Risk management
Aboriginal and Torres Strait Islander corporations, like any other organisation, face various types of risks that can impact their operations, reputation and ability to achieve their purpose and objectives. Risk management practices are essential to help prevent these risks and make sure the corporation can succeed and grow.
Effective risk management involves identifying, assessing and managing risks before they become a problem, usually with the support of clear policies and strong leadership.
Managing risk should not be a separate or discrete activity. Considering and addressing weaknesses or threats to the success of your corporation should be embedded in everyday processes and decision-making.
What is risk?
Risk is uncertainty about something happening that will have a negative effect on the corporation.
Risks can come from:
- inside the corporation, such as from poor processes, staff misbehaving or board disputes
- outside the corporation, such as from natural disasters or scammers.
Risk is not necessarily bad. What’s important is that you understand what the risks are for your corporation, and make decisions about how to manage them.
Why corporations need to manage risk
The goal of risk management is to:
- identify potential problems before they occur
- identify the possible consequences of risk
- make a plan for addressing them.
Good risk management can:
- reduce the uncertainty of the corporation not being successful in achieving its goals
- help directors to understand and agree when an opportunity is worth taking.
When directors understand the risks they face and take steps to control or manage risk, it puts them in a good position to make better decisions for the corporation.
Role of the board
The corporation’s board is ultimately responsible for:
- ensuring the corporation has a risk management framework
- deciding how much risk the corporation should take in working towards its goals. This is called setting the risk appetite. The board might set a different risk appetite for different risks
- deciding how risks should be managed
- monitoring risk and how the corporation is managing it.
This doesn't mean that it's the board's job to address all the risks themselves. It means the board must be satisfied that there are controls, procedures and plans in place to identify and address risks. The board must also monitor to be sure the actions are working and, if not, modify them.
Generally speaking, if a board has taken steps to ensure there are risk controls in place, risks are being addressed and actively monitored, then most likely they will be protected from liability if the worst happens. However, if a board has neglected its responsibility to oversee risk, then the individual directors on the board may become personally liable.
Categories of risk corporations may face
The types of risks that corporations might face will vary depending on their purpose and operational activities. Some common categories include:
Financial risk
Corporations could have risks through dependency on a single or limited number of income sources. Financial risks can also arise through poor financial management such as cash flow or budgeting, and oversight. Directors are not expected to be financial wizards but they are required to know enough to understand the corporation's financial position and performance, and ensure controls are in place to prevent and detect fraud or misuse of corporation resources.
Operational risk
The range of risks in this category depends on your corporation's daily operational activities, services or products. A key one is mismanagement of human and financial resources, such as inefficient use of staff time, or the corporation's equipment, facilities, assets or funds.
Other operational risks include not meeting obligations required in a contract or funding agreement, quality of services, customer interactions and retention, maintaining equipment and assets, risks in business growth and commercial success. Corporations operating in remote or rural areas may also face geographical, logistical or infrastructure barriers. Corporations may lack the resources to keep up with evolving technologies, which could impact efficiency, data security, or the ability to effectively reach and serve their communities.
Reputational risk
Corporations are often in the public eye, and their reputation can be easily harmed by negative press, controversies, or the actions of staff, volunteers, or board members. It goes without saying that fraud, unethical behaviour, or mishandling of corporation resources can damage the reputation of a corporation and have serious consequences across a range of other risk categories.
Indigenous cultural legitimacy risk
To be registered as an Aboriginal and Torres Strait Islander corporation you must maintain minimum standards of ownership and control by Aboriginal and Torres Strait Islander people. Beyond that, the extent to which your traditional culture and lore is part of your purpose, values or operational activities could create different levels of risk.
Compliance and legal risk
Corporations must comply with a range of laws, regulations, rules, standards and codes of conduct. The laws and regulations may come from Commonwealth, state/territory and local laws. They might come from your corporation's rule book or policies, or from industry standards or codes of conduct relevant to your operational activities. Examples include the requirements of the CATSI Act, accounting standards, taxation laws, charity laws, native title laws, workplace safety, and employment laws. Failure to comply can result in legal penalties or loss of tax-exempt status or registrations.
There are also legal risks related to employment practices, including issues with employee contracts, workplace health and safety, or discrimination.
Corporations receiving grants need to follow requirements for reporting and acquitting grants, or they may risk the loss of funding.
Strategic risk
Strategic risks may prevent a corporation from achieving success. They arise when the corporation’s strategy or activities are not aligned with its core purpose or long-term goals. They may also arise through risks in internal performance or from expectations or changes in the external environment.
Internally, changes in leadership can lead to strategic disruption, particularly if the succession plan is unclear or poorly executed.
Externally, changes in the political, economic, or social environment can affect the corporation’s ability to deliver its services or achieve its goals. Disagreements or a lack of consensus within the community regarding the direction of the corporation, its projects, or leadership decisions can lead to conflict, alienation, or loss of community or stakeholder support.
Governance and leadership risk
By far the greatest risk ORIC observes in unsuccessful corporations is the risk of internal conflicts or power struggles within the board or between leaders and community members. Governance structures and contexts can sometimes be complex in Indigenous corporations, which may lead to disagreements.
Limited capacity in terms of skilled leadership, governance, and operational management can lead to inefficiencies, misalignment with members’ expectations, or failure to meet objectives. Indigenous corporations may face challenges in maintaining effective leadership, especially when there is a lack of succession planning.
Human resource risk
Corporations that employ people may face risks related to employment laws, employee turnover and succession planning, retaining skilled and motivated employees, inconsistent or biased hiring practices, missing or incomplete background or reference checks, casual employees or contractors working more than their agreed-upon hours, misuse of travel benefits or corporation assets supplied to perform work duties, and data and information security breaches of employee data.
The lack of a clear succession plan for key staff or volunteers can create instability if someone leaves unexpectedly.
Cybersecurity and data risk
Corporations often collect personal or sensitive information from members, directors, employees, clients and people they deal with. A breach in information security can lead to legal consequences and loss of trust.
As with any organisation, corporations can fall victim to cyber threats such as hacking, ransomware, or phishing, which can compromise their operations and reputation.
In some communities, access to digital technology may be limited, which creates a risk for corporations using digital platforms for communication, fundraising, or service delivery. Similarly, corporations may lack people with skills in using digital technology.
Sharing passwords to accounts for online services or platforms, such as banking, financial accounting or social media, can compromise the security of those accounts, risking misuse or attacks from disgruntled people. Multiple people using one email address can also compromise information security. It makes it difficult to track activity and therefore accountability.
Natural disasters and crisis management
Unexpected events like natural disasters, health crises (e.g., pandemics), or political unrest can disrupt operations or require a reallocation of resources. Having insufficient plans for business continuity or disaster recovery can leave a corporation vulnerable in times of crisis. It's important to distinguish unexpected events from expected ones. If your corporation operates in a location where seasonal weather events are predictable, then you can and should plan for them accordingly. For example, you may need to hold your annual general meeting earlier in the year or host it virtually to ensure access by members isn't at risk.