Creating a Risk Register for Your New Zealand Sports Club

Sarah runs a hockey club in Hamilton. One hundred and twenty senior members, fifty juniors, one pavilion shared with a cricket club. Last autumn, the Waipa District Council sent her an email about the ground allocation review for next season. Buried in paragraph two was a new requirement: "All user groups must provide a current risk assessment covering activities conducted on the reserve."

She'd never been asked for one before. The club had been using those fields for twenty-three years.

She Googled "risk register template" and found an ISO 31000 document designed for multinational corporations. There was a section on "risk appetite calibration" and another on "assurance mapping." She closed the browser.

That's not what she needs. What Sarah needs is something she can put together with her committee over a couple of hours on a Tuesday night, write up on two pages, and send to the council by the deadline. That's what this guide is for.

If you're looking for the UK version, we've written a separate guide - risk register guide for UK sports clubs - covering the specific risks and regulatory context relevant to clubs there. The framework is similar, but the details differ quite a bit.

What a risk register actually is

Strip away the management consultancy language and a risk register is just a list. Things that could go wrong at your club. How likely each one is. How bad it would be. What you're doing about it. Who's responsible for making sure the mitigation actually happens.

Five columns and some honest conversation. That's the whole thing.

But why should your club bother? Several reasons - and they're practical, not theoretical.

The Health and Safety at Work Act 2015. This applies to your club. If your club has workers - and that includes volunteers under the Act's framework - you are a Person Conducting a Business or Undertaking (PCBU) with duties to identify and manage risks. A risk register is how you demonstrate you're doing that. WorkSafe New Zealand can and does investigate incidents at community sports events.

Council and venue allocations. Territorial authorities across New Zealand are increasingly including risk management as a condition of ground allocations and facility bookings. Sarah's experience is becoming the norm, not the exception. District and city councils are tightening governance expectations for community use of reserves and parks.

Funding applications. Pub Charity, Lion Foundation, NZCT, Lotteries Grants Board - most gaming trust and public funding applications now ask about your risk management arrangements. Having a register puts you ahead of the clubs that leave that section blank.

Insurance. Most sports club insurers ask whether your club has a risk management process. And if you ever make a claim, showing you'd already identified and were managing that particular risk puts you in a materially stronger position than scrambling to explain why nobody saw it coming.

Personal liability. Committee members and officers carry duties under the Incorporated Societies Act 2022 - including a duty of care. If something goes wrong and nobody ever considered the possibility, that's a governance failure. A risk register is evidence of due diligence.

Geoff Wilson writes about this well - the idea that governance isn't about producing documents for their own sake, but about protecting the volunteers who give their time. We reviewed Geoff's book here, and it's worth reading alongside this guide.

The five risk categories

Most clubs, when they think about risk at all, think about injuries and money. Those matter. But they're not the whole picture. Here are the five categories that cover what actually goes wrong at New Zealand sports clubs.

Financial

Money coming in, money going out, and the gap that opens when assumptions don't hold.

• Membership fee shortfall. You budgeted for 150 financial members and 120 renewed. That's a hole of several thousand dollars, depending on your fee structure.
• Gaming trust decline. Many NZ sports clubs depend heavily on one or two gaming trust grants. If a trust changes its priorities or your region's gaming machines generate less revenue, your funding can drop sharply with little warning.
• Acquittal failure. You received a $15,000 grant from Pub Charity and didn't acquit it properly. Now you can't apply for the next round - and you might have to return the money.
• Loss of a major sponsor. If one sponsor accounts for 30% or more of your income and doesn't renew, that's a crisis. Concentration risk is the formal term. "We're in trouble" is the committee term.

Safety

The category with the most serious consequences. Also the one where good process makes the biggest difference between a near-miss and a catastrophe.

• Player injury - particularly concussion. Concussion protocols are now standard across most NZ sports. NZ Rugby's Blue Card system, Football NZ's concussion guidance - if your club doesn't have a documented return-to-play process, you're exposed.
• Spectator or volunteer injury at the ground. A broken step near the pavilion. Uneven paving in the car park. A goalpost not properly anchored. These aren't hypotheticals - they're the stuff of insurance claim data.
• Severe weather. New Zealand weather can shift rapidly. Lightning protocols, flooding on low-lying grounds, extreme heat - if you're still sending teams out in conditions that are obviously dangerous, that's a safety risk and a liability risk.
• Allergic reaction at a club event. Home baking at the junior prize-giving with undisclosed allergens. Preventable with a basic labelling process. Potentially devastating without one.

Legal and compliance

The quietly dangerous category. Consequences arrive months later, by letter, from a government department or regulatory body.

