Risk and Compliance
OATSIH Risk Framework Fact sheet
Frequently Asked Questions
Under what authority can OATSIH undertake a risk assessment?
Clause 22 of the 2011/12 Department of Health and Ageing Head Agreement for Multi-Project Funding specifies that: ‘If the Commonwealth gives the Participant a notice requiring any financial or non-financial information relating to any aspect of the Participant’s business or operation for the purpose of assessing and managing the Participant’s risk, the Participant must provide that information to the Commonwealth within 10 Business Days of receiving the notice’.
How has the OATSIH Risk Assessment Process been developed?
The OATSIH Risk Process (ORP) has been developed to align with the Australian/New Zealand Risk Management Standards ISO 31000:2009 – Risk Management Principles and Guidelines. This enables OATSIH and the Sector to demonstrate capacity against a nationally recognised benchmark. The ORP is also consistent with the Department’s Risk Management Framework.
How often is an Organisation’s risk assessed?
The frequency with which a risk assessment of an organisation is undertaken depends on: the previous overall risk rating of the organisation (as determined via an on-site assessment); and/or whether there has been an occurrence that poses a risk to the Commonwealth. As a general guide, the frequency of risk assessments is as follows: Where the organisation has a previous risk rating of low or medium and there has not subsequently been an occurrence that poses risk to the Commonwealth, assessment will occur every two (2) years. Where the organisation has a previous risk rating of high or extreme, an annual assessment will occur. Risk assessments may also be conducted at other times as required by the Department, for example, where there has been an unexpected and significant change in the organisation’s performance or operations.
Why is OATSIH undertaking Risk Assessments with Organisations?
OATSIH considers risk assessment and risk management a key element of ensuring the delivery of sustainable, continuous, and quality focused services, which in turn helps to achieve the shared aim of improving health outcomes for Aboriginal and Torres Strait Islander people.
What is the purpose of the OATSIH Risk Assessment?
The purpose of the OATSIH Risk Assessment is to ensure that processes and procedures are in place within the governance structures and systems of an Organisation to appropriately manage key risks. It is in the interest of Organisations, OATSIH and the broader community that Organisations are effectively managing risks in a proactive manner.
Who will conduct the risk assessment?
OATSIH Risk Assessments will be conducted by independent consultants engaged by the Department (the Independent Assessor). Where a Risk Assessment is conducted under an alternative risk assessment methodology.
Does an Organisation have to participate?
Yes. Organisations receiving either recurrent OATSIH funding and/or recurrent Departmental funding through the Department of Health and Ageing Head Agreement for Multi-Project Funding are required to participate in a risk assessment as per the terms and conditions of the Agreement.
Will an Organisation’s funding be reduced or ceased based on the outcome of the OATSIH Risk Assessment?
No. Funding to an Organisation will not be reduced or ceased solely based on its OATSIH Risk Assessment rating. OATSIH’s first strategy is always to try to assist an Organisation to build capacity. OATSIH will work with the Organisation to develop a risk management plan to help address identified risks.
What risk rating is required for Organisations to be eligible for a multi-year agreement?
Low or medium risk ratings are required for an Organisation to be eligible for a multi-year Agreement.
Who is the risk assessment conducted on?
A risk assessment will be conducted on all Organisations funded by OATSIH and all Organisations funded by the Department through the Department’s Head Agreement for Multi-Project Funding.
Why does the risk assessment look at corporate governance?
The scope of the OATSIH Risk Assessment Profile Tool is focused on the corporate governance framework of Organisations because it is the corporate governance framework that directs and controls Organisations, and is responsible for the management of risk within the Organisation. Where an Organisation is able to demonstrate that sound corporate governance systems, structures and processes are in place, it is considered that the Organisation may have adequate risk management systems across the broader Organisation and would indicate that the risks of the Organisation are being actively managed.
What are the AS/NZS ISO 31000:2009?
The AS/NZS ISO 31000:2009 is a recognised framework for risk management that has been developed by Standards Australia and accredited by JAS-ANZ, the government-appointed accreditation body for Australia and New Zealand responsible for providing accreditation of conformity assessment bodies in the fields of certification and inspection. The AS/NZS ISO 31000:2009 can be used in any business environment. Further information on the AS/NZS ISO 31000:2009 can be obtained by visiting www.riskmanagement.com.au or www.standards.org.au
What are the 4 levels of Risk?
To align with AS/NZS ISO 31000:2009 Standards, OATSIH uses a risk rating scale that ranges from ‘Low’ to ‘Extreme’ for each indicator. The ratings and descriptions are listed below:
‘Low’ – This is the lowest possible risk rating. This rating acknowledges that the risk is being managed by an internal process; however, no risk can ever be fully mitigated (managed) and some residual risk is always present. No action is required to address a ‘Low’ risk as the potential consequences of the risk are negligible.
‘Medium’ – This risk rating would indicate that an internal system or procedure is possibly not being followed, and the consequence of this risk is a loss of efficiency or effectiveness of some elements of an Organisation. A ‘Medium’ risk would be managed through specific monitoring by the Organisation.
‘High’ – This risk rating typically refers to areas which may lead to a potential breach of the Head Agreement for Multi-Project Funding, or seriously affect the continued delivery of services. Where a risk indicator receives a rating of ‘High’, treatment strategies will need to be developed and negotiated with OATSIH and implemented under the accountability of the Organisation’s governing body. The consequences of a ‘High’ risk may threaten the continued effective functioning of an Organisation.
‘Extreme’ – This risk rating is the highest possible risk rating and refers to a potential breach of legislative, other regulatory, and/or Head Agreement for Multi-Project Funding requirements, significant financial issues, or indicates an extreme risk activity. Where a risk indicator receives a rating of ‘Extreme’, immediate action must be taken by the Organisation to rectify the situation under the accountability of the Organisation’s governing body in consultation with OATSIH.

