Risk Management

No matter how small or big your organisation is, risk management is a board responsibility. You can delegate some risk-related tasks to management, but overall the board is responsible for the organisation’s approach.
Think systematically about all the possible risks, problems or disasters that could affect your organisation and its staff, clients, families, volunteers, or the public.
Put in place procedures to avoid the risk, minimise it or cope with its impact. Risk management also means making a realistic evaluation of the true level of risk (how likely it is to happen to your organisation).

Dealing with Risk

How to identify risk

Some ways to deal with risks are keeping a risk register; having insurance; developing policies and procedures; staff and volunteer training; and ongoing monitoring.

Three questions are useful:

  1. What could go wrong?
  2. What will we do to prevent it?
  3. What will we do if it happens?

Some categories of risk to think about:

  • Compliance risks (e.g. failure to lodge statutory information in the allowed time; legal requirement to keep records; privacy and confidentiality of information).
  • Financial risks (e.g. loss of funding; insolvency; fraud; expense blow-out; inaccurate records or a lack of records; lack of internal checks and balances).
  • Governance risks (e.g. ineffective oversight; not having clear policies and procedures; lack of responsiveness to mana whenua).
  • Operational risks (e.g. poor service delivery; potential to cause harm to people; loss or corruption of digital information and data; cybersecurity risks; staff or employment issues such as wrongful dismissal or harassment; volunteers’ lack of training or screening).
  • Environmental, including event risks (e.g. natural disasters and states of emergencies).
  • Physical spaces and equipment (e.g. fire, flooding, workplace health and safety issues, theft or misuse).
  • Brand and reputational risks (e.g. due to worsened stakeholder or community perceptions, from major event failure; criticism of your performance via traditional or social media).
  • Strategic risks (e.g. not keeping up to date with environmental scans, poor consideration of Treaty of Waitangi application to the organisation’s purpose; stakeholder behaviour change, increased competition for funding).


This link provides a risk scoring matrix and an example of a risk register:


This link is to a Risk Management Toolkit resource developed for arts organisations and includes templates for risk registers:


A useful link to manage any potential conflicts of interest from Charities Services

