Registered NDIS Provider

Risk Management

Pathways to Better Living Pty Ltd – Risk Management Policy


Risk management involves identifying and managing risks. This includes a wide range of risks including risks to the organisation’s operation, to independent support workers, employees and participants. Risks are inevitable but risk management aims to reduce the chance of a particular event from happening. If it does happen, risk management helps to reduce its impact. Benefits of risk management can include:

  • Reduced business downtime
  • Reduced loss of cash flow
  • Reduced injuries or illness to participants and workers
  • Increased health and well-being of participants and workers
  • Increased innovation, quality and efficiency through continuous improvement

Risk Management Areas

All of our supports and services will be provided in a way that is consistent with our risk management system. Our risk management system will cover:

  • incident management
  • complaints management and resolution
  • financial management
  • governance and operational management
  • human resource management
  • information management
  • work health and safety
  • emergency and disaster management
  • infection prevention and control.

Identifying risks

Risk is the combination of the likelihood (chance) of an event occurring and the consequences (impact) if it does. Risk management aims to increase the likelihood and impact of a desirable outcome as much as possible. Risk identification is the process of finding, recognising and describing risks.

Unmanaged risks

Unmanaged risk is the level of risk before any action has been taken to manage it. Managed risk is the risk remaining after taking into account the effectiveness of current controls (e.g. training, management plans or using personal protective equipment). In other words, it is the level of risk remaining after plans have been put in place and are being followed.

Risk tolerance

Risk tolerance is an informed decision to accept a particular risk, with or without risk treatment, in order to achieve a goal.

Risk analysis

Risk analysis is the process to understand the nature, sources and causes of risks to determine the degree of risk. The degree and consequences of risk together inform risk evaluation and decisions about risk treatment.

Risk assessment

Risk assessment is the overall process of risk identification, risk analysis, and risk evaluation.

Risk evaluation

Risk evaluation is the process of determining whether the risk is tolerable or whether it requires risk treatment.

Risk treatment

Risk treatment is the set of measures taken to change the level of risk. Possible treatment responses include:

  • Avoiding the risk
  • Removing the risk source
  • Making decisions or taking actions which change the likelihood and/or the consequences
  • Sharing the risk with another party
  • Tolerating the risk by informed decision

Risk management applies to all parts of the service and to all representatives, including key management personnel, directors, full time workers, part time workers, casual workers, contractors and volunteers.

Risk Matrix

A risk matrix is used during risk assessment to define the level of risk by considering the category of likelihood against the category of consequence. A risk matrix helps to increase the visibility of risks and assists management decision making.

Likelihood      Chance of occurring      Consequence (least severe to most severe)
                                         1         2         3         4         5
Almost certain  More than 90%            Medium    Medium    High      Critical  Critical
Likely          Between 50% and 90%      Low       Medium    High      High      Critical
Possible        Between 20% and 50%      Low       Medium    Medium    High      High
Unlikely        Between 10% and 20%      Low       Low       Medium    Medium    High
Rare            Less than 10%            Low       Low       Low       Medium    High

Participant risk management

Identifying risks to participants is an important part of providing supports and services. Identifying risks to participants, and regularly reviewing those risks, is an ongoing process. Regular reviews help to ensure the risk management strategies in place are effective and adequately address the identified risks. With this in mind:

  • Risk assessments for new participants must be conducted during the onboarding process
  • Risk assessments for existing participants must be conducted every 12 months or more often if there are changes in the participant’s needs
  • Risk management plans for participants should be reviewed quarterly or more often if there are changes in the participant’s needs

Strategic risk management

Risk management should consider strategic risks. This includes identifying and managing risks related to the service achieving its business objectives. This may include risks to:

  • Funding – this might include donors, gifts and funding bodies
  • Mismanagement – risks to the organisation’s reputation
  • Founder risk – where the organisation’s original benefactor lacks the required business and financial skills to run the service appropriately

Strategic risk management strategies involve thorough research and planning.

