Posted on 10 Apr 2024
By Matthew Schulz, journalist, Institute of Community Directors Australia
Not-for-profits must brace for the challenges of an increasingly volatile world in which risks span regulation, climate, ESG (environmental, social and governance factors), reputation, AI, and cyber and IT threats.
In a recent study of more than 400 organisations by Maddocks – ICDA’s legal partner – participants said the areas in which their operations were highly vulnerable were:
The Risk, Regulation and Resilience report, released late last year, represents the first time the firm has benchmarked Australian businesses in these areas, and it found that “no one sector … is better or worse equipped to deal with the risk of a major incident”.
The report provides useful guidance on understanding crises, and it distills characteristics of a crisis and suggests appropriate responses:
In the report, Maddocks proposes organisations consider conducting drills and exercises to test organisational capabilities.
“It is important that NFPs understand the common features of a crisis and test your systems bearing those features in mind, so that you will be well prepared if you are faced with a crisis,” Maddocks partner Catherine Dunlop said.
The central conclusion of the 36-page document is that the set-up, management and enforcement of compliance and risk policies are crucial to preparedness.
It is no surprise that cyber risks are now at the forefront of many NFP leaders’ minds, given the recent spate of cyber attacks affecting the community sector.
In a worrying trend, the report found that small organisations (with fewer than 100 staff) were far less likely to have existing cyber risk plans (47%), consequence management plans (19%), business continuity plans (55%) or crisis management plans (32%).
A separate study last year by community tech advocate Infoxchange suggests that the cyber risk situation could be even more dire than the Maddocks report suggests: it found that as few as 23% of smaller NFPs had “effective processes to manage information security risks”.
Ms Dunlop said that a significant area of concern for not-for-profits would be “those where the risk is difficult to quantify or address merely with internal resources”. She cited situations in which organisations and their leaders were reliant on external advice in relation to cyber and privacy risks or ageing IT systems.
Ms Dunlop said NFPs would also need to take a close interest in risks “arising from the behaviour of people, such as fraud or poor behaviour (e.g. sexual harassment), which can be unexpected and confronting given how many NFPs rely on dedicated and hard-working staff who are committed to the principles of their organisation.”
According to the Maddocks study, the top three barriers to good risk management are:
The Maddocks report suggests a series of strategies to overcome these barriers:
Those suggestions align with ICDA’s own recommendations, as outlined in this helpsheet: An introduction to the risk management process.
The Maddocks report also provides a sample risk management checklist and places risk management within an overall “organisational resilience framework”, which also encompasses incident management and recovery management.
Maddocks report: Risk, Regulation and Resilience
ICDA tools and resources: Insurance and risk management