The current state of play. The future of risk in the Australian health sector

Similar documents
The winning tax transformation trinity. Data, technology and operations

Economic Incentives Key Insights

Risk reduction? Value creation?

Mental Health & Wellbeing Strategy

Risk culture. Building great organisations and growing your foundation for success CAPABILITY STATEMENT 2016

NSW DIGITAL GOVERNMENT STRATEGY. digital nsw DRIVING WHOLE OF GOVERNMENT DIGITAL TRANSFORMATION DESIGNING IN OUR NSW DIGITAL FUTURE

Risk Management Strategy

Cultivating a Risk Intelligent Culture A fresh perspective

Global trends for community services in Western Australia

Business resilience in the provider care sector. Actively adapting to a changing environment

IoD Code of Practice for Directors

Risk Management Update ISO Overview and Implications for Managers

Growth. Advisory. Technology. Advisory. Technology Advisory. Capability Statement. May 2017

Surveillance Program Design and Behavioral Analytics Implementation

Building an. Effective Board

Risk Advisory Services Developing your organisation s governance for competitive advantage

Fisher & Paykel Healthcare Limited Review of Directors Fees Summary of EY report dated 19th June 2017

Session 4C: Model Governance: What Could Possibly Go Wrong? (Part I) Moderator: Dwayne Allen Husbands, FSA, MAAA

KPMG Smart Controls. Putting you in control of your controls. kpmg.co.uk

Unleashing the power of innovation

KPMG s Audit Committee Institute

The compliance investment

Extracting business value through operational intelligence

Your unique family, our unique approach.

Automotive Industry. Capability Statement

ACI s Quick Guide to Culture, Ethics, Governance, Compliance, Risk and Corporate Social Responsibility

The people dimension of amalgamations. Machinery of government The people dimension of amalgamations. Three part series

Our Corporate Strategy Information & Intelligence

ASSURANCE FRAMEWORK. A framework to assure the Board that it is delivering the best possible service for its citizens SEPTEMBER 2010.

Transformation confidence Helping you get closer to your transformation programme

COMMUNICATIONS STRATEGY

What s the cost of control? Keeping control of your business when cash is king

Information and Communication Technologies Strategic Plan 2016/ /20

Summary HEFCE operating plan for

Leveraging IT risk management to boost competitive advantage

Measuring digital advertising revenue to infringing sites

Robotic Process Automation friend or foe for your risk profile?

The future enterprise. A transformation road map for the automotive organization

Advisory Services Governance, Risk & Compliance

Enterprise risk management Protecting and enhancing value Advisory

report that their financial impact of all fraud, corruption and/or money laundering incidents is over per incident

Sarbanes-Oxley Act of 2002 Can private businesses benefit from it?

Achieving High Performance in Internal Audit

Peter Fuss Senior Advisory Partner Automotive Ernst & Young

Highways England People Strategy

Find your career formula. Your guide to the EY school and college leaver programmes

Developing high performance teams. 2 3 October 2017

Translate stakeholder needs into strategy. Governance is about negotiating and deciding amongst different stakeholders value interests.

Building and operating the UK s infrastructure. Establishing your roadmap to success

Building the talent of the future

Implementing an Employee Engagement Programme

AUDITING. Auditing PAGE 1

Guidelines: Whole-of-organisation governance

Risks, Strengths & Weaknesses Statement. November 2016

Katungka Napanangka Tali at Intinti 2002 Screenprint Image courtesy of the artist and Ikuntji Arts Centre

Executive summary. Guide to the Global Management Accounting Principles

Internal Audit Advisory

Enabling technology for success

HOW CAN YOU ENSURE SUCCESSFUL BUSINESS TRANSFORMATION? By Suzanne Costella

ISO Your implementation guide

ISO whitepaper, January Inspiring Business Confidence.

Public Engagement with Research

Enterprise risk management Protecting and enhancing value Advisory

Institute of Public Care. Outcome-focused Integrated Care: lessons from experience

Get ready for robots: why planning makes the difference between success and disappointment

Level 5 NVQ Diploma in Management and Leadership Complete

Company Monitoring Framework Risks, Strengths and Weaknesses Statement January 2017

Organisational Capability and Risk HR s biggest untapped opportunity

IMPLEMENT A PIPELINE SMS

Whitepaper September Middle East Perspective State of the Internal Audit Profession 2016

