Building a mature approach to risk governance

You have probably read about the importance of the Board’s role when it comes to providing oversight of risk management in an organisation. But how do you do this practically? What sorts of activities are common to organisations that have a mature approach to risk governance?

Boards play a key role in overseeing the culture, governance and risk management framework. Different organisations have varying degrees of sophistication and rigour as it applies to the practice of risk management.

Depending on the sector that your not for profit operates within, there are differing and frequently changing compliance standards to meet. New Aged Care Quality Standards came into effect last year, and these address governance and risk management systems.

With the ongoing evolution of the disability sector, there have been increasing compliance requirements for risk management – such as through the risk management section within the NDIS Practice Standards which is administered by the NDIS Quality and Safeguards Commission. With the Disability Royal Commission underway and investigations into several tragic and neglected deaths, it’s likely we will see further changes to systems and governance with the NDIS.

Risk intelligent organisations are rarely surprised by the outcomes of inquiries like this, since they have usually already addressed any shortcomings in compliance or regulation within their own risk management processes.

Risk governance maturity is different from risk management maturity, which we wrote about last month in this article.

Deloitte consultants in the UK have written a number of publications on risk intelligent businesses, and we have used their insights in compiling this article.

Deloitte identified six actions that boards can take to enable a risk intelligent approach to governance. Drawing on our experience, we look at how each of these actions can be applied in practice to not for profit and disability focused organisations.

The six distinct actions are:

  1. Define the board’s risk oversight role

In my experience with not for profit Boards, I have seen the Board’s role in risk oversight articulated and defined in documents such as the Board charter, Board committee terms of reference, governance policies and Director position descriptions. If you don’t have documents like this, then you should consider putting them in place, or reviewing and updating them if you haven’t done so for a few years.

  2. Foster a risk intelligent culture

The risk culture needs to flow from your values, and also relates to your code of conduct. Your culture is set by the tone of leadership. Board members and executives should think about how the questions they ask focus on risk – not just from the perspective of avoiding it, but of understanding how to effectively manage the risks inherent in providing your core services.

For example, many disability providers need to provide unsupervised services within the NDIS participant’s home. This introduces risks such as the safety of care workers, and the potential for a worker to be involved in theft or other forms of abuse of a vulnerable client. It’s not possible to avoid this risk and still deliver the service – so providers need to be selective about who they recruit, and put supervision processes and other checks and balances in place.

Being risk intelligent involves taking on the risks that you know best how to manage – and not just avoiding risk.

  3. Understand and approve an appropriate risk appetite

It is becoming increasingly common for Boards and CEOs to adopt a risk appetite statement that sets out the tolerances around different categories of risk: e.g. financial, safety, environment, customer satisfaction and public reputation.

As part of the risk appetite, you should define the risks that you want to take and those you want to avoid.

For example, organisations with low financial reserves will have little room for error on missed financial goals, and while no one wants to lose money, organisations with larger reserves have the ability to fund projects – such as launching a new office or new product/service under the NDIS – that can take some time to grow, achieve a surplus and provide financial returns.

  4. Help management incorporate strategic risk thinking into strategy

One way to consider risks in the strategic planning process is to look at the strategic plan from the perspective of multiple scenarios and different perspectives on the future. You may like to read about this idea further in the article Your post COVID-19 Strategic Plan.

One of the most practical ways I have seen risk addressed in a strategic plan is to include a specific section for risk, which identifies the main risks to achieving the plan and the mitigation strategies to put in place.

To go a step further, risk mature organisations will also address risks and opportunities within the budget build-up. A budget always has inherent assumptions, and sometimes they turn out to be conservative while at other times they are underestimated. For example, a medium-sized disability provider might target a budgeted surplus of $100k, but have identified 4-5 risks (potential negative impact) and 4-5 opportunities (potential positive impact) that might be realised in the year and could result in the actual result being better or worse. This gives a sensitivity analysis of how ambitious or ‘risky’ the budget is.

  5. Assess the “maturity” of the risk governance process

Boards can benefit from completing a self-assessment to compare their practices to best practice standards. Different sectors will often have relevant standards to measure against.

For disability service providers, for example, the relevant standard is the NDIS Practice Standards, so a self-assessment should include reviewing compliance against the NDIS Practice Standards for Risk Management. A practical implication is that these Boards need visibility over complaints and incident reporting, and the follow-up that results.

  6. Make sure the organisation discloses the risk story to stakeholders

The Deloitte framework applies to publicly listed companies, which have requirements relating to disclosure to shareholders and the stock exchange. However, when applied to the NFP and disability sector, it is important to provide disclosures to the ACNC, NDIA, external auditors and your members via an AGM. It would also be appropriate to consider risk as it relates to your customers, and any risk that needs to be communicated to them.

