Risk management


This section explains the concept of risk management and describes some practical strategies to assist organisations to manage the risks they face. While the principles discussed are relevant to all community organisations, the strategies will be most appropriate for small to medium agencies. Larger organisations will probably need to go into more detail than that provided here and may go as far as making risk management the sole or prime duty of a staff member.

Risk management and legal prescriptions

Compliance with the law is not always easy. Laws have become so numerous and complex that it seems impossible to comply with them all, every time. Non-profit organisations wish to avoid breaking the law not only because of the penalties, but also because negative publicity may affect their standing and trustworthiness in the community. Non-profit organisations, more than most other organisations, rely on the public’s trust to exist. Donations and volunteers disappear when an organisation is characterised as ‘untrustworthy’ because of breaches of the law.

An organisation will probably identify the risk of a fine for breaking a law in its risk management process. For example, there is a risk of a fine or penalty fee if an organisation is required by law to file its annual audited financial report with a government department. These types of risks need to be dealt with in a slightly different way than other risks the organisation may face. This is because the law requires an organisation to comply with the provision, not make a decision to insure against the event occurring, or to accept the risk of being discovered and fined. It is more appropriate to deal with such issues by a legal compliance plan. Standards Australia has devised a special standard for such purposes (AS 3806: 2006). A legal compliance plan manages exposure to breaching the law for the organisation, board members and management. Some important differences between risk management and legal compliance concepts are:

  • Risk management reduces and manages risks; compliance seeks to eliminate or prevent them completely
  • Risk management undertakes a cost/benefit approach (if cost exceeds the benefits from control, reduce control); compliance must prevent a breach occurring, regardless of the cost

The benchmark for risk management is set by the non-profit organisation; the benchmark for legal compliance is set by the law.

What is risk management?

Risk is a reality for all of us. Each day, in the normal course of our lives, we risk:

  • injury to ourselves or others
  • loss or damage to our and others’ property
  • having legal action taken against us for things we do or fail to do.

These risks can be managed in many ways. Think about what most of us do when we enter an unfamiliar setting. We tend to look around where we are to see what, if any, risks we are facing. If we identify a risk, we will generally assess its probability and likely impact. Most of us are prepared to accept risks that have a low probability and only minimal consequences. As the likelihood or seriousness of effects increases, we become increasingly concerned. Those risks that concern us most are those that are likely to happen and which would have quite serious effects.

Once we have identified a risk and have an idea of its probability and likely impact, we need to work out our response to the risk. One strategy we use to respond to some risks is to simply avoid them. For example, one good way of reducing or eliminating the risks associated with smoking tobacco is to simply stop smoking.

A second way of dealing with a risk is to transfer it to someone else. For instance, while it might be possible – and cheaper – for most of us to install a television antenna on our own roofs, some of us perceive the risk of falling to be sufficiently great that generally we will get a tradesperson to do it.

Another approach is to control things like the frequency or extent of loss arising from a risk. Loss control measures include seat belts in cars, fire alarms and sprinklers in buildings, and keeping copies of important documents.

Insurance is another common way in which we respond to risk. Life insurance, property insurance and public liability insurance are all ways that we insure ourselves against the risks that we face.

Finally, people may choose to retain risks. For example, there is a risk that you might catch a cold if you get wet from the rain. People whose health is otherwise fine might be prepared to accept that risk, while those whose health is not so fine, or who otherwise wish to avoid catching a cold, will take measures to avoid catching one. Risk retention is an acceptable strategy, particularly for those risks which are both unlikely to occur and of only minimal severity.

Introducing risk management in your organisation

The types of strategies outlined above are ways that we manage risks in our own life. They can also be used for managing risks in your organisation. This material will show you how to develop and implement a risk management plan through:

  • Identifying the risks your organisation faces
  • Assessing the probability and likely severity of those risks
  • Developing strategies for managing those risks
  • Implementing and monitoring your risk management plan

The ideas provided here will assist your organisation in managing its risks across a range of areas. A risk management plan can be applied to areas such as human resource management, control of your organisation’s stock and property or choice of insurance policies. In fact, risk management principles can be applied anywhere that a risk exists.

