Common gaps in risk management frameworks
To be successful in business means to have a purposeful and confident attitude to the future – whether that be continuing to serve vulnerable people, remaining insurable or being resilient. But this doesn’t just happen automatically.
The key is to take a consistent and effective approach to managing risk across the whole business – that’s what is known as Enterprise Risk Management (ERM).
Over the last 18 months, Ansvar has conducted Risk Health Checks and deeper dive Risk Maturity Quality Reviews for our clients across Australia. These equip boards, CEOs and senior managers with information on the effectiveness and capability of their risk frameworks, the suitability of their current approach, and opportunities for improvement.
Regardless of the sector you’re in, our reviews routinely found that audits against governance standards under the respective legislative frameworks were not picking up key gaps in enterprise risk management. Relying upon accreditation can create a false sense of security and may place clients at governance and insurability risk if it is relied upon for assurance.
Through our work with clients, we have identified six common gaps in risk management frameworks. By focusing on these areas of concern, clients can make a significant difference to their operational performance.
Gap 1: Risk frameworks not aligned to strategy
At its heart, ERM is about helping you achieve your objectives. Your framework should be assisting you to identify key risks to your strategy and the actions required to manage them. By managing these risks, you are more likely to improve performance, reduce harms and focus on what really matters to the community you serve.
Gap 2: Risk register is full of issues rather than emerging risks and opportunities
Too often we encounter risk registers that are in fact a list of issues or known problems. Addressing current business problems is still necessary but you might miss emerging risks or opportunities coming over the horizon. Nobody likes being caught off-guard and unprepared. Does your risk register help you make decisions about the future? It should.
Gap 3: Risk controls not adequately analysed
Risk is dynamic and can change over time. It is important to periodically assess how well your risk controls work and to identify the ‘key controls’ (the ones that make the most difference), as these require higher-priority focus. As people, processes and systems change, some controls may no longer be effective. For example, in home-based services using a traditional system, you may not know whether a staff member attended a job until you receive a complaint; by incorporating real-time software into your systems, you can be notified immediately if a staff member doesn’t sign in.
Gap 4: Overlooking the big risks
There are five big risks that should be on the radar of all clients:
- workforce (access to, attraction, retention, capability)
- governance (including care governance, where relevant)
- safeguarding to prevent abuse
- changing consumer-focused models of care
- financial sustainability
Gap 5: Lack of clarity with board structures and roles in ERM
Having a clear structure to govern the risk framework and having the appropriate capabilities and level of curiosity to monitor risks are critical facets of a successful business. Board committee and sub-committee charters are often too vague when it comes to clear roles and accountabilities with risk management and too focused on leaving it to ‘the Audit and Risk Committee’.
Gap 6: Risk culture is left off the agenda
Humans manage risk, yet so much of the risk consideration focuses on processes, spreadsheets and heat maps. The risk framework must support a positive risk culture, whereby awareness, attitudes and accountabilities regarding risk management are aligned. When is the last time you assessed your organisation’s culture for its influence on ERM?
Stephen Ratcliffe, Senior Risk Consultant – ERM