Effective risk management and issue resolution in aged care

A guide to resetting risk and governance in aged care

The final report handed down by the Royal Commission into Aged Care Quality and Safety (aged care royal commission) calls on providers to uplift their management and oversight of risk. Two important recommendations are: 

  • Establish effective risk management: providers must put in place effective risk management practices addressing care, financial and other enterprise risks (in particular, ensuring continuity of care if a contractor defaults) (R90(e))

  • Annual attestation by the board: The Board is to attest it is satisfied the provider has in place the structures, systems and processes to deliver safe and high quality care to customers, on an annual basis (R90(f))

This is chapter 3 in our step-by-step guide to ‘get the basics right’ when it comes to aged care governance and risk management. Chapter 1 focussed on understanding how the risk and governance bar is lifting, while chapter 2 considers the basics of good governance in aged care. In this chapter, we lead you through the elements of good risk management practices, reflecting better practice of Australian business and illustrating what is needed across the aged care sector.

These requirements will be contained in an updated governance standard for aged care providers, which will be issued by the Australian Commission on Safety & Quality in Health and Aged Care as part of the response to the recommendations of the aged care royal commission. While the detail of the new standard is not yet available, the recommendations provide a clear instruction to providers on the need to uplift risk practices in anticipation of the change to Standard 8. 

The elements of good risk management practices are outlined below, providing a practical guide to strengthen your own practices to prepare for the new standard.

Effective risk management

Effective risk management always starts at the top, with the board setting a strong tone on risk. This should be cascaded and communicated throughout the organisation, with the board able to hear an ‘echo’ from the front line reflecting a clear understanding of organisational risk management. This creates a connected, inclusive and holistic approach to risk management across the entire organisation. 

There are eight leading risk practices we see consistently adopted by leading healthcare and other organisations:

Risk appetite statement

A statement on the level of risk that will be accepted in the delivery of the services. Flags are raised when risk measures are nearing (trigger) or at/over appetite (breach).

Risk management strategy

A documented framework for managing risk, using an ‘identify, detect and respond’ risk cycle. It covers risk governance, roles, material risks and identification of the same, and the system of policies, procedures and tools to manage them.

Quality assurance

Defined roles, responsibilities and activities to provide checks and balances in the way risk is managed.

Risk culture

Good risk and consumer outcomes require a strong risk culture. The ability for consumers, families and staff to provide ‘no blame feedback’ and encourage a ‘speak up culture’ should be prioritised.

Risk reporting

Programmed reporting to the board and the leadership team enables them to monitor and supervise risk and take necessary actions to mitigate or prevent loss or harm.

Accountabilities and consequences

Clear expectations are set for conduct and on individual accountabilities for risk. A robust system of consequence management is in place to reinforce this.


Incident management

A rigorous incident management system is in place, supported by policy and procedure, education and training for reporting, investigating, responding and learning from incidents.

Risk response

A risk matrix tool is used to identify and assess events/factors, based on probability and impact, and to develop risk response strategies.

Other important risk practices 

There are other risk practices vital to delivering good risk outcomes, in addition to those described above:

  • Voice of risk: risk has a strong voice in leadership deliberations and decision making 
  • Systems: employees enter risks and incidents into a centralised system from which trend analysis can be undertaken and reported to management and the board
  • Capability: there is training for risk and incident competency and capability 
  • Prioritisation: investment is balanced across consumer, financial and risk outcomes 
  • Continuous improvement: based on the sharing of lessons learned from near misses and incidents, and with an eye to new and emerging risks coming over the horizon. This also feeds into the organisational continuous improvement required for compliance with the aged care quality and safety standards
  • Responsive: the organisation demonstrates transparency by acting and communicating changes in response to outcomes from risks, incidents, near misses, complaints and consumer feedback

Questions to ask:

  • Do you have an embedded feedback and risk management framework that has been clearly communicated across the organisation to consumers, staff and board and other key stakeholders?

  • How big is your gap to better practice risk management, described above? 

  • Which areas require immediate attention?

Getting ready for annual attestations by the board 

The board is ultimately responsible for the management of risk. It follows that the board should regularly apply its mind as to whether the risk framework, strategy and practices are designed appropriately for the scale and complexity of the organisation, and whether the system is working as intended to deliver strong risk oversight and outcomes.

In some industries, this responsibility is formalised, with the board required to provide an annual, public declaration on these matters. This is the case in the public sector, where annual attestations are a common requirement for boards or heads of state agencies. In financial services, the bar is set higher, with the board having to sign an annual declaration on risk management that is also supported by an independent review of the risk system every three years.

The aged care royal commission final report recommends that the boards of aged care providers should have a majority of independent directors, with the board providing an annual attestation to the effect they are satisfied the provider has the structures, systems and processes in place to deliver safe and high quality care to customers (R90(f)). The specific details of how this will be enacted are not yet known, but the requirement for a board attestation will likely follow generally accepted risk practice. 

Setting up an effective attestation process

Looking to better practice in the way these annual risk attestations are run, we observe that: 

  • Attestations involve clearly articulating the system of control in an organisation (covered more in Chapter 5: The system of control in aged care).

  • Prior to signing the attestation, the board receives an assurance report from management which assesses how the system is working and surfaces issues requiring improvement.

  • The assurance activities include:

    • A self-assessment by the first line of defence (Service/Operations).

    • Review and internal assurance by the second line of defence (Quality Team) over the first line attestation where appropriate.

    • Independent third line (Internal Audit) checks to provide independent assurance direct to first line and/or second line to the extent that they also complete attestations, or to assess the effectiveness of their review process where appropriate.

  • There is likely a plan developed, with actions to improve the risk management system, which is funded and supported by the board.

The board considers the assurance report alongside the actual risk profile and risk outcomes produced by the system (incidents, consumer impacts, complaints and near misses) to support the signing of its public attestation.

Questions to ask:

  • How confident would your board be today to sign a public attestation that your structures, systems and processes deliver safe and high quality effective care to consumers? 

  • What steps could you take now to prepare for this future attestation process?

For more information on governance hot topics and board issues, visit PwC’s Governance Insights Centre.

Look out for the next chapter to help you with your reset journey, including questions, tips and ideas - Chapter 4: Risk prevention in aged care.


Contact us

Nicola Lynch

Health & Education Industry Leader, PwC Australia

Tel: +61 425 147 707

Edwina Star

Risk Consulting Lead, PwC Australia

Tel: +61 416 301 798

Tracy Robertson

Senior Manager, Assurance, PwC Australia