LADY MANNERS SCHOOL CAREER, EMPLOYABILITY AND ENTERPRISE POLICY

CGMA Competency Framework

Turning Strategy Into Action: Why Many Organizations Are Not Fit to Deliver

DIRECTOR TRAINING AND QUALIFICATIONS: SAMPLE SELF-ASSESSMENT TOOL February 2015

Director Procurement & Value Delivery

Compliance digitalization The impact on the Compliance function. Deloitte Risk Services April 2016

WORLDSKILLS VISION 2025 STRATEGIC PLAN

Putting patients at the heart of your digital strategy

ROLE DESCRIPTION. Strategic Procurement Manager

The Future of Sourcing Begins Now

The Firm of the Future How Technology Will Impact and Enable Effective Firm Management. Sponsored By:

Group Chief Risk Officer

Enterprise Asset Management. Enterprise Asset Management 1

TOTAL REWARDS AT NESTLÉ: MORE THAN JUST A POLICY

HSE Integrated Risk Management Policy. Part 3. Managing and Monitoring Risk Registers Guidance for Managers

Efficient risk management. Presentation to the Interdepartmental Accounting Group 2013 conference

Best practice workshop. Training course outline

The Five Stages of a Successful Agile Transformation

Auditing risk culture

ISO INTERNATIONAL STANDARD. Risk management Principles and guidelines. Management du risque Principes et lignes directrices

Human Resources and Organisational Development: Outcomes

NHS Milton Keynes Clinical Commissioning Group

The Urbis Academy Trust Risk Management Strategy

CEO RECRUITMENT PACK WE KINDLY REQUEST NO CONTACT FROM RECRUITMENT AGENCIES PLEASE

Trusted by more than 150 CSPs worldwide.

Take a bold, new path

Clinical Category Lead - Clinical Product Co-ordination

Mapping the gap. Highlighting the disconnect between governance best practice and reality in the NHS.

Spend visibility and shared services Strategies to address growing pains for long-term care organizations

Transcription:

The current state of play The future of risk in the Australian health sector

Foreword David Roberts Global Health Executive Asia-Pacific Health Leader Welcome to the EY series on the future of risk in the Australian health sector. We hope this series will help to both foster debate around the risk agenda in the health sector and drive continuous improvement. This publication, the first in the series, draws on the findings of an extensive survey of health sector leaders from public and privately owned organisations around Australia. Titled The current state of play, it reveals the areas of strength these leaders believe the sector can build upon and identifies other areas of need. The survey provides a base on which to build a series which will explore various aspects of risk. We look forward to sharing with you our views on how the sector can better harness risk to improve both performance and health outcomes. We hope you find this publication of interest and look forward to your contribution to this important debate around the future of risk in the health sector. Future of risk in the health sector the current state of play 2 The current state of play The future of risk in the Australian health sector

Introduction The Australian health sector is world-leading and innovative in many aspects of clinical care. There is however a great opportunity to better harness risk management to drive improved outcomes across the performance and compliance agenda in the health sector. Australia s health sector is at a tipping point. Never before have competing demands been so pronounced, and the pressure to improve performance so acute. Quality and safety, finance, workforce, stakeholder engagement, strategic and other operational improvements all need to be achieved. This, in the context of growing demand, funding pressures, shifting models of care, technological innovations and efficiency targets. Navigating these competing demands while accumulating measurable improvements across all areas of operations requires risk management that complements the rhythm of a business and helps decision makers say yes to the right risks and no to the wrong ones. Health sector companies that succeed in turning risk into results will create competitive advantage. They will deploy increasingly scarce resources more efficiently, improve decision-making, and reduce their exposure to negative events. To get to this point, however, the leaders of health sector organisations need to widen the lens through which they view risk. What s required is a crossorganisational focus that will throw the risks that matter into sharp relief and reveal their impact on the wider strategy of the organisation. Summary of key findings Our survey of health sector organisation leaders unlocked some compelling insights into the state of risk management in the sector. These include: 1. 82% of respondents believe they have clarity on what they want to achieve from their investment in risk management, however one in four don t have a plan to realise this ambition. Furthermore, one in three of those surveyed felt staff across their organisation lacked a clear understanding of their risk management responsibilities. 2. Embedding risk management into the rhythm of their business remains a challenge for most. Organisations need to extend consideration of risk from the confines of risk registers into business decision-making and effective governance. Part of the problem is a cultural one; too many still view corporate risk management as a compliance or policy requirement, not an essential part of operations. 38% 31% 18% 13% Survey respondents 3. This challenge, however, is also an opportunity to align internal control systems and activities with the risks that matter. Freeing up direct costs and sunk time through optimising control efforts would be a win-win for time poor executives, clinicians and staff operating in the current environment of fiscal constraints. 4. The majority of respondents believe their systems and technology do not enable effective, organisation-wide, risk management. Such management requires: a holistic view of clinical, corporate and strategic risk; integrated reporting of governance, risk and controls information; and the ability to analyse emerging risks. C-Suite (CE)/CFO/COO) Board/Audit Committee Other, e.g. risk manager, quality and safety manager Internal Audit The current state of play The future of risk in the Australian health sector 3