We trust this article has provided some insights to consider in reflecting on your own board’s risk governance processes.

CBB has a number of consultants with experience in risk management and governance. If this article has identified something that you would like assistance with for your organisation, then please contact one of our consultants for an initial obligation free consultation on 1300 763 505.


Andrew Ellis
Business Consultant
Phone: 1300 763 505


Deloitte – Risk Intelligent governance – Lessons from state-of-the-art board practices

Your post COVID-19 Strategic Plan

What were you hoping that 2020 would be about? What did your strategic plan or business plan say that you wanted to achieve this year? What underlying assumptions did you have in the strategic plan that no longer hold true?

I saw a statistic recently that 82% of the time a strategy fails can be attributed to misleading assumptions. Think of Kodak and how they were left behind in the transition from film to digital photography.

Many businesses have thrown out whatever strategic plan they had for 2020 and have been reacting day to day and month to month as the COVID-19 health crisis and related economic crisis have unfolded. Whatever you assumed in your strategic plan for 2020 has quite possibly already proven to be false.

Growing uncertainty

It can be challenging to prepare strategy in a VUCA environment – VUCA stands for volatility, uncertainty, complexity, and ambiguity.

Even before COVID-19, the more innovative organisations were questioning the value of a three to five year strategic plan given the likely changes to the operating environment over that period – hence the shift to a more agile strategy process.

Now we have the COVID-19 health crisis, ensuing economic crisis, reduced travel and other social restrictions, and many geopolitical risks are escalating too.

Even in this ever changing and VUCA environment, organisations need to stay true to their ‘anchors’. In the absence of being able to operate to a structured plan, what are the things that are critically important to you as an organisation (these could be values, client focus, impact, etc.)? These will provide your context for decision making when the external environment turns your strategy to dust.

Future scenarios

Organisations often think about different strategic planning horizons – with the short, medium and longer term – but this is usually focused on a linear progression.

With this mindset, we think in strategic plans about the one desired future that we are working towards. What if instead we were to have multiple views of the future under different scenarios, and to develop a strategic plan on that basis?

In a recent presentation to members of peak body National Disability Services, futurist Professor Sohail Inayatullah spoke about a range of potential unfolding social and economic scenarios.

It is possible in the time ahead that a range of scenarios could play out: the coronavirus could mutate, wages growth could be flat, nations could break apart, international travel could be restricted for years and/or we could fall into a multi-year recession. Despite best efforts and bipartisan support, could a multi-year recession put budget pressure on the NDIS program to be reduced in size and scale?

Less dramatic but still significant, this current economic period could be a time of slowing down in order to speed up – with the potential for the crisis to drive innovation and reforms that will provide for greater economic growth and prosperity.

There may also be ‘sticky changes’ that flow from our present crisis, with changes made to personal and business behaviour becoming more mainstream: increased working from home, a greener economy to reduce pollution, added COVID safety/risk measures, increased domestic travel over international and increased telehealth or remote service provision.

Within the disability sector, there are other uncertainties like the potential impacts of the Disability Royal Commission on regulation and compliance, and continued changes to the NDIS marketplace including to the Price Guide.

For many disability providers, there is some surety in funding with the NDIS business model but COVID-19 has had an impact on the way services are delivered.

It’s more work to build out a strategic plan with different possible future scenarios, but if there is ever a time this is worthwhile, it is in the current situation. The successful organisations now will be the ones that spend more time planning and strategising rather than being blown around by the changes.

Business recovery shape

As you look to the future of your own organisation and its growth trajectory (whether measured by customer numbers, revenue or staff numbers), what shape does it look like? Is it:

  • V-shaped with a sharp decline and sharp recovery?
  • U-shaped with a more gradual decline and recovery?
  • W-shaped with a double dip – perhaps corresponding to a COVID-19 scenario where there is a second wave of the virus outbreak?
  • L-shaped with a sharp decline settling in to a new normal smaller size?
  • Hockey stick shaped with a small decline but expectation that the trajectory will return to growth?

Making the right assessment of the future is important in preparing your organisation to be in the best position for the future. Getting this wrong could prove disastrous – for example, maintaining your existing cost base assuming a U or V-shaped recovery only to find down the track that it is L-shaped.

Organisations should be having regular conversations about unfolding risks, market changes and implications to strategic plans at a management and Board level.

Taking a view on future scenarios and the shape of the recovery are important strategic discussions to focus on.

CBB has a number of consultants with experience in business and strategic planning. We could help you with the whole strategic planning process, or just to workshop one or a few elements like this.

