TL;DR:
- A governance gap analysis compares an organization's practices against standards to find missing or ineffective controls. It results in a risk-prioritized remediation plan rather than a simple report card. Regular updates and leadership involvement ensure continuous governance improvement and compliance.
The governance gap analysis process is a structured method for comparing your organisation's current governance practices against applicable standards to identify missing, partial, or ineffective controls. For Australian non-profits, this means testing your practices against the ACNC Governance Standards, relevant sector frameworks, and any applicable legislation. The output is not a report card. It is a gap register with severity scores and a remediation plan prioritised by risk. Done well, it shifts your board from reactive compliance to deliberate governance improvement.
What does the governance gap analysis process actually cover?
The first decision in any governance assessment framework is defining your governance universe. That means listing every standard, law, and framework your organisation must meet before you test anything.

For most Australian charities, the ACNC Governance Standards form the core. They cover five areas: purposes and values, governance, accountability, financial management, and operations. Each area carries specific evidence expectations, not just policy documents. The ACNC expects to see minute quality and board meeting records that demonstrate active governance, not passive attendance.
Beyond the ACNC, your governance universe may include:
- NDIS Practice Standards and the NDIS Commission's governance and operational management requirements
- Aged Care Quality Standards (Strengthened) and the governance obligations under the Aged Care Act
- National Principles for Child Safe Organisations where your work involves children
- HSQF (QLD only) for Queensland-funded community services
- Applicable corporations law under the ACNC Act, Corporations Act, or state-based associations legislation
- Related-party transaction controls and financial delegations
Multi-entity charity groups face an additional layer. Each legal entity must be treated separately in the gap analysis, with entity-specific oversight and documentation. Shared staff and resources can blur accountability unless the evidence trail remains entity-specific. This is where many complex charity structures carry unrecognised compliance risk.
Defining your governance universe converts vague governance concerns into specific, testable requirements. That specificity is what makes remediation decisions defensible.

