10 steps to a safer organisation

There is no avoiding responsibility or dangerous activities. But what one person considers dangerous another may believe poses a minimal risk. Therefore, all community groups need to ensure that every effort is made to protect public safety at all levels of the organisation.

The 10 tips provided below are not a substitute for a well-planned, coordinated and communicated risk management strategy but are provided as a brief indication of some of the steps that can be investigated to assist in protecting your organisation.

1. Take risk seriously

Everybody who starts up a community group is focused on all the good things that they're going to do and how much everybody needs the group's work and how appreciative people will be when it's up and running. That's a necessary part of the motivation to take on the task, but it can mean that in the early days you don't really turn your mind to the things that could go wrong.

Everything may go smoothly, certainly, and your organisation may be so well run and so lucky that it doesn't need to cover itself against the consequences of errors and collapses and Murphy's Law.

But if you haven't identified some of the possible risks and set up some protection against foreseeable problems in the future, the chances are someone is likely to get hurt – and when they do you have left your organisation wide open.

2. Become incorporated

If something does go wrong, somebody is quite possibly going to be sued. The first step in risk management is to make sure that it isn't going to be any of you. Becoming incorporated creates an entity that can be sued, and this has an effect of drawing fire away from members of the group as individuals.

Incorporation pursuant to the Corporations Law means that board members will not be liable merely because they are board members. The members and officers of incorporated associations are similarly protected from liability when the organisation is incorporated under the Associations Incorporation Act.

The effect of incorporation is to limit liability. However, board members and employees of corporations and members and officers of incorporated associations do have a risk of incurring liability if a personal breach of duty by them causes personal injury or damage to property.

Partnerships and unincorporated associations

Small organisations that take the form of a partnership are more directly exposed to potential liability. Each partner has unlimited liability in respect of any liabilities incurred by the partnership.

There is a similar risk for members and officers of unincorporated community groups.

Incorporation details and requirements and procedures vary from state to state, so look up the applicable details, and then to be on the safe side (this is a risk management program) check the details on the relevant website in your state to make sure they're current and correct.

3. Put somebody in charge

If you're a very small organisation, either do it yourself or appoint one person as risk manager. If you're a slightly larger group, set up a risk management committee with representatives from all the people involved – the board, staff, volunteers, clients – to review the risks you face.

4. Work out the likely hazards

Have the risk management person or committee review your premises, your financial procedures, your equipment, your human relations practices, and your client operations to identify any risks, risky behaviour or practices. Ask what could go wrong and what protections you have in place against them going wrong.

It's important to get everyone involved to discuss any possible flaws in your practices and procedures. Risks come in two kinds; standard risks that apply to every workplace or organisation, and risks that come from doing the particular work you do. For example, there are unique risks that are faced by a welfare agency with volunteers working at night in high-risk areas, or a football club training on a poor surface, that are not shared by a bridge club meeting in the home of a committee member.

Standard risks

Get everyone together for a brainstorming session where you can go through a range of hypothetical possibilities or "what ifs" – what if all your records disappeared in a fire? What if a key staff member left suddenly? What if you were sued for $10 million dollars? – and ask how well you'd function if that happened, and – importantly – what you can do to ensure it doesn't.

Occupational health and safety risks
  • your physical surroundings (e.g. dangerous machinery, kitchen, blind corners, electrical equipment, car parks, asbestos, passive smoking, playing surface, slippery floors, safety rails, working at heights. etc.)
  • your work practices (e.g. overwork, sexual harassment, termination procedures, night work, equal opportunity, etc.)
  • your transport policy (e.g. bus license, car maintenance)
  • your hazard management training (Is it safe? Do you comply with the relevant legislation?)
Financial and administrative risks
  • your financial controls (e.g. cheque handling, expenditure authorisation, financial reporting, insurance, petty cash box, bank accounts)
  • your investment risks (e.g. building society crash, share loss, property market fluctuations)
  • your record maintenance (e.g. computer backup, file integrity, privacy protection, meeting minutes, member database, accounts database)
  • your legal status (incorporation status, corporate/government returns, etc.)
  • What could go wrong? What do you utterly depend on working?

Unique risks

Professional liability

Not-for-profit groups are set up to service, to assist, to entertain, to support communities, etc. but with any special service that your group provides, there is the margin for things to go wrong. It could be providing bad advice, or placing someone in a position you knew was dangerous. What are the possible downsides if it does go wrong or you have a bad episode? Have a look at the potential for harm and look at how bad it could be.