If you’d like any assistance with reviewing or developing elements of your strategic plan, please contact 1300 763 505 for an obligation free consultation with one of our Business Consultants.


Andrew Ellis
Business Consultant
Phone: 1300 763 505


For a good strategy you don’t need much time…

Strategy needs space

In an interview, the productivity consultant David Allen said that strategic thinking does not require large amounts of time (Clark, 2015). More importantly, it’s space that allows the innovative ideas and decisions that will guide the future direction of your not for profit.

Being strategic is one of the most important behaviours for securing an organisation’s long term success, and almost every leader would like to have more time for strategic planning (Clark, 2018). We are all too busy, dealing with the daily fires, and now that many of us are working from home, we feel like we’re working all the time.

Keeping track of our time and setting a regular time aside for strategic thinking and planning can help to embed strategic thinking into our schedule (Clark, 2018). Getting away from our routine and ‘to do lists’ can create some mental space. Encouraging our managers and team leaders to set some time aside for strategy and offering opportunities to share their thoughts and ideas can also foster strategic thinking throughout our organisation.

Strategy needs knowledge

You would not buy a new family car without doing some research, a test drive and asking a friend who knows more about cars to have a look under the bonnet. Yet I regularly meet not for profit leaders who open a new office or start a new service based on their gut feel.

Gut feel and intuition are important instigators, but once you have formed your idea you should also consciously and thoroughly evaluate your strategy. Time pressure can work against assessing a decision; however, it often only takes a few hours of top line research and number crunching to find the data and evidence that supports or dismisses the idea. If you or your leadership team don’t have the time or know-how, you could engage a student to do some basic data analysis, or for something more sophisticated seek assistance from a consultant with experience in the sector. Spending more time and effort on researching your idea can open up new alternatives or modified ideas that lead to better outcomes and more effective use of your limited resources.

Strategy needs multiple views

‘The government representative or the consultant has told us that this is the future and there is great potential for us.’ If this were the case, why isn’t everyone doing this – or is everyone doing this? Good listeners tend to have more ideas, yet listening to just one source risks establishing a strategy on a distorted or narrowly focussed reality. A stakeholder analysis can help us identify who has an interest in, and who will be impacted by, the strategy. Talking and listening to all parties involved can help form a more realistic approach and lead to better outcomes. Engaging people who may influence the success of the project early on can help to overcome barriers and create more allies once you begin to implement the strategy.

Strategy needs empathy

Just because we have worked for many years in the sector and our clients tend to be loyal, it does not necessarily mean that we really understand and know the people we support. Do we know our clients’ aspirations, interests and passions? Do we understand what is currently working well and what is not? Do we understand the hardship, the barriers and the worries of our beneficiaries? What are their physical and emotional needs, how do they think about the world and what matters to them? What would they like to achieve, and how would they like to live their lives? We live in a fast moving world, and while basic needs are likely to stay the same, external pressures heavily impact barriers and support needs. Unless we ask the right questions and are prepared to empathise, we are unlikely to come up with a strategy that creates meaningful and lasting change. Defining and understanding the need will help us to establish a strategy that creates outcomes that are needed and wanted, and drives meaningful improvements in quality of life.

Strategy needs courage

‘We have trialled this and it did not work’ is a sentence I commonly hear in strategy workshops. It is an effective innovation killer and indicates that we are too scared to do things differently. It also reveals that we are often too focussed on the activities, the ‘how’ of our strategy, before we define the ‘what’. What do we want to achieve that creates lasting change?

Once we have defined the outcomes, we require some courage to do things differently to the past. Our beneficiaries and other stakeholders could assist us to co-design the activities or clarify why our attempts in the past failed. Most importantly, we should have the courage to make ourselves redundant. Does our work create dependencies, or do we empower our beneficiaries, facilitate independence and create long term impact?

Strategy needs ideation

Have you ever done a home renovation or built a new house? Usually it takes several plans, discussions and modifications until the final plan can be approved. Strategy likewise needs ideation and time to form. If we rush the approval process, the end result will reveal many unwanted surprises. Gaining better knowledge, reviewing our internal strengths and weaknesses, listening to everyone involved and giving our beneficiaries a strong voice will necessarily lead to variations along the way. Engaging a critical sounding board can broaden our thinking, and adopting an outsider’s view can help us review our assumptions and biases to develop a strategy that is bigger and better.

If you need assistance with your next strategy workshop, market research or if you would like an outsider’s view, please contact 1300 763 505 for an obligation free consultation with one of our Business Consultants.

Dr Ellen Schuler
Business Consultant
Phone: 1300 284 364


The community impacts of COVID 19

We recently ran a grant program for community organisations, offering 20 places on a ‘Working Mind’ program to apply mindfulness and neuroscience practices to organisational leadership in a VUCA environment. We opened the program to organisations who had been particularly impacted by COVID 19.

