Risk and Improvement
Learning v Compliance Reporting and Tracking
In organisations of many types, compliance reporting and tracking have led to a compliance-driven approach to operations.
However, a paradigm shift is now underway in the not-for-profit sector. Having long struggled to get staff on board with compliance and policy implementation, many nonprofit agencies are shifting from a compliance-driven approach to a learning-focused one.
In this blog, we’ll explore why a learning approach to compliance is superior to compliance tracking and reporting for an organisation that is required to meet regulations and standards like the Social Sector Accreditation Standards, Community Housing Performance Standards and Ngā Paerewa Health and Disability Service Standards.
1. Fosters a Culture of Continuous Improvement
Unlike compliance reporting, which often focuses solely on meeting minimum requirements and is backward looking, a learning approach to compliance encourages ongoing growth and development. By prioritising learning, agencies can foster a culture of continuous improvement, where kaimahi/staff members are empowered to seek out new knowledge, skills, and best practices.
2. Learning approach aligns with non-profit kaupapa
Nonprofit agencies typically have a person/whānau centred kaupapa and value the concept of voluntariness highly. A learning approach to compliance aligns with this, particularly, these short online courses developed specifically for non-profit agencies in Aotearoa. The learning approach to compliance assumes that most people want to meet their obligations. It allows the broadest possible compliance at the least cost both to the agency and to the individual.
3. Compliance reporting and tracking
Agencies accept these as a necessary evil. But compliance reporting and tracking can incentivise fast tracking and a tick-box mentality in an organisation. This can ultimately undermine an organisation’s capacity to improve and build quality of service and reduce staff motivation to innovate and “go outside of the box.” Check out our previous blog about the disadvantages.
4. Drives Innovation and Creativity
Compliance reporting tends to focus on maintaining the status quo—ensuring that existing processes and procedures meet regulatory standards. In contrast, a learning program encourages staff members to think outside the box, explore new ideas, and experiment with innovative approaches. This is facilitated by interactive content like scenarios and quizzes in the Policy Place’s online courses.
5. Supports Engagement and Retention of Kaimahi
Research consistently shows that organisations that invest in employee learning and development experience higher levels of engagement and retention. A learning approach to compliance demonstrates to kaimahi that their growth and professional development are valued as much as the organisation values compliance with external standards. This contributes to greater job satisfaction and loyalty and to an organisation’s ability to retain and attract quality staff.
6. Builds skills and ability to comply
Interactive elements and engagement in online courses can help reinforce key concepts and information retention about requirements for compliance. They provide real-world examples and practical scenarios to illustrate how policy content is applied in different contexts.
This practical application helps staff understand the relevance of policy content and how it translates into everyday practices and decision-making. Ultimately, it means that staff are better prepared for and empowered to meet their obligations.
Conclusion
While compliance reporting serves an important function in ensuring accountability and regulatory adherence, its limitations are increasingly apparent in the nonprofit sector. By embracing a learning-focused approach, nonprofit agencies can unlock a wealth of benefits—from fostering a culture of continuous improvement to driving innovation and creativity.
Ultimately, investing in learning programs isn’t just about checking boxes; it’s about empowering staff, enhancing organisational resilience, and advancing the kaupapa of human service agencies.
RiskManagement with the help of good policies and procedures
Risk management is a key reason for policies and procedures – risks like financial mismanagement, accidents, cyberthreats, privacy.
Take a broad view. No need to be afraid of risk. The wider your view of risk the better prepared you can be and the more able and confident you can feel in your business/organisation.
While risks will be unique to your operation, there are also risks that all of us in business need to manage. At the Policy Place, we help organisations manage these risks with online policies that are regularly reviewed and updated and with other strategies like guidelines and checklists.