General liability

Your employees, or your volunteers, may be dangerous in themselves – child abusers, or prone to hit people, or abusive. Have you set up a screening service or taken measures to guard against the possibility of these sorts of people getting into your organisation? Have you set up procedures to ensure you can rid your group of such people fairly and according to government standards?


You may be perfectly in the right, and someone may sue you anyway, and you may have to spend thousands of dollars to defend yourself.

(See also our help sheet on The main areas of risk for community organisations.)

5. Evaluate and Prioritise the Risks

All of this involves quite a lot of estimation. The next step involves even more estimation. Don't be afraid of guessing; it's better than waiting until you know for sure, because then it could be too late.

Likelihood rating

Frequent – likely to occur frequently
Probable – would occur but not frequently
Occasional – could happen occasionally
Remote – rare, not likely but possible
Improbable – highly unlikely but still possible

Consequence rating

Catastrophic – may result in death or loss of bodily functions
Critical – may cause severe injury, illness
Marginal – may cause injury or illness resulting in loss of work as an example
Negligible – may cause minor injury or illness

A rating table can then be developed that will assist in evaluating your risks in the next step.

The chart below can provide a good starting point to approach the management of risks in some order. Look at the adequacy of existing controls and then decide which risks are to be treated or accepted.

Frequent Probably Occasional Remote Improbable
Catastrophic High High High High High
Critical High High High Medium Low
Marginal High Medium Medium Low Low
Negligible Medium Low Low Low Low

6. Fix What You Can Fix

Change your systems, your procedures, your physical plant, or your attitudes to address the hazards. Have the risk manager or the risk management committee check that the changes have been made. Evaluate the effect of the changes. Review them regularly and modify them when needed. Remember, too, that your liability for whatever happens is going to be affected by whether or not people think that you've done all you reasonably could have to avoid it.

7. Shift what you can shift

If you're not able to remove the risk – and some activities (skydiving, whitewater rafting, living) are inherently risky – you may be able to shift the burden of the risk onto someone else's shoulders. You may be able to hire sub-contractors, for example, or share the job with another organisation.

You may also consider asking the people who use your service to sign waivers. However, it is important to realise that waivers do not constitute an excuse or protection for people or organisations that act in a negligent manner. And a waiver does not relieve the organisation from its duty of care to the person signing the waiver. A waiver is valid only if all the possible foreseeable risks have been fully explained and that everything has been reasonably done to either eliminate, minimise or control the risk. A waiver works only to cover inherent risks, and does not cover negligence or excuse an organisation's failure to act when it could or should have. This area is a legal minefield in itself and waivers tend not to hold much credence in courts. However, it does make people think twice about suing if they have signed something saying that they are aware that they are participating in an activity and have been made aware of all the possible risks that that activity could possibly entail.

Disclaimers – statements about what you're accepting responsibility for or not accepting responsibility for – are even less effective at excusing you from your duty of care. Putting up a sign saying that you're not liable for people slipping on the rug is not a protection if you have acknowledged that the rug is dangerous, have had numerous complaints and still not actioned anything to remove the danger.

8. Insure what you can insure

Insurance is not a substitute for risk management. Getting insurance only comes into the picture when you've done all you can to minimise risk. You can't foresee everything, though, and you can't avoid quite a lot of what you can foresee, and so you want to spread the risks across the sector; which means you need insurance.

9. Get ready for the worst

You can't foresee all possible risks, and you're still going to be faced with the unexpected. Even so, it helps to have procedures. If you've planned for a flood, for example, and you get a fire, at least you have an evacuation plan in place. How are your catastrophe management plans? Do you have the numbers handy for the police/fire brigade/ambulance? Who knows first aid? When was your last fire drill? On the wider canvas, do you have a recovery strategy that will enable you to survive a heavy blow and come back?

10. Build all this into a policy

Put it in writing. Have a manual available with all the necessary detail so that people can draw on the work that's been done. Make sure everybody knows the policy and follows it. Arrange to review it regularly. Train and regularly communicate with all staff, volunteers, helpers and members. This is an excellent way of getting the message of risk management across and potentially can provide a great way of getting feedback. Seek support and advice from your insurer or a risk management adviser. Ask for help from local council or your peak association.

Become a member of ICDA – it's free!