Guest writer
Chris Wright (Hall and Wilcox)
Kelly Sumner (QCOSS)
Risk management is a core responsibility of directors and management committees. Failing in this not only has impacts on the organisation, but can also expose those involved to personal liability.
All businesses and organisations face risks, both internal (risks you have the power to prevent or mitigate within your organisation) and external (risks you have less ability to manage). In fact, taking risks is part of what organisations do. So you need solid processes for identifying, assessing and controlling the risks facing your organisation.
Risk management in governance and operations
How you set up and run your organisation has a major impact on the risks it faces, particularly from the perspective of governance and operations. As we’ve discussed in previous articles:
- governance is the internal rules, practices and processes that govern the operation and performance of an organisation, while
- operations is the implementation of strategy, policies, procedures and processes, and generally carrying out the activities of the organisation.
There are many ways in which governance and operations are interconnected and, in fact, rely upon one another. Without a solid governance framework, operational risks abound, while without operational staff putting the governance system into effect, its purpose is not served and risks are not addressed. The relationship between governance and operations is also built into the structure of each organisation, where the governance body will usually have an oversight role and delegate operational responsibilities – that is, organisational management are formally granted particular responsibilities and decision-making capacities, such as everyday decisions like managing staff and team performance, expenditure of organisational funds (up to certain limits) for operational purposes, and so on. These delegations should be clearly stated in a regularly reviewed delegations policy.
(It is important to note that there are some differences between the responsibilities of management committees and boards. We cover the responsibilities of management committees in more depth on Community Door, while if you are on a board of directors, for example, you may find this page from the Australian Institute of Company Directors helpful.)
When it comes to risk management, key governance responsibilities include:
- establishing, reviewing and regularly updating risk management and other relevant policies and procedures for staff to follow;
- reviewing the implementation of the risk management system; and
- generally overseeing organisational risk management.
However, it is largely the organisational staff (including volunteers and managers) who are responsible for identifying and responding appropriately to risks within their day-to-day work. For example, while a governance body may be responsible for setting out how organisational staff should identify and respond to risks to client safety, it is usually the operational staff themselves who respond to specific instances of client-related risk. That said, the governance body and internal governance-focused staff may review the responses to particular types of risk, provide guidance on risk responses, and continuously monitor and improve the organisation’s risk management framework. To see how this works in practice, you can check out our recent blog post on managing DFV-related risks.
Here are some questions to ask yourself regarding your organisation’s management of risks:
- Do we identify significant risks to the organisation and its operations on an ongoing basis?
- Once identified, do we analyse the potential impact of each risk and create strategies to treat and reduce the risk?
- Have we created a risk management plan and risk responses? If so, do we regularly review and update these?
- Do we have appropriate insurances in place?
Having a culture in your organisation where everyone feels both safe and empowered to speak up about risks (actual or potential) is helpful too!