Unsurprisingly, the program was oversubscribed. The applicant organisations were diverse – coming from every state and territory; metro, regional and remote; and covering all areas of the not for profit sector. It was hard to pick the 20 most deserving and suitable for the program, but the process gave us an insight into the way that COVID 19 is affecting communities, and the organisations that support them.

In recent months I’ve been reflecting on how COVID 19 impacts all of us differently as individuals. For all the talk of people being bored in lockdown with nothing to do, others have never been busier, or more in need of the opportunity to return to the sanctuary of their home and shut out the outside world. At CBB we work with nearly 600 community service organisations nationwide. Since the COVID 19 restrictions kicked in, we’ve been trying to predict how shutdown would affect our clients. Any attempt to segment our clients to analyse the potential impact has been futile – they’re all affected differently. Whilst we can anticipate that most organisations will have shifted their office-based employees to home working, the rest is determined by the interplay between their client group, their service model and their funding. Disability organisations are providing essential services, but if all your services are group work or activity based, the only way to operate under COVID 19 has been to take services online. Organisations dependent on event-based fundraising income will feel an immediate impact, but those that rely on regular donations – well that depends on your donor profile and how their income has been impacted by COVID 19. Grant funded organisations have a secure income (for their grant period), and have been able to continue operating, as long as they can distance, or work online.

Each of our applicants to our Working Mind program was asked to describe how COVID 19 had impacted their business. Their stories were varied. As expected, most had moved employees to home working and event based fundraising was taking a hit. Some had shifted face to face or group based activities to online platforms, but in some cases client access and capability with technology meant that online platforms simply wouldn’t cut it – end of program. Others had to move premises, so that they could still operate with social distancing in place. Employees and volunteers were also impacted. Volunteers – particularly those in high risk cohorts – were staying away, and employees were struggling with the isolation of home working. This was a particular issue for those with counselling and case management roles, where working from home removed them from the peer support networks to spontaneously debrief a difficult or distressing client interaction. Those offering cultural or heritage venues were facing extended closure periods with no visitors, a key source of income. Major organisational milestones were going uncelebrated – a missed opportunity to raise funds and engage with communities.

Inevitably, given the nature of the program, organisation leaders described the personal toll of these complex challenges. The combined pressures of business continuity, maintaining employee wellbeing and delivering community services, alongside fulfilling their family and domestic responsibilities, are putting their own wellbeing at risk. Looking after self and ensuring recovery time is a key aspect of the Working Mind program.

In terms of community impacts, it was not surprising that some organisations were seeing increased demand – particularly those working with food poverty and family violence – at a time when securing employee and volunteer engagement was unusually challenging. Several reported the impact of lockdown in ‘trapping’ people. Whilst this has been discussed in the context of family violence, it is also an issue for carers – hit by a double whammy where they have been unable to access community support or respite services, and the provision of paid supports into the home has declined. Those living in remote communities have not been able to leave to access work or services, and the supports that normally come into communities have stopped. And people with pre-existing mental and physical health conditions, or those with previous experience of trauma or stigma, have found anxiety levels increased as they are triggered by the pandemic.

Collectively, these accounts of COVID 19 paint a picture of the impact of the virus itself, and the measures to restrict its spread, on the most disadvantaged and marginalised people in our communities, and the organisations that serve them. We’ve seen some great examples of organisations being innovative with their business model – taking training programs and arts groups online; shifting from group based to one to one activities. Collectively we’ve shown that we can adapt and change quickly when there is a big enough driver to do so. We can see potential for some of the positive changes to sustain beyond the virus and the lockdown restrictions – more flexible working, reduced travel time and costs, increasing reach through more digital working. We’ve honed our skills in risk and crisis management, and we’re looking at business continuity plans from a different perspective. But we can also see the costs (financial and non financial), particularly in fatigue, mental energy and wellbeing – in communities, in organisations and in individuals. These aren’t going to go away quickly when the pubs reopen. We’re all going to need some recovery time.

If you’d like any assistance with your organisation’s recovery from the impacts of COVID 19, please contact 1300 763 505 for an obligation free consultation with one of our Business Consultants.

Jane Arnott
General Manager, Consulting and Business Services
Phone: 1300 763 505

Risk maturity

Does this sound like you or your organisation?

We’ve got a risk register and mitigation plans. We report to the Board on risk every meeting. We’ve got dozens of procedures that help us with compliance and work health safety. We’re accredited to the NDIS Quality and Safeguarding standards and maybe even another different accreditation body as well. We tick the boxes on what we need to do with clinical compliance. We even have a risk policy that was based on the international standard. Surely, we are doing everything we need to on risk management, right?

