This section of the Governance Toolkit examines safeguarding vulnerable people and outlines practical steps to ensure your charity is doing this effectively.

Read the guide and then check your understanding by taking the assessment available at the bottom of this page. You do not need to submit this assessment to the ACNC - it is optional and designed to help you measure your understanding of the topic and identify areas for training or improvement.

What does safeguarding mean?

Safeguarding is protecting the welfare and human rights of people that are, in some way, connected with your charity or its work – particularly people that may be at risk of abuse, neglect or exploitation.

The definition of safeguarding used to be narrower – it used to refer to protecting children or vulnerable adults. However, Australian legislation broadened the definition to include everybody. As such, safeguarding is part of a charity’s primary duty of care.

Vulnerable people

While all people must be protected from harm, there are additional legislative and ethical considerations for protecting vulnerable people.

Vulnerable people can include:

  • children and seniors
  • people with impaired intellectual or physical functioning
  • people from a low socio-economic background
  • people who are Aboriginal or Torres Strait Islanders
  • people who are not native speakers of the local language
  • people with low levels of literacy or education
  • people subject to modern slavery, which involves human exploitation and control, such as forced labour, debt bondage, human trafficking, and child labour.

Vulnerable people are not limited to a charity’s beneficiaries or the users of its services. They can include a charity’s staff, volunteers, and people in third parties, such as partners.

Being able to recognise vulnerability in its various forms is important and the first step to being able to protect vulnerable people.

Risks and consequences

Safeguarding is a matter of concern for all charities. Your charity needs to be aware of the risks that come with its work and the potential incidents of harm.

Incidents of harm may include:

  • Sexual harassment, bullying or abuse
  • Serious sexual offences, such as rape
  • Threats of violence or actual violence
  • Verbal, emotional or social abuse
  • Cultural or identity abuse, such as racial, sexual or gender-based discrimination or hate crimes
  • Coercion and exploitation
  • Abuse of power.

These incidents of harm can have a wide range of consequences:

  • Mental and physical health issues, or even death, for affected people.
  • Civil or criminal sanctions for the charity or individuals.
  • Anger in the community.
  • Damage to reputation and negative media attention.
  • Disruption to services.
  • Decrease in team cohesion, morale and productivity.
  • Inability to attract staff and volunteers.
  • Loss of donors and access to grants.

Legal Obligations

All charities registered with the ACNC must continue to be not for profit and pursue solely charitable purposes. They must also keep financial records, and report information to the ACNC annually – including financial information.

Most charities must also comply with the ACNC’s Governance Standards and for charities operating overseas, the External Conduct Standards.

The Governance Standards do not refer to specific obligations for safeguarding. However, they do require charities to comply with Australian law and they set duties for a charity’s Responsible Persons, which include the requirement to act with care and diligence and in the best interests of the charity.

For charities that operate overseas – including charities that just send funds overseas – the External Conduct Standards have explicit requirements for protecting vulnerable people. For more on this, see our guidance on External Conduct Standard 4.

Depending on the location and nature of your charity’s operations, there may be other state, federal or overseas legislation with which your charity must comply. You may consider getting legal advice to fully understand what legal obligations there may be for your charity.

Managing risks

While everyone involved in a charity has a role to play in protecting people, the ultimate responsibility for a charity sits with its Responsible Persons.

It is the Responsible Persons who must consider the unique and specific circumstances of their charity and ensure it is able to identify and manage the relevant risks.

The action to manage risks will vary significantly between charities, but there are seven steps that every charity can take to help protect people from harm:

  • Identify and assess the risks and any legal and ethical obligations.
  • Commit to managing risks of working with vulnerable people.
  • Prevent harm and mitigate risks with clear and comprehensive policies, procedures and systems.
  • Engage people, including those from third parties, to help manage risks by adhering to policies, procedures and systems.
  • Detect changes in risks, instances of harm and of non-compliance with obligations.
  • Take action when concerns, suspicion or complaints arise.
  • Assure the charity’s board that risks are being managed.

Your charity may find it helpful to set out these steps, and the actions it will take under each, in a formal action plan. That way, it can keep track of what it is doing, when, and who is responsible.

Remember that safeguarding is a serious matter. It is important to consider whether your charity’s staff and volunteers have the appropriate skills and experience to carry out the action in each of the seven steps. If they do not, seek outside help. Not doing things properly can lead to more harm.

