Corporate Governance and Risk Management

Table of Contents


Werribee Mercy Health risk management framework.


Risk ownership and governance.

Risk Management process.

Risk owners.

Business planning and risk management

Risk Management Policy.

Risk Management Strategy.

Risk Culture.

Risk Appetite.

Conclusions and recommendations.


Introduction to Mercy Hospital Risk Management Framework

The concept of risk management has been used in banking and insurance services since the early 1970s. Risk management has been an accepted practice in industries in the western countries since the 1900s and in many healthcare facilities since the mid-1970s (Ahmed & Manab, 2016).

Every business and organization faces the risk of unexpected, harmful events that can cost the company money or cause it to permanently close. Risk management allows organizations to attempt to prepare for the unexpected by minimizing risks and extra costs before they happen.

Risk management is the process of identifying, assessing and controlling threats to an organization's capital and earnings (Ahmed & Manab, 2016). These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters.

Risk management encompasses the identification, analysis, and response to risk factors that form part of the life of a business. Effective risk management means attempting to control, as much as possible, future outcomes by acting proactively rather than reactively (Callahan & Soileau, 2017). Therefore, effective risk management offers the potential to reduce both the possibility of a risk occurring and its potential impact.

Thus, to protect an organization from the potential risks, organizations employ and follow a pre-determined risk management framework. A risk management framework (RMF) is the structured process used to identify potential threats to an organisation and to define the strategy for eliminating or minimising the impact of these risks, as well as the mechanisms to effectively monitor and evaluate this strategy. Risk management frameworks are tailored to do more than just point out existing risks (Shad, 2019). The Risk Management Framework (RMF) is a set of criteria that help to monitor and prevent risk. A good risk management structure should also calculate the uncertainties and predict their influence on a business. Consequently, the result is a choice between accepting risks or rejecting them. Acceptance or rejection of risks is dependent on the tolerance levels that a business has already defined for itself.

The risk management process helps in planning, organization, cost control, and budgeting. With effective risk management in place, the business will not usually experience many surprises, because the focus is on proactive risk management (Callahan & Soileau, 2017). Response to risks usually takes one of the following forms:

  • Avoidance: A business strives to eliminate a particular risk by getting rid of its cause.
  • Mitigation: Decreasing the projected financial value associated with a risk by lowering the possibility of the occurrence of the risk.
  • Acceptance: In some cases, a business may be forced to accept a risk. This option is possible if a business entity develops contingencies to mitigate the impact of the risk, should it occur.

When creating contingencies, a business needs to engage in a problem-solving approach. The result is a well-detailed plan that can be executed as soon as the need arises. Such a plan will enable a business organization to handle barriers or blockage to its success, because it can deal with risks as soon as they arise.

By implementing a risk management plan and considering the various potential risks or events before they occur, an organization can save money and protect their future. This is because a robust risk management plan will help a company establish procedures to avoid potential threats, minimize their impact should they occur and cope with the results. This ability to understand and control risk enables organizations to be more confident in their business decisions. Furthermore, strong corporate governance principles that focus specifically on risk management can help a company reach their goals.

Other important benefits of risk management include (Callahan & Soileau, 2017):

  • Creates a safe and secure work environment for all staff and customers.
  • Increases the stability of business operations while also decreasing legal liability.
  • Provides protection from events that are detrimental to both the company and the environment.
  • Protects all involved people and assets from potential harm.
  • Helps establish the organization's insurance needs in order to save on unnecessary premiums.

Werribee Mercy Health Risk Management Framework

Werribee Mercy Health provides a diverse range of services in the south western region of Melbourne. The hospital provides emergency, surgical, medical sub-acute, mental health, palliative, maternity and newborn care, as well as renal dialysis (Mercy Health, 2020). Werribee Mercy is required to plan for and manage growth and change, and to deliver on its objectives within the context of significant population, climate and urban change as well as increased legislative and regulatory compliance obligations and financial accountability. It is essential for Mercy Health to understand the internal and external risks that may impact the delivery of its organisational goals and to have processes in place to identify, mitigate, manage and monitor those risks to ensure the best outcome for staff and consumers; protecting assets; building upon their reputation; and ensuring financial responsibility (Mercy Health, 2020).