Maybe. If this example sounds like you, then you are certainly doing a lot of things right on risk management, and that is really important for minimising the risk of incidents and ensuring you achieve the objectives in the strategic plan that you are aspiring towards.

Maybe you don’t have many or all of the above elements in place, and that’s ok too. Every organisation starts somewhere, and risk management measures need to be scaled from small, low risk organisations up to larger, complex and higher risk organisations.

Deloitte produced The Risk Intelligent Enterprise Maturity Model about a decade ago and I think it provides a great perspective to look at your risk management activities, no matter the size or focus of your organisation.

Level 1 Tribal and Heroic is about ad hoc risk management, which might be done well by one person or group within the organisation but is not systematic across it.

Level 2 Specialist Silos is where there are some risk mitigations in place and steps have been taken to reduce risk. You might have insurance in place and a few simple policies, but risk is only thought about by a few people.

Level 3 Top-down is where the tone of risk management is set at the top and policies/procedures are in place, but risk management is still somewhat reactive. Many disability and aged care organisations are at this point now – the quality and safeguarding standards that we operate under have ensured that most organisations get to this point. However, accreditations are about setting minimum standards, and best practice requires doing more than the minimum.

Level 4 Systematic is where risk management is getting more sophisticated. By this point, risk is a factor in every business decision being made, staff take ownership bottom up in the organisation, and a cultural transformation has taken place where all staff view their decisions and actions through a lens of risk management.

Level 5 Risk Intelligent is the highest aspiration, and it is difficult to get an entire organisation to this level. I’ve seen some teams operate at this level, and when you do, you can make amazing decisions which boost profitability and remove the downside risks when things go wrong, as they sometimes do.

There is a big difference between being Risk Intelligent and Risk Averse. Being Risk Intelligent is about knowing what risks your organisation is better than anyone else at taking on, rather than avoiding risk altogether.

The international standard on risk management defines risk in terms of the effect of uncertainty on achieving objectives. Risk management is linked inextricably to your strategy and what you are aspiring to achieve. If your strategy and business model involve working in difficult situations or with challenging people, and you have the right people and systems in place, then you can operate a business model like that in a Risk Intelligent way.

I’ve been in workshops where this model has been shown and it is fascinating to see people look at it and calibrate the risk practices against all the different parts of their organisation.

We all want to be level five. It’s only human when you put up a model like this to think that you are doing well. However, more often than not, I have heard people reflect that there are functions or parts of the organisation which operate at different levels.

Maybe some of the clinical elements of the work are at about level three or four, but other back office administration functions are more like level two. If your goal is to put in place the minimum standards of quality and safeguarding for your industry sector, then you are likely only operating at level three at best. Achieving a higher level requires leadership modelling and an organisational commitment to resource it appropriately.

What are some practical steps you can take to improve your level of risk intelligence?

Stop and think – do we need to change? What needs to change? Who do I need to talk to about making changes? Have I got the right people or tools/technology to get there? Do I need to update or write a new risk policy? What do you need to do to improve the risk culture? Do you need some external help to map out a path to becoming more risk intelligent, or a specialist consultant to help with one element of it?

CBB consultants have experience in helping organisations plan their risk management activities. If you’d like any assistance with risk management, please contact 1300 763 505 for an obligation free consultation with one of our Business Consultants.


Andrew Ellis
Business Consultant
Phone: 1300 763 505


Reference: Deloitte – The Risk Intelligent Enterprise: ERM Done Right


Everyone has probably heard of a SWOT analysis, and most people have done one before. A SWOT can be a great way to quickly summarise many of the key issues that need to be considered in the strategy process.

In a SWOT, the strengths and weaknesses are looked at in terms of the organisation’s internal perspective. For example, what strengths and weaknesses are there with the organisation’s people, systems, technology, products/services, marketing and so on.

In my experience, many people and organisations think more highly of their strengths than they should. You might have a piece of software or a key person that you see as a strength, but wouldn’t the competitor down the road say the same thing about their organisation? Strengths need to be thought of in relation to competitors.

The opportunities and threats reflect external considerations. It might relate to growth opportunities in the market, new technology being developed, competitor actions or government policy changes, for example.

While simple to complete, a SWOT analysis can suffer from being too negatively focused on the Weaknesses and Threats. It can become about fixing what is wrong, rather than pursuing the opportunities and potential growth available.

CBB consultants recommend that organisations consider using a SOAR model instead of a SWOT analysis. We used this model when working with disability service providers to plan their transition to the NDIS. We have found that it encourages people to look past the immediate challenges to what can be in the longer term.

