Risk Management for Not-for-Profit Organisations

Australia rates in the top 5 charitable countries in the world, and there are currently around 60,000 registered charities/not-for-profit organisations in Australia, a very small number compared to the United States, which has 1.54 million charitable organisations.

Nevertheless, each charity and not-for-profit organisation has an important impact on someone, and ‘giving’ to a charity or not-for-profit is at the heart of our social fabric. Good governance, financial management and risk management are critical to maintaining registration as a charity, which is effectively its ‘license to operate’, and the Board and management should do what they can to protect their charity from adverse risks and compliance breaches.

Compliance obligations

The Australian Charities and Not-for-profits Commission (ACNC) is the national regulator of charities and not-for-profit organisations.  To be registered with the ACNC, charities and not-for-profit organisations need to show that their organisation meets the requirement of being a not-for-profit.  In addition, they have mandatory reporting, notification, compliance and record keeping obligations that include:

  • Reporting change of company details.
  • Advising change in responsible persons.
  • Reporting changes to governing documents (such as its constitution, rules or trust deed).
  • Keeping financial records that correctly record and explain their transactions and financial position.
  • Submitting an Annual Information Statement every year within six months of the end of a charity’s reporting period.
  • Complying with the Governance Standards that set out the minimum standard of governance, risk management and audit, to help promote public trust and confidence in charities.
  • For charities that operate overseas, complying with the External Conduct Standards that require them to take reasonable steps to ensure appropriate standards of behaviour, governance, oversight and recordkeeping when undertaking activities or providing resources overseas.

These ‘minimum’ requirements are in addition to any other obligations a charity may have under other laws or to other Commonwealth, state and territory regulators such as the Australian Securities and Investments Commission (ASIC) and Australian Taxation Office (ATO).

Staying compliant as a not-for-profit

Complying with ACNC’s minimum reporting, notification, compliance and record keeping obligations is critical to maintaining your registration as a charity and not-for-profit organisation.  This registration is your ‘license to operate’ as a charity.  Without this, you may not exist at all and your purpose/vision cannot be achieved.

The ACNC’s Governance Standards are the foundations.  They are a set of core, minimum standards that deal with how a charity is run (including its processes, activities and relationships).  There are 6 Governance Standards:

1: Purposes and not-for-profit nature
2: Accountability to members
3: Compliance with Australian laws
4: Suitability of Responsible Persons
5: Duties of Responsible Persons
6: Maintaining and Enhancing Public Trust and Confidence in the Australian Not-For-Profit Sector

In addition, there is a useful self-evaluation tool that aims to help charities assess whether they are meeting their obligations, and to identify issues that may prevent them from doing so. The self-evaluation comprises 10 short parts that cover each of the ACNC’s 6 Governance Standards and a charity’s other obligations to the ACNC. The questions and examples in the self-evaluation are only a guide and not a comprehensive list of compulsory requirements.

The ACNC has many other resources to help charities and not-for-profit organisations meet their compliance obligations.

Risk management considerations

What are the ACNC’s risk management requirements?

The self-evaluation and Governance Standards outline a number of specific risk management related matters that charities and not-for-profit organisations should consider.  The questions include:

  • What are the risks most relevant to the charity’s work? Think about the risks the charity needs to manage. For example, working with vulnerable people, or working with third parties to deliver services.
  • Is the charity complying with all its regulatory obligations? This includes ACNC, ATO, ASIC etc.
  • Is there a process in place to identify and manage all compliance risks, including the risk of misuse from terrorism financing and other serious criminal activities?
  • Is the charity identifying and managing risks relating to conflicts of interest, failure to address potential harm to beneficiaries, and financial mismanagement?
  • Is there a policy to mitigate risks when working overseas or sending funds overseas?
  • Are there other financial controls in place to protect against risks such as fraud, terrorism financing and misuse of funds?
  • Do the Responsible People regularly conduct reviews of the charity’s risks and its risk management systems and processes?
  • Are there processes in place for identifying and managing the charity’s risks, including financial, operational and reputational risks?
  • Are the charity’s risks recorded in a Risk Register?

So what does this mean for the Board and management?

At a minimum, the ACNC wants each charity and not-for-profit entity to manage the risks most relevant to the work it performs. Better practice risk management would require:

  • Maintaining a risk management framework and practices that are appropriate to the size and operations of the organisation.
  • The Board defining its risk appetite and how it will be monitored.
  • Drafting a Board-approved risk management policy and plan/strategy that describes the key elements of the risk management framework.
  • Building management capabilities for understanding and managing risks.
  • Ensuring adequate time and resources are dedicated for reviewing risks and considering emerging risks.
  • Periodic reporting to the Board for risk oversight.

Done well, risk management is a powerful management tool and may be the difference between success and failure.

Compliance powers

Whilst the ACNC aims to promote good governance and risk management practices, it also has significant powers to ask questions, gather information and monitor whether charities are meeting their obligations, and it can take action against charities not meeting their obligations.

If a charity fails to meet its obligations, the ACNC may:

  • Issue a warning: notify the charity that it is not meeting its obligations and explain what action the ACNC may take.
  • Make a direction: direct the charity to do or not do something.
  • Issue an enforceable undertaking: make arrangements with the charity for what it needs to do to meet its obligations – these arrangements can be enforced by a court.
  • Seek an injunction: ask a court to make the charity do or not do something.
  • Suspend or remove a Responsible Person (for example, a member of the charity’s board or committee).
  • Disqualify, for 12 months, a Responsible Person who has previously been suspended or removed. During that time, the person is not allowed to be a Responsible Person of any charity and will be listed on the disqualified persons register.
  • Revoke the charity’s registration (which may affect its eligibility for tax concessions).
  • Apply administrative penalties if the charity makes false or misleading statements or fails to submit documents on time.
  • Publish compliance decisions to ‘name and shame’ the organisation and warn the public.

Risk based approach to regulation

When deciding whether to use its powers or make certain decisions, the ACNC considers the following matters:

  • Type of problem/issue/incident.
  • Person or situation at risk (for example, whether it affects people, money or public trust and confidence generally).
  • Nature and degree of potential harm.
  • Likelihood and frequency of the problem occurring or reoccurring.
  • Risk profile of the charity (for example, its size, its processes for accountability and its history of compliance and cooperation).
  • Behaviour of the charity’s Responsible Persons.

As you can see, the ACNC uses a risk-based approach to regulation. Managing the risks in your charity or not-for-profit is therefore not negotiable and absolutely critical.

How we can help your not-for-profit take better risks

InConsult works with leading not-for-profit organisations.  We are here to help strengthen your risk management capabilities, systems and processes.  Our risk management, resilience and audit capabilities include:

  • Supplying an interim Chief Risk Officer to backfill a vacancy.
  • Providing a dedicated Risk Officer on demand through our Virtual Risk Officer service.
  • Helping organisations take their first steps towards implementing a formal and proactive enterprise-wide risk management framework.
  • Performing an independent review or health check of your existing risk management framework to identify gaps and level of maturity.
  • Conducting risk workshops covering strategic, operational and project risks.
  • Undertaking risk culture assessments.
  • Supporting you across a range of risk management services including business continuity, crisis management, cyber risk, climate change risk, sustainability, modern slavery, third party risk and fraud risk.
  • Providing a co-sourced or outsourced internal audit service that is appropriate to the size, risk and complexity of your organisation.
  • Web-based risk management, audit, compliance and incident management technology.

Take your charity or not-for-profit to the next level and contact us to discuss your needs.