How not-for-profits can manage risks and build resilience

Posted on 10 Apr 2024

By Matthew Schulz, journalist, Institute of Community Directors Australia


Not-for-profits must brace for the challenges of an increasingly volatile world in which risks span regulation, climate, ESG (environmental, social and governance factors), reputation, AI, and cyber and IT threats.

In a recent study of more than 400 organisations by Maddocks – ICDA’s legal partner – participants said the areas in which their operations were highly vulnerable were:

  • cyber security (68%)
  • employees (50%)
  • reputation (37%)
  • regulatory breaches (34%)
  • economic (30%)
  • ageing IT systems (22%)
  • climate (18%)
  • supply chain (14%)
  • ESG frameworks (8%).

The Risk, Regulation and Resilience report, released late last year, represents the first time the firm has benchmarked Australian businesses in these areas, and it found that “no one sector … is better or worse equipped to deal with the risk of a major incident”.

There are many ways in which NFPs can better understand and manage risks, according to legal experts Maddocks.

The report provides useful guidance on understanding crises, and it distills characteristics of a crisis and suggests appropriate responses:

  • It will be difficult to obtain accurate and timely information
  • Decisions made during a crisis can have long-term consequences
  • Not everyone is good in a crisis, which means any response team must be carefully selected
  • Being able to keep all your stakeholders happy in a crisis is rare, and priorities must be established
  • Consider how documents produced and shared during a crisis might be viewed later
  • Assign a liaison person to work with authorities and regulators
  • Consider how you would respond to multiple crises occurring in a confluence of events
  • Consider the value of rest for key team members.

Maddocks partner Catherine Dunlop

In the report, Maddocks proposes that organisations consider conducting drills and exercises to test organisational capabilities.

“It is important that NFPs understand the common features of a crisis and test your systems bearing those features in mind, so that you will be well prepared if you are faced with a crisis,” Maddocks partner Catherine Dunlop said.

The central conclusion of the 36-page document is that the set-up, management and enforcement of compliance and risk policies are crucial to preparedness.

It is no surprise that cyber risks are now at the forefront of many NFP leaders’ minds, given the recent spate of cyber attacks affecting the community sector.

In a worrying trend, the report found that small organisations (with fewer than 100 staff) were far less likely to have existing cyber risk plans (47%), consequence management plans (19%), business continuity plans (55%) or crisis management plans (32%).

A separate study last year by community tech advocate Infoxchange suggests that the cyber risk situation could be even more dire than the Maddocks report suggests: it found that as few as 23% of smaller NFPs had “effective processes to manage information security risks”.

The most common risks for organisations highlighted in the report.

Ms Dunlop said that a significant area of concern for not-for-profits would be “those where the risk is difficult to quantify or address merely with internal resources”. She cited situations in which organisations and their leaders were reliant on external advice in relation to cyber and privacy risks or ageing IT systems.

Ms Dunlop said NFPs would also need to take a close interest in risks “arising from the behaviour of people, such as fraud or poor behaviour (e.g. sexual harassment), which can be unexpected and confronting given how many NFPs rely on dedicated and hard-working staff who are committed to the principles of their organisation.”

According to the Maddocks study, the top three barriers to good risk management are:

  • budget constraints (34% of participants)
  • being unaware of best practice (27%)
  • not having resilience/risk as a priority (17%).

The Maddocks report suggests a series of strategies to overcome these barriers:

  • risk assessment and identification
  • better risk-awareness culture
  • clear roles and responsibilities
  • risk management frameworks
  • good risk monitoring and reporting
  • considering the use of external experts.

Those suggestions align with ICDA’s own recommendations, as outlined in this helpsheet: An introduction to the risk management process.

The Maddocks report also provides a sample risk management checklist and places risk management within an overall “organisational resilience framework”, which also encompasses incident management and recovery management.

More information

Maddocks report: Risk, Regulation and Resilience

ICDA tools and resources: Insurance and risk management
