Risk Management

Will Holmes à Court
Guidelines for risk management across the organisation

Overview

Introduction
  • Risk management involves identifying and managing risks. These include various risks to HWH's operation, workers, and clients. 
  • Risks are inevitable, but risk management aims to reduce the chance of a client event happening. If it does happen, risk management helps to reduce its impact. 
  • Benefits of risk management can include:
    • reduced business downtime
    • reduced loss of cash flow
    • reduced injuries or illness to clients and workers
    • increased health and well-being of clients and workers
    • increased innovation, quality and efficiency through continuous improvement.
Identifying risks
Risk is the combination of the likelihood (chance) of an event occurring and the consequences (impact) if it does. Risk management aims to increase the likelihood and impact of a desirable outcome as much as possible. Risk identification is the process of finding, recognising and describing risks.

Risks
  • Unmanaged risk is the level of risk before any action has been taken to manage it.
  • Managed risk is the level of risk remaining after considering the effectiveness of current controls (e.g., training, management plans, or using personal protective equipment). It is the level of risk remaining after plans have been put in place and followed. 
Risk tolerance
Risk tolerance is an informed decision to accept a particular risk, with or without risk treatment, to achieve a goal.

Risk analysis
  • Risk analysis is understanding the nature, sources and causes of risks to determine the degree of risk. 
  • The degree and consequences of risk together inform risk evaluation and decisions about risk treatment.
Risk assessment
Risk assessment is the overall risk identification, analysis, and evaluation process.

Risk evaluation
Risk evaluation is the process of determining whether the risk is tolerable or whether it requires risk treatment.

Risk treatment
Risk treatment is the measures taken to change the level of risk. Possible treatment responses include:
  • avoiding the risk
  • removing the risk source
  • making decisions or taking actions that change the likelihood and/or the consequences
  • sharing the risk with another party
  • tolerating the risk by informed decision.
Applies to all
  • parts of the service
  • HWH representatives, including key managers, principals and home support workers
Related Items
  • NDIS (Provider Registration and Practice Standards) Rules 2018 (Cth)
  • NDIS - Risk Management Rules 2013 (Cth)
  • Home visit safety checklist
  • Medication risk mitigation form
  • Client Risk Assessment
  • Risk Management Plan
  • Risks Register

Policy

Client risk management
Identifying risks to clients is an important part of providing services. Identifying risks to clients and regularly reviewing those risks is an ongoing process. Regular reviews help ensure that risk management strategies are effective and adequately address identified risks.

With this in mind:
  • Risk assessments for new clients must be conducted during the onboarding process.
  • Risk assessments for existing clients must be conducted every 12 months or more often if there are changes in the client's needs.
  • Risk management plans for clients should be reviewed quarterly or more often if there are changes in client needs.
Strategic risk management
Risk management should consider strategic risks. This includes identifying and managing risks related to the service achieving its business objectives.

This may include risks to:
  • Funding—this might include donors, gifts and funding bodies
  • Mismanagement—risks to the company's reputation
  • Founders risk—where the Principals lack the required business and financial skills to run the service appropriately.
Strategic risk management strategies involve thorough research and planning.

Compliance risk management
Ensuring the organisation operates within the law carries its own compliance risks. These risks must be identified and assessed under a risk management framework. Examples of compliance risks may include:
  • unregistered and/or uninsured company vehicles
  • fulfilling reporting requirements to comply with legislation or funding agreements
  • key managers operating outside their authority
  • activities that are outside HWH's constitution.
Compliance risks must be eliminated, unlike other risks where elimination may not be possible. Strategies to prevent compliance risks include (among others):
  • a robust compliance culture
  • internal controls in areas of compliance
  • regular internal audits in areas of compliance.
Workforce risk management
Risk management should consider risks related to human resources, including:
  • unplanned exit or retirement of HWH's key managers
  • not having workers with the required knowledge and skills
  • industrial action and disputes or absenteeism
  • lack of diversity (gender, race, age, ability)
  • recruitment of workers and their retention or dismissal.
Strategies to manage or reduce human resources risks include:
  • robust leadership, a positive culture, and a values framework
  • succession planning for key roles
  • documenting critical information and key processes so others can continue to run the service
  • a comprehensive training program for new workers
  • training workers so that more than one person knows how to perform each task
  • a supervision and mentoring program for workers.
Special events risk management
Risk management is a required part of organising or participating in an event. The main risks at events include anything that could:
  • cause harm to another person
  • cause damage to equipment, infrastructure or the event site or
  • harm the future of the event organiser.
Risk assessments for events may require, where appropriate:
  • A risk assessment of the event site—including existing risks, risks caused by inclement weather, and risks from bodies of water
  • A risk assessment of the event, including all proposed activities, e.g. rides, vehicles and security
  • A risk assessment of all external risks, such as an evacuation—if so, are there any guests that may have higher risks?
An event organiser will require appropriate management plans to prevent, minimise, or manage identified risks.

