Strengthening Your Risk Framework

Australia’s care sectors (aged care, child care, disability services) are all in the midst of major change.  Royal Commissions, system-wide reforms and significant abuse findings have led to legislative changes and greater responsibility and accountability for Boards & Directors of care services.  All these changes create uncertainty, and uncertainty can give rise to strategic risk.

For the care sector, keeping vulnerable people safe, managing significant workforce and financial risks and remaining insurable are key concerns for Boards and Directors.  But how can organisations strengthen their Enterprise Risk Framework to add value and create confidence rather than be a list of ‘stuff’ to be managed?

For the last five years Ansvar’s Risk Solutions team has provided complimentary risk consultancy services for its clients.  Ansvar has identified four key themes to help grow the risk maturity of care organisations: Risk Governance, Risk Processes, Risk Resources and Effective Implementation of risk frameworks. Self-reflection questions are provided for each theme.

1) Risk Governance

This refers to the risk structures in the organisation, accountabilities and delegations with respect to risk and the design and implementation of an Enterprise Risk Management Framework.

Consider:

• Is risk management aligned with uncertainties to achieving business strategy?
• Do you have the right skill mix on your Board to govern risks to complex care and safeguarding to prevent abuse?
• Do the structures in your organisation enable information flow to the Board and support informed decision making?
• Has the organisation set a risk appetite for higher-risk decisions such as significant projects, major expenditure or acquisition/sale of assets?
• Does the Board review its Enterprise Risk Management Framework and have a plan for its continuous improvement?

2) Risk Processes

A Risk Management Framework is brought to life through risk procedures.  A risk procedure should define how the organisation identifies, assesses and treats risk. As well as how the outcomes of risk assessments should be recorded, reported, monitored and communicated.  It should include reflection on incident management records to provides intelligence about the efficacy of risk controls

Consider:

• Do you have clear processes to help staff understand how to assess a risk?
• Do your risk assessments consider the effectiveness of current controls?
• Does your risk reporting link to measurable data to strengthen the confidence in your risk management activities?
• Does your risk register direct Board attention to the risks that matter most to help prioritise allocation of finite resources?

3) Risk Resources

This refers to an organisation’s staffing resources to manage risk, training and capability within the organisation and at Board level and IT systems or practices to support risk reporting and monitoring

Consider:

• Do you have adequate resources and capabilities within the organisation to ensure the Risk Management Framework operates effectively?
• Does Board orientation include information about strategy, enterprise risk management, care governance and the roles and responsibilities of Directors?
• Where capability gaps may exist, do you support training to build the skills and competence required to manage risk?
• Do you have organisation-wide risk management information systems that are integrated and support risk data aggregation and transparent reporting?

Effective Implementation

Frameworks and procedures are just a piece of paper if not implemented.  Often failures in risk management are as a result of poorly implemented frameworks or committees not undertaking their full scope of duties per their Terms of Reference.

Consider:

• Have you completed a gap analysis of your Risk Management Framework and Audit and Risk Committee terms of reference to see if all the described duties and practices are actually in place?
• Is there a staged plan to implement any outstanding actions? Is it reviewed regularly at Board?

Written by:

Stephen Ratcliffe, Senior Risk Consultant – ERM