How do you map existing policies against governance requirements?
Mapping is the analytical core of the gap analysis methodology. The goal is a cross-walk document that aligns every governance requirement to the controls and evidence your organisation currently has in place.
A practical cross-walk works through these steps:
- List every requirement from your governance universe, clause by clause.
- Identify the corresponding control for each requirement. This might be a policy, a board charter, a delegations register, or a standing agenda item.
- Locate the evidence that the control operates in practice. A policy document is not evidence of operation. Board minutes, conflict disclosures, and decision records are.
- Record the gap where evidence is absent, partial, or inconsistent with the requirement.
- Note the gap type: missing control, undocumented control, or control that exists on paper but is not executed.
The distinction between documented policies and operational practice is where most governance reviews for non-profits find their most significant findings. A conflicts of interest policy sitting in a folder is not the same as a conflicts register with entries, disclosures, and handling decisions recorded in minutes.
Evidence gathering techniques include structured interviews with board members and executives, review of the last 12 months of board and committee minutes, testing of financial delegations against actual approval records, and review of contracts with related parties.
Pro Tip: When interviewing board members, ask them to describe how a specific governance process works without prompting. The gap between their description and your documented procedure is often more revealing than any document review.
Evidence gaps occur when policies exist on paper but controls are not executed in practice. Remediation efforts should focus on practice-related controls such as board oversight cadence and documentation trails, not on rewriting policies that nobody follows.
How do you score gaps and build a remediation plan?
Scoring turns a list of gaps into a prioritised workplan. Without scoring, every gap looks equally urgent and nothing gets fixed.
Assess each gap against two criteria:
- Likelihood: How probable is it that this gap will result in a compliance breach or adverse event? Consider the frequency of the relevant activity and the maturity of existing controls.
- Impact: What is the consequence if this gap is not addressed? Consider regulatory sanction, funding risk, reputational damage, and harm to the people your organisation works with.
Multiply likelihood by impact to produce a risk score. High-scoring gaps go to the top of the remediation roadmap. Low-scoring gaps may be scheduled for a later phase or accepted with documented rationale.
A well-structured remediation plan includes:
- The specific gap and the requirement it relates to
- The remediation action required
- The owner responsible for completing the action
- A deadline that is realistic but firm
- The resources or approvals needed
Governance gap analyses often produce a 12–24 month compliance roadmap prioritised by risk and remediation urgency. That timeframe helps executives decide between short fixes and longer-term governance uplift. Regular review maintains momentum and verifies control effectiveness as regulations evolve.
| Gap severity | Remediation timeframe | Ownership |
|---|---|---|
| Critical (high likelihood, high impact) | Within 30 days | CEO or Board Chair |
| High (high likelihood, moderate impact) | Within 90 days | Relevant executive |
| Moderate (moderate likelihood, moderate impact) | Within 6 months | Operational manager |
| Low (low likelihood, low impact) | Within 12–24 months | Scheduled review cycle |
What evidence should Australian NFPs focus on during a gap analysis?
Certain governance records carry disproportionate weight in any compliance analysis process. Getting these right signals genuine governance maturity, not just administrative compliance.
Board minutes are the single most scrutinised document in an ACNC review. The ACNC expects minutes to record meeting details, quorum, conflict disclosures, and decision rationales. A minute that records only decisions, without recording who declared a conflict or why a particular course of action was chosen, is an evidence gap.
The table below contrasts what organisations typically have against what regulators actually look for:
| What organisations often have | What regulators look for |
|---|---|
| A conflicts of interest policy | A conflicts register with dated entries and handling decisions |
| Minutes recording decisions | Minutes recording quorum, conflicts declared, and decision rationale |
| A single board for multiple entities | Separate board meetings and minutes for each legal entity |
| Financial reports tabled at board | Evidence the board questioned, challenged, and approved reports |
| A risk register | Evidence the board reviewed and acted on risk register items |
For multi-entity charities, each legal entity requires its own board meetings, its own minutes, and its own oversight of inter-entity transactions. One board meeting covering multiple entities does not satisfy the ACNC's expectations for separate governance.
Pro Tip: Build a governance documentation checklist that maps each ACNC Governance Standard to the specific document and recorded activity that evidences it. Review this checklist quarterly, not just before an audit.
Key takeaways
A governance gap analysis is only as useful as the remediation it drives. Without scored gaps, assigned owners, and firm deadlines, findings sit in a report and nothing changes.
| Point | Details |
|---|---|
| Define your governance universe first | List every applicable standard and law before testing any controls. |
| Map requirements to operational evidence | A policy document is not evidence. Board minutes, registers, and decision records are. |
| Score gaps by likelihood and impact | Prioritise high-risk gaps for remediation within 30–90 days. |
| Treat each legal entity separately | Multi-entity charities need entity-specific minutes, meetings, and oversight records. |
| Build a remediation roadmap with owners | Assign each gap a responsible person, a deadline, and the resources needed to close it. |
What I have learned from running governance gap analyses
The most common mistake I see is treating a governance gap analysis as a one-off audit rather than a management tool. Boards commission a review, receive a report, and then move on. Twelve months later, the same gaps reappear because nobody embedded the findings into how the organisation actually works.
Good governance is forward-looking, grounded in values, and assessed through diagnostic questions about current practice, not just document existence. The organisations I have worked with that get the most from a gap analysis are the ones where the CEO and board chair treat the gap register as a standing agenda item, not a project to be closed.
Securing leadership buy-in before the analysis begins is not optional. If the board sees the process as an external imposition, the findings will be contested and remediation will stall. When the board commissions the analysis itself and owns the remediation roadmap, the outcomes are materially different. I have seen organisations move from significant compliance exposure to a position of genuine governance confidence within 18 months, simply by maintaining that ownership and reviewing progress quarterly.
The compliance vs governance distinction matters here. Compliance asks whether you have met the minimum requirement. Governance asks whether your practices actually protect the organisation and the people it works with. A gap analysis that only answers the first question is leaving value on the table.
— Rachel
Working with The Planning and Practice Hub on governance gap analysis
Non-profit leaders often know their governance has gaps. The harder question is knowing which gaps carry the most risk and what to do about them first.

The Planning and Practice Hub works with Australian human services non-profits to define their governance universe, map requirements to current controls, test evidence quality, and build remediation roadmaps that boards can actually implement. Rachel Willis brings close to three decades of sector experience to this work, which means the analysis reflects the real regulatory environment your organisation operates in, not a generic compliance checklist. If your board is ready to move from identifying concerns to closing them, governance consulting support is available for organisations across NDIS, aged care, child safe, and community services.
FAQ
What is a governance gap analysis?
A governance gap analysis is a structured comparison of your organisation's current governance practices against applicable standards to identify missing, partial, or ineffective controls. The output is a gap register with risk scores and a prioritised remediation plan.
Which standards apply to Australian charity governance gap analysis?
Australian charities must test against the ACNC Governance Standards as a baseline. Depending on sector, additional frameworks include the NDIS Practice Standards, Aged Care Quality Standards (Strengthened), National Principles for Child Safe Organisations, and HSQF (QLD only).
How long does a governance gap analysis take to complete?
The analysis itself typically takes four to eight weeks depending on organisational complexity. The resulting remediation roadmap commonly spans 12–24 months, prioritised by gap severity and compliance urgency.
What is the difference between a gap analysis and a governance audit?
A governance audit tests whether controls exist and were applied at a point in time. A gap analysis goes further by scoring gaps by risk, assigning remediation ownership, and producing a forward-looking improvement plan.
How often should a non-profit conduct a governance gap analysis?
A full gap analysis should be conducted at least every two years, or following a significant regulatory change, a change in organisational structure, or a compliance incident. High-risk gaps identified in the analysis should be reviewed quarterly until closed.
