• A focus on regulatory compliance in the aged care sector is necessarily a major priority.
• However, an overemphasis on compliance can lead organisations to miss opportunities and risks in other areas of the business.
• An enterprise risk management approach provides a basis for continuous incremental improvements.
Organisations which operate in industries that are highly regulated naturally place a heavy emphasis on compliance. These industries typically are those where failure can have significant impacts on human health, financial well-being and the environment. Thus, industries such as financial services, aged care, mining, airlines and power generation are heavily regulated. Consequences for noncompliance can be major, including operators losing their license and incurring major financial and reputational damage.
However, such a heavy emphasis on compliance can lead organisations to habitually overlook or even ignore opportunities and risks in other areas of the business, where a more whole-of-enterprise and risk-seeking approach may be in the interests of the organisation. McLaughlin and Sherouse [1] noted this phenomenon when they observed that entrepreneurialism was often suppressed in organisations that were subject to an intense level of regulation.
So how do organisations get the right balance between risk and reward in order to both protect and create value? An enterprise risk management (ERM) approach, when properly designed and implemented, can provide guidance for enhanced decision-making at all levels of an organisation. The genesis for such guidance is clearly at board level as primary responsibility for oversight of risk sits squarely with directors of the organisation.
What is enterprise risk management?
ERM is a comprehensive approach to managing risk across the whole organisation which involves identifying and treating risks which can influence the achievement of objectives.
ISO 31000 [2] defines risk as the ‘effect of uncertainty on objectives … [and risk management as] a coordinated set of activities and methods that is used to direct an organisation and to control the many risks that can affect its ability to achieve objectives’.
The ‘effect’ on objectives is a positive or negative deviation from what is expected. This deviation can be caused by a particular event or by general conditions, which include environmental factors such as the state of the market and the economy.
ERM includes all risks to organisational objectives at various levels within the organisation, including strategic, operational, regulatory, financial and reputational. As an example, a strategic objective at the executive level may be to achieve a certain percentage of market share based on number of residential clients, whereas at an operational level this may translate to an objective of a certain occupancy rate for a particular region or location.
A winning strategy in aged care
In the aged care sector, focus on regulatory compliance is rightly a major priority, particularly in the area of clinical care. However, managing risks such as regulatory and business interruption risks is about protecting existing value, meaning that successful management of these types of risks results in ‘staying in business’. There is no unique competitive advantage in complying with regulations, only downside if it is not done well. For this reason most boards will have a low appetite for exposing the organisation to compliance risks.
At the other end of the spectrum are strategic risks, where the appetite of boards for risk could be high subject to the opportunity or rewards on offer. Given the shift to consumer directed care (CDC) that is currently taking place in home care and the changes still to come in residential aged care (RAC), stakeholders will be faced with opportunities and risks.
In the case of providers, this will potentially be a competitive game changer, particularly the changes to be implemented in RAC: deregulation exposes large and long-term investments in bricks and mortar to an increasingly discerning client base. A downward shift in occupancy and/or prices could have significant consequences for the bottom line. On the other hand, those organisations that can identify opportunities for new and improved services and more efficient operational models will stand to gain from the changes.
There is no better home for a risk management approach than in evaluating strategic options and crafting a winning strategy.
Designing and implementing a winning ERM framework
There are a number of factors to be considered when designing and implementing an ERM framework including:
1. Development of the organisation’s risk appetite. This is crafted by the board and typically involves input of senior executives.
The COSO [3] Risk Management Standard describes risk appetite as the ‘amount of risk, on a broad level, an organisation is willing to accept in pursuit of value.’
In establishing and documenting the risk appetite of an organisation, both internal and external factors need to be taken into account. These may include the organisation’s core values, culture and capabilities, regulatory environment and competitive positioning.
The risk appetite sets the scene regarding what risks are acceptable and which are not.
The risk appetite provides management with a high-level perspective of acceptable risk taking that is to be taken into account when developing the risk policy and procedures.
2. Tone at the top. As with any new management initiative, it is important that senior executives send clear and consistent messages to all employees that ERM is important to the future success of the organisation. This needs to be supported by changes to the existing system of management (see also point 3 below) and, where appropriate, by investments to mitigate risk identified through a robust risk assessment process.
3. Embedding risk into the system of management. ERM is not a separate management process that sits outside the existing system of management. It must be embedded into existing policies, processes and reporting. The danger in not doing so is that ERM is seen by management as a ‘tick the box’ approach that represents an additional workload rather than an integrated way of managing the business. Unfortunately, this type of approach usually adds little or no value but is nevertheless sometimes used by organisations to proclaim to their stakeholders that an ERM is in place, with the inference being that it must be effective. The reality can be very different, and such proclamations are at best born of ignorance and at worst represent an exercise in appeasement rather than making real change, including enhancing the decision-making process to optimise organisational performance.
4. Focus on material risks. There are risks in every business activity. The objective in establishing an effective risk framework is not to avoid all risks, but rather to establish risk assessment criteria that identify material risks (to the achievement of objectives), which are then treated in accordance with those criteria. Those risks that are assessed as minor or within tolerance require no further action. In contrast, those risks that are assessed as exceeding tolerance are subject to further evaluation and, where possible and practical, further mitigation to reduce the level of residual risk. On the other hand, if it is not feasible to reduce the risk to within tolerance and the board and executive management are not comfortable with accepting such a level of risk, there are other options that can be considered to reduce risk. These include re-calibration of objectives or of the actions for achieving them, transferring the risk or even avoiding the risk if this is feasible.
5. Fit for purpose. There are a number of internal and external factors that must be considered when designing a risk solution that will actually assist organisational performance. One approach is to make an assessment of the organisation’s existing level of risk maturity. Risk maturity can be measured on a number of dimensions, including the level of capability in areas such as strategy and governance, process, and monitoring and review. There are a number of risk maturity models available which can provide guidance for conducting this risk maturity assessment. One example is the Assessment of Risk Management Maturity and Toolkit published by the Audit Office of NSW [4]. This model applies a maturity scale for five areas of competence to provide a picture of overall risk maturity. This in turn provides valuable input regarding the initial construction of the risk solution and the manner of implementation.
As an example, an organisation with little in the way of formal policies and procedures, lacking well-defined processes and with minimal experience of a formal risk approach, would generally lend itself to a simple design and a staged implementation approach. It is not a case of ‘one size fits all’.
6. ERM is an ongoing activity. Monitoring existing material risks and being alert to new emerging risks is an ongoing activity. This reality is hardly surprising given that the process of managing an organisation is an organic and continuous process. In addition, the risk framework itself requires annual, or more frequent, review if there are significant internal or external changes, to ensure that it continues to serve the needs of the organisation.
ERM and aged care
As all aged care providers will understand, their organisations face a number of major risks due to the changing and more demanding expectations of stakeholders. Consumer expectations are increasing in terms of the standard of accommodation and the number and quality of services, and under the CDC model these consumers will increasingly be seeking value for money. Governments are seeking to control spending on aged care as they seek to move towards balancing their budgets. Investors are likely to seek greater financial returns if they perceive there is greater uncertainty due to market deregulation.
While ERM is not a silver bullet for providers to solve all these challenges, it does provide a disciplined framework for robust discussions and decision-making at all levels of the organisation. In addition, it provides a basis for continuous incremental improvements arising from the ongoing identification of, and appropriate response to, current and emerging risks within the organisation’s business.
In a rapidly changing market environment, aged care providers are faced with developing new ways of competing if they are to survive, prosper and deliver on their mission. An effective risk management approach will be essential in crafting new ways of doing business.
Many providers in the sector will not have the internal resources, appropriate expertise and experience to design and implement an effective risk framework. This is not necessarily a reflection on management but rather the reality that having permanent specialist management resources on the books will not always be feasible. If organisations attempt to ‘go it alone’ in designing and implementing their own ERM solution, it may well result in wasting valuable and finite internal resources and culminate in a solution that provides limited value to the decision-making process. An alternative is to seek specialised external assistance to kick-start and guide the process, because going it alone is fraught with danger and doing nothing is not a viable option.
John Pounder can be contacted on 0414 472 473 or by email at email@example.com.
1. Patrick McLaughlin and Oliver Sherouse, The McLaughlin-Sherouse List: The 10 Most Regulated Industries in 2014, 21 January 2016, www.mercatus.org/publication/mclaughlin-sherouse-list-10-most-regulatedindustries-2014.
2. The International Organisation for Standardisation (ISO), ISO 31000:2009 Risk Management – Principles and Guidelines, November 2011.
3. The Committee of Sponsoring Organizations of the Treadway Commission, COSO Enterprise Risk Management – Integrated Framework, September 2004.
4. Audit Office of New South Wales, Assessment of Risk Management Maturity and Toolkit, September 2015.
This article was first published in Governance Directions, the journal of the Governance Institute of Australia, in the October 2017 edition (5/10/2017).