Effective risk management is key to the successful achievement of organisational objectives. Apart from delivering on strategic and business objectives, good risk management can prove to be helpful by:

  • Taking advantage of the appropriate opportunities
  • Providing security to employees and consumers and safeguarding them
  • Protecting the assets and the facilities of the company
  • Ensuring financial sustainability.

As such the Mercy Health Board and Senior Leadership is committed to maintaining effective risk management practices, and to reinforcing behaviours of a positive risk culture. In delivering this commitment, it is necessary that a proactive and consistent approach to managing risk be adopted by management, staff, service providers and volunteers in all areas of the Mercy Health operation.

As such, Werribee Mercy Health and its management are committed to maintaining effective risk management practices and to establishing positive risk culture behaviours. In fulfilling this objective, it is necessary that a proactive and consistent approach to managing risk is designed, employed and adopted by management, employees, service providers and volunteers in all areas of the Mercy Health facility and operation (Mercy Health, 2020).

The Mercy Health Risk Management Framework (RMF) articulates the key components of the organisational risk management approach. This includes the design, implementation, review and the continual improvement of Organisational Risk Management practices. The purpose of the RMF is to inform all staff of the structure and approach designed to achieve effective and consistent Risk Management practices across all operations. It is the responsibility of all management, directors, staff, service providers, and volunteers of Mercy Health to comply with and follow the risk management framework (Mercy Health, 2020).

An effective risk management framework considers the elements of risk governance, the process of risk management, and the resources (Choi, Ye, Lu & Luo, 2016). Through this report an analysis of Mercy Health’s risk governance is undertaken considering the following aspects of the risk management system:

  • the risk management strategy
  • improving, monitoring and measuring of risk
  • the risk appetite and how it is incorporated into decision making and corporate planning
  • how the risks are being managed.

For the purpose of this review the Australian/New Zealand Standard ISO 31000:2018 Risk Management and Principle Guideline will be used. This standard has been used to analyse Mercy Health’s Risk Management because ISO 31000:2018 provides guidelines on managing risk faced by any organization. The guidelines can be applied to any organization.

ISO 31000:2018 is an appropriate guideline which can be used here as it provides a common approach to managing any type of risk and is not industry or sector specific (AS/NZS ISO 31000:2018 Risk Management Standard). ISO 31000:2018 can be used throughout the life of the organization and can be applied to any activity, including decision-making at all levels (AS/NZS ISO 31000:2018 Risk Management Standard). The AS/NZS ISO 31000 is a generic guideline only, and not intended to promote uniformity of risk management across all organisations.

Methodology of Mercy Hospital Risk Management Framework

The basic methodology of this review involves aligning the current Mercy Health Risk Governance Structure and the AS/NZS Standard ISO 31000:2018 Risk Management and Principles Guideline.

Risk governance refers to the culture and arrangements developed by an organisation to manage the uncertainties to achieving its objectives. It includes the leadership, accountabilities and oversight that build and improve the risk management approach (Choi, Ye, Lu & Luo, 2016). One of the essential components of good governance is the alignment of the risk management framework with an organization's corporate planning and objectives.

For this purpose, many organizations adopt a three lines of defence model. The three lines of defence model is most effective when there is active support and guidance from the governing body and senior management. Each of these three lines has a distinct role in risk management governance and its implementation. The governing body, committees and senior managers are considered the primary stakeholders. This means they are in a position to ensure that the three lines of defence are reflected, enacted and reviewed as part of the organization's risk management control processes.

Accordingly, primary responsibility for managing risk at Mercy Health lies with the Mercy Health Board, senior management and all employees including contractors and volunteers. Mercy Health has also adopted a “three line of defence” model with respect to identifying, assessing and controlling risk (Mercy Health, 2020). The model provides for a cascading level of monitoring and assurance as risks are reviewed and assessed by each of the three key functions which can be explained as follows:

  • Operational Management – Staff and management are the first line of defence in terms of managing risk.
  • Risk Department – A specialist risk department provides support to line managers in their identification and management of risk. This function also serves as the second line of defence. In reviewing risks across the organisation, it is tasked with monitoring changes to the risk environment; scanning for future emerging risks; challenging current risk assessments; verifying controls; promoting consistency; enhancing and strengthening the risk culture and reporting to Senior Leadership and the Board. It also ensures fulfilment of Mercy Health’s Risk Management Policy.
  • Internal Audit - Mercy Health has an established Internal Audit and Risk Assurance program and team, which provides independent and objective assurance and consulting activity to the organisation. A risk based annual internal audit plan is approved by the Finance, Audit and Risk Committee (FARC) on an annual basis. This is the third line of defence.