Your risk management plan will need to be regularly reviewed and updated. Risks, and the strategies available to manage them, change over time. For example, the mass marketing of low cost fire alarms has provided an affordable addition to the range of strategies available to manage the risk of fire in the home. Likewise, new ventures, changed legislation, altered work practices, a change in staffing, and so on, can all affect the range of opportunities and risks you face. Your risk management plan needs to be kept up to date to reflect such changes.

Getting started

Risk management is a management committee responsibility. The management committee has the ethical, and in most cases legal, responsibility for what happens within the organisation it governs. As a first step, the management committee can form a small working group to develop a risk management plan. To ensure that the broad range of interests within the organisation is considered, the working group should include at least one staff member and one member of the management committee. While the working group will be responsible for developing the risk management plan, the management committee should oversee the process and make the final decisions required to implement the plan.

You will find a number of templates and forms for this process in Useful Resources at the end of this chapter, such as “Running the Risk? A Risk Management Tool for Volunteers Involving Organisations” by Volunteering Australia.

Identifying the risk

The types of risks your organisation could be exposed to include:

  • Loss, theft or damage to property
  • Loss of life or damage to health
  • Breaches of corporate duties by an organisation or its officers
  • Breaches of other laws
  • Professional negligence
  • Loss of your organisation’s good name

Listed below are a range of steps which a risk management working group could use to identify the risks your organisation faces.

Inspecting the site

Look around your work place. What potential risks can you find? Look at the workplace from the perspective of the different people who use it. Are there hazards for children, older people or people with impaired sight? What are the fire hazards? Are there loose electrical connections, or damaged furniture? How hot is your hot water, and how accessible is it to children? Take some photos, perhaps even a video if you can, and study it closely. It is a good idea to have a couple of people do the site inspection, so that you can compare notes.

Reviewing your organisation’s work practices

The activities carried out in your organisation will have varying degrees of risk. Do staff members work with potentially dangerous clients? Are staff required to perform physical activity which may result in injury (for example, lifting clients)? Is your organisation’s work particularly stressful? Are staff required to do a lot of driving, and if so, are they using their own cars, your organisation’s cars or both?

Review your work practices from the perspective of other people who use your service. Are clients exposed to risks from other clients, people off the street, or from other sources? What about volunteers and management committee members?

Explore your legal exposures

Your organisation may be exposed to a number of legal risks associated with issues such as workplace health and safety, liability to clients, fiduciary duty or anti-discrimination legislation. Remember, many laws require strict compliance and their prescriptions must be met, as there is no option to just ‘accept the risk’ of being detected by regulators. You must comply with the law. Other chapters in this manual explore a number of these issues in more detail.

Do a “What If” analysis

For example, what if:

  • Your organisation’s coordinator or manager had a serious accident tomorrow?
  • Your organisation’s files were burnt or stolen?
  • You discovered someone had embezzled several thousand dollars?
  • There was a major industrial accident?
  • Industrial action was taken?
  • Your organisation was sued?

Talk to staff

The people who do the work often have the best idea of the risks the organisation faces. Talking to staff and volunteers can be done through individual interviews, raising the issue of risk at a staff meeting, or having specially structured sessions.

Get as many staff, volunteers and management committee members as you can along to a brainstorming session. Write up every suggested risk.

Workplace health and safety

The Queensland Government’s Worksafe website provides guidelines and information about relevant legislation to help keep your organisation’s staff and volunteers healthy and safe.

The Work Health and Safety Act 2011 (Qld) and its Regulations came into operation on 1 January 2012 to bring into force a harmonised national workplace health and safety approach. Historically, workplace health and safety legislation was introduced to prevent a person’s death, injury or illness being caused by a workplace, activities, plant or substances used in a workplace.