SOAR stands for Strengths, Opportunities, Aspirations and Results. The model removes the heavy focus on Weaknesses and Threats (which make up two of the four SWOT elements, or half of that model), and focuses more on Opportunities aligned to the Aspirations.

The Aspirations part of the model also helps to provide a greater alignment to the organisation’s vision and purpose. The Aspiration and Results help people contributing to the SOAR to be more positive and future oriented.

We used the SOAR model with a disability services client recently to look at growth options for one of their business areas. In discussions about the model, we agreed to add a new element, Constraints, to the model for the workshop. The client wanted to document and consider both the internal and external Constraints that could stop them getting to the Aspirations and Results.

With this addition, we adapted the model to SOCAR. One participant, who thinks that acronyms used as management tools need to sound like a real word, suggested calling the new element Barriers instead, so that the model would be SOBAR!

Here’s an example of SOAR used with a local occupational therapist provider working with children or young people with disability.

We trust that this article has got you thinking more about the benefits of using the SOAR model instead of doing a SWOT because “that’s what we have always done”.

To make the learnings from this article more real, why not delay whatever you were planning on doing next for just 15 minutes and have a think about where your business is now. If you are like me, then pick up a pen and paper and put the four headings across an A4 page, or, if you prefer, just open a Word document and create a 2×2 table.

We’ve heard from many organisations at the moment that they are needing to review their current strategy as a result of the continually changing environment we find ourselves in with COVID-19. There’s never been a better time to stop for a few minutes and think about your strategy. I guarantee that the time spent writing this down now will provide some greater clarity for you in the priorities for coming weeks and months.

CBB has a number of consultants with experience in using different business modelling tools as part of the strategy development process. We could help you with the whole strategic planning process, or just to workshop one or a few elements like this.

If you’d like any assistance with reviewing or developing elements of your strategic plan, please contact 1300 763 505 for an obligation free consultation with one of our Business Consultants.


Andrew Ellis
Business Consultant
Phone: 1300 763 505


Keeping a regular eye on risk

Has there ever been a more important time to be monitoring new and emerging risks to your organisation? Perhaps “unprecedented” is becoming one of 2020’s most overused words, but we are living in unprecedented times.

The emergence of the global coronavirus pandemic this year has forced every organisation to review its business continuity plan and take a number of other steps to ensure the safety of employees and clients, modify operations, change marketing priorities and shore up the financial position.

On the subject of coronavirus, CBB has shared a link to some resources available through the South Australian Department of Human Services via our LinkedIn page, which readers may find of interest. Other information is available from the NDIS Quality and Safeguards Commission.

However, even in the midst of this significant risk scenario unfolding, there are other emerging risks that also need regular attention.

We have seen the impact of the summer bushfires, which have been a challenge in some regions; combined with current job losses and share market volatility, this will put pressure on donations to some not for profits. Regulatory changes are emerging with the Disability and Aged Care Royal Commissions, and the NDIS continues to evolve and make changes almost daily. Cyber attacks have continued, and not for profits are not immune from events like this. Social behaviours have changed as a result of the shutdowns within society now, and it remains to be seen how society will permanently change after the current crisis.

Last month we looked at the specific risk in relation to whistleblowing after issues at World Vision. We have also written recently on steps to protect your organisation from cyber risk.

It is important that Boards and management committees regularly review and monitor for new and emerging risks, and that risks other than the coronavirus still remain part of regular board discussions.

The frequency of reviewing risks and the risk register will vary depending on the complexity of the organisation, pace of internal and external change, and risk exposure. Whilst lower risk organisations in a stable environment might review risks quarterly, many organisations should look at it more frequently.

However, best practice organisations make risk monitoring part of business as usual, regularly monitoring the internal and external elements of the organisation for changes and then alerting decision makers to those changes in a timely way, so that appropriate actions can be taken.

We believe that best practice risk management monitoring includes the following:

  1. Ensuring a well-constructed risk register is in place and reviewed regularly for changes.
  2. Undertaking broad engagement across the organisation to identify new and emerging risks, ensuring that different perspectives are taken into account and the full range of risks have mitigation plans.
  3. Ensuring risk appetite is discussed, understood and calibrated across the board and management, with changes made as the context changes.
  4. Making a report on new/emerging risks a regular part of the board reporting template, which helps the Board and management team consider the risks in a timely manner.
  5. Including responsibilities to monitor and report on risk within the position descriptions of key management team members.
  6. Monitoring relevant internal KPIs (staff turnover, safety incidents etc) to look for emerging internal trends and risks.
  7. Being involved in industry forums and attending conferences to hear from thought leaders on how the market is changing and what new risks are emerging.