Risk Ownership and Governance

Risk owners can be described as individuals accountable for managing and coordinating all aspects of a risk, ensuring that relevant information is available and assessed, and that appropriate individuals are aware of the risk, and involved in the decision-making.

Risk Management Process

The risk management process at Mercy Health consists of the following seven steps:

  • Communicate and consult i.e. identifying who is impacted
  • Outlining the objectives i.e. understanding what we are trying to achieve through this strategy
  • Identifying the risk
  • Analysing and evaluating risk
  • Treating risk and countering it
  • Recording and reporting to the appropriate authority
  • Monitoring and reviewing

Risk Owners

Mercy Health uses an objective-based model to identify risk owners. The model explicitly reflects the business planning process (Mercy Health, 2020). A risk owner is appointed according to the relevant strategic or operational business objective impacted; i.e. the Executive Director, Program / National Director, or Manager who is accountable for achieving the objective. At a local level, risks are managed in day to day operations, with direct line managers providing governance and oversight.

Business Planning and Risk Management

Business planning refers to the annual planning an agency undertakes at all levels to determine its objectives and develop supporting plans. Risk management must be aligned with corporate and business planning processes as a mandatory requirement. Incorporating risk management provides value to decision makers as it will:

  • identify what could impact the agency’s objective
  • provide an opportunity to develop strategies to minimise the impact
  • support decisions on how much risk can be taken to achieve an objective.

Failure to include risk management in business planning means that the decisions made have not considered what is uncertain and the possible resulting effects, implications and dependencies.

Risk Management Policy

A risk management policy outlines the intent of the agency with respect to risk management and describes the governance arrangements and expectations. It provides guidance and is fundamental to establishing a positive risk culture in an agency by clarifying expectations regarding the attitude, awareness and accountabilities related to risk management (Shad, 2019).

Risk Management Strategy

A risk management strategy describes an agency’s future vision, direction and objectives for risk management. It incorporates key activities designed to achieve these objectives and the plan to build risk management capability and maturity. The risk management strategy ensures the agency’s governing body and management have a common and clear view of the purpose of risk management, the activities to be pursued to enhance the framework and the capability building requirements to achieve this. An effective risk management strategy ensures the risk management framework is suitable to the context of the organization. It enables and helps the organization to achieve the following goals:

  • prioritising monitoring activities such as risk maturity assessments
  • assisting in the direction of resources to support gaps in risk management capability
  • strengthening its approach to constant improvement.

Risk Culture

Risk culture refers to the behaviours and environment that influence how a person thinks about and manages risk. Risk culture is a component of the overall culture of an agency. An effective risk management framework must support the development of a positive risk culture within the agency (Oliva, 2016). A positive risk culture is one where all staff see risk management as a core responsibility, actively engage in risk discussions and make appropriate risk-based decisions.

The governing body and the executive are responsible for developing a positive culture. It is strong leadership that reinforces a consistent set of expected behaviours and models appropriate accountability, risk awareness and attitudes. Leaders play a key role in influencing and articulating the desired risk culture. Developing a positive risk culture is essential to developing risk maturity and building capability, and is essential to:

  • create the tone and set expectations
  • modify behaviour to what is expected within the organization’s values and behaviours
  • form the basis of risk-based decision making

The Mercy Health Board and senior management or leadership clearly intend to promote an integrated Risk Management approach and a culture that aims to be risk aware rather than risk averse. A key activity to achieve this is the frequent review and use of the organisational Risk Profiles, which account for both current risks and those that are emerging. This multidirectional focus on risk, i.e. learning from the past, understanding our current landscape and focussing on the future, will help build organisational resilience and agility. The continuous evaluation and improvement of the organisational risk culture forms part of the annual risk management continuous improvement plan.