Identify and assess

There are three important actions in this step:

  • understand your charity’s risks
  • understand your charity’s obligations
  • determine what policies, procedures and systems your charity needs to manage both.

Conduct a risk assessment: identify the risks that come with your charity’s work with people, prioritise each risk according to its likelihood and consequences, and identify the policies, procedures and systems that will deal with the risks.

This is a methodical way to make sure that your charity has considered what could happen, and how it will deal with incidents that do happen. You can conduct risk assessments for the whole organisation, for a department, or even for specific processes, programs or projects.

Risk assessments do not have to be complex and bureaucratic. A simple and methodical approach is best.

When conducting a risk assessment:

  • Think broadly about all the people your charity affects. What forms of abuse, exploitation or coercion could happen to them, and who might be responsible for them?
  • Consider all activities, including those in your charity’s supply chain or of partners and subcontractors. What could go on just beyond your charity’s view?
  • Think about the likelihood of your charity’s resources being affected by these risks. How common are incidents like these?
  • Consider carefully the consequences of an incident – in particular, the effects on the victim, your charity’s beneficiaries, its reputation, financial position, partners, and the morale of your staff.
  • Seek lots of information to understand the risks. Consult widely, for example through meetings, workshops and surveys, and identify information sources such as previous incidents, reports, events in other organisations, and media reports.

Remember that safeguarding can be confronting, and people may struggle to talk about it – particularly if they have had a traumatic experience. When consulting people about safeguarding, be sensitive to their experiences and approach the topic with care.

It is important that your charity knows its legal obligations. Keeping a register that lists the national, state and international legislation that affects your charity’s work can help.

This register should:

  • Identify the jurisdiction and source of the obligation
  • Provide a short summary of the obligation
  • Record what your charity does to ensure that it complies with the obligation.

Review the obligations regularly to make sure the register is up to date.

Your charity can also use the register to record and monitor other external obligations, such as government policies or professional standards or codes of practices, that may apply.

Finally, when your charity has considered its risks and its obligations, it can evaluate whether it has the right policies, procedures and systems to manage them.


Committing to protecting people from harm means:

  • Having a clear and accessible policy on safeguarding
  • Allocating adequate resources, leadership and authority to manage the risks
  • Making sure that all people in your charity share the commitment.

A policy that outlines your charity’s approach to safeguarding is an important document. It should:

  • Have reference to your charity’s legal obligations
  • Outline the identified risks
  • Define key terms (for example, ‘safeguarding’ and ‘vulnerable person’)
  • Clearly state your charity’s expectations of staff, volunteers and partners
  • Outline your charity’s processes for managing risks
  • Identify who is responsible for managing safeguarding
  • Clearly define the roles and responsibilities of people involved in safeguarding
  • Extend obligations to your charity’s partners and contractors
  • Contain supporting resources, such as an incident response plan or an employee vetting document
  • Be endorsed by your charity’s board.

Use our template safeguarding policy to start your charity’s own.

Everyone in your charity should have access to the policy and it is a good idea to also make it publicly available.

It is important that safeguarding is given appropriate resources and is supported by your charity’s leaders.

Make sure the resources are proportionate to your charity’s work, its risks and its funding. It can be helpful to use the risk assessment, and the priorities that came out of it, to decide where to focus resources.

Make sure the leaders of your charity – whether they be the board, staff or volunteers – support the safeguarding approach and take it seriously. Have a senior person take responsibility for safeguarding and make sure it features regularly in board meetings.


Policies, procedures and systems can reduce the likelihood and consequences of incidents. These are known as internal controls. It is important that they are appropriate for your charity and address its specific risks.

Examples of procedures and systems include:

  • Due diligence. The research, background checks and preparation that your charity does to minimise the possibility of doing harm to people
  • Segregating duties and providing supervision. Policies or procedures that ensure the responsibility for high-risk situations is shared by more than one person
  • Managing third parties. Third parties are people or organisations that your charity works with, such as suppliers and partners. Managing third parties includes making sure they are capable of, and committed to, protecting people in their work. Written agreements, contracts or memoranda of understanding are useful ways to do this.


Engaging everybody involved in your charity and its work means communicating its expectations, raising awareness of the issue and building a positive culture of protecting people.

Your charity may communicate its expectations and raise awareness of the issue through formal channels such as policies, procedures and training resources, or less formal methods such as email updates, newsletters and staff meetings.

