Risk prevention in aged care

A guide to resetting risk and governance in aged care

There were many case studies discussed in the Royal Commission into Aged Care Quality and Safety (aged care royal commission) hearings (and others in industries outside our sector) that illustrate the serious outcomes that flow when a board and leadership team fail to govern, oversee or manage risk in the right way. 

These outcomes include:

  • Death, permanent harm, injury or loss to consumers
  • Harm or loss to employees, contractors or visitors
  • Loss of reputation 
  • Disruption to operations
  • Financial loss to the business
  • Fines or penalties, enforcement action
  • Threat or loss of ‘licence to operate’

It’s common sense to have the right governance and risk management controls in place to prevent or minimise failures or negative impacts. However, the nature of care is complex, and as many aged care organisations have grown up and out over time, they may not have adapted their governance and risk management processes to keep pace. As a result, getting a robust, standardised, organisation-wide approach can require re-engineering of practices and processes, and importantly, retraining and upskilling of the entire workforce, to ensure these improvements are embedded and consistent.

This is chapter 4 in our step-by-step guide to ‘get the basics right’ when it comes to aged care governance and risk management. Chapter 1 focussed on understanding how the risk and governance bar is lifting; chapter 2 considers the basics of good governance in aged care; and chapter 3 looks at effective risk management and issue resolution in aged care. In this chapter, we consider the outcomes when risk is not managed effectively, and when prevention and control approaches to assess and mitigate risk across your organisation are either absent or fail to be embedded.

Good risk outcomes - follow the risk prevention approach

There’s a tried and tested approach to preventing poor risk outcomes of the kind described above: 

4 steps to prevent risk

1. Identify the risks

Take a disciplined and systematic approach involving a number of stakeholders to identify all the material risks in play. Risks can be identified using a variety of techniques including analysis of near-miss incidents, process assessment and consideration of worst case scenarios. Both direct and indirect risks specific to your organisation should be identified across multiple categories (see categories of material risk below). In identifying risk, it is important to include people from across your organisation to ensure there is an appropriate variety of perspectives of organisational risk.

2. Assess the risks 

  • What’s the likelihood of this risk arising? (likelihood)
  • What could be the consequences if it does? (impact)

Have a system to rate the likelihood and impact of your risks in a consistent way, using a rating methodology. Risks are often assessed using a risk assessment matrix which supports you to prioritise your risks. Once completed, your risk assessment informs your risk management framework. Then ask:

  • Are we periodically refreshing risks based on our framework to capture emerging risks? 

3. Control the risk 

Once your risks are prioritised, select and implement appropriate controls which are applied to each risk, having a clear view of any residual risk that remains.  

  • Preventative controls: what different mechanisms could we use to prevent this risk arising in the first place? For example, standardisation of controls (frequency and design) centrally; applied across all facilities with tools and templates; benchmarking to identify deficiencies/emerging risks.
  • Detective controls: what different mechanisms could we use to detect and stop this risk, as early as possible when it emerges? 
  • Mitigating controls: what mechanisms could we use to reduce the risk impact e.g. insurance? 

4. Test and verify 

  • Test (audit) that our controls are working as intended.
  • Ensure reports, incidents or issues which illustrate control deficiencies are escalated to accountable committees and the board, reinforcing transparency and oversight of control weaknesses and potential unmitigated risks.
  • Ensure key controls and their performance have been verified by someone independent to the team who implemented them (e.g. third line).

These four steps may sound simple, but many organisations don’t do them as well as they could. There are different reasons for this: the risk may be ‘flying under the radar’; the risk may be known but its impact is under-estimated; or, the organisation may think they are doing a good job at controlling the risk, when they are not.

Prioritisation: spend the time identifying ‘the key things that must go right’

Over time, organisations get better at identifying emerging risks and understanding the types of controls they have in place that have the greatest impact on managing risk. Once you have your total inventory of controls, it is imperative that you spend time identifying the controls that are the most important, and that have the greatest impact. Prioritising these and ensuring, as an executive and a board, that you have visibility over the performance of these controls will be critical to ensuring your approach to risk management is effective and optimised.