Compliance risk management

Ensuring the organisation operates within the law carries its own compliance risks. These risks must be identified and assessed under a risk management framework. Examples of compliance risks may include:

  • Unregistered and/or uninsured company vehicles
  • Failing to fulfil reporting requirements imposed by legislation or funding agreements
  • Fundraising activities or sources which breach legislative requirements
  • Key management personnel operating outside their authority
  • Activities that are outside the organisation’s constitution

Compliance risks must be eliminated entirely, unlike other types of risk where elimination may not be possible. Strategies to prevent compliance risks include (among others):

  • A robust compliance culture
  • Internal controls in areas of compliance
  • Regular internal audits in areas of compliance

Human resources risk management

Risk management should consider risks related to human resources including:

  • Unplanned exit or retirement of key management personnel
  • Not having workers with the required knowledge and skills
  • Industrial action and disputes or absenteeism
  • Lack of diversity (gender, race, age, ability)
  • Recruitment of workers and their retention or dismissal

Strategies to manage or reduce human resources risks include:

  • Robust leadership, a positive culture, and a values framework
  • Succession planning for key roles
  • Documenting critical information and key processes so others can continue to run the service
  • A comprehensive training program for new workers
  • Training workers so that more than one person knows how to perform each task
  • A supervision and mentoring program for workers

Special events risk management

Risk management is a required part of organising or participating in an event. The main risks at events include anything that could:

  • Cause harm to another person
  • Cause damage to equipment, infrastructure or the event site, or
  • Harm the future of the event organiser

Risk assessments for events may require, where appropriate:

  • A risk assessment of the event site – including existing risks, risks caused by inclement weather, and risks from bodies of water
  • A risk assessment of the event including all proposed activities e.g. rides, vehicles and security
  • A risk assessment of external risks such as the need to evacuate, including whether any guests may be at higher risk

To prevent, minimise or manage identified risks, the event organiser must put appropriate management plans in place.

Work Health Safety risk management

Under WHS laws, key management personnel (or person conducting a business or undertaking) have a duty to eliminate WHS risks as far as reasonably practicable. This means risk management needs to consider work health and safety (WHS) risks. Managing WHS risks is an ongoing process which should begin when:

  • Starting a new business or purchasing a business
  • Changing work practices, processes or work equipment
  • Purchasing new or used equipment or using new substances
  • Planning to improve productivity or reduce costs
  • Responding to workplace incidents (even if they have caused no injury)
  • Responding to concerns raised by workers or others at the workplace
  • Required by the WHS regulations for specific purposes

Identifying hazards involves finding things and situations that could cause harm to people, including workers. Areas to consider include the:

  • Physical work environment
  • Equipment, materials and substances used
  • Work tasks and how they are performed
  • Work design and management

Common hazards include:

  • Manual handling – when lifting or moving objects or people
  • Gravity – falling objects; falls, slips and trips of people
  • Electricity – shock, fire, burns or electrocution
  • Machinery and equipment – hit by moving vehicle or caught by moving parts of machinery
  • Hazardous chemicals – chemicals, dusts
  • Extreme temperatures – heat stroke, burns, fatigue, hypothermia
  • Noise – permanent hearing loss
  • Radiation – microwaves, lasers
  • Biological – infection, allergies
  • Psychosocial hazards – stress, bullying, violence, fatigue

Finding hazards involves:

  • Workplace inspections
  • Consulting workers
  • Training workers to report hazards and risks
  • Reviewing incident reports and complaint registers

WHS risk assessments should be carried out when:

  • There is uncertainty about how a hazard may cause an injury or illness
  • The work involves a number of different hazards and it is unclear how these hazards may interact to produce new or greater risks
  • There are changes in the workplace that may impact control measures

Once a WHS hazard or risk is identified and assessed, managing the risk may involve:

  • Elimination – where possible a WHS risk should be eliminated
  • Substitution – replacement with less hazardous options
  • Isolation – if elimination or substitution is not possible isolate the hazard so workers cannot come into contact with it
  • Control – where elimination, substitution or isolation is not possible, apply controls such as safe work practices and/or personal protective equipment

Fraud risk management

In this context, “worker” means any representative of the organisation including key management personnel, directors, employees, contractors and volunteers.

Risk management should cover risk of fraud. This includes:

  • Internal fraud – fraud that is carried out within the organisation such as when workers:
    • Steal money or assets that belong to the organisation
    • Steal cash donations that belong to the organisation
    • Claim non-existent, excessive or fraudulent purchase orders to obtain payment for goods and services that are not supplied
    • Submit false applications for grants or other benefits
    • Create non-existent beneficiaries or employees for the purpose of directing unauthorised payments
  • External fraud – scams and fraud initiated from outside the organisation, such as when an external party:
    • Submits false invoices to the organisation
    • Steals identities in order to obtain credit card or bank account details
    • Uses a charity’s name to obtain funds fraudulently e.g. a fraudulent fundraising appeal
    • Makes phone calls or sends text messages or emails which pose as another organisation in order to obtain funds fraudulently.

