Risk Management and Compliance for Clubs
Your club faces more risks than you think - and most of them aren't the dramatic ones. Here's how to build a risk register, get the right insurance, meet your compliance obligations, and stop relying on one person who knows where everything is.
Table of contents
- What you will learn
- 1. Risk management isn't just for big organisations
- 2. The five risk categories every club faces
- 3. Building a risk register that fits on two pages
- 4. Risk scoring - likelihood vs impact matrix
- 5. Insurance - what you need and what it actually costs
- 6. Incident reporting and documentation
- 7. Duty of care obligations
- 8. Workplace health and safety for volunteer organisations
- 9. Compliance obligations - annual returns, state body reporting, ACNC
- 10. Business continuity - what if your key person gets hit by a bus?
- 11. Annual risk review process
- 12. Tools and templates
What you will learn
- Every club faces five categories of risk - financial, physical safety, legal/compliance, reputational, and operational - and most committees only think about the first two
- A risk register doesn't need to be complicated - two pages and a quarterly review will put you ahead of 90% of community organisations
- Public liability insurance is non-negotiable, but it's not the only cover you need - volunteer personal accident, professional indemnity, and property insurance all fill different gaps
- Duty of care applies to everyone your club interacts with, not just members - and ignorance of the obligation is not a defence
- Incident reporting isn't just about covering yourself legally - it's the only way to spot patterns before someone gets seriously hurt
- Business continuity planning answers the most important question in club governance: what happens when your key person disappears?
1. Risk management isn't just for big organisations
There's a particular kind of denial that lives in committee meetings at small clubs. It sounds like this: "We're just a footy club. We don't need a risk management framework." Or: "We've been running for thirty years and nothing's gone wrong." Or the classic: "We'll cross that bridge when we come to it."
These are understandable positions. Nobody volunteers to run a community sports club because they're excited about risk registers. You're there because you love the sport, or because your kid plays, or because someone had to put their hand up and that someone turned out to be you.
But here's the thing. Risk management isn't about being paranoid. It's about thinking through the obvious stuff before it happens, so you're not making decisions at 9pm on a Friday night with an injured player on the ground and no idea whether your insurance covers the situation.
The Australian Sports Commission (now Sport Australia) has been saying this for years: risk management is a core governance function for every sporting organisation, regardless of size. Not because small clubs face the same risks as the AFL - they obviously don't - but because the consequences of unmanaged risk hit small clubs harder. A large national body can absorb a $50,000 legal bill. A club with $12,000 in the bank account? That's the end.
And it's not just about money. A safeguarding failure at a junior sports club doesn't just create legal exposure - it destroys trust in a community that might have been building it for decades. A volunteer gets hurt at a working bee and there's no insurance? That's a person who gave their Saturday to your club and now they're out of pocket for medical bills. That's not a risk management failure. That's a moral failure.
The good news: risk management for a community club doesn't look anything like corporate risk management. You don't need a consultant. You don't need software. You need a spreadsheet, a couple of hours of honest conversation at a committee meeting, and the discipline to review it twice a year. That's the bar. And most clubs aren't clearing it.
This guide will get you there.
2. The five risk categories every club faces
Risk is a big word that means different things to different people. When the treasurer hears "risk," they think money. When the junior coordinator hears it, they think child safety. When the president hears it, they think about that time a parent threatened to call the local paper.
They're all right. Risk comes in categories, and the mistake most clubs make is only thinking about one or two of them. Here are all five, with the kinds of things that actually go wrong.
Financial risk
This is the one committees talk about most, because it's concrete. You can see money in the bank account and money going out.
Financial risks include:
- Cash flow gaps - your biggest expenses (affiliation fees, insurance premiums, equipment) fall due before your membership income arrives
- Fraud or misuse - a single person has unsupervised access to the bank account and there's no dual-signatory requirement
- Grant dependency - you've built your budget around a grant that might not be renewed
- Uninsured losses - the equipment shed gets broken into and you don't have contents insurance
- Membership decline - your membership has been dropping 5% a year for three years and nobody's adjusted the budget
The fix for most financial risk is brutally simple: dual signatories on every transaction, a budget reviewed quarterly (not just approved annually at the AGM), and a reserves policy that says "we always keep three months of operating costs in the account."
Safety and physical risk
This is where duty of care lives, and it's the category where the stakes are highest because people can get hurt.
