A strong and effective management system is one of the best methods of risk mitigation in a business – as well as a driver of improved organisational performance.

The management system is made up of the different policies, procedures and forms which describe the way that things should be done in your organisation. It’s about how things are done in the organisation, and documenting it in these ways helps to ensure a consistent approach.

As providers transitioned from state government block funding into the NDIS, many had to simultaneously comply with the requirements of three different quality frameworks: 1/ legacy funding state government quality accreditations, 2/ NDIS quality and safeguards requirements (supporting participants up to age 64), and 3/ the aged care quality standards often under the Commonwealth Home Support Program (for clients 65 and over).

This change has meant organisations need to continually improve their management system policies and procedures to comply with each of these quality frameworks. Boards also have needed to adapt their practices to ensure more specific oversight of critical areas that accreditation bodies and the community expect them to be across.

A centrepiece of the policies to be reviewed under these changing requirements is the Risk Policy. In preparing the risk register, many of the risk treatments will be activities that you want to be applied consistently and systematically so are best addressed in the management system and linked to relevant policies and procedures.

While there are many common themes across the different quality frameworks, there are some elements that are unique.

It can be confusing for staff to have one system for the 64-year-old client they are servicing one day under the NDIS, and then need to work under a different system the next day for the 65-year-old who is funded by CHSP.

After working in quality management in a previous role overseeing a management system that needed to comply with various different external accreditations, I found that the best way to manage these differences was to design the management system so that it became the “Your Company Way” of how we do things. In my example working for CBB, I would describe it as the “CBB Way”.

With that approach, staff learn to do things the “CBB Way” and our CBB policies and procedures are written around the different external requirements (accreditations and legislation), as well as having evolved to include the lessons learned from our decades in this business.

That second part is worth highlighting and is where continual improvement becomes most important as a risk mitigant and driver of better organisational performance. Each time a lesson is learned, perhaps from an incident or near miss, the best organisations have a learning process and review what needs to change about the management system to ensure the risk is better managed in the future.

Learning organisations will conduct a lessons-learned review of the actions they have taken in response to COVID-19, and incorporate the lessons into an update of the Business Continuity Plan. Sitting down with your team to brainstorm a few simple questions will create insights that help improve your processes for the next crisis: What worked well? What didn’t work well? What should we do differently next time?

What improvement will address the root cause of why the incident or near miss happened? Do you need to change the procedure or form, implement new or different staff training, or put another quality check in place?

Having a management system that just meets the minimum standards of legislation and accreditations will make you an average business at best. Applying the accumulated lessons learned from your organisation’s history and pursuing best practice in the management system is what will drive your organisation to perform at the highest level.

One way that I have found it useful to think about this is to look at the audit triangle.

There are external requirements with which the management system needs to comply, such as the accreditations to quality standards mentioned above and relevant legislation, such as that applying to human resources and WHS.

The suite of internal policies, procedures and forms define and guide the “CBB Way” of doing things and are the organisation’s “management system”.

And then there is the work that staff do in implementation of the policies and procedures.

With these three elements, it can be seen that most internal audits, which look at how implementation matches the requirements of the relevant internal policy/procedure, are compliance audits. That is, they examine how staff are following the relevant procedures – for example, record keeping on clinical practices.

A desktop audit is done internally, usually by a subject matter expert, to review how your existing policies and procedures need to be updated to meet changing external requirements – for example, a HR Manager reviewing changes to the Fair Work Act. This is most helpful to do and document at a time when the external requirements are changing – such as with the release of the Aged Care Quality Standards last year.

It’s possible to perform a system audit internally which looks at implementation compared back against the external requirements, and this type of audit is commonly done by external auditors who look at your implementation practices when compared to the external accreditation standard. For example, an auditor looking at how your practices meet the NDIS Practice Standards.