From paper to practice: Building a healthy risk culture and risk management toolkit inside your NFP

May 5, 2026

By Penny Corkill

Partner Risk & Assurance

Your organisation has done the groundwork.

You've created a risk register.

There's a clear incident reporting form.

Somewhere, on the shared drive, your approved risk management policy is saved.

In theory, you're prepared.

Then a serious incident occurs which has a major negative impact on operations.

In the post-incident investigation, it emerges that frontline staff weren't clear on the risk escalation process. The controls that should have prevented the incident existed in policy but were never fully implemented. Near-misses in the weeks prior went unreported, documented best practices weren't followed, and the policy was never well known to the staff who were expected to implement it.

Your risk management framework failed, but not because it didn't exist.

It failed because it didn’t align with how real risk was managed in practice.

The gap between documentation and practice

The gaps exist for a variety of reasons. Risk registers usually sit dormant between reviews and are only updated after major incidents. Policies are written for auditors rather than for the people doing the work on a daily basis. Incident reporting systems capture only the most serious events. Staff have learned, often through experience, that raising concerns doesn't lead to change. And the tone from the top - however unintentionally - signals that raising problems is an unwelcome nuisance. As we explored in our article on creating a proactive risk and conduct culture, the organisational environment shapes whether people speak up or stay silent, and silence often leads to serious consequences for your clients, your staff and the NFP's mission.

The consequences of such an event are compounded in settings with vulnerable clients, where the stakes are uniquely high. Organisations delivering aged care, disability services, mental health support, or primary health care operate in heavily regulated environments with complex clinical and operational risks. Generic risk frameworks often fail to capture the nuanced risks these organisations actually face.

Better risk management isn’t about having more documentation - it’s about building a system that works in practice. Frameworks aligned with ISO 31000:2018 provide a structured foundation: clear risk ownership, documented controls, defined review cycles, and easily understood escalation mechanisms. But the framework is only as effective as the culture surrounding it.

What an effective risk management framework actually looks like

An effective system has several distinguishing features. Risk registers should reflect the full spectrum of organisational risk - not just financial and compliance risks, but also clinical governance, data, and workforce risks specific to the sector. For a disability-focused NFP, the risks are different to those of an aged care provider, and the risk management framework must reflect that. A control only reduces risk once it is actually implemented, so the framework should make it easy for the people responsible to put each control into practice.

Ask yourself: Does the person responsible know what to do and have the necessary tools when an incident arises?

Board visibility must also go beyond reading reports. Audit and risk committees require clear feedback and assurance that risk management is working - not just summaries of what management says is working. Risk considerations must be embedded in every significant Board decision, connected to what we explored in our article on setting a meaningful risk appetite - because without a defined appetite, risk considerations have nothing to anchor against. The risks weighed in each decision must then be communicated to everyone affected by it, as that communication is a vital part of the feedback loop.

Risk culture: the foundation everything rests on

The most sophisticated risk framework will fail if the culture doesn’t support it. Risk culture is the collection of shared values, attitudes, and behaviours that determine how an organisation manages uncertainty day to day - and is shaped far more by what leaders do than by what policies say.

For NFPs, the indicators of a healthy risk culture are specific. Near-misses are reported and treated as learning opportunities. Staff feel safe raising concerns and are recognised for doing so. Incident data drives system improvement, not blame. Staff, volunteers and contractors all understand their role in managing risk every day.

Assessing your risk culture means going beyond staff surveys (though those do matter). It means examining what your incident reporting data actually shows: if you’re only hearing about serious incidents and never near-misses, the culture is inadvertently suppressing key information rather than surfacing it.

Asking harder questions

The shift from compliance to genuine risk management requires a different set of questions.
Not “do we have a risk register?” but “do our frontline staff know what's in it?”
Not “do we have an incident reporting system?” but “why are we only seeing major incidents, not near-misses?”
Not “does our Board receive risk reports?” but “how do we know the controls we’ve set actually work?”

Independent assurance mechanisms (such as internal audit, quality management systems, and regular testing of incident response procedures) bridge the gap between what gets reported and what’s actually happening. For NFPs working with vulnerable clients, this is particularly critical: regulators, including the Aged Care Quality and Safety Commission and the NDIS Quality and Safeguards Commission, expect organisations to demonstrate that their systems are working, not just that they exist. As our article on rebuilding reputation and culture after misconduct makes clear, recovery is far harder and far more costly than prevention.

The time to question whether your risk management system genuinely works is before the incident, not after.

How Centium can help

At Centium, we work with NFP Boards and management teams to assess whether their risk management systems are working in practice - not just on paper. We help health and community sector organisations implement enterprise risk management frameworks aligned with ISO 31000:2018, identify gaps between documented controls and operational reality, and build the internal assurance capability that provides genuine board visibility.

We also work with organisations to assess and strengthen risk culture - from determining pathways for your people to feel empowered to report concerns, to assessing whether the tone from the top encourages openness (or suppresses it).

To learn more about our risk management and governance advisory services, or to discuss your specific needs, please email: info@centium.com.au

If you're interested in strengthening your NFP's governance and risk management, follow our series of articles:
