81% of NFP Boards Say Governance Is Improving. The Data Tells a Different Story.

The AICD/Commonwealth Bank NFP Governance Study reveals a sector measuring governance by effort, not by systems — and running out of volunteer hours to sustain it.

Roshan Ghadamian · 7 min read

The Governance Improvement Paradox

81% of directors surveyed in the AICD/Commonwealth Bank NFP Governance Study 2024-25 believe governance at their organisation has improved over the past three years. This is the headline finding of the 16th annual edition, drawn from approximately 1,000 respondents across the Australian not-for-profit sector.

It sounds like progress. But the mechanism behind the improvement tells a different story.

53% of directors report spending more time on governance than they did last year. The top three performance improvement actions cited are board composition changes, regular progress reviews against strategic plans, and developing new strategic plans. These are effort-based inputs — more hours, more meetings, more documents — not systemic changes to how governance operates.

When you ask directors what improved, they describe working harder. When you look at how they measure that improvement, the picture shifts further. The sector is not building better governance systems. It is asking volunteers to absorb more governance load through personal commitment. As one respondent put it: "It's the time on compliance rather than purpose."

This is the paradox. Directors feel governance is better because they are giving more to it. But giving more to a structural problem does not make the structure better. It makes the people inside it more exhausted. And exhaustion has a ceiling that institutions do not.

Measuring What Matters — Or What's Easy to Measure

The study reveals how NFP boards actually evaluate their own effectiveness, and the numbers are striking.

79% of boards measure performance primarily through CEO and management reports. The board asks management how things are going, and management tells them. This is not an evaluation mechanism. It is management self-reporting presented as board oversight.

Only 28% of boards use balanced scorecards — structured frameworks that track performance across multiple dimensions rather than relying on a single narrative. The remaining 72% are evaluating governance through methods that depend on the very management team the board is meant to oversee.

This is not a criticism of CEOs or management teams. Most NFP executives are diligent professionals operating with constrained resources. The issue is structural. When the primary evaluation tool is a report prepared by the person being evaluated, the board is not governing. It is receiving a curated account of governance. The information asymmetry between management and board becomes the operating reality, and the board's capacity to identify problems before they escalate depends entirely on management's willingness to surface them.

The 28% who use balanced scorecards are not necessarily doing it well — but they are at least attempting to measure governance through a framework that does not depend on the goodwill of the people being measured. The other 72% are trusting management to evaluate management, and calling the result governance.

The Cyber Security Wake-Up Call

19% of surveyed organisations experienced a cyber security incident in the past 12 months. In social services organisations — those handling the most sensitive client data — the figure rises to 25%. One in four social services NFPs was breached in a single year.

84% of boards report discussing cyber security at least annually. On its face, this looks like engagement. But discussion is not governance. Discussing cyber security once a year — or even quarterly — without the infrastructure to enforce security policies, track incidents, or audit compliance is performative oversight. It satisfies the procedural requirement that the board "considered" the issue without creating any mechanism to address it.

The Infoxchange 2025 report provides the structural context: only 23% of NFPs have a cyber security plan. So 84% of boards are discussing a risk that 77% of the sector has no documented plan to manage. The discussion happens. The governance does not.

15% of boards have never discussed cyber security, or only began discussing it in the last two years. For organisations handling client data, health information, or financial records, this is not a governance gap. It is a governance absence. The regulatory environment — the Privacy Act, the Notifiable Data Breaches scheme, ACNC governance standards — does not distinguish between organisations that discussed cyber and those that governed it. Liability follows the breach, not the board agenda.

AI in NFPs: The Pre-Governance Window

The study finds that AI adoption in NFPs remains "ad hoc and exploratory." Less than 10% of organisations use AI regularly. 34% report ad hoc use of generative AI tools. The sector is, by the study's own characterisation, "significantly lagging behind corporate" in AI adoption.

This is presented as a problem. It is also an opportunity — and the window is closing.