Risk strategy 97% Organisations who responded had a risk framework in place The survey suggests that health sector entities have a good understanding of their risk strategy. Most understand what they want to achieve from risk management. Less uniform, however, is the presence of a clear path to achieve these goals. Although 97% of respondents had a risk framework: This fell to 82% when respondents were asked if they had clarity on what they wanted to achieve from investment in risk management And it dropped further to 74% when limited to those who had documented and implemented a strategy to ensure they reach their goals 1 in 4 do not have a risk strategy To improve risk management we need to eliminate the temptation to undertake it as just a discrete issue and to properly integrate consideration about risk management issues into all key decision-making. (Survey respondent) Risk rewards Over the past decade, the practice of risk management has evolved and expanded. It was previously expected to yield a documented framework and register that would assist in identifying and preventing risks occurring. Risk management is now used to help organisations meet their objectives by: Providing freedom within boundaries for organisations to take risks that will enhance their ability to achieve and exceed objectives, while avoiding risks that would impact negatively on those goals Adopting an insight-driven and performance-oriented approach to risk management, one that becomes intrinsic to the business and is embedded in key business processes The health sector needs to consider these developments, which reflect the fact that the benefits of risk management flow from not just avoiding some risks. Successful and effective risk management also identifies risks an organisation should take. 4 The current state of play The future of risk in the Australian health sector

Risk and incident management Incident and risk management are not one and the same, however they are directly linked. One focusses on the management of a risk that is occurring currently and needs to be addressed immediately. The other requires an understanding of, and preparation for, the possibility that an event will occur that will affect the wider organisation and the achievement of its objectives. The preparation that is carried out is vital for effectively managing risks that do occur. The sector generally believes the differences between incident management and risk management are understood, however the survey results suggest that in some large organisations, there is poor alignment of risk management and clinical incident reporting systems. Although 81% believed that incident management is used to inform risk reporting: This reduced to 70% when asked whether there was strong alignment between clinical incident and risk management systems It fell further to 66% when respondents were asked about the clarity that staff have on their responsibilities regarding risk management 1 in 3 believe staff at all levels do not have a clear understanding of their responsibilities with regard to risk management??? Leadership is committed to implementing and directing risk management across the organisation, however, management continues to focus on issue management, not risk management. (Survey respondent) Linking incident and risk management systems allows for greater transparency and predictability of key risk events. Monitoring of clinical incidents can act as Key Risk Indicators where particular incident types are linked to identified risks. Using this approach, the likelihood of a risk occurring can be monitored continually and escalated appropriately when specified limits have been breached. The current state of play The future of risk in the Australian health sector 5

Governance over risk management Although the majority of respondents agreed that the risk information reported to governance bodies is important in strategic decision-making, approaches to risk governance differed across the sector. Who should be responsible for governance over risk? Both risk-savvy management and strong governance are vital for successful risk management. Management owns the management of risk and needs to ensure this occurs throughout the organisation within the parameters set by the Board; i.e. the risk appetite. Sub-committees play a key role in assuring risk frameworks and strategies are well designed and operate effectively. These subcommittees can also take on an oversight role for certain risk areas on behalf of the Board. However, the Board has ultimate responsibility for oversight of strategy formulation and organisational performance. This includes ensuring the risk appetite is clear and that the risks that matter are managed well. This does not mean that the sub-committee role is not important, in fact the co-ordination and consolidation of the Governance of key risks across the organisation can only occur effectively if these groups work closely together to plan, monitor and report on their risks consistently. There should be... recognition that risks need to be managed at ALL levels by ALL employees and that risk management is not simply a policy requirement. (Survey respondent) Our survey respondents told us that within their organisations, governance of risk is the responsibility of... Risk Committee 8% Other 21% Board 38% Audit Committee 25% Quality and safety 8% Effective risk management requires strong leadership (both in terms of policy framework and implementation) from Audit Committee Chair, CEO and key clinical leaders. (Survey respondent) 6 The current state of play The future of risk in the Australian health sector

