By Penny Corkill
Partner Risk & Assurance
Your Board just approved an ambitious three-year strategy. New programs, expanded reach, deeper community impact. Everyone left the meeting energised. Two weeks later, a partnership opportunity lands on the executive director’s desk - one that could accelerate everything. It’s not without risk, and no one can agree whether it’s the kind of risk your organisation should take.
Three Board members say yes. Two say no.
Management doesn’t know whose lead to follow.
The decision is in deadlock.
The opportunity passes.
This plays out in boardrooms across Australia every week - not because Boards lack good judgement, but because they’ve not formally agreed on which types of risk, and how much of each, they’re willing to accept in pursuit of their mission. Without that clarity, every significant decision becomes a negotiation.
The risk appetite gap most Boards don’t know they have
Ask most NFP Boards whether they have a risk appetite, and they’ll either say a version of “low risk is better” or point to their risk register. But a risk register tells you what could go wrong. Risk appetite tells you how much uncertainty you’re prepared to accept in pursuit of what matters.
The consequences are more damaging than most Boards realise. Without a shared understanding of risk appetite, organisations drift without direction towards one of two extremes: recklessly ambitious, pursuing opportunities without understanding the exposure, or paralytically risk-averse, declining anything uncertain. Neither serves the mission.
For non-profits, the stakes are even higher. Most operate in a heavily regulated environment, deliver essential services to vulnerable populations, and depend on funding relationships built on trust. Getting risk calibration wrong has direct consequences for the people they exist to serve.
As we explored in our article on understanding director duties in NFP governance, the Board needs to set the risk culture, and therefore must agree on the risk appetite.
What a genuine risk appetite statement is (and isn’t)
A risk appetite statement isn’t a declaration that an organisation should avoid risk. That’s risk aversion - and for a mission-driven organisation, it’s often the riskiest position of all.
An effective risk appetite statement articulates the types and levels of risk an organisation is willing to accept (and those it isn’t) across different categories, recognising that those categories are not equal.
Consider how this might look for an NFP that supports vulnerable clients:
This nuanced approach - rather than a blanket “low risk appetite” statement - is what actually guides decisions. Different risks require different responses, and some are inherent to doing meaningful work.

Connecting risk appetite to strategy
One of the most common governance failures we see is the disconnect between a Board’s stated strategy and its actual risk appetite. The strategy says “ambitious growth”; the risk appetite is effectively “no surprises.” These positions are incompatible, yet co-exist in many NFPs because no one has linked the two.
Effective risk appetite isn’t set in isolation from strategy - it’s derived from it. If, for example, you set a low appetite for financial sustainability risk, how will you protect yourself against that risk? Perhaps a starting point is to agree on a set of financial misconduct prevention strategies for NFPs, as we’ve explored previously.
When a Board defines its strategic goals, the next question should be: What risks must we accept to achieve this? When Board and management are aligned on that answer, decision-making becomes faster and more aligned. Management knows which risks fall within their delegated authority. The Board focuses on what genuinely needs their attention.
From statement to practice: making risk appetite usable
Some practical ways to embed risk appetite into how the organisation operates:
The governance failure no one talks about
When incidents occur, Boards often discover their risk appetite was never truly agreed upon - different directors held different views about what was acceptable, and management had been operating on untested assumptions.
The absence of a clearly defined risk appetite is itself a governance failure - one that creates uncertainty, slows decision-making, and strains the Board-management relationship. When it compounds with other governance weaknesses, the consequences can be severe, as we explore in our article on how NFPs rebuild reputation and culture after misconduct.
The good news? Defining risk appetite isn’t complicated. It requires thoughtful Board conversation and documentation that reflects strategic priorities - not generic governance language. Most Boards can make meaningful progress in a single focused session.
How Centium can help
At Centium, we work with NFP Boards and management teams to define risk appetite frameworks that are practical, specific, and connected to strategy. We facilitate the conversations that surface where perspectives diverge, translate risk appetite into tools management can use with confidence, and build the governance infrastructure to sustain it.
Whether you’re starting from scratch or refining an existing framework, we help your Board move from abstract risk statements to governance that actively promotes mission delivery.
To learn more about our governance and risk management services, or to discuss your specific needs, please email info@centium.com.au