Risk Management Policy

1. PURPOSE

DCIRS Community Care (“DCIRS”) has a legal and ethical obligation to reduce risk in its workplaces as far as is reasonably practicable. This policy outlines how DCIRS prepares for and responds to risks as part of its ongoing commitment to providing safe, compliant, and quality focused services.

This Policy will commence from 9 July 2025. It replaces all other risk management policies of DCIRS (whether written or not).

2. APPLICATION AND SCOPE

This Policy applies to employees, agents, supports, and contractors (including temporary contractors) of DCIRS. The Managing Director is the primary contact for this Policy and provides key oversight of the company’s risk register. This Policy informs the management of the risk register.

DCIRS operates in the community services sector, providing support to clients with disability. Risk management in this context encompasses the broad areas of corporate governance, legal responsibilities, business processes, finances, support services, safety, and business continuity.

This Policy does not form part of any worker’s contract of employment or service.

3. DEFINITIONS

b is the process of preparing the business for threats and working to lessen their effect.

4. PRINCIPLES

• DCIRS services should be safe for people to use.

• While some risks cannot be eliminated, DCIRS will act to identify risks and remove, minimise, or manage them.

• Risks and the plans to mitigate them are documented.

• DCIRS employs ethical risk management practices, with consideration of its responsibilities as a registered company, employer, community participant, and NDIS provider.

• DCIRS is committed to continual improvement and adapts its services to improve safety and risk management on an ongoing basis.

5. POLICY

4.1 Overview

It is DCIRS’s policy to undertake risk assessments on its organisational processes, services, products, and assets. Risks are assessed based on their likelihood and potential for harm. DCIRS is committed to assessing risks associated with its business, services, and people to ensure the continuity of services, and the safety of workers, participants, and other stakeholders associated with the organisation or its operations.

Management of risk will include assigning appropriate resources proportionate to the level of risk to eliminate, minimise, and/or manage risks. Resourcing for risk mitigation is the responsibility of the Managing Director, in conjunction with senior team members, and resources will be delegated where reasonably practicable.

DCIRS will maintain a risk register and undertake regular review of risks according to risk level. Risk reviews will form part of continual improvement, including following feedback or complaints, accidents, or incidents. DCIRS has a separate policy to manage worker health and safety reporting. However, this Policy works in conjunction with the Incident and Risk Reporting Policy.

DCIRS complies with mandatory reporting requirements related to safeguarding of people with disability, quality management, and workplace safety. People accessing services along with their families and carers, staff and volunteers are made aware of relevant risks as far as is reasonably practicable.

4.2 Risk management process

There are 8 key elements to DCIRS’s risk management process:

1. Communicate and consult with internal and external stakeholders with consideration for risks that may impact on individuals and groups, as well as business functions and services.

2. Establish the risk context to enable relevant and robust evaluation with the right stakeholders. Maintain set criteria by which the organisation will evaluate risk.

3. Identify risks including where, when, why, and how various events could prevent, delay, or reduce DCIRS’s achievements against objectives.

4. Record risks using relevant documentation (e.g. Risk Assessment Form, Incident Reporting Form) and DCIRS’s risk register.

5. Analyse risks by determining risk likelihood and consequence to define a risk score (see 4.4). Identify and evaluate existing risk controls.

6. Evaluate risks by comparing estimated risk levels against criteria. Consider the balance between potential benefits and adverse outcomes to enable decisions on the extent and nature of risk treatments and risk management priorities.

7. Treat risks by developing and implementing cost-effective strategies and action plans. Aim to increase benefits and reduce potential costs.

8. Monitor and review the effectiveness of the risk management process, including treatments and actions taken against risk. Manage risk priorities and change in the risk environment. Risks may come from any internal or external event. External events need to be monitored for their impact (positive or negative) on DCIRS’s business and services. For example, changes in the legal, economic, and social environments can provide threats and/or opportunities to business.

4.3 Risk Identification

All workers, participants, supports, agents, and contractors of DCIRS are invited to participate in risk identification. It is recognised that risk identification is improved when multiple parties are involved in the process. Risks may be identified in many ways, including (but not limited to) home visits, audits, feedback and complaints, changes to legislation or standards, changes to business practices, exit interviews with

employees, and consultation with professional business partners.