Safety risks include:
- Playing surface hazards - uneven ground, broken glass, sprinkler heads that stick up, goal posts that aren't anchored
- Equipment failure - nets with holes, worn padding, rebound walls that have come loose
- Heat and weather - training through 38-degree days because nobody has a heat policy, or playing in electrical storms because "the game's nearly over"
- Inadequate first aid - no trained first aider at training, no first aid kit, or a first aid kit that was stocked in 2019
- Transport and travel - volunteers driving minibuses without the right licence, or without adequate insurance
- Working bee injuries - someone falls off a ladder putting up bunting for the season launch, and nobody thought to check whether volunteer personal accident insurance covers it
The Safe Work Australia guidance on volunteers is clear: organisations that engage volunteers have a duty to ensure their health and safety, even though volunteers aren't employees. We'll come back to this in section 8.
Legal and compliance risk
Every incorporated association has legal obligations. Most committee members don't know what they are, which is itself a risk.
Legal risks include:
- Failing to lodge annual returns - every state requires incorporated associations to lodge annual statements. Miss the deadline and you can be struck off the register
- Privacy breaches - you're holding member data (names, addresses, medical information for juniors) and you're subject to the Privacy Act if your revenue exceeds $3 million, or to state privacy principles regardless
- Safeguarding failures - not having Working with Children Checks for everyone who needs one, or having them but not maintaining a register
- Constitutional non-compliance - your constitution says you need a quorum of 20 for an AGM and only 14 people showed up, but you passed motions anyway
- Discrimination claims - a member is excluded from selection or membership in a way that breaches anti-discrimination law
For ACNC-registered charities, the compliance bar is higher again. The ACNC's obligations page lays out reporting requirements, governance standards, and the external conduct standards that apply if you operate overseas.
Reputational risk
Reputation is the one risk category that can't be insured. And in a small community, reputational damage travels fast.
Reputational risks include:
- Social media incidents - a player posts something offensive from the club account, or a parent's complaint goes viral
- Sideline behaviour - spectators or coaches behaving badly at junior games, and the club being seen to do nothing about it
- Financial scandal - even the appearance of financial impropriety can empty a club faster than actual insolvency
- Safeguarding incidents - even allegations, handled badly, can destroy a club's standing in the community
- Poor facility management - your ground looks neglected, the toilets are broken, the canteen fails a health inspection
The common thread: reputational risk usually isn't caused by the incident itself. It's caused by the response. A club that handles a complaint transparently and quickly can emerge stronger. A club that goes silent, gets defensive, or blames the complainant? That's the one that ends up in the local paper.
Operational risk
This is the boring one. It's also the one that quietly kills clubs.
Operational risks include:
- Key person dependency - one volunteer knows how to run the membership system, do the accounts, and book the facilities. They move interstate
- Loss of institutional knowledge - the entire committee turns over and nobody documented how anything works
- Technology failure - your website goes down, your membership database gets corrupted, or your email system stops working and nobody knows the admin password
- Volunteer burnout - you're running a club with 200 members and five active volunteers. That's not a plan, it's a countdown
- Facility loss - your council lease comes up for renewal and the council has other plans for the site
We'll spend a lot of time on key person dependency in section 10, because it's the single most common operational risk in community sport and the one that gets the least attention.
3. Building a risk register that fits on two pages
A risk register is just a list of things that could go wrong, how bad they'd be, how likely they are, and what you're doing about them. That's it. The name makes it sound more formal than it is.
The problem with most risk register templates you find online is that they're designed for corporates. They have columns for "risk owner," "inherent risk rating," "residual risk rating," "control effectiveness assessment," and seventeen other fields that make a volunteer secretary want to close the laptop and watch Netflix instead.
Your risk register needs five columns:
| Risk | Likelihood | Impact | What we're doing about it | Who's responsible |
|---|---|---|---|---|
| Treasurer has sole access to bank account | High | High | Add president as second signatory by March | President |
| No first aid kit at Tuesday training | Medium | High | Buy new kit, assign to head coach to bring | Junior coordinator |
| Annual return not lodged on time | Low | High | Set calendar reminder for 30 days before due date | Secretary |
That's a risk register. Three rows, five columns. You could write it on the back of a beer coaster at a committee meeting. (Don't actually do that. Put it in a shared document. But you get the point.)
Here's how to build yours:
Step 1: Brainstorm. Get your committee in a room (or on a video call) and spend 30 minutes listing everything that could go wrong. Use the five categories above as prompts. Don't filter - just list. You'll get duplicates and silly ones. That's fine. The goal is to get everything out of people's heads and onto paper.
Step 2: Consolidate. Remove duplicates, combine related items, and throw out the ones that are genuinely implausible. ("What if a meteor hits the clubhouse" is not a risk you need to manage.) You should end up with 15–25 risks for a typical community club.
Step 3: Score. Give each risk a likelihood score and an impact score. We'll cover how in the next section.
