Sport Governance Principles

Principle 7: The defence

a system which protects the organisation


To proactively protect the organisation from harm, the board ensures the organisation has and maintains robust and systematic processes for managing risk.

  • The ability to avoid or limit the negative consequences of risk through a proactive framework.
  • There is an effective and consistent approach to risk throughout the organisation.
  • There are clear parameters on what decisions and risk events require escalation to the board and what management is expected to report against.
  • Goals and objectives are achievable as risk has been considered.
  • Compliance can lead to eligibility for funding and grants programs.
Questions to ask
  • Is our approach to compliance rigorous enough to ensure we do not breach any legislated or regulated requirements?
  • Do we know what our key risks, challenges and emerging issues are?
  • How much risk are we willing to accept in pursuit of our purpose and vision? Is the manner in which we are managing risk creating an unintended consequence to our members?
  • Do our current systems and processes ensure the board has a clear and current overview of our risks (positive and negative) and mitigation strategies?
  • Are we including both financial and non-financial risks in our risk management process?
  • Are the directors receiving sufficient information to be able to competently assess and manage the organisation's risk?
  • Do we have early identification of emerging risks and processes to enable the treatment of risks identified outside an annual assessment process?
  • Do we have an effective and tested business continuity plan?

What is risk?

Risk is not inherently a bad thing. According to the international standard for risk management (ISO 31000), risk is the ‘effect of uncertainty on objectives’. This uncertainty is often where opportunities are found, but it can also result in negative consequences. Risks can be categorised as financial or non-financial. Financial risks are the risks associated with financing an organisation, such as access to funding and capacity to pay bills. Non-financial risks describe the other risks facing an organisation, such as compliance, conduct, strategic and operational risks. Despite the name, non-financial risks often carry financial implications (e.g. loss of sponsorship revenue due to reputational damage).

What can the board do?

The board is responsible for determining how much risk the organisation is willing to accept in pursuit of its purpose and vision, monitoring adherence to that level of risk, and ensuring action is taken when the level of risk exceeds the organisation’s stated comfort level. The board must ensure that the organisation effectively manages risk in line with a board-approved risk management framework. Documenting the risk management framework is essential.

What goes into a risk management framework?

A risk management framework describes an organisation’s approach to the management of risk. The key elements of a risk framework are the risk appetite statement, the risk management policy and the risk register. The risk appetite statement is a statement by the board about how much risk the organisation is willing to accept, usually by type of risk. The risk management policy describes how the organisation will assess, treat, monitor and report on risk, and how it will make decisions related to risk. The risk register should document each current risk facing the organisation, its assessed level (likelihood and consequence), and what is being done to mitigate or treat the likelihood and/or consequence of that risk. A risk management framework should be implemented in line with the scale of the organisation and the nature of the risks it faces. The framework should be regularly reviewed, incorporating continuous improvement, to ensure it remains fit for purpose.

Why is a system needed?

Boards which take an ad hoc or informal approach to managing risk may place the organisation in danger and/or fail to effectively achieve strategic objectives. Failure to monitor financial and non-financial risks can have very real implications for an organisation and, potentially, legal implications for directors who fail to fulfil their duties. While many of these implications are very similar for sport and non-sporting organisations, sport has some unique risks and consequences (e.g. ineligibility for competition, and loss of membership rights).

Example behaviours and actions

  • Use the risk appetite statement as a guide in making major decisions
  • Determine the metrics that management reports on, rather than relying on management determining what is relevant
  • Monitor adherence to the risk appetite statement and act when the organisation is outside the stated appetite
  • Respond to evolving or new risks facing the organisation
  • Engage in ongoing learning and development about emerging risks
  • Regularly challenge reports from management or risk committees
  • Seek information from independent sources where required
  • Regularly update the risk register
  • Educate and train staff and volunteers on how to recognise and report risk in line with the risk management policy
  • Regularly update and test the business continuity plan
  • Ensure all business cases for major decisions include an assessment of risk
  • Prepare thorough and accurate reports in line with the requirements of the board
  • Report any breaches of the risk management framework to the board according to policy
  • Set the cultural tone that managing risk is part of 'business as usual' and not something separate from operations


The following good practice suggestions should underpin the board’s considerations in applying this principle.

  • As a board, develop and regularly review a risk management framework that includes, at least, a risk appetite statement, a risk management policy and a risk register.
  • Ensure board meetings regularly review the organisation’s risk management, even if the organisation also has a risk committee and an internal audit function.
  • The board may delegate some of the management of risk to a risk committee, but it retains ultimate responsibility for the effective management of risk.
  • Annually review all applicable legislative and regulatory requirements and develop a compliance system for adherence to these requirements.
  • Acquire and maintain appropriate insurance policies for directors and officers.
  • Develop a system for directors and officers to access independent professional advice where required.

Resources, online learning and advice

We recommend all current and aspiring board and committee members enrol in the free online course, The Defence – Risk Education for Directors.

Head to the National Governance Resource Library for resources and tools.

For guidance, or to discuss how your organisation may best implement good practice in this area, please contact your State/Territory agency for sport and recreation.

For NSOs, email your query to and a consultant will contact you.
