Ten steps to a safer organisation

All not-for-profit organisations need to ensure that every effort is made to protect public safety at all levels of the organisation.

The 10 steps provided below are not a substitute for a well-planned, coordinated and communicated risk management strategy but are provided as a general guide to what sort of steps you need to take to protect your organisation.

1. Take risk seriously

Everybody who starts up a not-for-profit organisation is focused on all the good things that they're going to do and how much everybody needs the group's work and how appreciative people will be when it's up and running. That's a necessary part of the motivation to take on the task, but it can mean that in the early days you don't really turn your mind to the things that could go wrong.

Everything may go smoothly, certainly, and your organisation may be so well run and so lucky that it doesn't need to cover itself against the consequences of errors and collapses and Murphy's Law.

BUT if you haven't identified some of the possible risks and set up some protection against foreseeable problems in the future, chances are someone is going to get hurt - and when they do you have left your organisation wide open.

2. Become incorporated

If something does go wrong, somebody is quite possibly going to be sued. The first step is to make sure that it isn't going to be any of you.

The point about your organisation becoming incorporated is that it creates an entity that can be sued, and this has an effect in drawing fire away from members of the group as individuals.

Incorporation pursuant to the Corporations Law means that directors and shareholders will not be liable merely because they are directors and shareholders. The members and officers of incorporated associations are similarly protected from liability when the organisation is incorporated under the Associations Incorporation Act.

The effect of incorporation is to limit liability. However, directors and employees of corporations and members and officers of incorporated associations do have a risk of incurring liability if a personal breach of duty by them causes personal injury or damage to property.

Small organisations which take the form of a partnership are more directly exposed to potential liability. Each partner has unlimited liability in respect of any liabilities incurred by the partnership. There is a similar risk for members and officers of unincorporated community groups

3. Put somebody in charge

If you're a very small organisation, either do it yourself or appoint one person as a risk manager.

If you're a slightly larger organisation, set up a risk management committee with representatives from all the groups of people involved - the board, staff, volunteers, clients - to review the risks you face.

Make sure that whoever is responsible for risk management knows they are responsible and is accountable for reporting back to the board on what's being done.

4. Work out the likely hazards

Have the responsible risk management person or committee review your premises, your financial procedures, your equipment, your human relations practices, and your client operations to identify any risks, risky behaviour or risky practices.

Ask what could go wrong and what protections you have in place against them going wrong. It's important to get everyone involved to discuss any possible flaws in your practices and procedures.

Risks come in two kinds: standard risks that apply to every workplace or organisation, and risks that arise from doing the particular work you do. In other words, there are unique risks that are faced by a welfare agency with volunteers working at night in high-risk areas, or a football club training on a poor surface, that are not shared by a bridge club meeting in the home of a committee member.

Standard risks


  • Your physical surroundings (e.g. dangerous machinery, kitchen, blind corners, electrical equipment, car parks, asbestos, passive smoking, playing surfaces, slippery floors, safety rails, working at heights, etc.)
  • Your work practices (e.g. overwork, sexual harassment, termination procedures, nightwork, equal opportunity, etc.)
  • Your transport policy (e.g. bus license, car maintenance, etc.)
  • Your hazard management training (is it safe? Do you comply with the relevant legislation?)
  • Your financial controls (e.g. delegations, cheque handling, online accounts, expenditure authorisation, financial reporting, insurance, petty cash box, etc.)
  • Your investment risks (e.g. building society crash, share loss, property market, etc.)
  • Your record maintenance (e.g. computer backups, virus protection, file integrity, online and offline security, privacy protection, meeting minutes, member database, accounts database, etc.)
  • Your legal status (incorporation status, corporate/government returns, etc.)

Ask yourself, What could go wrong?

Get everyone together for a brainstorming session to go through a range of hypothetical possibilities or "what ifs" - What do you utterly depend on working? What could go wrong? What if all your records disappeared in a fire? What if a key staff member left suddenly? What if you were sued for $10 million dollars?

Now ask, how well would we function if that happened? And - importantly - what can we do to ensure it doesn't?

Unique risks

Not-for-profit groups are set up to service, to assist, to entertain, to support communities, but with any special service that your group provides, there is the margin for things to go wrong. It could be incorrect advice, poor treatment or placing someone in a position you knew was dangerous.

What are the possible downsides if it does go wrong or you have a bad episode? Have a look at the potential for harm and look at how bad it could be.

Your employees, or your volunteers, may be dangerous in themselves - child abusers, or prone to hit people, or abusive. Have you set up a screening service or taken measures to guard against the possibility of these sorts of people getting into your organisation? Have you set up procedures to ensure you can rid your group of such people fairly and according to Government standards?

You may be perfectly in the right, and someone may sue you anyway, and you may have to spend thousands of dollars to defend yourself.

5. Evaluate and prioritise the risks

All of this involves quite a lot of estimation. The next step involves even more estimation, but that doesn't mean you don't have to do it.

6. Fix what you can fix

Change your systems, your procedures, your physical plant, or your attitudes to address the hazards. Have the risk manager or the risk management committee check that the changes have been made.

Evaluate the effect of the changes. Review your policies and systems regularly and modify them when needed.

Don't bury your head in the sand - your liability for whatever happens is going to be affected by whether or not people think that you've done all you reasonably could have to avoid it.

7. Shift what you can shift

If you're not able to remove the risk - and some activities (skydiving, white-water rafting, living) are inherently risky - you may be able to shift the burden of the risk on to someone else's shoulders.

You may be able to hire subcontractors, or share the job with another organisation.

You may ask the people who use your service to sign waivers before entering your service. It's important, however, to realise that waivers do not constitute an excuse or protection for people or organisations that act in a negligent manner. A waiver does not relieve the organisation from its duty of care to the person signing the waiver. A waiver is valid only if all the possible foreseeable risks have been fully explained and that everything has been reasonably done to either eliminate or minimise or control the risk.

This area is a legal minefield and waivers tend not to hold much credence in courts. However, it does make people think twice about suing if they have signed something saying that they are aware of the risks.

Disclaimers - statements about what you're accepting responsibility for or not accepting responsibility for - are even less effective at excusing you from your duty of care. Putting up a sign saying that you're not liable for people slipping on the rug is not a protection if you have acknowledged that the rug is dangerous, have had numerous complaints and still not done anything to remove the danger.

8. Insure what you can insure

Insurance is not a substitute for risk management. Getting insurance only comes into the picture when you've done all you can to minimise risk.

You can't foresee everything, though, and you can't avoid quite a lot of what you can foresee, and so you want to spread the risks across the sector; which means you need insurance.

9. Get ready for the worst

You can't foresee all possible risks, and you're still going to be faced with the unexpected.

Even so, it helps to have procedures. If you've planned for a flood, for example, and you get a fire, at least you have an evacuation plan in place. How are your catastrophe management plans? Do you have the numbers handy for the police/fire brigade/ambulance? Who knows first aid? When was your last fire drill? On the wider canvas, do you have a recovery strategy that will enable you to survive a blow and come back?

10. Build all this into a policy

Put it in writing. Have a manual available with all the necessary detail so that people can draw on the work that's been done. Make sure everybody knows the policy and follows it.

Arrange to review the policy regularly. Train and regularly communicate with all staff, volunteers, helpers and members. This is an excellent way of getting the message of risk management across and potentially can provide a great way of getting feedback

Seek support and advice from your insurer or a risk management adviser. Ask for help from local council or your peak association.

Become a member of ICDA – it's free!