Identify hazards

A broad range of activities and working situations are covered by the legislation. One of the aims of the legislation is to encourage self-regulation by employers through the development of internal responsibility for health and safety systems, health and safety training and programs. In particular, this means that all employers (including a person conducting a business or undertaking and/or a person with management or control of the workplace) must assume responsibility for identifying hazards arising from the activities of their organisation and workplace, assessing the risks that may result from those hazards, deciding on appropriate control measures to prevent or minimise the risks, and putting those control measures in place. Constant monitoring and review of those control measures are also necessary.

Obligations under the Work Health and Safety Act

Under the Work Health and Safety Act 2011 (Qld), a number of people with responsibilities in or around a workplace have obligations to ensure the health and safety of workers and others. Significant penalties have been incorporated into the legislation to ensure compliance by all persons in the workplace.

A person (including a corporation) conducting a business or undertaking must ensure, so far as is reasonably practicable, the health and safety of workers engaged or caused to be engaged by the person and workers whose activities in carrying out work are influenced or directed by the person while the workers are at work in the business or undertaking. A person who owes a duty or obligation under the Act, must exercise due diligence to ensure that the company complies with the duty or obligation. The definition of a person extends to an officer as defined within the meaning of section 9 of the Corporations Act 2001 (Cth).

On this basis, employers are required to ensure that the work health and safety of each of their workers and other persons (including members of the public) is not affected by the conduct of the employer’s business or undertaking. As an employing organisation, your obligations include:

  • Ensuring your employees are not exposed to risks to their health and safety
  • Providing and maintaining a safe and healthy work environment
  • Ensuring safe systems of work
  • Providing and maintaining safe plant
  • Providing information, instruction, training and supervision to ensure health and safety
  • Putting in place effective health and safety management practices which protect visitors to the workplace
  • Ensuring that all others who enter into your workplace, including volunteers, contractors and members of the public are not exposed to risks to their health and safety
  • Ensuring that access to and from the workplace, and plant and substances used at the workplace, do not pose a health or safety risk to persons who are not your employees but who are nevertheless working at the workplace – cleaning contractors or delivery drivers providing services at a workplace would fall into this category.

The Act places responsibility on employees to comply with their employer’s instructions about work health and safety. Other people such as visitors, volunteers or contractors also have a legal obligation to comply with the directions for work health and safety given by the employer, e.g. a motorist driving a vehicle into a workplace has a duty to comply with any standards imposed by the organisation to ensure health and safety at the workplace.

Employees and others at a workplace also must not wilfully or recklessly interfere with or misuse anything provided for workplace health and safety and must not wilfully place at risk the health and safety of any person.

Suppliers and manufacturers of plant (this includes machinery, equipment, appliances, implements and tools) have a legal obligation to ensure that the plant is safe and without risk to health when used properly. Owners of plant must also ensure that the plant is maintained in a condition that ensures the plant is safe and without risk to health, when used properly.

The Act also imposes obligations upon, amongst others, persons in control of workplaces, principal contractors, designers and installers of plant and designers of structures used as workplaces.

Recording and notifying events

The Regulation requires that a record of the particulars of every work injury, work caused illness or dangerous event that occurs at a workplace be documented within three (3) days after the person required to make the record becomes aware of the event. The record must be made in the approved form and must be kept for one year after it was made.

Employers and their senior staff in each workplace should be aware of this requirement to ensure that documentation is completed in the event of such injury, illness or dangerous event. All records should be maintained at the workplace and must be made available for inspection by, or production to, an Inspector from Workplace Health and Safety Queensland if required.

The employer must advise the Department of every serious bodily injury, work caused illness or dangerous event that happens at the workplace. This notice must be provided to the chief executive within 24 hours after the employer becomes aware of the event. The notice must be in the approved form.