The likelihood of fraud can be reduced by:

  • Having a strong ethical culture with clear commitments to integrity and ethical values
  • Strategies in place to protect the organisation from fraud rather than just accepting the risk

There are three accepted ways to mitigate the risk of fraud:

  • Prevention – controls designed to reduce the risk
  • Detection – controls designed to uncover fraud when it occurs
  • Response – controls designed to facilitate corrective action and harm minimisation

Prevention controls can include:

  • Fraud risk assessments
  • Conflict of interest policy
  • Strong internal controls
  • Screening for new workers
  • Effective supervisory processes
  • Due diligence checks on suppliers and contractors
  • Worker training to increase awareness of ethics and on risk management strategies
  • Support programs for workers
  • Independent audits

Detection controls can include:

  • Continuous internal monitoring and auditing of processes
  • Allocation of resources to fraud detection
  • Fraud detection software to provide real time data monitoring and analysis
  • Mechanisms to report fraud while protecting the whistleblower
  • Unannounced financial and asset audits
  • Fraud testing

Response controls can include having an internal investigation team and a fraud response plan.

Financial risk management

Risk management should include managing risks to finances such as:

  • Liquidity risk – not enough funds to pay debts
  • Interest rates – when there is a dependence on borrowed funds or income generated from interest-bearing deposits
  • Credit risk – when goods and services are sold on credit
  • Risks from competitors – competition can impact market share
  • Risks from the market or economy – changing trends, impacts from economic downturn
  • Unexpected exit of the business owner or partner – in the case of death or incapacitation

Risk management strategies include:

  • Having the right insurance
  • Backup plans if things go wrong
  • Researching market trends

Key personnel succession risk management

Risks to the service in relation to key personnel should be considered. A succession plan is one way to minimise the impact of one or more unplanned absences of key personnel.

Consequence ratings for participants

The steps to manage risks for participants are:

  • Identify risks – identify risks specific to each individual participant
  • Assess risks – understand how likely it is to happen and how bad it could be
  • Control risks – implement appropriate lifestyle plans to lessen the likelihood and/or the amount of harm
  • Review control measures – check and ensure risks are under control and there are no new risks

Consequence rating   Examples for participants
1 (least severe)     Less than first aid injury; brief emotional disturbance
2                    First aid injury; emotional disturbance impacting more than two days that does not require treatment
3                    Substantial injury resulting in medical treatment; temporary impairment or development; exacerbation of mental illness requiring treatment, or some cases of abuse or neglect of the participant
4                    Significant injury causing permanent impairment; severe, long lasting or significant exacerbation of mental illness requiring long-term treatment; significant faults allowing significant abuse or neglect of participants
5 (most severe)      Avoidable death of a person; systemic faults allowing widespread abuse or neglect of participants

Risks for participants must be managed:

  • With a risk assessment as part of a periodically reviewed individual support plan
  • During a transition from one service provider to another

Consequence ratings for organisational risks

In the organisation, persons conducting a business or undertaking:

  • Are required by law to manage WHS risks
  • Are required by law to minimise the risks of breaches of privacy

The steps to manage risks in the organisation:

  • Identify risks – find out what could cause harm
  • Assess risks – understand the nature of the harm that could be caused by the risk, how serious the harm could be and the likelihood of it happening
  • Control risks – implement the most effective control measures reasonably practicable in the circumstances
  • Review control measures – ensuring control measures are working as planned and there are no new risks

Responsibilities of key management personnel

Key management personnel are ultimately responsible for setting the organisation’s risk appetite. Their responsibilities are to:

  • Set overall risk management strategy
  • Understand the scope of risks faced by the organisation
  • Ensure robust oversight of risk at senior management levels
  • Promote a risk-focused culture
  • Promote open communications within the organisation
  • Assign clear lines of accountability and encourage an effective risk management framework

Key management personnel must also ensure risk management policies and processes are implemented and followed across the organisation.

Responsibilities of risk manager/risk management committee

If appropriate, key management personnel may assign a risk manager or a risk management committee to assume the responsibilities described below.

The responsibilities of a risk manager/risk management committee:

  • Form overall risk management strategy
  • Identify and prioritise risks across the organisation
  • Make risk management recommendations to key management personnel/board of directors/management committee

Responsibilities of workers (including independent contractors)

All workers (including independent contractors) should:

  • Follow participant risk management plans
  • Support participants to communicate and self-advocate if the participant requests or requires support
  • Assist the participant, if they request or require support, to maintain a risk management plan as safety needs change
  • Inform the team of any changes to a participant’s safety needs
  • Seek support from key management personnel to manage a risk, if required
  • Collaborate with relevant parties when concerns about risk management escalate to key management personnel
  • Be actively engaged during supervision and team meetings to work through risk management issues
  • Have a basic understanding of the NDIS Quality and Safeguarding Framework
  • Have a basic understanding of relevant WHS policies