To help develop and maintain a culture that values safeguarding consider these questions:

  • Are your charity’s values expressed in a Code of Conduct and do these values support safeguarding?
  • Has your charity considered the kind of culture it wants?
  • Does the leadership of your charity embody the desired culture, and do their words and actions encourage others to be part of it?
  • How do attitudes and events in your charity compare with the culture it wants to develop?


It is important to detect incidents of harm, but it is also important to detect moments of non-compliance with commitments and indicators that risks might be changing.

To detect an incident of harm effectively, ensure that:

  • Staff, volunteers and third parties report any concerns they have, including the option to do so confidentially
  • There are ways for people to provide feedback, raise grievances and report suspected or actual incidents of harm
  • People who report concerns or incidents of harm are protected
  • There is guidance for managers and staff on detecting incidents – what kinds of situations have risks of abuse, neglect and exploitation?
  • There is a supportive culture that encourages staff and volunteers to speak up – perhaps a whistleblower policy may be appropriate
  • There is a clear and transparent system for investigating and responding to concerns.

Examples of how your charity may do this include:

  • Training on safeguarding for new staff and volunteers
  • Having clearly defined reporting procedures in its policy
  • Providing staff and volunteers with simple, memorable guidance on the indicators of incidents of harm (known as red flags)
  • A communication campaign that shows volunteers, staff and beneficiaries that it is safe to make reports. This might include, for example, posters, leaflets, e-mails and text messages
  • An e-mail address, contact number or other system people can use to make anonymous disclosures.

Take action

In the event of a suspected incident, your charity needs to take prompt action to understand what might have happened, what risks might exist, and how to protect the people affected.

To effectively respond to a suspected incident, it is helpful to be able to follow a response plan. This will help your charity manage the suspected incident and the risks involved. A response plan should:

  • Clearly assign roles and responsibilities for responding to the incident (with major roles and responsibilities reserved for people with appropriate training, skills and experience)
  • Set out what is required at each stage of the response
  • Include an internal investigation to understand what may have happened
  • Provide guidance for when matters should be reported to an external party, for example, the police, the ACNC or a partner or donor agency
  • Include a step focussed on development and learning lessons

Use our template to start your charity’s own response plan.

Carefully consider the risks before beginning an internal investigation into a matter. Some incidents may be beyond your charity’s ability to investigate effectively, and it may need to get external help. And some incidents may be so serious that your charity will need to refer them to the police.


Your charity’s board needs to make sure that there are regular reviews of safeguarding policies, procedures and systems.

Review them at least annually and after any incident. Consider, for example, the following questions:

  • Are they up to date, reflecting the current working environment and legislation or regulation?
  • Do they reflect the current risks for your charity’s work?
  • Do staff, volunteers and third parties follow the policies, procedures and systems properly?
  • Do the policies and procedures work, or are they ineffective?
  • What feedback has your charity received about its policies, procedures and systems?
  • What improvements could be made?

Case study: A risk assessment

A charity in Sydney runs workshops and mentoring sessions to help people re-enter the workforce.

The charity had not previously done a safeguarding risk assessment, but an incident at one of its workshops made it think about some of the risks involved in its work. When discussing risks, the charity’s management committee realised that the charity served people who might be considered vulnerable.

The management committee decided to do a risk assessment. They thought critically about the charity’s work and identified risks by talking to staff and mentors, meeting with volunteers and having service users complete an anonymous survey.

Following the risk assessment, the charity developed a new safeguarding policy as well as new procedures to help manage its risks. In developing the new policy and procedures, the charity consulted:

  • its staff responsible for workshops and mentoring services
  • its finance officer to understand costs
  • its pro-bono legal advisor to understand its legal obligations, including work health and safety responsibilities.

The charity also took extra steps to ensure it was addressing the risks of working with vulnerable people:

  • It organised training sessions for staff and volunteers to help them identify and work appropriately with vulnerable people
  • It implemented a simple ‘whistleblowing’ system through which service users and others could report concerns.

The importance of safeguarding vulnerable people is now at the forefront of the charity’s governance practices. It features in all policies, is a regular item on meeting agendas, and all staff and volunteers are aware of how to work with vulnerable people.

Safeguarding vulnerable people assessment

Safeguarding policy template

Incident response plan template

Safeguarding checklist

Useful resources