Employers and their senior staff in each workplace should be aware of this requirement and measures should be implemented to ensure that the documentation is completed in the event of a serious bodily injury, work caused illness or dangerous event. “Serious bodily injury” refers to an injury which causes death, loss of part of the injured person’s body or loss of an organ, or the injured person being absent from work for more than 4 days.

Where the injury, illness or event causes death, immediate notice must be given to the chief executive. Notice must also be given in the approved form within 24 hours after the employer becomes aware of the death.

There must be no interference with the scene of a workplace incident until permitted by an Inspector from Workplace Health and Safety Queensland or a police officer. However, it is acceptable to interfere with the scene where it is necessary to prevent damage to property, injury to persons, or to save life or relieve suffering.

Employee participation in work health and safety

The self-regulatory nature of the Work Health and Safety Act 2011 (Qld) requires employee participation in the formulation, implementation and management of occupational health and safety issues. The legislation provides for the setting up of health and safety management structures at workplaces where employees and employee organisations may be actively involved in the management of, and consultation on, health and safety. Such management structures may include the formation of a health and safety committee consisting of Work Health and Safety Representatives and other members from the workplace. The functions of these committees may include:

  • Encouraging and maintaining an active interest in health and safety at work
  • Considering measures for training, consultation and education in health and safety
  • Advising employees about the formulation, review and distribution of standards, rules and procedures relating to health and safety
  • Assisting in the resolution of issues regarding health and safety

The Act makes provision for the appointment of Workplace Health and Safety Representatives. Workplace Health and Safety Representatives are elected by their co-workers.

Enquiries regarding the application of the Work Health and Safety Act 2011 (Qld), Regulation and Codes of Practice, including the supply of relevant forms, should be directed to Workplace Health and Safety Queensland on 1300 369 915. There are a number of offices in Queensland. Contact details can be obtained from the Department’s website.

Other useful resources are listed below:

Get help

To understand how to develop and assess emergency procedures in your workplace, visit:

Workplace health and safety laws

In 2012 workplace health and safety laws were harmonised across Australia and replaced the existing work health and safety legislation in all states, territories and the Commonwealth. While many parts of the new legislation remained the same or similar to previous arrangements it is important that industry and workers know what the differences are.

In October 2015 further amendments were made as part of the Queensland Government’s Improving safety for Queenslanders at work policy. You can read about these amendments on the Workplace Health and Safety website.

Workplace Health and Safety Queensland published several resources to assist with understanding the changes. Here are some links to the most useful resources:

Access the Act, explanatory notes, and the model regulations.

Provides an overview of the Queensland Work Health and Safety Act 2011.

To find out more visit the Work Safe Queensland website or telephone Workplace Health and Safety Infoline on 1300 369 915.

Implementing your risk management plan

Having done all the work (and kept the management committee informed during the process), it’s now time for the working group to bring the risk management plan to a full meeting of the management committee. The management committee will need to consider the plan, clarify any questions it has, and after making any necessary adjustments, endorse the plan.

Once endorsed, the next step is to implement the plan. This will involve:

  • Issuing a risk management statement
  • Training
  • Establishing and documenting procedures
  • Allocating specific responsibilities.

Issuing a risk management statement

A good starting point is to let everyone in the organisation know that your organisation is serious about risk management and to outline the key risk management strategies. The risk management statement should also outline the proposed timetable and key contact people, and procedures for contributing to the risk management process.

Training

It is most likely that training was identified as one of your risk management strategies. As well, the introduction of new practices will often require training. Training for risk management needs to be carried out in the context of your organisation’s overall training activities.

Establishing and documenting procedures

Your risk management plan will have identified areas where written procedures need to be developed and/or documented. In implementing the plan it will be necessary for staff, volunteers and management committee members to work together to develop these procedures. Existing procedures should be reviewed to ensure that they are consistent with new procedures.

Allocating specific responsibilities

A risk management plan does not just implement itself – different people within your organisation should be given responsibility for implementing different parts of the plan. It should be clear to everyone who is responsible for each aspect of implementing the risk management plan.

