In order to understand and treat risk, you need to be clear about the internal and external context in which your organisation is operating.
For larger organisations with varied services operating over several locations, it does get a little more complicated, but for most not-for-profit groups the task need not be overwhelming.
In order to recognise a risk you need to know what a risk is. While some risks may apply to almost everyone, some will be specific to your organisation.
Some organisations will have to put in more effort than others - a chess club will not have to exert as much effort on risk management as a diving club, for example.
In undertaking a risk assessment you need to take into account your own organisation's specific objectives and capabilities, as well as external factors, such as the changing legal environment and shifting social standards.
At the end of this step you should be able to detail your organisation's objectives, who will have an impact or be affected by your risk management process, and set out a number of areas which should be allocated attention. These can then be used to prioritise the order in which you attack the next task.
So how do you go about establishing a context for risk management?
Start by allocating the task to one person (ideally someone with a particularly good grasp of what your organisation is about, as well as some background knowledge about risk management), or set up a sub-committee.
Whoever is in charge (committee or individual), you need to ensure that this is a whole-of-organisation process so start spreading the word by holding a brainstorming session and explaining what you're setting out to do in your newsletters and bulletins.
Questions you need to ask as part of the process of establishing a risk management context for your organisation can be broken down into two areas: the organisation context and the strategic context.
The organisational context
This involves looking at your organisation's aims, activities, structure, membership and methods of operation.
Below we have provided examples of some questions you might want to ask, with some answers supplied for a fictional junior football club, the Joeys, to give you an idea of where to start.
What are the aims and objectives of your organisation?
The main aim is to field a football team and to win a premiership. Other aims include providing a safe, fun, inclusive recreational activity for kids in our area and improving the skills and self esteem of our players.
What is your organisation's core activity?
The primary activity is playing football. Secondary activities include training of players and umpires, trips to big league games, social events and fundraisers.
Who is involved with your organisation - both internally and externally?
The main people involved in the club are the players and the coach. On a slightly less-involved level are parents of players and other supporters. We also have involved from local businesses who sponsor the team, and the council that provides our oval and facilities.
One way of getting a clearer picture of all the people involved in your organisation is to draw a simple diagram, starting with a small circle in the centre in which you list the main participators in your group's activities, and moving outward.
Going through the process of deciding who goes in which circle will help you get a clearer grasp on what (and who) is important to your organisation.
What facilities do you have and/or use?
Clubrooms and oval (ours for home games; various others for away games), car park.
Try to include absolutely everything.
Also make a note if you allow anyone else to use your facilities - you could be liable if something goes wrong.
Finally, to establish an internal context for your risk management strategy, ask:
- What is your organisation currently doing to manage risk, either formally or informally?
- What type of insurances does your organisation have (if any)?
- What is the legal structure of your organisation. Is it incorporated?
The Strategic Context
This step involves looking at the environment in which your group operates. The answers to these questions may involve some research. Some questions you should look at are:
What relationships does your organisation have and how important are these?
It's important for your organisation to recognise relationships you have established with other parties that are necessary for you to operate. For the fictional football group the Joeys, these might include players and parents, the league the team plays in, a peak sporting body and councils that provide facilities they play on. Some of these will be more important than others.
Your circle diagram already undertaken (see above) will help you to define those relationships.
What laws, regulations, rules or standards apply to your organisation?
There are a lot of laws - a lot of laws - and you're supposed to observe all of them. It goes without saying that you're not supposed to defraud people, discriminate against or harass them, or breach the general prohibitions applying to everyone. Critically, there are laws that apply particularly to not-for-profit organisations.
Depending on where you are and what you do, your organisation may also have to comply with council by-laws.
In defining your strategic context you should also consider external trends. Some of these are outlined below (though you will have others that apply to your particular organisation).
- Litigiousness: There is a greater public awareness of legal rights and an increasing tendency for people to take legal action if they feel they have been unfairly treated. Not-for-profits should no longer assume they will be treated leniently by the community or the courts just because they are doing "good work". You must revew your legal obligations.
- Higher standards: Volunteers require a greater level of expertise than in the past and, as a result, are becoming harder to find and harder to hold on to. People are also more time-poor than they used to be. What other factors are affecting your volunteer workforce?
- Duty of care: To establish a context in which to consider risks, your organisation must identify its duty of care, and accept it. If you don't feel you can accept that level of responsibility, your group should review its activities.