Risk Appetite

Risk appetite refers to the type and amount of risk that an agency is prepared to accept or avoid. It encourages the consideration of risk in strategic and tactical decisions by asking: “Is this course of action compatible with our risk appetite?” In the case of Government an agency’s risk appetite statement is the shared view of the Responsible Body and executive management on the nature and amount of risk it will retain or accept to achieve its strategic objectives (Oliva, 2016). The risk appetite statement influences and guides decision making, clarifies strategic intent and ensures choices align with the capacities and capabilities of the agency. Defining risk strategy assists in understanding:

  • opportunities and uncertainties
  • what type of risk the organization needs to pursue
  • how much risk an organization can accept and its capacity
  • what risk the organization is capable of tolerating
  • how much investment is required for risk management

Conclusions and Recommendations on Mercy Hospital Risk Management Framework

Due to globalization, business dynamics and the market environment are changing rapidly. With the increasing volatility or uncertainty in the market, organizations are at continuous risk and this risk is evitable. Thus, it is essential for organizations to have structures and frameworks in place to protect themselves and their stakeholders from potential risk. Risk management has become an integral part of all organizations operating across the globe. Risk management is the systematic process of identifying, evaluating, and addressing potential and actual risk. In simpler terms, risk management can be explained as the process of protecting the assets of the organization and minimizing its financial loss. It is the process of taking action to reduce the frequency and severity of unexpected incidents, reduce the impact of legal claims, and promote high-reliability performance and system design. Management of risk is essentially a proactive function of any organization. Risk management should be an important objective that is communicated to all the employees of the organization, and these employees should participate proactively in managing risk. It is important for organizations to align their corporate objectives with their risk management strategy. It is recommended that each employee and volunteer should be charged with risk management.

Mercy Health does not currently have a formalised Risk Appetite statement (Mercy Health, 2020). However, the business monitors a set of key performance indicators that are frequently reported through the governance committee structure, e.g. Quality and Safety Indicators; Work Health and Safety indicators; Complaints Management targets; Mandatory Competencies etc.

The following recommendations can help Mercy Health to have a more efficient risk management strategy. To develop a risk management policy an agency should consider how it will:

  • tailor it to the agency context
  • state the rationale for managing risk
  • illustrate the connections between the agency objectives and other relevant policies to define accountabilities and responsibilities for managing risk
  • identify the human resources and systems required to manage risk
  • describe how risk management performance will be measured and reported
  • specify how the risk management framework will be reviewed
  • provide a provision for how risks will be escalated
  • include how the policy will be communicated.

To develop a positive risk culture an agency should:

  • ensure the message is communicated by the governing body and the executive and also assess whether staff understand the message
  • determine how risk culture is reflected in day-to-day practice
  • assess how a positive attitude towards risk management is modelled through line managers
  • develop a safe environment to report and escalate risk
  • determine whether action to occur for risk taking is outside an individual’s delegated authority or scope
  • Continuing education of staff and responsible key persons
  • Monitoring and evaluation of the integrated programs.
  • Communication with peers at local, regional, state, and national organizations in order to improve the program.

Risk management is an important process because it empowers a business with the necessary tools so that it can adequately identify and deal with potential risks. Once a risk has been identified, it is then easy to mitigate it. In addition, risk management provides a business with a basis upon which it can undertake sound decision-making. For a business, assessment and management of risks is the best way to prepare for eventualities that may come in the way of progress and growth. When a business evaluates its plan for handling potential threats and then develops structures to address them, it improves its odds of becoming a successful entity.

References for Mercy Hospital Risk Management Framework

Ahmed, I. & Manab, A.N. (2016). Influence of enterprise risk management framework implementation and board equity ownership on firm performance in Nigerian financial sector: An initial finding. Journal of Business and Management, 18(1), 61-68.

AS/NZS ISO 31000:2018 Risk Management Standard (n.d). Retrieved from:

Callahan, C. & Soileau, J. (2017). Does Enterprise risk management enhance operating performance? Advances in Accounting Journal, 37, 122-139.

Choi, Y., Ye, X., Lu, Z. & Luo, C.A. (2016). Optimizing enterprise risk management: a literature review and critical analysis of the work of Wu and Olson. Annals of operation research journal, 237, 281-300.

Mercy Health (2020). Mercy Health risk management framework. Retrieved from:

Oliva, F.L. (2016). A maturity model for enterprise risk management. International Journal of Production Economics, 173, 66-79.

Integrating sustainability reporting into enterprise risk management and its relationship with business performance: A conceptual framework. Journal of Cleaner Production, 208, 415-425.