Ongoing risk management

Once your risk management plan is in place, it is necessary to ensure that it remains effective. There are four elements to maintaining the effectiveness of your risk management practices:

  • Identify one person who will be responsible for risk management
  • Keep procedures up to date
  • Re-assess risks
  • Report on risk management.

These are discussed in more detail below.

Person responsible for risk management

There is an old adage which goes “if it’s everybody’s responsibility, then it’s nobody’s responsibility”. It is essential that one person be given responsibility for risk management within your organisation. In this manual we refer to this person as the “risk manager”.

In smaller to medium sized organisations, the risk manager will no doubt have many other responsibilities. Very large organisations may have someone whose sole or main responsibility is risk management.

The risk manager should have a number of characteristics:

  • Because they will be providing ongoing advice to the management committee and staff on organisational procedures, equipment purchase and so on, it is vital that they are a well respected person within your organisation.
  • They should have a sound knowledge of all facets of your organisation and its environment
  • Some skills in accountancy, law or management might be helpful.

As a rule when selecting a risk manager, ‘quality is better than quantity’. A skilled and experienced member of staff or management committee member who can only do the work on a part time basis is generally a better choice than a less skilled and experienced person able to devote more time to the work.

Finally, the organisation will need to decide whether the risk manager should be a senior employee or management committee member. Staff members generally have a better knowledge of the day to day functioning of the workplace than do management committee members. The management committee however carry the legal and ethical responsibility for most risks within the organisation (though remember, staff members also carry risks). Considerations of availability, interests, and practicalities need to be taken into account.

Whether your organisation chooses a member of the committee or staff, that person should report on risk management issues directly to the management committee in small to medium organisations, and at least to a senior member of staff in larger organisations.

Keeping procedures up to date

Over time, circumstances change and your risk management plan may become inappropriate. Experience gained from implementing risk management procedures can be used to further refine those procedures. Also, better procedures might emerge which can be used to replace less effective procedures.

Reassessing the risks

The risks you identified in your risk management plan, and your assessment of them, were probably fairly accurate at the time you created the plan. Twelve months later it is more than likely that some of those risks will have changed. What’s worse, it’s Murphy’s Law that the one risk you’ve missed will be the risk that happens.

There are two ways that you can ensure that your risk management plan is up to date.

Firstly, it should be reviewed on a regular basis. The more volatile and changeable your organisation and its environment, and the higher the level of risk you face, the greater the need to keep your risk management plan up to date. At a minimum, your risk management plan should be reviewed at least once a year.

Secondly, you should evaluate changes within your organisation, or within your organisation’s environment, in terms of their implications for risk within your organisation. New legislation relevant to your organisation, taking on new roles, acquisition of new equipment, or creation of new positions should all be considered for their implications for risk management.

As well as protecting you against new risks, keeping your risk management plan up to date could well save you a significant amount of money. Routine replacement of old equipment, for instance, can lead to reduced risk exposures.

Reporting on risk management

The final step in keeping your risk management practice up to date is to report on risks. Reporting on risk should include:

  • Description of any new risks
  • The effectiveness of existing risk management practice
  • The occurrence of risks (accidents, theft, and so forth) during the reporting period

Reporting on risk will normally be done by the person who has the responsibility for risk management. Risk reports should be filed and used in regular reviews of risks and procedures.

Useful resources

Running the Risk? A risk management tool for volunteer involving organisations. This practical tool was developed for Volunteering Australia by QUT’s Centre for Philanthropy and Non-profit Studies. It includes tools and forms used in the risk management process together with a number of case studies and frequently asked questions.

The Volunteering Queensland website has information on volunteer insurance and details of policies available through Volunteering Queensland.

The Insurance Chapter in “The Associations Incorporation Manual”, edited by Myles McGregor-Lowndes, Caxton Legal Service Inc, loose-leaf, ISBN 0949477303.

Workplace Health and Safety Guides, Queensland Government, Workplace Health and Safety.