The clinical vs corporate risk management debate Achieving high quality health outcomes is integral to the mission and success of most, if not all, organisations in the health sector. However realising this ambition requires effective risk management across all aspects of the business from front line clinical operations, to non-clinical corporate aspects such as financial management and asset management. Many organisations have established clinical governance, clinical incident management systems and processes for the identification, assessment and management of clinical risks. However, sometimes there can be a disconnect between clinical risk management practices and those applied to corporate risk management. This can manifest itself in an inability for Boards or executive to be able to gain a real view of all material risks facing the business and how to prioritise the risks that matter. Equally, it can present challenges in gaining a holistic understanding of all the implications of potential risk decisions e.g. the financial and workforce risk implications of a key clinical decision or the clinical risk implications of a major corporate decision (e.g. asset maintenance strategy). It is important to consider the following when addressing these concepts: Risk management approaches should be consistent across corporate and clinical risks without impacting on the effectiveness of managing both. A consistent (but not necessarily uniform) approach to evaluating and prioritising risk means those risks most important to the organisation are highlighted and managed appropriately, whether they are clinical, or corporate in nature. It is important for staff at all levels to understand their roles in relation to both clinical and corporate risk management and why both sets of responsibilities are important. Buy-in from all areas of the organisation will help to ensure that risk management forms part of everyday thinking, without adversely impacting on the day-to-day management of key services. The current state of play The future of risk in the Australian health sector 7

Cost of Control 59% do not know what impact control activities have on productivity and staff time 56% do not know how much the organisation spends each year on maintaining its internal control environment 67% of organisations have not benchmarked themselves in terms of their internal control environment and cost of control Smart controls For those organisations that feel they do have a good understanding of their cost of control and are confident they are spending the correct amount, the following may apply: These organisations may have implemented analytics and technology-enabled automation of controls. These tools are becoming increasingly common and can reduce the cost of controls. There organisations may also assume that spending on compliance (i.e. increased investment in controls) should not be increased as it does not directly benefit the organisation. Organisations spend a significant amount of time understanding and managing the cost of undertaking certain processes, however such investigations have, until comparatively recently, not extended to controls. This may have been due to the lack of a widely-used method to accurately cost control activity that would identify changes, additions/removals while maintaining mitigation and management of key risks. However, over the past few years, organisations have begun to do this, which has enabled the production of Smart Controls that are cost-effective while maintaining effective mitigation of risks (for example through automation). It is not clear how risk is considered in budgeting and resource allocation processes. (Survey respondent) 8 The current state of play The future of risk in the Australian health sector

Risk management systems, tools and technologies While 70% of respondents said risk management reporting is helpful in making informed decisions, the sector finds it difficult to form a holistic view of risk exposure due to lack of aligned/ appropriate systems, tools/technology and reporting. Effectively using technology to support risk management represents both the greatest weakness and clearest opportunity for most organisations. 54% of respondents said it is not easy to get a holistic view of all potential material risks and how these inter-relate through the systems and reporting they have in place 57% said they lack strong systems (technology) to support the risk management process 53% said it is not easy, through the systems and reporting that are in place, to get a complete and holistic view of all potential material risks and how they inter-relate 63% of respondents agreed that systems (technology) currently in use do not provide an early warning of potential risks Better risk management requires an improved technology platform and improvement in the systems used to report and monitor risks. (Survey respondent) The right systems and technology to fit your needs There is no one-size fits all solution to using technology in managing risk. You should consider the following when making decisions relating to technology to support your risk management journey: The cost and timeframes involved in implementation and support of the system The ability for the system to integrate with, and work alongside, other systems, such as the incident management system The type of reporting you need and what level of flexibility you require Functional and technical requirements (further details on these are outlined in EY s March 2013 edition of Insights on governance, risk and compliance) The current state of play The future of risk in the Australian health sector 9

Next steps Five key steps for successful risk management in the health sector. 1. Risk strategy Strong governance and a clear strategy setting out what the organisation wants to achieve from risk management and how it will do so. This should specify risk management roles and responsibilities at all levels from the Boardroom to the wards/ clinics. 2. Embed risk management Health sector organisations that embed risk management practices into business planning, decision making and performance management cycles are more likely to achieve strategic and operational objectives. Risk identification, analysis, treatment and reporting are aligned wherever possible with existing business practices so as not to create a disjointed, siloed endeavour. 3. Optimise risk functions Most health sector organisations will spend hundreds of thousands, if not millions, of dollars each year on various risk functions including internal audits, clinical governance, external audits and accreditation audits. By aligning and co-ordinating risk activities across all risk and compliance functions, organisations can reduce their risk burden (overlap and redundancy), lower their total costs, expand coverage and drive efficiency. 4. Improve controls and processes Health sector organisations that optimise controls around key business processes, harness automated (as opposed to manual) controls and continuously monitor critical controls and key performance indicators using GRC (governance, risk management and compliance) software tools to improve performance and reduce the cost of controls. 5. Enable risk management, communicate risk coverage Some health sector organisations can suffer by rejecting opportunities because they are too risk averse either in perception or reality. Moving from being risk averse to risk ready requires leaders to walk the talk with tone from the top support. Regular and open communication with all stakeholders, smart use of enabling tools and fostering a culture that supports managed risk taking are all necessary factors for success. 10 The current state of play The future of risk in the Australian health sector

