To proactively protect the organisation from harm, the board ensures the organisation has and maintains robust and systematic processes for managing risk.
- The ability to avoid, or limit, the negative consequences of risk through a proactive framework.
- There is an effective and consistent approach to risk throughout the organisation.
- There are clear parameters on what decisions and risk events require escalation to the board and what management is expected to report against.
- Goals and objectives are achievable as risk has been considered.
- Compliance can lead to eligibility for funding and grants programs.
- Is our approach to compliance rigorous enough to ensure we do not breach any legislated or regulated requirements?
- Do we know what our key risks, challenges and emerging issues are?
- How much risk are we willing to accept in pursuit of our purpose and vision? Is the way we manage risk creating unintended consequences for our members?
- Do our current systems and processes ensure the board has a clear and current overview of our risks (positive and negative) and mitigation strategies?
- Are we including both financial and non-financial risks in our risk management process?
- Are the directors receiving sufficient information to be able to competently assess and manage the organisation's risk?
- Do we have early identification of emerging risks and processes to enable the treatment of risks identified outside an annual assessment process?
- Do we have an effective and tested business continuity plan?
What is risk?
Risk is not inherently a bad thing. According to the international standard for risk management (ISO 31000), risk is the ‘effect of uncertainty on objectives’. This uncertainty is often where opportunities are found, but it can also result in negative consequences. Risks can be categorised as financial or non-financial. Financial risks are the risks associated with financing an organisation, such as access to funding and capacity to pay bills. Non-financial risks describe the other risks facing an organisation, such as compliance, conduct, strategic and operational risks. Despite the name, non-financial risks often carry financial implications (e.g. loss of sponsorship revenue due to reputational damage).
What can the board do?
The board is responsible for determining how much risk the organisation is willing to accept in pursuit of its purpose and vision, monitoring adherence to that level of risk, and ensuring action is taken when the level of risk exceeds the organisation’s stated comfort level. The board must ensure that the organisation effectively manages risk in line with a board-approved risk management framework. Documenting the risk management framework is essential.
What goes into a risk management framework?
A risk management framework describes an organisation’s approach to the management of risk. The key elements of a risk framework are the risk appetite statement, the risk management policy and the risk register. The risk appetite statement is a statement by the board about how much risk the organisation is willing to accept, usually by type of risk. The risk management policy describes how the organisation will assess, treat, monitor and report on risk, and how it will make decisions related to risk. The risk register should document the current risks facing the organisation, the assessed level of each risk, and what is being done to mitigate or treat the likelihood and/or consequence of those risks. A risk management framework should be implemented in line with the scale of the organisation and the nature of the risks it faces. A framework should be regularly reviewed, incorporating continuous improvement, to ensure it remains fit for purpose.
Why is a system needed?
Boards that take an ad hoc or informal approach to managing risk may place the organisation in danger and/or fail to achieve strategic objectives effectively. Failure to monitor financial and non-financial risks can have very real implications for an organisation and, potentially, legal implications for directors who fail to fulfil their duties. While many of these implications are very similar for sporting and non-sporting organisations, sport has some unique risks and consequences (e.g. ineligibility for competition, and loss of membership rights).
Example behaviours and actions
A set of good practice suggestions, which should underpin the Board’s considerations in applying this principle.
Resources, online learning and advice
We recommend all current and aspiring directors enrol for the free online course, The Defence: Risk Education for Directors. You can also use the guide below as you implement changes to improve risk management in your organisation. NSOs can email queries to SportsGovernance@ausport.gov.au and a consultant will contact you. All other sporting organisations are encouraged to contact their state or territory agency for sport and recreation for advice on best practice risk management.