from its successes, failures and near misses. Ability to demonstrate to funders and other stakeholders that the organization's risks are being managed effectively.

f) Employees, volunteers, contract and casual staff-confidence that the organization is making a positive difference to its clients, members and cause, that they personally are proactively contributing to this no matter what their role, and reassurance that everybody's wellbeing and safety are being appropriately protected.

AS/NZS ISO 31000 provides a benchmark to maximize the effectiveness of the organization's risk management activities. Using this Handbook to implement AS/NZS ISO 31000's systematic and straightforward approach, the organization can develop and sustain a comprehensive understanding of its risks and the controls modifying those risks, and can ensure that the amount and type of risks it faces are desirable or tolerable.

By effectively managing the risks it faces the organization can guard against poor decision making, complacency and being inadvertently exposed to potentially debilitating consequences of its activities. This can include risks that:

i) Opportunities are missed, underestimated or mismanaged.

ii) Changes in government policy and preferences are not responded to effectively.

iii) Programs and services are not relevant or effective.

iv) New programs or changes to the scope and requirements of existing programs are beyond its core purpose and capability.

v) NFP tax status is lost because of inappropriate activities.

vi) Funding for a major program ceases or a significant amount of revenue is lost.

vii) Staff turnover escalates and its staff recruitment and retention strategies are not effective.

viii) Expenses increase excessively or are underestimated or not properly accounted for in budgets and funding submissions.

ix) Media attention on its clients, members and cause are not responded to immediately and adequately, or are missed altogether.

x) Critical corporate knowledge and key relationships are lost.

xi) Intellectual property is lost or is not adequately protected.

xii) A partner fails, is embroiled in controversy, or becomes strategically aligned with another organization.

xiii) Acts of fraud are not detected.

xiv) There is a serious failure or breach of its duty of care (e.g. actual or alleged sexual misconduct or abuse by an employee or volunteer).