Checklist What do you need to think about? Based on the results of our survey, you should consider the following questions in relation to your own organisation: Plan Do you know what you want to achieve from risk management? Do you have a clear strategy on how you will achieve this? Is your risk, control and compliance operating model aligned to your long term business strategy? Have you defined your risk appetite and is it communicated and understood throughout the organisation? Does management understand the Board s risk appetite and is it evidenced in the reporting on risks? Have risk management roles and responsibilities at all levels and across all risk areas (e.g. clinical and corporate) been defined and communicated? Embed Is risk considered in business planning, decision-making and performance monitoring? Does executive management and the Board have a clear view (in some form of risk coverage map) of how each significant risk is being managed on an ongoing basis? Does the Board feel that the right risk and compliance activities are being performed for the organisation s key risks? Does the Board feel that risk management is embedded in the organisation and is part of day-to-day culture? Is the Board comfortable that there are no gaps in risk management? Does the Board have visibility on action being taken on any gaps in risk management? Is risk management aligned and supporting established business practices? Has your risk, control and compliance operating model kept pace with the rest of your business? Optimise Are your risk and assurance activities (e.g. internal audit, clinical governance, external audit, accreditation audits.) aligned? Are your risk, control and compliance resources and capabilities residing in the right function and location to minimise their cost while maximising compliance, scalability, agility and transparency? Do you understand the capacity and capabilities that exist in lower cost countries that support risk, control and compliance activities that other organisations are already tapping into? Do you know what your current cost of risk, control and compliance is today and the operational opportunities to reduce it? Do you maximise the use of automated controls where possible? Do you continuously monitor critical controls? Enable Do you leverage GRC (Governance, Risk, Control) software to assist in managing and monitoring of risk? Do you capitalise on opportunities through a consistent approach to evaluating when to take risk as well as avoid them? How do you ensure third parties who play important roles in your health value chain and patient journey have sound risk management capabilities? The current state of play The future of risk in the Australian health sector 11

EY Assurance Tax Transactions Advisory EY contacts If you have any questions regarding this publication, please contact one of the following: Asia-Pacific Adelaide Brisbane David Roberts Global Health Executive Asia-Pacific Health Leader Tel: +61 2 8295 6661 david.roberts@au.ey.com Amy Grace Partner Advisory Tel: +61 8 8417 1779 amy.grace@au.ey.com Suzanne Wauchope Executive Director Risk Advisory Tel: +61 7 3011 3544 suzanne.wauchope@au.ey.com Jon Lucas Senior Manager Risk Advisory Tel: +61 7 3243 3731 jon.lucas@au.ey.com Canberra Catherine Friday Partner Advisory Tel: +61 2 6267 3955 catherine.friday@au.ey.com Melbourne Perth Sydney Stuart Painter Partner Advisory Tel: +61 3 9288 8622 stuart.painter@au.ey.com Nicole Matthews Senior Manager Risk Advisory Tel: +61 3 9288 2896 nicole.matthews@au.ey.com Heidi Riddell Partner Advisory Tel: +61 8 9429 2136 heidi.riddell@au.ey.com David Hodges Partner Advisory Tel: +61 2 8295 6761 david.hodges@au.ey.com About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organisation, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organisation, please visit ey.com. 2014 Ernst & Young, Australia. All Rights Reserved. APAC No. AU00001995 M1426517 ED None This communication provides general information which is current at the time of production. The information contained in this communication does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Ernst & Young disclaims all responsibility and liability (including, without limitation, for any direct or indirect or consequential costs, loss or damage or loss of profits) arising from anything done or omitted to be done by any party in reliance, whether wholly or partially, on any of the information. Any party that relies on the information does so at its own risk. Liability limited by a scheme approved under Professional Standards Legislation. ey.com Find out more about our Government & Public Sector team: Australia ey.com/au/government Global ey.com/government Download our EY Insights app via the itunes store or Google Play.

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback