Identifying risks in your organisation

    THE TAKEAWAY: The classic test for identifying risks is to imagine a child coming into your premises or joining a group activity - what would you warn them about or keep them away from?

This is the third step in a seven-stage process of successfully tackling risk management in your organisation (go to the Insurance and Risk Management Help Centre for information about the other steps).

Identifying risks requires a broad approach - in fact, the broader, the better.

This is an ideal opportunity to get everyone in your organisation involved in the risk management process and, believe it or not, it is actually possible to have a bit of fun by starting with a giant brainstorming session to identify any and all risks that could confront your organisation.


Get everybody together in one room and have someone up the front with a pen and a whiteboard or sheets of butcher's paper. The scribe's job is simply to write down any risks that anyone can think of, from slipping on the polished floorboards to being hit by a stray meteorite.

Depending on the size of your organisation, you may want to break up into smaller groups to brainstorm ideas, then present them to the group - you can assign different groups to different areas of potential risk, for example. The scattergun approach is useful as a starting point, but you will need to start breaking down the potential risks into sub-headings to make sure all areas are covered.

It's important to document all the potential risks that you identify. The statute of limitations in public liability cases is quite broad, especially regarding incidents involving children. If someone claimed they were injured at your clubrooms six years ago, would you have any way of knowing if they were right, or if you had done anything to address a potential hazard? Documenting everything is vital.

What are you looking for? A risk is anything that can cause harm, ranging from an overfilled urn to the smell of cake stall leftovers left in the cupboard for three months. The classic test for identifying risks is to imagine a child coming into your premises or joining a group activity - what would you warn them about or keep them away from?

Your organisation should also keep in mind areas of risk beyond public safety issues, such as financial and reputational risks.

Some useful questions to ask when identifying risk include:

  • What can happen? When, where, why and how might this occur?
  • Who and what might be involved?
  • Who or what will be affected if this happens?

It is important to define risks in terms that are useful in figuring out how to treat that risk. A risk usually comprises three parts:

  1. A source
  2. Something/someone that is at risk
  3. An effect

For example, just listing "fire" as a risk doesn't provide enough information to properly evaluate or treat that risk. But if the risk is defined as "there is a risk the heater will catch fire and cause damage to the clubhouse" we have somewhere to start.

Every organisation is going to come up with a long list of potential hazards. So where do you start (and where do you stop)? There are a number of ways of tackling the task of identifying all the risks in your organisation, but each involves breaking them down so you're not trying to tackle the whole problem at once.

Depending on your circumstances, you might want to start by going through your premises room by room, or list your activities one by one, identifying areas of potential risk as you go.

For the fictional junior football team the Joeys, this might involve walking through the clubhouse and looking for anything that might cause a problem - take a close look at everything and imagine the worst-case scenario. Think "what if?"

If children use the premises, look around from their eye-level - remember that hanging cords or cables can be an attraction to a child.

Suppose the Joeys choose to tackle the task of identifying risks by simply walking through the different rooms in their clubhouse. Some of the questions for them to think about might be:


  • Are benches or hooks at a safe height, securely attached to the wall and free of sharp edges?
  • Are any medicines or potentially hazardous items kept in the rooms securely locked away?
  • Are doors and windows fitted with locks to prevent break-ins?
  • Are there measures in place to monitor who comes into the rooms on game days?


  • Are showerheads in good condition and at a safe height?
  • Is the hot-water system regularly serviced and well maintained?
  • What is the floor like? Can it get wet and create the danger of slips or falls?


  • Are there any electrical items that could create a fire hazard?
  • Do we have cooking areas, hot food or boiling water that could cause burns?
  • Is access to the kitchen or any particular items, such as an urn, restricted or supervised?
  • Do we have food handling measures in place?

These are just a few of the questions that may arise - many others will present themselves as you walk through your premises taking a close look at everything and just thinking about what could happen.

Remember to also think above and below your premises - the roof, basement, storage areas, etc. And, of course, the Joeys also have their oval to consider and other areas such as a car park.

