The Risk & Control Series | Part 3 of 3

Controls Risk: The Framework That Holds Everything Together

Expenditure controls protect your money. Governance controls protect your board. But without an overarching control framework, individual measures remain fragmented, and gaps between them become the greatest source of organisational risk.

For many not-for-profits, this is precisely the situation they find themselves in.

The State of Risk Management in the Sector

The statistics are stark. Research into small charities found:
  • 62% have never received risk and governance training
  • 10% do not have – or are unsure whether they have – any risk management measures in place
  • 87% have only one risk management measure in place
  • 47% are only partially confident in their capacity to identify and assess risk

These figures describe a sector that is, in many cases, operating without a safety net.

This is compounded by the broader environment in which not-for-profits are working. Increasing community demand for services, rising operational costs, workforce shortages, declining volunteer numbers, and remuneration constraints are placing enormous pressure on organisations that were already stretched thin.

When resources are limited, risk management is often the first thing deprioritised. Ironically, it is during periods of greatest pressure that robust controls matter most.

What Is Controls Risk?

Controls risk is the risk that an organisation’s internal control environment is inadequate, outdated, poorly understood, or inconsistently applied.

It manifests in many ways:
  • Policies that exist on paper but are not followed in practice
  • Risk registers that are created once and never reviewed
  • Processes that rely on institutional knowledge held by a single person
  • No clear escalation pathways when something goes wrong
  • Cyber security vulnerabilities that have not been assessed or addressed
  • Compliance obligations that are met reactively rather than proactively

The cost of these gaps can be significant. Approximately 12% of not-for-profits experienced a cyber security incident in the past 12 months, with the average cost of a breach for Australian not-for-profits estimated at $267,000. For many organisations, a loss of that magnitude could be existential. And yet, two-thirds of affected organisations do not report incidents to the police, suggesting a culture where problems are absorbed rather than addressed systemically.

The Control: An Integrated Risk and Control Framework

An effective control framework does not need to be complex. But it does need to be:
  • Documented, so it is not dependent on any one individual.
  • Comprehensive, covering financial, operational, governance, compliance, and cyber risk.
  • Reviewed regularly, at least annually, and after any significant incident or change.
  • Understood by all relevant parties, from the board through to operational staff.
  • Embedded in operations, not a standalone document, but a living part of how the organisation works.

Key components of a robust control framework include:
  • Risk register – Identifies, categorises, and rates organisational risks
  • Risk appetite statement – Defines the level of risk the board is willing to accept
  • Internal policies and procedures – Sets operational standards and expectations
  • Delegation of authority framework – Clarifies who can make decisions and commit resources
  • Incident reporting and escalation procedures – Ensures issues are captured and addressed
  • Compliance calendar – Tracks regulatory obligations and deadlines
  • Cyber security controls – Protects data, systems, and financial assets
  • Board reporting mechanisms – Provides directors with timely, accurate risk information

The Human Element

No framework works without people who understand it and are committed to following it.

Not-for-profits face a particular challenge here. With persistent staff shortages, high reliance on volunteers, and increasing pressure on existing teams, the risk of burnout – and the errors that come with it – is significant.

Organisations need to consider:
  • Whether their value proposition is genuine, clear, and meaningful enough to attract and retain the right people
  • Whether staff and volunteers have been trained on the controls that apply to their roles
  • Whether the workload distribution is sustainable, or whether key controls are being bypassed due to time pressure
  • Whether there is a culture of accountability that supports – rather than punishes – the identification of problems

Where to Start

  1. Assess your current state – do you have a risk register? Is it current? Does the board see it regularly?
  2. Identify your critical controls – which processes, if they failed, would cause the most damage?
  3. Map your control gaps – where are you relying on trust, memory, or a single individual?
  4. Invest in training – ensure board members, staff, and volunteers understand the controls relevant to their roles.
  5. Review your cyber security posture – if 12% of the sector experienced an incident last year, assume you could be next.
  6. Build a compliance calendar – never miss a regulatory deadline again.
  7. Report to the board – risk should be a standing agenda item, not an annual afterthought.

A control framework is not about eliminating risk. That is neither possible nor desirable. It is about ensuring your organisation can see risk clearly, respond to it proportionately, and demonstrate to stakeholders that their trust is well placed.

This is Part 3 of The Risk & Control Series from The Breakthrough Office – practical guidance to support not-for-profits to identify, understand, and manage organisational risk.

If you would like support in managing or assessing the controls of your organisation, reach out to us at: [email protected]

Special Offer: Mention this article series to receive 20% off a Governance Health Check.