In coming months and future editions of Foreword, we will provide more suggestions on how to develop your risk management to a greater level of maturity and integrate it into everyday decisions and business practices to provide a robust framework for managing risk.

If you have a topic that you would like us to consider when writing more about risk, then please get in touch with us and we will endeavour to include it in a future edition.

CBB consultants have had experience in helping organisations plan their risk management activities. If you’d like assistance with risk management, please contact 1300 763 505 for an obligation free consultation.




Understanding your market dynamics

Question: Why did the thief rob the bank?
Answer: Because that’s where the money is.

In this situation, the thief understood enough about his market to know where to find the money!

It’s important for an organisation to have a solid understanding of where the money is in their own market segment before they can maximise their organisation’s potential.

Data on the market can be used to answer a number of questions that lead to better decision making. What is the size of your market? Is it growing or contracting? Why? How is the market evolving or changing? What disruptive forces are impacting the market? How are competitors’ actions changing the market? What are the bounds and scope of the market that you are operating in? Should we look to another market segment in order to continue growing the business? How much should we spend on acquiring the knowledge necessary to answer these questions?

Unfortunately, this is one area of business where it can be easier to ask a question than to answer it! Getting reliable and detailed information on your market is challenging in many sectors, but there is now considerable information available to providers working within the NDIS.

In some sectors, it might only be possible to find aggregate data on the whole of an industry rather than something specific to the sector of interest. In those cases, high level observations might be drawn about the market, but there would be varying degrees of accuracy.

Where can I get data on the market? Industry associations often publish reports with this kind of information. For disability providers, the NDIS quarterly reports provide a wealth of information – but this needs to be analysed closely to understand the relevant trends down to your market segment.

A robust market assessment is perhaps the most important part of the strategic planning process. Without it, the strategy can suffer from being just a plan about the direction you think the organisation should be heading in, without the logical and rational reasoning as to why that should be the right direction.

The market assessment involves a number of steps and exercises that create a critical analysis of the organisation which aids in understanding the market dynamics better and leads to better strategic decisions and direction.

We believe that a best practice market assessment includes the relevant aspects of the following:

  • Understanding the market context at a macro level through using a tool like PESTEL.
  • Considering your organisation’s place within the market context using a model like SWOT or SOAR.
  • Internal Analysis – identifying critical internal issues that need to be addressed within the strategic plan.
  • Market Size – projecting forward changes in the size and dynamics of the market segments you are operating in, and understanding how to adapt the business and services to fit that.
  • Customer Analysis – understanding the changing needs of customers, and what makes them choose your services.
  • Competitor Analysis – looking at the major competitors in the market and developing strategies for how you compete against them.

This approach can be scaled to small and large organisations with varying levels of detail.

A structure like this helps the Board and management team to focus on the myriad issues impacting on the organisation’s strategy and to ensure the strategic plan fits that context.

Last month we looked at how the market is continually changing, and how to ensure that market conditions are monitored and form part of regular management/board discussion.

In coming months and future editions of Foreword, we will provide more detail on these elements that make up the market assessment.

CBB has worked with a number of organisations to help them better understand the market they operate in. We can help your strategic planning process by preparing a market scan or review.

For providers working in the NDIS currently or planning to in future, we suggest you sign up to the NDIS Success Program. This program aims to increase the supply of NDIS services in communities, with a particular focus on regional, remote and rural communities and Aboriginal and Torres Strait Islander communities. Delivered via webinars and online resources, we’ll give you all the tools and information you need for NDIS Success.

If you’d like any assistance with reviewing your market environment, please call 1300 763 505 for an obligation free consultation with one of our Business Consultants.




Understanding market changes

Coronavirus, stock exchange losses, countries going into lockdown, businesses being shut down, stock shortages in the shopping centres.

We live in unprecedented times, with the business models of decades-old organisations quite literally changing overnight.

The radical changes we have seen over the past few weeks have demonstrated the speed at which market dynamics can change, and the need for businesses to respond quickly.

Boards and management teams need to respond with urgency, scenario plan and make decisions with imperfect information as the situation unfolds.

The markets that we operate in and the customers we serve are always changing. Whilst the speed of change is not necessarily what we have seen recently, now is a time not just to focus on the immediate crisis at hand, but to think about how to structure management and board meetings so that market changes form part of the regular and ongoing conversation.

From our experience, we observe that management reports typically fall into one of three different categories:

  1. Activities completed or in progress in the week or month.
  2. Business KPIs (e.g. finance, HR, work health and safety), which are typically backward-looking and reviewed to ensure the business metrics are on track, so that trends can be identified and corrective actions put into place.
  3. Progress against the strategy, which is often a table that lists the goals/objectives, comments on the status against them and an indicator (e.g. traffic light).