Step 4: Prioritise. Sort by combined score. The top five to eight risks are your priorities.
Step 5: Assign. For each priority risk, write down what you're doing about it and who's responsible. Not the committee collectively - a named person.
The whole thing should fit on one to two pages. If it's longer than that, you've overcomplicated it.
Sport Australia's risk management resources include templates if you want a starting point, and the Clearinghouse for Sport has sport-specific examples. But honestly, a blank spreadsheet and 30 minutes of honest conversation will get you further than any template.
4. Risk scoring - likelihood vs impact matrix
Risk scoring sounds technical. It isn't. You're answering two questions about each risk:
- How likely is it? (Almost certain, likely, possible, unlikely, rare)
- If it happens, how bad is it? (Catastrophic, major, moderate, minor, insignificant)
Then you plot them on a grid. The classic version is a 5x5 matrix, but for a community club, a 3x3 is perfectly adequate:
| | Low impact | Medium impact | High impact |
|---|---|---|---|
| High likelihood | Medium risk | High risk | Extreme risk |
| Medium likelihood | Low risk | Medium risk | High risk |
| Low likelihood | Low risk | Low risk | Medium risk |
The matrix gives you a way to compare unlike risks. A financial risk and a safety risk feel very different, but the matrix lets you see that "no first aid at training" (medium likelihood, high impact) is a higher priority than "membership fees increase too slowly" (high likelihood, low impact).
Some guidelines for scoring honestly:
Likelihood - don't score based on whether it's happened before. Score based on whether the conditions exist for it to happen. If you have one person with sole access to all financial accounts and no oversight, the likelihood of financial irregularity is at least medium, regardless of how trustworthy that person is. The risk isn't about the individual. It's about the system.
Impact - think beyond the immediate incident. A minor injury at training has a minor immediate impact. But if the club has no incident report, no first aid record, and no insurance, the downstream impact of even a minor injury could be major. Score impact based on the worst plausible consequence, not the best case.
Don't argue about exact scores. The difference between "possible" and "likely" doesn't matter as much as the conversation itself. If your committee is debating whether a risk is medium or high, that's a good sign - it means they're thinking about it. The value is in the discussion, not the number.
Once you've scored everything, colour-code your register. Red for extreme and high risks, amber for medium, green for low. When a new committee member opens the document, they should be able to see the priorities in three seconds.
The AICD's risk governance principles go deeper on risk assessment methodology if your organisation is large enough to warrant it. For most clubs, the 3x3 matrix above is more than adequate.
5. Insurance - what you need and what it actually costs
Insurance is the part of risk management that most clubs find genuinely confusing. There are different types, different providers, different levels of cover, and a lot of jargon. Here's what you actually need to know.
Public liability insurance
This is the big one. Public liability covers your club if someone who isn't a member gets injured or their property gets damaged because of something your club did or failed to do. A spectator trips over an unmarked hazard at your ground. A cricket ball goes through a car windscreen in the car park. A child at an open day falls off equipment that wasn't properly supervised.
Do you need it? Yes. Full stop. Most councils require it before they'll lease you a facility. Most state sporting bodies require it as a condition of affiliation. Most grant programs require it as a condition of funding. Even if nobody required it, you'd be negligent not to have it.
What does it cost? For a typical community sports club, public liability insurance runs between $500 and $2,000 per year, depending on the sport, the number of members, and the level of cover. Contact sports and high-risk activities cost more. Many state sporting bodies include basic public liability cover in their affiliation fees - check before you buy a separate policy.
How much cover? $10 million is standard. $20 million is common for clubs that use council facilities (councils often require it). Don't go below $10 million - the premium difference between $5 million and $10 million is usually trivial.
Volunteer personal accident insurance
Public liability covers other people when your club is at fault. Volunteer personal accident insurance covers your volunteers when they get hurt doing club activities, regardless of fault.
This matters because volunteers aren't employees. They're not covered by workers' compensation. If a volunteer falls off a ladder at a working bee and breaks their wrist, they're paying their own medical bills unless you have this cover.
Do you need it? You should have it. Some states (Victoria, for example) require incorporated associations to have volunteer insurance or to inform volunteers in writing that they're not covered. Even where it's not legally required, it's the right thing to do. Your volunteers are giving you their time. The least you can do is make sure they're not financially destroyed if they get hurt doing it.
What does it cost? Typically $200–$800 per year for a small to mid-size club. Some state sporting bodies include it in affiliation, and some state governments offer subsidised volunteer insurance schemes.
Professional indemnity insurance
This covers your club if someone claims they suffered a loss because of advice or services your club provided. It's less common in sport but relevant if your club offers coaching, training, or professional development.