Going from room to room is one way of identifying risks, but it might not be suitable for every organisation. In any case, it is definitely a good idea to try to break down hazards into particular topics - e.g. environmental risks; personnel risks; equipment risks; activity risks; financial risks; reputational risks, etc. What headings you choose will depend on your organisation.

For more suggestions, see the help sheet titled 'The main areas of risk for not-for-profit organisations'.

It's your responsibility to make your organisation into a safe environment for anybody (staff, volunteers, members, players, supporters, clients, patients, contractors, visitors) who is likely to come into contact with it (and that doesn't just mean people who have permission to enter). A key point is to make sure you inspect your facilities, equipment and premises regularly.

Beyond brainstorming

There are a number of other ways to help complete a list of potential risks, including:

  • Incident review - have events occurred previously that are recorded or remembered? Going through past events will help you to generate a very real picture of the risks that remain in your site/s, activities or functions.
  • Interviews - talk to locals, council risk managers, other professionals, staff, emergency services personnel - people who know the area or function particularly well. Talk to people who run groups similar to yours to find out what risks they have encountered.
  • Documentation - what maps, procedures, photographs, video, records, articles, signs, notes or reports are already in existence?
  • Guidelines - check out guidelines that relate to the work you do - e.g. the Joeys group might refer to sports ground line marking and boundary standards, electrical safety standards, and signage guidance manuals.
  • Site visits - don't go from memory; have a good walk around, making notes as you go.
  • Scenario analysis - set up a scenario, a series of "what ifs", and see what may be lacking. This could even include a live run-through to see how your organisation reacts.
  • Get outside help - if your organisation is large or particularly complicated it may well be that you need to hire a risk management consultant to assist you in your process.

Remember to keep your focus broad. In a 2001 court case in South Australia, a woman in her sixties was shopping in a supermarket when she slipped on a grape, or grapes, and fell to her knees, injuring her right knee permanently. The supermarket argued that it had in place a system of inspection and cleaning, and that mats were on the floor to prevent people slipping. But the court found in favour of the woman because the cleaning was found to be poorly supervised and was not carried out as it had been claimed, and awarded her damages of almost $30,000. Claims of well above this figure have been recorded.

Although the case outlined above occurred at a supermarket, this type of event can and does happen at the premises of not-for-profit groups. You might not have grapes on the floor, but the same scenario could be written with slippery tiles, a badly-placed doormat, equipment left lying around for people to trip over or an uneven pathway. This is also a lesson to carry out procedures you come up with for fixing hazards you identify!

Another case illustrates the fact that risks might vary at different times of the day or year - the footpath might not be slippery now, but what about on a wet winter night? In Canberra a woman aged in her 50s was awarded more than $86,000 after slipping outside the entrance to a supermarket (again, it could just as easily be your organisation's premises) and sustaining injuries that eventually required a hip replacement. The judge found non-slip mats were in place but were worn and no longer serving their purpose, and the situation was worsened by wet leaves and slippery cotton blown on the wind from a nearby cottonwood tree, a phenomenon well known in Canberra at that time of year.


It's important to document all the risks that you identify. A good way of doing this is to compile a risk register, an example of which is provided below. The aim of the register is to proactively, but without a major imposition on time and effort, begin to raise the profile of what risks exist within your group.

Leave spaces blank and ask members, staff and volunteers to add items that they feel could be a problem (e.g. the fraying electrical cord to the jug or urn, the slippery tiles at the entrance, the jagged wire on the fence). This is the first step along a detailed process. The other columns on the risk register will allow you to document and monitor the process of analysing, evaluating and acting on these risks.

Circulate and/or display your risk register to staff, members and volunteers. In the case of central bodies, the register could be sent to your member clubs to help them work out their own list of risks.

The list of potential risks will be longer for some organisations than others. For instance, the risks associated with an outdoor rock-climbing group (falls, unsafe equipment, under-qualified supervisors, etc.) would outweigh those for a chess club (unsafe chairs, etc.).

You can read more about particular areas of risk in this help sheet.

Identifying risk is the third step in a seven-stage process of successfully tackling risk management in your organisation. The fourth step is analysing risk.