Six common gaps in risk management frameworks
Australians want our aged care sector to thrive. A sustainable, effective, professional, well-run industry means older Australians benefit from quality care – something we may all need, someday.
To be successful in business means to have a purposeful and confident attitude to the future, in order to continue to serve the vulnerable, to remain insurable and to be resilient. But this doesn’t just happen automatically.
The key is to take a consistent and effective way to managing risk across the whole business – that’s what is known as Enterprise Risk Management (ERM).
Over the last 18 months, Ansvar has conducted Risk Health Checks and deeper dive Risk Maturity Quality Reviews for aged care providers across Australia. These equip boards, CEOs and senior managers with information on the effectiveness and capability of their risk frameworks, the suitability of their current approach, and opportunities for improvement.
Our reviews routinely find Standard 8 audit assessments are not picking up key gaps in enterprise risk management, which can place providers at governance and insurability risk if relied upon for assurance.
Through our work with aged care providers, we have identified six common gaps in risk management frameworks. By focusing on these areas of concern, providers can make a significant difference to their operational performance.
Gap 1: Risk frameworks not aligned to strategy
At its heart, ERM is about helping you achieve your objectives. Your framework should be assisting you to identify key risks to your strategy and the actions required to manage them. By managing these risks, you are more likely to improve performance, reduce harms and focus on what really matters to the community you serve.
Gap 2: Risk register is full of issues rather than emerging risks and opportunities
Too often we encounter risk registers that are in fact a list of issues or known problems. Addressing current business problems is still necessary but you might miss emerging risks or opportunities coming over the horizon. Nobody likes being caught off-guard and unprepared. Does your risk register help you make decisions about the future? It should.
Gap 3: Risks controls not adequately analysed
Risk is dynamic and can change over time. It is important to periodically assess how well your risk controls work and to identify the ‘key controls’ (the ones that make the most difference) as these require higher priority focus. As people, processes and systems change, some controls may no longer be effective. For example, in home care, using a traditional system you may not know if a staff member attended their job, until you receive a complaint, but by incorporating real-time software into your systems, you can be notified immediately if a staff member doesn’t sign in.
Gap 4: Overlooking the big risks
There are five big risks that should be on the radar of all aged care providers:
- governance, including clinical governance
- safeguarding from abuse
- consumer-focused models of care
- financial sustainability.
Gap 5: Lack of clarity with board structures and roles in ERM
Having a clear structure to govern the risk framework and having the appropriate capabilities and level of curiosity to monitor risks are critical facets of a successful business. Board committee and sub-committee charters are often too vague when it comes to clear roles and accountabilities with risk management and too focused on leaving it to ‘the Audit and Risk Committee’.
Gap 6: Risk culture is left off the agenda
Humans manage risk, yet so much of the risk consideration focuses on processes, spreadsheets and heat maps. The risk framework must support a positive risk culture, whereby awareness, attitudes and accountabilities regarding risk management are aligned. When is the last time you assessed your organisation’s culture for its influence on ERM?
Stephen Ratcliffe, Senior Enterprise Risk Management Consultant at Ansvar Insurance