Good risk management is critical to business success and an essential skill for people from the Board down to frontline staff to master. It is also one of those topics that, in my experience, switches many people off or elicits groans or yawns from the audience, even if they are not audible/visible! Why is it that many people find risk management hard, or difficult to engage with? An article in the Harvard Business Review (2014) provides some good suggestions, including that many people are naturally optimistic and not keen on focusing effort or expending time and resources on what could happen in the future, particularly when things are going right, right now! It’s easy to feel that taking people away from the job of doing – be that delivering care, providing a service, developing a product, managing a team etc. – to prepare for uncertainty and if/when things go wrong, is not a great investment. Risk management is not typically an income-generating activity, yet it can certainly save your organisation from substantial unbudgeted expenditure (read: financial penalties, legal costs, compensation; never mind the losses arising from damage to people, property and reputation)!
Approach to risk
Risk management is about considering and preparing for the unknown and uncertainty. This means it’s not only about things that could cause harm to the organisation, but also opportunities. However, the connotations of risk are often negative or glass half empty. As a result, an organisation’s approach to risk typically falls along a spectrum ranging from one that is risk blind/risk denying to one that is overly risk averse and over-reactive to risk, with its own negative impact on culture and quality. We want to hit the sweet spot of enterprise risk management with a clearly defined risk appetite that embraces opportunity, enables innovation and supports achievement of the organisation’s objectives with a healthy consideration and management of things that could go wrong or undermine the achievement of these objectives (Audit Office of NSW, 2018).
A big consideration for aged care organisations under the new Quality Standards is how to manage risk, including high impact and high prevalence risks, and dignity of risk. In both instances, it is a case of understanding the individual, speaking with them in their language about the risks and working with them and their representatives to identify appropriate controls. To give an example from my personal life: I have a pretty high tolerance for risk, particularly in raising children. I believe that the best understanding and learning is achieved through practical experience and application. It’s by trying to eat the blueberry that the baby learns how to swallow and not choke, it’s only by attempting the stairs that the baby learns how to climb. But I manage the risk of harm or injury through demonstration, close supervision, and good first aid knowledge!
In organisations, this sort of exercise commonly results in a risk register that:
Identifies risks and controls.
Assesses risk on a matrix of likelihood and severity pre- (inherent risk) and post-implementation of controls (residual risk).
Requires regular review to determine if the risks have changed and the controls are effective.
Although risk registers are incredibly common at both a governance and operational or project level, I am not sure they inspire lively discussion – except to argue if the correct rating/colour coding has been applied! – or are that effective. In fact, I think some risk registers undermine enterprise risk management because the allocation of ownership/responsibility can result in silos and a disintegrated response to risk. For example, consider privacy and data management/breach. This may be given to the CIO to “own” as the major risk is in cyber-attacks, but the responsibility for ensuring appropriate data management and identification of potential breaches rests with everyone in the organisation.
Can risk management be effective and fun?
What are some steps an organisation can take to turn risk management into a lively, practical and potentially enjoyable exercise, and away from bland risk registers that are unexciting for most people and uninterpretable for those who are colour blind?!
Here are my thoughts:
As suggested by AS ISO 31000:2018, take the time to consider and assess the organisation’s culture in respect to risk and its risk appetite. This is not just what the Board and Executive say, but also how it’s interpreted on the ground and at the frontline. This will be influenced by the internal context but also the external. Face head on any potential clashes between where you want to go with risk and where the organisation and workforce are currently at – we want to acknowledge the elephant in the room, which in the current environment will be consumer expectations, the media and the Royal Commission!
Be crystal clear about your purpose and objectives and make sure these are communicated before commencing any risk management exercise. This will make it easier to agree a risk appetite and assess risk accordingly.
Brainstorm with a range of stakeholders from across the organisation and client base what they think the key risks are to the achievement of the organisation’s purpose or objectives. You may wish to help generate ideas by considering categories such as: workforce/HR, legal, financial, data management/IT, environmental.
Role play scenarios and practise mock responses to major organisational risks e.g. data breach, serious workplace injury, significant loss of revenue, criminal or dangerous act, emergency requiring evacuation, infectious outbreak, mass resignation of staff etc.
Review case studies and major incidents that have happened in other organisations: discuss what you think went wrong and how to guard against this in your own organisation, like a journal club.
Encourage and enable early identification of risks and hazards:
Research and engage with other organisations, the government and regulator (e.g. Commission and SafeWork). Understand what’s happening in the wider sector and how other sectors manage similar risks and hazards.
Continuously consult and support two-way communication with and between frontline staff, management, community and visitors. Understand what people are concerned about and obtain their thoughts on how the organisation should respond.
Regularly observe and inspect the environment and relationships where the work is done. This is not just about identifying obvious hazards and inspecting equipment, but observing work practices and interactions between staff, managers, consumers and visitors.
Hopefully this article offers some practical suggestions on developing your organisation’s approach to risk. What are some other challenges in identifying and assessing risk? Do you think risk management is effectively integrated into decision-making at all levels of the organisation? How do you balance risk management with providing person-centred care and dignity of risk? If you need help developing your approach, please get in touch!
AS ISO 31000:2018, Risk management – Guidelines. Available at: http://www.standards.org.au/.
Audit Office of NSW. (2018). Managing risks in the NSW public sector: risk culture and capability. Available at: https://www.audit.nsw.gov.au/our-work/reports/managing-risks-in-the-nsw-public-sector-risk-culture-and-capability.
Aged Care Quality and Safety Commission. (2019). Guidance and resources for providers to support the Aged Care Quality Standards. Available at: https://www.agedcarequality.gov.au/providers/standards.
Pillay, S. (2014). 3 Reasons You Underestimate Risk. Harvard Business Review. Available at: https://hbr.org/2014/07/3-reasons-you-underestimate-risk.