Risk management is an important part of any volunteering program. Risk is defined as ‘the effect of uncertainty on objectives’ (AS/NZS ISO 31000:2009). Risk is usually measured in terms of likelihood and consequence. Risk management is ‘the coordinated activities to direct and control an organisation with regard to risk.’ Staff at all levels of an organisation are responsible for managing risk, and volunteers may have key responsibilities when it comes to reporting and managing risk. Many organisations have a Risk Appetite Statement, which sets out the appetite for risk across key areas. Based on this, organisations then create strategic and operational risk management plans.
Risk management is most relevant to National Standard 1: Volunteering is embedded in leadership, governance and culture. National Standard 1.2 states: ‘Governance and risk management arrangements facilitate safe and meaningful volunteer participation.’ Suggested evidence for this Standard includes:
- Risk management systems are in place to identify, assess and respond to risks relating to volunteer participation.
- The governing body and senior leadership oversee volunteer risk management.
- Volunteers are informed of potential risks and are supported to manage or mitigate risk factors.
Risk management is also relevant to National Standard 6: Volunteer safety and wellbeing is protected.
The complexity of your risk management documentation will usually be dictated by your entity type, the activities of your organisation, the environment in which you operate, and the stakeholders you engage with. Managing risk is the responsibility of all staff, including volunteers and the governing body of your organisation. Good risk management involves continuous monitoring and regular reporting.
Documents you may consider creating to support your risk management activities include:
- Risk Appetite Statement
- Risk Management Framework
- Strategic Risk Management Plan
- Operational Risk Management Plan
- Risk Policy
- Risk Procedure
Risk appetite is the amount of risk the organisation is willing to accept or retain in order to achieve its objectives. It is a statement or series of statements that describes the organisation’s attitude towards risk taking.
Risk tolerance is a measure of the levels of risk taking that are acceptable to achieve a specific objective or manage a category of risk. Risk tolerance represents the practical application of risk appetite.
Both risk appetite and risk tolerance are usually set by the governing body of the organisation in collaboration with the CEO.
Risk matrices are one of the primary ways to manage risk in an organisation. They define likelihood ratings (e.g. low, medium, high) and consequence ratings (e.g. low, medium, high, severe). The number of ratings across these two metrics will likely be dictated by the complexity of your organisation and your volunteering program.
Risk management plan
Risks are usually grouped into key categories, which may include:
- Strategic risks
- Financial risks
- Reputational risks
- Human Resources risks
- Systems and Infrastructure risks
- Client risks
The first step in creating a risk management plan is identifying the key areas of risk your organisation is likely to encounter. From there, it is important to identify all the risks that fall within each category. Each risk should be allocated a likelihood rating and a consequence rating. Following the categorisation of risks, the next step is to apply mitigation strategies that lower the likelihood of the risk occurring and/or the consequence should the risk occur. After applying mitigation strategies, you should be left with a residual risk rating against each identified risk. In an ideal world, mitigation strategies lower both the likelihood and consequence of an identified risk; however, there are always risks that cannot be mitigated or eliminated. These generally form severe risks and should be monitored appropriately.
Continuous monitoring and regular reporting are integral parts of effective risk management. It is not enough to simply create a risk management plan and never revisit it. New risks will arise over time and will need to be added and circumstances within your organisation may change, which reduce or remove existing risks. Risk reporting should occur at both a strategic and operational level. As a general rule, the governing body will monitor all high and severe risks on an ongoing basis. Lower classified risks are usually managed operationally.
The best way to ensure risk reporting, including the identification of new risks, is happening effectively is to create a risk management culture within your organisation. Empower volunteers to identify and report potential risks and communicate your risk management procedures with them. Make reporting easy and accessible.
Volunteers are often deployed in client-facing roles and may work without direct supervision. Many volunteering programs provide programs and services to people in the community, and this is often enabled through the involvement of dedicated volunteers. Additionally, your volunteers will likely have access to private and confidential information such as client data, logins and passwords, and sensitive corporate documentation. Risk management should form part of the policies and procedures for your volunteering programs.
Ensure that risk management is discussed with volunteers during their induction, and they are provided with clear direction about the expectations of your organisation regarding risk. Be specific about what volunteers are required to do to contribute to risk management. An important part of this conversation is outlining the boundaries of a volunteering role, including what is in and out of scope.
Insurance and risk go hand in hand. Insurance is one mechanism of managing and mitigating risk, and in some cases your organisation may choose to invest in insurances that protect you in the event of an accident or injury. It is critical to be aware that not all risk can be outsourced, and most insurances have liability limits and claim conditions. Volunteering Australia recommends having an in-depth conversation with your insurer about risk and seeking their advice on the best insurances to put in place to provide protection.
There is a wealth of information online about risk management, including tools and templates to support the creation of your risk documents. You can see the full suite of Risk Management resources on the Volunteering Resource Hub here.