Do you need it? If you have paid coaches or instructors, yes. If all coaching is volunteer-based and informal, it's lower priority but still worth considering if your sport involves technical instruction (martial arts, gymnastics, diving, equestrian).
What does it cost? $300–$1,500 per year, depending on the nature of instruction and the number of coaches.
Property and contents insurance
Covers your physical stuff - buildings (if you own them), equipment, uniforms, canteen stock, trophies, computers, the ride-on mower.
Do you need it? If you own or lease a building, yes. If you have equipment worth more than you could replace out of your operating budget, yes. If everything you own would fit in a car boot, probably not.
What does it cost? Varies enormously. Contents-only cover for $50,000 worth of equipment might be $400–$800. Building insurance depends on the building. Get a quote.
The insurance gap most clubs don't see
Here's what catches people out: insurance has exclusions. Every policy. Your public liability policy probably excludes abuse and molestation claims (you need a separate endorsement). Your property policy probably excludes flood (you need to add it). Your volunteer insurance probably doesn't cover travel to and from the venue.
Read the Product Disclosure Statement (PDS). Yes, it's 80 pages of small print. Yes, it's boring. But the alternative is finding out what's excluded when you're making a claim, which is the worst possible time to discover it.
The Insurance Council of Australia has general resources, but for sport-specific advice, your state sporting body is usually the best starting point. Many have negotiated group insurance schemes that offer better cover at lower cost than you'd get buying individually.
UK equivalent: In England and Wales, public liability insurance requirements are similar but governed by the Employers' Liability (Compulsory Insurance) Act 1969 if you have any paid staff (even part-time). The UK HSE guidance for the voluntary sector covers the basics. Most NGBs include insurance in affiliation, but check the scope - some only cover activities directly related to the sport, not social events or fundraisers.
NZ equivalent: Sport NZ's risk management guidance covers insurance expectations for affiliated clubs. Public liability is standard in NZ sport, typically bundled through regional sports trusts or national body affiliation.
6. Incident reporting and documentation
An incident report is a written record of something that went wrong. Not just injuries - near misses, property damage, complaints, behavioural issues, anything that indicates a risk that either materialised or nearly did.
Most clubs don't do incident reports. When something happens, it gets dealt with on the spot, discussed informally, and then forgotten. Which means:
- There's no record if a legal claim comes later (and claims can come years later)
- There's no way to spot patterns (the same corner of the pitch causing ankle injuries every winter)
- There's no evidence that the club took reasonable steps to manage the risk (which is what duty of care requires)
What to record
Every incident report should capture:
- Date, time, and location - be specific. "Saturday arvo at the ground" is not useful. "Saturday 15 March 2026, approximately 2:45pm, on the eastern boundary of Field 2" is.
- What happened - factual description. What happened, not whose fault it was. "Player A collided with Player B during a contested mark. Player A fell and reported pain in their left ankle" - not "Player A went in recklessly."
- Who was involved - names and contact details of anyone involved, including witnesses
- What was done - first aid administered, ambulance called, area cordoned off, parent notified, whatever the response was
- Who completed the report - name and role
- Follow-up actions - what needs to happen next? Does the hazard need to be fixed? Does the insurance company need to be notified? Does the incident need to be reported to the state sporting body?
Near misses matter more than incidents
Here's something counterintuitive: near misses are more valuable than actual incidents for risk management purposes. An incident tells you something went wrong. A near miss tells you something almost went wrong - which means the conditions still exist for it to go wrong next time.
A sprinkler head sticking up that a player tripped over but didn't get hurt? That's a near miss. If you record it and fix the sprinkler, you've prevented the incident where someone tears an ACL. If you don't record it, you're waiting for the injury.
Safety research across industries consistently shows that for every serious incident, there are roughly 10 minor incidents and 30 near misses. The near misses are your early warning system. Ignore them and you're choosing to be surprised by the serious one.
Storage and access
Incident reports need to be stored securely (they often contain personal and medical information) but accessibly (the committee needs to be able to review them). A shared cloud folder with restricted access works. A locked filing cabinet works too, as long as the key isn't with the one person who moves interstate.
Keep incident reports for at least seven years. For incidents involving minors, keep them until the minor turns 25. These aren't arbitrary numbers - they reflect limitation periods for legal claims. If someone makes a claim five years after an incident and you can produce a detailed report written at the time, you're in a vastly stronger position than if you're relying on people's memories.
For more on documentation practices, see our guide on essential policies every club needs.
