NFP Governance Principle 4 - Risk Management

Ron Browne • June 12, 2026

Boards are responsible for setting the Risk Culture in any organisation. Risk management is particularly pertinent for Not For Profit (NFP) organisations, as often small start ups and organisations trading under $5 million will not consider risk as a key governance oversight role.


Risk is often thought of only in terms of Work Health and Safety risk, but business risk comes in many other forms. Risk can occur in the following areas: financial, legal (especially compliance), human resources (including psychosocial), reputation, environmental, strategy, governance, crisis and, critically these days, cyber risk. The best guidance for Risk Management is provided by the ISO 31000:2018 Risk Management Principles and Guidelines.


Key considerations for Boards (in conjunction with the senior management team) around risk management include setting the Risk Appetite, Risk Tolerance and Risk Capacity, identifying the key organisational risks, and deciding the most effective controls for each type of identified risk. The AICD describes these as follows:

Risk capacity refers to the amount of risk the company can actually absorb, from a financial and legal perspective, and may be a smaller level than the Board’s Risk Appetite. Once the Board embarks on a committed Risk Management path, research needs to be done to decide the organisation’s risk appetite, capacity and tolerance, before commencing the risk identification process.


Identify, Assess, Evaluate, Prioritise, Control, Monitor

Once identified, you assess each risk on the standard scale of likelihood of occurrence and likely consequence, then evaluate which risks are mission critical. You then prioritise the risks in order of importance or urgency and apply controls, which include the following options:


This can be done through ELIMINATION or avoidance of the risk, REDUCTION of the risk through changes in procedures, equipment or training, TRANSFERRING or sharing the risk through insurance, partnerships or contractors, and finally ACCEPTING the risk, if appropriate.


Once you have decided the control(s) that need(s) to be applied, you can calculate the Managed Risk Ranking. The aim is to achieve a level of risk within the organisation’s risk tolerance and capacity, otherwise the control needs to be further reviewed.



The organisation then needs to develop a Risk Register in which all risks are listed and the progress of their treatment is monitored.

Importantly, when an organisation is going through its Strategic Planning process, it must perform a risk assessment on any key strategies it plans to implement, and I advocate here that it should review 3 scenarios:


Best Case – Worst Case – Most Likely Case


This simple form of risk management can help prevent poor strategies from becoming fatal for the organisation. For each strategy, a ‘trigger’ must be set to flag sub-optimal results and to commence an immediate review to rectify the situation.


Risk Oversight


The Board and senior management of any organisation, especially NFPs, should provide ongoing oversight of organisational risks. As a minimum, monitoring the Risk Register at Board meetings would be a great start, with the frequency dictated by the number of board meetings per annum (every meeting if you only meet 4 times per year, and potentially quarterly if you meet every month). Depending on the size and resources of the organisation, a Risk Officer/Manager could be appointed to lead on Risk, or a Risk Committee could be created to oversee risk on behalf of the Board. Frequency may also be driven by the types of risk identified, as some may be more likely to occur than others and so require more frequent monitoring.



By following the ISO 31000 framework, you have a simple step by step process to apply to the management of all identified risks.

Crisis Management


I believe one of the most overlooked areas of Risk Management is Crisis Management. Does your organisation have a Crisis Management Plan in place, to cover the next steps when a major crisis hits? This is one of those things that everyone treats on the basis of “Oh that would never happen, so why plan for such an extreme risk?” Until it hits!


Think Lismore floods, the various peak bushfire seasons (Eastern Victoria 2006-7, Black Saturday 2009, Black Summer 2019-20 and 2025-26) and the Viva Energy Geelong Oil Refinery Explosion in April this year (really bad timing considering the Iran War and consequent national fuel crisis), leaving the refinery with limited production capacity.


If your organisation is hit by a devastating crisis, what is your Crisis Management Plan? Do you have a Business Recovery Plan – can you continue to operate, or will the business effectively close until it can reset? Does the organisation have the financial reserves to survive a trading hiatus?


Registered clubs in NSW have burnt to the ground in past years and none (as far as I am aware) had a Crisis Management Plan in place identifying how the club could move operations to an alternate venue to trade from until the original club could be rebuilt. These are some of the many considerations that need planning to ensure the organisation can minimise the potential damage of a major crisis.


External Review


For many organisations, if the internal expertise does not exist, then the use of external Risk consultants or Auditors is an appropriate option. Organisations audit financial performance regularly (or at least annually) as part of minimising the risk of theft and fraud, so a natural corollary would be to audit other high-risk areas with external expertise. Cybersecurity is a key area here, including the impact of AI on the organisation, and is best served by expert consultants who can provide an audit of the risks facing the organisation.


For registered clubs and pubs with poker machines, where money laundering is a high-profile risk, Anti Money Laundering and Counter Terrorism Financing (AML/CTF) programs must be in place and their performance monitored. Legislation mandates a biennial audit of these programs, which must be done by suitably qualified AML/CTF consultants and auditors.


Most other areas will have external expertise available to audit the organisation’s policies, procedures and implementation of risk mitigation, such as Human Resources (especially for psychosocial risk), environmental compliance and even reputational risk.


Are you prepared to risk your organisation’s success and reputation by not managing all your risks? For assistance in setting a Risk Management Policy, Procedure and Program in place, contact Ron Browne 0414 633 423 or ron@extrapreneurservices.com.au