• Lapsed police vetting. Your junior coach's police vet hasn't been renewed in four years and nobody noticed. That's a safeguarding compliance failure - and if something happens, your national sporting organisation and your insurer will both ask when the check was last done.
• Privacy Act breach. A spreadsheet with 200 members' names, dates of birth, medical conditions, and bank account numbers sitting in someone's personal Google Drive with no access controls. Under the Privacy Act 2020, that's a notifiable breach waiting to happen. The Privacy Commissioner can investigate, and the reputational damage from a data breach reported in the local paper is real.
• Incorporated Societies Act non-compliance. You haven't re-registered under the new Act. Your constitution doesn't meet the new requirements. You've missed the April 2026 deadline. Your club could be removed from the register - which means it loses its legal status.
• Missed AGM or constitutional breach. You changed the subscription structure without the resolution your constitution requires. Seems minor until someone disputes a committee decision and the first thing anyone checks is whether you followed your own rules.

Reputational

Harder to quantify, harder to recover from than you'd expect. A financial shortfall can be replenished over a season or two. Trust, once damaged in a small community, can take years to rebuild.

• Social media incident. A parent films a confrontation with a referee and posts it to the local community Facebook group. By Monday, the regional paper's called. This happens somewhere in NZ sport every single weekend.
• Safeguarding allegation. A parent raises a concern about a coach's behaviour. Whether it has merit or not, how you respond in the first 48 hours determines whether it becomes a managed incident or a story with legs.
• Public committee dispute. Two committee members fall out and take it public. Members take sides. Sponsors ask uncomfortable questions. It sounds trivial. It's one of the most common reasons clubs lose members.

Operational

The unglamorous risks. The ones that don't make the local news but can bring a season grinding to a halt.

• Key volunteer departure. Your registrar has been running membership for ten years and moves to Australia in March. Nobody else knows the systems, the passwords, or the national sporting organisation portal. This is the most underestimated risk in community sport.
• Loss of playing fields. The council decides to reallocate grounds, or a series of wet weekends makes the fields unplayable for two months. Ground access is never guaranteed.
• Pavilion structural issues. Many NZ sports clubs play out of pavilions and clubrooms built in the 1970s and 1980s. Earthquake strengthening requirements, deferred maintenance on ageing roofs and plumbing - a condemned building closes a club faster than anything else.
• Equipment failure. Floodlight poles corroded at the base. Defibrillator battery flat. Replacement equipment with an eight-week lead time. These are the risks that become crises because nobody put them on a list.

How to score risks

Not all risks are equal. You need a way to sort them, and the simplest method is a likelihood-times-impact matrix.

Likelihood scale:

| Score | Label | What it means | |-------|-------|---------------| | 1 | Rare | Could happen, but probably won't in the next 5 years | | 2 | Unlikely | Might happen once in 3–5 years | | 3 | Possible | Could happen once a season | | 4 | Likely | Will probably happen this season | | 5 | Almost certain | Happens regularly - expect it |

Impact scale:

| Score | Label | What it means | |-------|-------|---------------| | 1 | Negligible | Minor inconvenience, no lasting effect | | 2 | Minor | Small financial loss or brief disruption | | 3 | Moderate | Significant cost, temporary loss of capability | | 4 | Major | Serious injury, large financial loss, regulatory action | | 5 | Catastrophic | Life-threatening injury, club viability at risk, criminal liability |

Multiply likelihood by impact. That gives you a score between 1 and 25.

• 1–6 (Low): Monitor it. Review at the scheduled check-in. No immediate action needed.
• 7–12 (Medium): Have a plan. Assign an owner. Put mitigations in place this season.
• 13–20 (High): Act now. This needs committee attention this month.
• 21–25 (Critical): Stop and fix. Don't run the next event until this is resolved.

The point isn't precision - it's prioritisation. It prevents your committee spending an hour debating the lock on the equipment shed while ignoring the fact that three police vets expired in January and nobody renewed them.

Building your register: step by step

Set aside 90 minutes at a committee meeting. Bring a laptop or a whiteboard. And bring someone who works at ground level - the volunteer who runs the canteen, the groundsperson, the parent who helps with juniors every Saturday. They'll know which floodlight doesn't work properly and that the fire extinguisher in the changing rooms is two years past its service date.

Step 1: Gather the right people. Committee members, your child protection officer, your groundsperson if you have one, two or three experienced volunteers.

Step 2: Brainstorm risks using the five categories. Work through each category one at a time. Write everything down. Don't filter yet. Most clubs identify 15–25 risks in a first pass.