As part of aspiring to best practice, any discussion of the strategic plan (and, in this case, of progress against the strategy) should include an item to identify and, as required, discuss any changes in market conditions.

The review of market changes can often be addressed simply with a few bullet points that identify, by exception, any material changes in the market environment since the last report. It is important to identify both what is going on in the external environment and the potential impact on the business.

Sometimes, where a significant change is occurring or has occurred, it might be appropriate to include a white paper or an article talking about the change, or set up a special meeting to consider those changes. A major technology change; action such as a significant merger or acquisition by a supplier, customer or competitor; or change in government/stakeholder funding might lead you to establish a separate meeting of the Board or a sub-committee like risk/finance.

Within the disability sector, we have seen changes every few weeks or months that impact on organisations. Changes to the NDIS price guide, the Royal Commission and new quality and safeguarding requirements are just a few recent examples.

Making a report on market conditions a regular part of the board reporting template can help to keep the Board and management team coming back to the important strategic matters, and not to just be stuck in the operational issues.

Next month we will share more about some tools that can be used to analyse and better understand your market.

If you’d like any assistance with reviewing your market environment, please contact Andrew for an initial obligation free consultation.




Five steps to protect your organisation from cyber risk

Former FBI Director Robert S. Mueller, III, famously said:

“There are only two types of companies: Those that have been hacked and those that will be hacked.”

And others have since moved to suggest that the quote should now be: “There are only two types of companies: those that have been hacked and those that don’t know they have been hacked.”

It is unfortunate that not for profit organisations are sometimes the target of a cyber attack. Given that not for profits often hold a lot of personal data, they can be seen as a soft target. Attackers also don’t need a lot of data about a person in order to perform identity theft, so the consequences can be significant if personal data is stolen.

Being the subject of a cyber attack can have wide ranging impacts on the organisation, including damage to reputation, financial losses and an inability to service clients during any downtime caused by the incident.

On 28 February 2020, the Office of the Australian Information Commissioner (OAIC) released the latest Notifiable Data Breaches Report on the period July to December 2019. A few key statistics and observations can be made from the report:

  • Nationally, there are approximately 80-90 data breaches per month which are “eligible”* and are reported to the OAIC.
  • Malicious or criminal attacks (including cyber incidents) are the leading cause of data breaches, amounting to 64% of all notifications in the past six months.
  • About a third of breaches are the result of human error.
  • The health sector has the highest number of breaches.
  • Most data breaches affect fewer than 100 individuals, showing the vulnerability of smaller organisations, including not for profits.
  • The most common data involved is personal contact information.

*Under the Notifiable Data Breach legislation, it is an “eligible data breach” where:

  • there is unauthorised access to or unauthorised disclosure of personal information (or the information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur)
  • a reasonable person would conclude it is likely to result in serious harm to any of the individuals whose personal information was involved in the data breach, and
  • the entity has not been able to prevent the likelihood of serious harm through remedial action.

If an entity suspects that an eligible data breach has occurred, it must assess the relevant circumstances and notify affected individuals and the OAIC as soon as practicable.

Ensuring that your systems are secure is fundamental to data security, but human error also presents significant risk. Human error can involve a staff member inadvertently opening a phishing email or clicking a link to a suspicious website. Another source of data breach is, for example, a staff member accidentally selecting the wrong email address and sending an email containing personal details to the wrong person.

Cyber risks are often among the risks identified in a risk assessment, but many organisations struggle to know what to do next to mitigate those risks.

Five steps to mitigate cyber risk

Not for profit providers can take these steps to prepare now and mitigate the risk:

  1. Ensure that cyber risk scenarios are identified in the organisation’s risk assessment.
  2. Look at your people and the role of training in mitigating the risk – it’s important that employees understand how to detect and report threats and how to protect their devices and the organisation’s data.
  3. Put preventative technologies and processes in place – encryption, secure backups, multi-factor authentication and modern hardware/software will all help to minimise the risk of data loss.
  4. Review relevant policies and preparation – plan ahead by ensuring you have an up to date privacy policy, data breach policy and data breach response plan, and undertake simulation exercises to test management’s response.
  5. Work with a specialised external consultant to undertake an independent security review and penetration testing.

CBB consultants have had experience in helping organisations plan their risk management activities. If you’d like assistance with risk management, please contact:


Andrew Ellis
Business Consultant
Phone: 1300 763 505



  1. October 2019 AICD Magazine – What boards can do in the event of a cyber breach
  2. OAIC Notifiable Data Breaches Report: July–December 2019
  3. OAIC Notifiable Data Breaches Scheme 12-month Insights Report