7. Duty of care obligations
Duty of care is a legal concept that sounds abstract until you understand what it actually means in practice. It's this: if your club creates a situation where someone could reasonably foresee being harmed, and the club doesn't take reasonable steps to prevent that harm, the club (and potentially individual committee members) can be held liable.
That's not just members. It's spectators, visitors, contractors, trespassers on your property, and people affected by your activities off-site.
What "reasonable" means
The law doesn't expect you to eliminate all risk. Sport is inherently risky - that's partly the point. What it expects is that you take reasonable steps to manage foreseeable risks. The legal test considers:
- The probability of harm - how likely is it that someone could be hurt?
- The seriousness of potential harm - a bruise vs a broken neck
- The burden of taking precautions - how hard and how expensive would it be to reduce the risk?
- The social utility of the activity - sport has recognised social value, so a higher inherent risk is tolerated than for, say, a corporate team-building exercise
So: you don't need to eliminate the risk of a collision in a contact sport. But you do need to make sure the playing surface is safe, the equipment is maintained, the coaches are qualified, and the competition is age- and skill-appropriate.
Committee member liability
Here's the bit that makes treasurers nervous. In most Australian states, committee members of incorporated associations have personal liability protection - meaning they can't be sued individually for the organisation's debts or negligence, as long as they acted in good faith and with reasonable care.
But that protection has limits. If a committee member knew about a hazard and did nothing, or deliberately ignored a compliance obligation, or made a decision that no reasonable person in their position would have made, the protection can be pierced.
The AICD's governance principles for NFPs cover director duties in detail. The short version: act honestly, act in the organisation's best interest, don't use your position for personal advantage, and make informed decisions. If you do those four things, you're almost certainly protected.
UK equivalent: Charity trustees in England and Wales have similar duties under the Charities Act 2011 and at common law. The Charity Commission's CC26 guidance explains what "reasonable care" looks like for trustee boards.
Duty of care and safeguarding
Duty of care has a particularly sharp edge when it comes to children and vulnerable adults. If your club involves anyone under 18, you have heightened obligations - Working with Children Checks (or equivalent), supervision ratios, codes of conduct, and complaint mechanisms.
This is a big enough topic that we've written a separate guide on it. See our safeguarding in sport implementation guide for the full picture.
8. Workplace health and safety for volunteer organisations
This is the section that confuses people most, because the name itself - "workplace health and safety" - implies it only applies to workplaces with employees. It doesn't.
The legal framework in Australia
Under the model Work Health and Safety (WHS) Act - adopted by all states and territories except Victoria and Western Australia, which have their own equivalent legislation - a "person conducting a business or undertaking" (PCBU) has a primary duty of care to ensure, so far as is reasonably practicable, the health and safety of workers and others affected by the work.
The critical word here is "workers." Under the model Act, a worker includes a volunteer. Not an employee. A volunteer.
This means that if your club engages volunteers - which almost every club does - you have WHS obligations. You don't need to do everything that a large employer does. But you need to:
- Provide a safe environment - the venue, the equipment, the conditions
- Provide adequate information, training, and supervision - a volunteer operating a barbecue at a sausage sizzle should know how to use the equipment safely. A volunteer supervising juniors should know the supervision ratios and emergency procedures
- Consult with volunteers about safety matters - if you're changing how something works, ask the people doing it whether it creates new risks
- Report notifiable incidents - if a volunteer (or anyone else) is killed, seriously injured, or exposed to a serious near miss, you may have a legal obligation to notify the regulator
WorkSafe Victoria has particularly clear guidance on what this looks like for volunteer-run organisations, even though Victoria operates under its own OHS Act rather than the national model.
What this looks like in practice
For most community clubs, WHS compliance isn't complicated. It means:
- Walk the ground before each session. Check for hazards - glass, sprinkler heads, uneven surfaces, damaged equipment. Takes five minutes. Do it every time.
- Maintain your equipment. Have a schedule for checking goal posts, nets, mats, whatever your sport uses. Record the checks.
- Have a first aid plan. Know who's trained, where the kit is, and how to call an ambulance to your venue (you'd be surprised how many people don't know the exact address of their own club ground).
- Have a heat policy. In Australia, this isn't optional. If your sport doesn't have a specific heat policy, use the Sport Australia guidelines. Cancel or modify activities when it's dangerously hot. Nobody's season record is worth a heat stroke.
- Brief your volunteers. Before a working bee, before a canteen shift, before they take on a new role - make sure they know what they're doing and what the risks are.
The Safe Work Australia model WHS Act is the primary legislation. Your state regulator (SafeWork NSW, WorkSafe Victoria, Workplace Health and Safety Queensland, etc.) has the detailed guidance and enforcement authority.