The corporate sector adopted AI first and is now scrambling to retrofit governance around tools already embedded in operations. Policies are being written for tools that have been in use for two years. Risk frameworks are being applied to workflows that were never designed with governance in mind. The cost of retroactive governance is always higher than proactive governance, because by the time you govern something, people depend on it working the way it currently works.

NFPs have not yet reached that point. AI adoption is early enough — ad hoc, experimental, individual rather than institutional — that governance frameworks can be established before adoption becomes entrenched. The constraint can precede the tool rather than chase it.

75% of NFP respondents see productivity as the top benefit of AI. This is the same framing that drove ungoverned adoption in the corporate sector: AI is a productivity tool, so let people use it and worry about governance later. The productivity framing makes governance feel like friction rather than infrastructure. But productivity without governance is just velocity without direction — and in a sector handling vulnerable populations, sensitive data, and public trust, ungoverned velocity is a liability.

The pre-governance window is the period before AI is embedded in core operations, when establishing constraints costs almost nothing and disrupts almost no one. For most NFPs, that window is open right now. The AICD data suggests it will not stay open long.

The Volunteer Director Sustainability Crisis

76% of NFP directors are unpaid volunteers. 53% are spending more time on governance than last year. These two data points, taken together, describe a governance model that depends on an expanding commitment from people who are not compensated for it.

This is not sustainable, and the data is beginning to show the strain.

The study does not frame this as a crisis — the sector has always relied on volunteer directors — but the governance burden is not static. Regulatory requirements expand. Cyber security obligations increase. AI governance emerges as a new domain. Financial oversight becomes more complex as organisations diversify revenue streams. Each new governance obligation lands on the same volunteer directors who were already working at capacity.

46% of NFPs are profitable. 26% are loss-making. 44% have used reserves to fund operations. 42% have a reserves policy, up from 37% — a modest improvement, but still meaning 58% of organisations have no formal policy governing their financial buffer. In this environment, the idea that boards will hire governance professionals, purchase GRC tooling, or invest in governance infrastructure is not realistic. The budget is not there, and when it is there, it goes to service delivery because that is what mission-driven organisations prioritise.

The result is that NFP governance quality is a function of volunteer capacity. When volunteers have the time, expertise, and energy to give more, governance improves. When they don't — when they burn out, step down, or simply cannot give more hours to unpaid work — governance degrades. The governance capability of the sector is not built on systems. It is built on the generosity of individuals, and generosity is not an institutional capability.

Infrastructure vs Exhaustion

The AICD/Commonwealth Bank study describes a sector that is governing through effort. More hours. More meetings. More reviews. More discussion. The 81% improvement figure is real — directors genuinely believe things are better, and in many organisations they are right. But the mechanism of improvement is human effort, not institutional infrastructure, and human effort does not compound.

Governance by exhaustion has a predictable trajectory. It works until the people sustaining it can no longer sustain it. Board turnover increases. Institutional memory leaves with departing directors. New directors inherit obligations without context. The cycle restarts, but each time with less accumulated knowledge and the same expanding compliance surface.

Governance by design operates differently. Constraints are defined once and enforced automatically. Decisions are captured with their reasoning, so institutional memory persists regardless of board composition. Compliance evidence is generated as a byproduct of governance operating, not as a separate documentation exercise. The governance load does not scale with the number of regulations — it scales with the infrastructure's capacity, which improves over time rather than degrading.

46% of NFPs are profitable. The sector cannot afford enterprise GRC platforms priced for organisations with compliance departments. But it also cannot afford the liability of ungoverned AI adoption, unmonitored cyber risk, and board oversight that depends on CEO self-reporting. The gap between "enterprise governance tooling" and "nothing" is where most of the sector lives, and it is where governance infrastructure — priced for mission-driven organisations, operable without specialist staff, self-service from day one — becomes not a nice-to-have but a structural necessity.

The AICD data makes the case clearly. The sector's directors are committed, capable, and giving more than ever. The governance model they operate within is not giving them anything back. Until governance runs on infrastructure rather than volunteer hours, the improvement will always be temporary, always dependent on the next cohort of directors willing to give more of themselves than the role was designed to ask.