Work Health and Safety risk management
Under WHS laws, key management personnel (or persons conducting a business or undertaking) must reasonably eliminate WHS risks. Risk management needs to consider Work Health and Safety (WHS) risks. Managing WHS risks is an ongoing process that should begin when:
  • starting a new business or purchasing a business
  • changing work practices, processes or work equipment
  • purchasing new or used equipment or using new substances
  • planning to improve productivity or reduce costs
  • responding to workplace incidents (even if they have caused no injury)
  • responding to concerns raised by workers or others at the workplace
  • required by the WHS regulations for specific purposes.
Identifying hazards involves finding things and situations that could cause harm to people, including workers. This includes the:
  • physical work environment
  • equipment, materials and substances used
  • work tasks and how they are performed
  • work design and management.
Common hazards include:
  • manual handling—when lifting or moving objects or people
  • gravity—fallen objects, falls, slips and trips of people
  • electricity—shock, fire, burns or electrocution
  • machinery and equipment—hit by a moving vehicle or caught by moving parts of machinery
  • hazardous chemicals—chemicals, dust
  • extreme temperatures—heat stroke, burns, fatigue, hypothermia
  • noise—permanent hearing loss
  • radiation—microwaves, lasers
  • biological—infection, allergies
  • psychosocial hazards—stress, bullying, violence, fatigue.
Finding hazards involves:
  • workplace inspections
  • consulting workers
  • training workers to report hazards and risks
  • reviewing incident reports and complaint registers.
WHS risk assessments should be carried out if:
  • there is uncertainty about how a hazard may cause an injury or illness
  • the work involves many different hazards, and it is unclear how these hazards may interact to produce new or greater risks
  • there are changes in the workplace that may impact control measures.
Once a WHS hazard or risk is identified and assessed, managing the risk may involve:
  • elimination—where possible, a WHS risk should be eliminated
  • substitution—replacement with less hazardous options
  • isolation—if elimination or substitution is not possible, isolate the hazard so workers cannot come into contact with it
  • control—where elimination, substitution or isolation is impossible, use controls such as safe work practices and personal protective equipment.
Fraud risk management
In this context, "worker" means any HWH representative, including key management personnel, directors, employees, contractors and volunteers.

Risk management should cover the risk of fraud. This includes:
  • Internal fraud—fraud that is carried out within HWH, such as when workers: 
    • steal money or assets that belong to HWH 
    • steal cash donations that belong to HWH 
    • claim non-existent or excessive purchase orders to obtain payment for goods and services that are not supplied 
    • submit false applications for grants or other benefits 
    • create non-existent beneficiaries or employees to direct unauthorised payments 
  • External fraud—scams and fraud initiated externally from HWH, such as when an external actor: 
    • submits false invoices to HWH
    • steals identities to obtain credit card or bank account details 
    • uses a charity's name to obtain funds fraudulently, e.g. a fraudulent fundraising appeal 
    • makes phone calls or sends text messages or emails that pose as another organisation to obtain funds fraudulently.
The likelihood of fraud can be reduced by:
  • having a strong ethical culture with clear commitments to integrity and ethical values
  • strategies to protect the organisation from fraud rather than just accepting the risk.
There are three accepted ways to mitigate the risk of fraud:
  • prevention—controls designed to reduce the risk
  • detection—controls designed to uncover risk when it occurs
  • response—controls designed to facilitate corrective action and harm minimisation.
Prevention controls can include:
  • fraud risk assessments
  • conflict of interest policy
  • strong internal controls
  • screening for new workers
  • effective supervisory processes
  • due diligence checks on suppliers and contractors
  • worker training to increase awareness of ethics and risk management strategies
  • support programs for workers
  • independent audits.
Detection controls can include:
  • continuous internal monitoring and auditing of processes
  • allocation of resources for fraud detection
  • fraud detection software to provide real-time data monitoring and analysis
  • mechanisms to report fraud while protecting the whistleblower
  • unannounced financial and asset audits
  • fraud testing.
Response controls include an internal investigation team and a fraud response plan.

Financial risk management
Risk management should include managing risks to finances such as:
  • liquidity risk—not enough funds to pay debts
  • interest rates—when there is a dependence on borrowed funds or income generated from interest-bearing deposits
  • credit risk—when goods and services are sold on credit
  • risks from competitors—competition can impact market share
  • risks from the market or economy—changing trends, impacts from an economic downturn
  • unexpected exit of the business owner or partner—in the case of death or incapacitation.
Risk management strategies include:
  • having the right insurance
  • backup plans if things go wrong
  • researching market trends.
Key personnel succession risk management
Risks to the service which relate to key personnel should be considered.

A succession plan is one way to minimise the impact of one or more unplanned absences of key personnel.