UK equivalent: The Health and Safety at Work Act 1974 applies to volunteer organisations in England and Wales if they have any employees, even one part-time worker. Volunteer-only organisations have a common law duty of care but aren't subject to the Act. The HSE's voluntary sector guidance explains the distinction clearly. In practice, the expectations are similar: provide a safe environment, adequate supervision, and proper information.
9. Compliance obligations - annual returns, state body reporting, ACNC
Compliance is the administrative backbone of risk management. It's not glamorous, but missing a deadline can cost your club its legal status, its tax concessions, or its affiliation with the state body that gives you access to insurance, competitions, and funding.
Incorporated association obligations
If your club is an incorporated association (and most Australian sports clubs are), you have annual obligations to the relevant state or territory regulator:
- Annual statement/return - every state requires this, though the name and deadline vary. In Victoria, it's an annual statement due within one month of your AGM. In NSW, it's an annual summary due within one month of the AGM. In Queensland, it's an annual return due by 31 December. Check your state's specific requirements.
- Financial reporting - the level of detail depends on your revenue. Small associations (typically under $250,000 revenue) can lodge simplified financial statements. Medium and large associations need reviewed or audited accounts. Your constitution may also specify requirements.
- Notification of changes - if your committee changes, your registered address changes, or your constitution is amended, you typically need to notify the regulator within 28 days.
NSW Fair Trading, Consumer Affairs Victoria, and equivalent bodies in other states publish detailed guides. Bookmark yours. Set calendar reminders.
ACNC obligations
If your club is registered as a charity with the Australian Charities and Not-for-profits Commission (ACNC), you have additional obligations:
- Annual Information Statement - due within six months of the end of your reporting period. This is separate from your state annual return.
- Governance standards - the ACNC has six governance standards covering purpose, accountability, compliance with Australian laws, suitability of responsible persons, duties of responsible persons, and maintaining and enhancing public trust.
- Reporting significant changes - changes to your governing document, responsible persons, or address must be reported within 60 days.
The ACNC website is genuinely well-designed (not something you can say about every government website) and has clear checklists for each obligation.
State sporting body reporting
Your state sporting body probably requires:
- Annual affiliation return - including member numbers, committee details, and sometimes financial summaries
- Insurance compliance - proof of public liability and other required insurance
- Safeguarding compliance - evidence that all required personnel have Working with Children Checks, and that the club has compliant safeguarding policies
- Constitutional alignment - some state bodies require affiliated clubs to adopt a model constitution or to include specific clauses
This reporting is usually annual, but some bodies are moving to more frequent reporting (particularly around safeguarding) as governance expectations increase.
The compliance calendar
The single most useful thing you can do is create a compliance calendar. One page. Every obligation, every deadline, every responsible person. Tape it to the inside of the clubhouse noticeboard. Put it in the shared Google Drive. Set automated reminders.
Here's a skeleton:
| Month | Obligation | Responsible | Status |
|---|---|---|---|
| July | Affiliation renewal to state body | Secretary | |
| August | Working with Children Check register review | Safeguarding officer | |
| September | AGM + annual return lodgement (VIC) | Secretary | |
| October | ACNC Annual Information Statement | Treasurer | |
| November | Insurance renewal | Treasurer | |
| February | Pre-season risk register review | President | |
Adjust for your state and your reporting periods. The point is: if it's not written down with a date and a name, it won't happen.
For a detailed list of club policies that support these compliance obligations, see our guide on essential policies every club needs and the essential policies checklist for Australian sports clubs.
10. Business continuity - what if your key person gets hit by a bus?
It's a morbid question, but it's the right one. What happens to your club if the person who knows everything - the treasurer who does the accounts, the secretary who manages the memberships, the coach who runs the entire junior program - suddenly isn't there?
In corporate governance, this is called "key person risk" or, more bluntly, the "bus factor." How many people would need to be hit by a bus before your organisation can't function?
For most community clubs, the answer is one.
One person who has all the passwords. One person who knows where the insurance documents are. One person who has the relationship with the council. One person who understands the financial spreadsheet they built six years ago and never documented.
This isn't a criticism of that person. They're usually the most dedicated volunteer in the club - the one who took on more and more because nobody else would. The problem isn't their commitment. The problem is the system that allows all that knowledge to live in one head.
The minimum viable continuity plan
You don't need a corporate business continuity plan. You need to answer three questions:
1. Who knows what?
Map every critical function to the person who currently does it and the person who could do it in an emergency. If the "could do it" column is blank, that's your number one risk.
| Function | Primary | Backup | Documentation |
|---|---|---|---|
| Bank account access | Treasurer | President | Login details in password manager |
| Membership database | Secretary | Vice President | User guide written, login shared |
| Insurance documents | Treasurer | Secretary | Copies in shared drive |
| Facility booking | President | - | GAP - no backup, no documentation |
| Junior coordinator | Sarah M | - | GAP - all in Sarah's head |
Every blank in the "Backup" or "Documentation" column is an action item.