Step 3: Score each risk. Use the matrix. Don't agonise over the difference between a 3 and a 4 on likelihood. If there's genuine disagreement, go with the higher score.

Step 4: Assign an owner. Every risk needs one person's name next to it. Not "the committee." A person.

Step 5: Write the mitigation. Two parts: what you're already doing (existing controls) and what you need to do (additional actions).

Step 6: Set review dates. Pre-season and mid-season. Put them in the committee calendar.

Example entries

Here's what a few entries might look like for a typical NZ club:

| Risk | Category | L | I | Score | Owner | Mitigation | |------|----------|---|---|-------|-------|------------| | Junior coach police vet lapsed - not renewed since 2022 | Legal/Compliance | 3 | 5 | 15 | Child Protection Officer | Track all vetting dates centrally; send reminders 90 days before renewal; stand down any coach whose vet lapses until renewed | | Council reallocates Saturday ground to another code mid-season | Operational | 2 | 4 | 8 | President | Maintain relationship with parks department; attend user group meetings; have backup venue identified; diversify to reduce dependence on single ground | | Single registrar holds all membership system knowledge | Operational | 4 | 4 | 16 | Vice President | Document all registration and NSO portal processes; train a second person; store credentials in club password manager | | Member data stored in personal Google Drive with no access controls | Legal/Compliance | 4 | 3 | 12 | Secretary | Migrate data to club-managed system with role-based access; delete personal copies; include in privacy policy | | Pavilion roof leaks during heavy rain - water near electrical fittings | Safety | 3 | 4 | 12 | Facilities Officer | Temporary repair completed; formal quote for full replacement obtained; apply to gaming trust for funding | | Parent posts video of sideline confrontation to community Facebook group | Reputational | 3 | 3 | 9 | President | Adopt social media policy; train team managers on de-escalation; prepare media response template; display codes of conduct at pitch-side |

That's six entries. A typical club register will have 15–20. It shouldn't be longer than two or three pages.

How TidyHQ helps

You can build a risk register in a spreadsheet - and for the register itself, a spreadsheet is fine. But tracking the compliance items underneath it is where spreadsheets fall apart. Police vetting dates, first aid certifications, coaching qualifications, food safety certificates - somebody has to manually check dates and chase renewals. When that person is also running registrations, organising the prize-giving, and dealing with the council about ground bookings, things slip through.

TidyHQ's member profiles store compliance credentials against individual contacts, with expiry dates that trigger automated reminders before anything lapses. Your risk register says "track all police vetting dates centrally" - that's not an aspiration, it's a feature you can set up this afternoon. You can also store the register itself in TidyHQ's document storage, attached to your committee workspace, so it doesn't live on one person's laptop and disappear when they step down.

Frequently asked questions

How often should we review our risk register?

Twice a year at minimum. Once before the season - that's when you catch changes from the off-season: new activities, new facilities, committee turnover, expired certifications. And once at the halfway point, when you've had a few months of reality to compare against your assumptions. If something significant happens between scheduled reviews - a serious incident, a regulatory change, a facility closure - update it immediately.

Does our club need a risk register if we have public liability insurance?

Yes. They serve different purposes. Insurance covers you financially after something has gone wrong. A risk register helps prevent things going wrong - or reduces the impact when they do. Most public liability policies contain a condition requiring the insured to take "reasonable steps" to manage foreseeable risks. If you make a claim and the insurer finds you hadn't identified an obvious risk, your claim could be challenged.

What's the risk most NZ clubs overlook?

Key person dependency, without question. Nearly every club has someone - usually the secretary, registrar, or membership coordinator - who knows how everything works. The bank account process, the national sporting organisation affiliation portal, the membership database, the combination to the lock on the gear shed, where the spare set of corner flags lives. When that person leaves - and eventually they always do - the club loses months of operational capability. Document what they know. Train a second person. Store credentials centrally.

You don't need a risk management qualification. You need a table, ninety minutes with your committee, and honest answers about what could go wrong. That's a risk register. And it's one of the most useful things a volunteer committee can produce - not because anyone will read it with admiration, but because the process of creating it forces you to think about the things you've been hoping won't happen.

References

• WorkSafe New Zealand - Health and safety guidance for volunteer organisations and PCBUs
• Sport New Zealand - Risk management resources and Good Governance Guide for community sport
• Office of the Privacy Commissioner - Privacy Act 2020 breach notification requirements and compliance guidance
• Incorporated Societies Register - Officer duties and governance requirements under the Incorporated Societies Act 2022
• Geoff Wilson - Practical risk and governance guidance for grassroots sports clubs