DCIRS will consider feedback from its stakeholders in the identification process to inform its risk management practices. However, the final decision on risk classification lies with DCIRS’s management. Identified risks will be captured in DCIRS’s risk register and assessed according to the procedure outlined in this Policy.

It is important that documented risks are relevant to DCIRS’s business and environment. Irrelevant risk classification uses resources and may reduce effective management of relevant business risks.

4.4 Risk Assessment

Risk assessments are conducted for identified risks and this process may include consultation with workers, clients, and interested stakeholders. The procedure for assessing and managing risk is as follows:

• Each risk is given a brief description to ensure clarity about the risk.

• A risk score is allocated to each risk, created from individual likelihood and consequence scores. DCIRS may use the traffic light system to easily identify risk and prioritise resources.

• Any risk controls in place are reviewed for adequacy.

• Potential actions and treatments are defined for the identified risk.

• A responsible person/group is assigned to the risk, with action details outlined.

DCIRS will consult with its workers and clients on risks within their environment.

4.5 Risk Mitigation

The risk assessment process will inform how a risk will be managed. Resource priority will be given to risks with a medium to high score. DCIRS will focus on eliminating higher level risk where possible, with other possible outcomes including substitution of the risk, and/or management of the risk (e.g. administrative processes, etc.).

Not all risks can be removed, but DCIRS will focus on reducing and monitoring risks to business, services, and people. Business continuity is a key focus to ensure ongoing access to quality services.

4.6 Risk Review

Risk review includes the process of continual feedback from those impacted by or associated with a risk. Review of risks is a dynamic process and is captured during staff meetings, in incident reports, and by other informal or formal means. New risks will be added to the risk register as they are identified.

DCIRS’s risk register will be formally reviewed each quarter by the Managing Director and Operations Manager. Risk classification and risk scores may be updated during periodic reviews based on changes in the environment and on the actions and treatments applied. However, management of risk is a continual and practical process, with actions and treatments administered on a needs basis. Risk must be managed in real time.

Risk review should include a focus on:

• Whether a risk has changed since the last review and, if so, how.

• Analysis of risks, including why they exist and whether the risk could be eliminated.

• The relevance of the risk.

• Necessary resourcing to manage the risk, including external resourcing or advice needed.

• What actions and treatments are complete or still need actioning.

• Likelihood and consequence to business, services, or people.

• New risks.

• Issues or delays in the management of risks.

4.7 General Responsibilities

Every employee of DCIRS is responsible for the effective management of risk, including identifying potential risks within their work environment and reporting them according to DCIRS policy.

Managers and supervisors are responsible for developing risk mitigation plans and for the implementation of risk reduction strategies. Risk management processes should be integrated with other planning processes and management activities.

Senior management is responsible for identifying and mitigating financial and asset risk and risks to business continuity. Part of risk management includes integrity in decision making and general management practices.

Where legislation is in place, such as financial reporting, occupational health and safety, and employment standards, DCIRS will adhere to requirements to manage those specific risks. This may include obtaining external advice to support adherence to legal requirements.

6. ASSOCIATED DOCUMENTS

• Incident and Risk Reporting Policy

• Cyber Security Policy

• Data Security Policy

• Conflict of Interest Policy

• Whistleblower Policy

• Risk Assessment Form

7. LEGISLATION AND STANDARDS

• Disability Discrimination Act 1992

• Universal Declaration of Human Rights

• National Standards for Disability Services

• Aged Care Quality Standards

• Aged Care Act 1997 (and pending 2025 updates)

• NDIS Quality and Safeguarding Practice Standards 2018

• Corporations Act 2001

• Occupational Health and Safety Act 2004

• Fair Work Act 2009

8. VERSION AND REVIEW INFORMATION

DCIRS reserves the right to amend and vary this policy from time to time.

Version 1.0: 31 January 2022

Version 1.5: 9 July 2025 | Review date: 9 July 2028

Version 1.6 18 March 2026 | Review Date: 9 July 2028