2. Where is everything?
Create a master document - sometimes called a "key information register" - that lists:
- All bank accounts and who has access
- All online accounts (website hosting, membership system, email, social media) and login credentials
- All insurance policies, broker details, and renewal dates
- All contracts and leases, with expiry dates
- Key contacts: council, state body, insurance broker, accountant, solicitor
- Location of the constitution, minutes, financial records
Store this document securely. A password manager shared between the president, secretary, and treasurer is ideal. Update it annually at minimum.
3. What's the handover plan?
When a committee member finishes their term, how is their knowledge transferred? In most clubs, the answer is: it isn't. The new person figures it out themselves, or the old person hangs around informally for a while, or critical knowledge simply disappears.
Build a handover checklist for each committee role. It doesn't need to be long - half a page of "here's what you need to know and where to find it." Require it to be completed before the outgoing committee member is formally discharged at the AGM.
We've written about this in more detail for UK organisations in our article on business continuity for sports organisations, and the principles are identical regardless of jurisdiction. The good governance guide covers the broader governance framework that business continuity sits within.
11. Annual risk review process
A risk register that gets written once and never looked at again is not risk management. It's a document. Risk management is a process, and that process needs a rhythm.
Here's an annual risk review cycle that works for community clubs:
Pre-season review (before your main season starts)
This is your big one. Set aside 30–45 minutes at a committee meeting and work through the entire risk register.
- Review each existing risk. Has the likelihood or impact changed? Have the controls you put in place actually worked? Did anything happen since the last review that changes the picture?
- Add new risks. Are you doing anything new this season? New venue? New event? New junior age group? New equipment? Each change can introduce new risks.
- Remove resolved risks. If a risk has been fully mitigated (you've installed the safety fence, you've got the second signatory, you've written the policy), move it to a "closed" section. Don't delete it - you might want to check that the fix is still working.
- Check insurance. Is your cover still adequate for your current activities and membership numbers? Have you added a new activity that might not be covered?
- Check compliance. Review the compliance calendar. Are all deadlines on track? Are all required documents current?
Post-season review (after your main season ends)
Shorter. Fifteen to twenty minutes. Focus on:
- Incident review. Look at every incident report from the season. Are there patterns? The same hazard causing multiple near misses? The same type of complaint recurring?
- What nearly went wrong? Ask the committee: what was the closest call this season? What kept you up at night? These are often risks that aren't in the register yet.
- Handover preparation. If committee positions are changing at the AGM, make sure the risk register and compliance calendar are part of the handover.
Trigger reviews
Outside the regular cycle, review your risk register whenever:
- A significant incident occurs
- You change venues, activities, or programs
- Legislation or regulations change (your state body or regulator will usually notify you)
- Your insurance policy changes or is renewed
- You receive a complaint that reveals a systemic issue
Document the review
This matters for legal protection. If a claim is made and you can show that the committee reviewed risks regularly, identified the relevant risk, and took reasonable steps to manage it, you're in a vastly stronger legal position than if you have no evidence of any risk oversight.
A simple note in the committee meeting minutes is enough: "Risk register reviewed. Three new risks added. Insurance cover confirmed adequate. Action items assigned - see register."
Sport Australia's governance principles explicitly include risk oversight as a board responsibility, and the Volunteering Australia National Standards cover risk management expectations for organisations involving volunteers.
12. Tools and templates
You don't need specialised software for risk management at the community club level. You need a spreadsheet, a shared document, and calendar reminders. Here's what to set up.
Risk register template
Create a spreadsheet with these columns:
- Risk ID - just a number, for easy reference in minutes
- Category - financial, safety, legal, reputational, operational
- Description - one sentence describing what could go wrong
- Likelihood - low, medium, high
- Impact - low, medium, high
- Risk rating - the combined score from your matrix
- Current controls - what you're already doing about it
- Additional actions needed - what else needs to happen
- Responsible person - a name, not "the committee"
- Review date - when this risk was last reviewed
- Status - open, in progress, closed
Put it in Google Sheets or Microsoft 365 so the whole committee can access it. Lock it so only the risk owner (or secretary) can edit, but everyone can view.
Incident report form
Create a simple form - Google Forms works, or a paper form in the first aid kit. Include:
- Date and time
- Location (be specific)
- Description of what happened
- People involved (names and contact details)
- Witnesses (names and contact details)
- Action taken
- Follow-up required
- Completed by (name and role)
- Date form completed
Store completed forms in a secure shared folder with restricted access.