This prioritisation and simplification is also critical in clinical, care and service staff education and training, in helping them to understand and apply risk and control at the front line. We have seen this work well when risk and control is reframed to ‘the key things that must go right’ in, for example, medications management, falls or pressure injury management, and infection control.

Questions to ask: 

How good are we at risk prevention? Work through each category of material risk below and ask: 

  • What are the key risks affecting us in this category? What controls (if any) do we have in place to manage these risks? Have we prioritised our controls and identified ‘the key things that must go right’ and that have the greatest impact on outcomes?

  • Do we have relevant and accurate information to inform our key risks? What processes do we have in place to identify and respond to emerging risks?

  • For the categories of material risk, how would we rate our risk prevention approach out of 10? (1 = no risk mitigation strategies in place; 10 = risk is mitigated)

Categories of material risk

Consumer care

Failure to meet minimum standards of care for consumers (clinical, quality, personal care or support for daily living) resulting in death or physical, psychological or psychosocial harm, injury or loss.


Failure to build an open and constructive relationship with regulators, to understand their perspectives and concerns, or the organisation’s responsibilities, and under-estimating the risk of regulatory action.

People and culture

Insufficient skilled and capable people, or the right culture to help deliver the consumer outcomes and experience the organisation aspires to.

Business disruption

There is a risk of disruption to critical operations or technology systems, a failure to access data, communications, utilities, premises or critical supply services, and absent business continuity plans.

Data and privacy

There is a risk of failure to adequately protect the confidentiality and privacy of the people under the organisation’s care, including loss of sensitive consumer data by internal error, external cyber attack or other action.

Financial and treasury

Failure to accurately invoice and charge consumers or manage other financial risks such as liquidity and capital management, preventing fraud and/or meeting accounting/regulatory standards in the way the organisation manages and reports financial matters.


Avoidance or failure to comply with all laws, regulations, industry codes or contractual arrangements regulating services, the care of consumers or operations.

System enabled information management

Inadequate or non-existent systems and processes to support, manage and plan current and future safe quality consumer care, or to report outcomes to the governing body.

Supplier relationships

The selection or management of key suppliers falls short of better practice.  This includes medical and allied health providers, catering, cleaning and all other vital support services.

Work health and safety

Not providing a safe place of work for employees or contractors, by failing to control the significant physical and psychosocial hazards in the workplace and mitigating them to an acceptable level.


The risk of damage to the organisation’s reputation and brand as a trusted name in aged care services, in the eyes of our consumers, employees, investors, regulators and stakeholders.

Strategic and market

Not being responsive to industry changes or exposures to economic, market or demographic considerations affecting the sector and the organisation’s offer in the market.

Tips and traps to avoid

  • Do we have a ‘filter’ stopping us from seeing a risk that’s in play?  
  • Do we tell ourselves it’s a ‘one off’ when it may not be? 
  • Do we tell ourselves “it won’t happen here” or “we’ve got this in hand”?
  • How willing are our people including our staff, consumers and other key stakeholders (e.g. families) to speak up on risks and issues they see or know about?
  • How willing are our leaders to ‘listen up’ when they do? 
  • Do we rely on risk owners to report on risks, or are we getting any form of independent comfort (second or third line) that our controls are operating as intended?

Don’t leave managing risk to chance, or rely on informal mechanisms. Build the fundamentals for a strong and effective system of governance and risk management. Invest in lifting your people’s capabilities and disciplines to scan for, uncover, assess and control the material risks in your operations.

Questions to ask 

  • How well have we documented a risk appetite for each of our material risk categories? 

  • Do we have a risk framework in place that facilitates input from all levels of the organisation?

  • To what extent are our people willing to speak up about risks or issues that they are seeing?

For more information on governance hot topics and board issues, visit PwC’s Governance Insights Centre.

Look out for the next chapter to help you with your reset journey, including questions, tips and ideas - Chapter 5: The system of control in aged care.


Contact us

Nicola Lynch

Health & Education Industry Leader, PwC Australia

Tel: +61 425 147 707

Edwina Star

Risk Consulting Lead, PwC Australia

Tel: +61 416 301 798

Tracy Robertson

Senior Manager, Assurance, PwC Australia