Compliance calendar
A shared calendar (Google Calendar, Outlook) with:
- All annual return deadlines
- Insurance renewal dates
- Affiliation renewal dates
- ACNC reporting deadlines (if applicable)
- Working with Children Check expiry dates for each person
- Risk register review dates (pre-season and post-season)
Set reminders for 30 days before each deadline. Assign a backup person for each item.
Key information register
A secure document listing all accounts, credentials, contacts, and document locations. Update it at every committee changeover. Store it in a password manager shared between at least three committee members.
Where TidyHQ fits
If you're already using TidyHQ to manage your membership and club administration, you've got a head start on several of these requirements. Your member database is already centralised (not in one person's spreadsheet), your financial records are already documented, and your committee member details are already tracked. That doesn't replace the need for a risk register and compliance calendar - but it means the operational risks around key person dependency and information access are already significantly reduced.
For clubs managing risk across a network of affiliated clubs, TidyConnect provides visibility into compliance status across the entire organisation - which is particularly relevant for state sporting bodies managing affiliation compliance, insurance verification, and safeguarding oversight at scale. For more on how that works, see the risk analysis for sport boards article.
Risk management isn't about being pessimistic. It's about being realistic. Every committee meeting that spends five minutes on "what could go wrong this month" is a committee meeting that's doing its job. And every risk register that gets reviewed twice a year - even imperfectly - is better than the 90% of clubs that are running on luck and the hope that nothing goes wrong.
Start with the spreadsheet. Score the risks. Assign the actions. Review it in six months. That's the whole system.
Frequently asked questions
Does our club really need a risk register if we're small?
Yes. Size doesn't change the nature of risk - it changes the scale. A 40-member tennis club still has public liability exposure, volunteer safety obligations, financial risks, and compliance requirements. A simple one-page risk register reviewed twice a year is enough for most small clubs. The point isn't to create bureaucracy - it's to make sure your committee has thought about what could go wrong before it does.
What insurance does a sports club legally need in Australia?
There's no single national law requiring specific insurance, but in practice, public liability insurance is effectively mandatory. Most councils won't let you use their facilities without it, most state sporting bodies require it for affiliation, and most grant programs list it as a prerequisite. Beyond public liability, volunteer personal accident insurance is strongly recommended (and required by some states for incorporated associations), and you should consider property insurance if you own or lease assets.
Who is responsible for risk management in a volunteer-run club?
The committee (or board) holds collective responsibility for risk oversight. That doesn't mean every committee member needs to be a risk expert - it means the committee needs to ensure someone is actively managing risk and reporting back regularly. Many clubs appoint a risk officer or assign risk to the secretary's portfolio. The key principle: risk management is a governance function, not an administrative task.
How often should we review our risk register?
At minimum, twice a year - once before your main season and once at the end. Many well-run clubs do a quick review quarterly, which takes about 30 minutes if you've been maintaining it. You should also review it after any significant incident, any change in activities (new sport, new venue, new event type), or any regulatory change that affects your obligations.
What's the difference between WHS obligations for employees and volunteers?
Under Australian WHS harmonised legislation, a 'person conducting a business or undertaking' (PCBU) has a duty of care to workers - and 'workers' includes volunteers. The practical difference is that volunteer-only organisations don't have employer obligations like workers' compensation, but they still must provide a safe environment, adequate training, and proper supervision. The duty isn't lesser because nobody's getting paid.
References
- 1. Sport Australia - Risk Management for Sport Organisations
- 2. ACNC - Charity Compliance and Reporting
- 3. Safe Work Australia - Volunteers and WHS
- 4. Insurance Council of Australia - Community Organisation Resources
- 5. UK Health and Safety Executive - Guidance for the Voluntary Sector
- 6. Sport NZ - Risk Management Guidance
- 7. AICD - Risk Governance Principles for NFPs
- 8. ISO 31000:2018 - Risk Management Standard
- 9. Clearinghouse for Sport - Risk Management Templates and Resources
- 10. NSW Fair Trading - Incorporated Associations Compliance
- 11. Consumer Affairs Victoria - Incorporated Associations
- 12. Sport England - Club Matters Governance Resources
- 13. Volunteering Australia - National Standards for Volunteer Involvement
- 14. WorkSafe Victoria - Duties of Volunteer Organisations
- 15. Safe Work Australia - Model WHS Act
- 16. Charity Commission (UK) - Risk Management Guidance (CC26)
- 17. Sport Australia - Governance Principles