Some of the common risks for organisations are listed below, with some of the more common policies and strategies to help manage these risks:
Financial Risk Management
- Policy and procedures relating to financial planning and controls
- Fraud and Corruption policy
- Protected Disclosures policy
- Financial Planning and Investment policies
Information Risk Management
- Preventative & Troubleshooting Maintenance Contracts
- Privacy and Confidentiality policy
- Record Management and Archiving system
- Privacy Breach Procedure
- Information Safeguards policy and procedure
Managing Economic & Political Risks
- Media-related policies and processes
- Hazard-management policy and procedure
- Staff and Governance Recruitment Policies and Procedures
- Strategic & Business Planning
- Hazard & Risk Register
Health and Safety Risk Management
- Wellbeing policy and procedure
- Health and Safety procedures including Hazard and Risk Register; Staff Participation
- Induction and ongoing staff training
- Pandemic Planning
- Infection Control policy and procedures
- Cultural Safety and Responsiveness policy and training
- Harassment and Bullying policy and procedure
Service-related Risk Management
- Complaints and Feedback Policy and Procedures
- Performance and service planning and review processes
- Quality Management policy and procedure
- Training and development of staff
- Policies to guide delivery
- Business Continuity Plan
Risky business – when offending hits the workplace
The case of Philip Barnes was recently laid bare in New Zealand media when his name suppression order was lifted. It’s a good reminder about what not to do when, as a manager, you learn that a staff member may have been involved in offending.
The case
In 2017, International Accreditation New Zealand (IANZ) management learned that Barnes (a General Manager) was involved in a Police investigation of spying in a gym changing room. Police uplifted Barnes’ computer from IANZ and returned it a few days later.
In June 2018, Barnes pleaded guilty to making an intimate visual recording. He sought and got name suppression. In 2020, he was discharged without conviction and granted permanent name suppression. Both orders were successfully appealed by Police and recently, the name suppression order was lifted.
While Barnes was being investigated by Police, IANZ conducted an investigation. A minimal investigation. They questioned Barnes and accepted his assurances that he was involved, basically, as “someone in the wrong place at the wrong time.”
3 lessons
Don’t turn a blind eye
In this case, offending occurred outside work. Even so, as a manager, you can’t assume that the offending will not impact on the business.
An employee’s conduct outside of work may bring an agency into disrepute. This was clearly a risk for IANZ.
Turning a blind eye, by accepting Barnes’ explanation for the Police investigation without checking objective facts, exposed IANZ to significant risk.
Even if offending is alleged to have occurred outside work, as a manager, it’s important that you make reasonable inquires to apprise yourself of the facts.
You don’t have to duplicate the Police investigation. It’s important not to interfere with it.
But it is important that you make sufficient inquiry to fully understand the nature and possible consequences of the allegation(s) to your staff, organisation and client base.
Don’t assume innocence or guilt
We all want to believe the best of people, particularly of staff who we work beside each day and we know to be hardworking. Conversely, we may be more inclined to think a staff member is guilty if we don’t like them.
Either way, hold off. Resist any such assumption.
Your best bet is to be as dispassionate as possible about the allegation(s), while being compassionate and fair to the staff member concerned and any affected staff or others. This will enable you to undertake a reasonable and balanced inquiry into the nature of the allegation(s) and scope the risks associated with them.
Assess and manage risk
The major omissions in the IANZ/Barnes case were the failure to make a reasonable inquiry into the Police investigation. Secondly, IANZ failed to fully scope, assess and manage risks, including risk to its reputation as an agency that’s all about upholding standards.
Risk assessment and management are key tasks for management when confronted with alleged offending by an employee.
Risks to the victim(s), staff member, clients, colleagues, and to the reputation of the agency must all be assessed.
Mitigations established as necessary. They might involve suspension, a change of duties, extra supervision, change of workplace or work hours, etc – depending on the situation, level and nature of risk(s). Mitigations need to be worked out with the employee concerned and their effectiveness monitored and adjusted accordingly.
So…
Learn from what IANZ didn’t do.
Review your policies and procedures to make sure they guide you and your staff to respond if staff become involved in a Police investigation.
At the Policy Place we’ve got you covered if you’re a member of our online policy service. Risk management is an important feature of our online policies eg policies on Background and Child Safety Checking, Quality Assurance, Service delivery and Health and Safety.
If you want to know you’re covered with good policies that are reviewed and kept up-to-date contact us to join the online policy service or book a free consultation to talk about your needs.
When the martians come: policy and procedure tips for cybersecurity
No matter what business you’re in, you’re likely to rely on information technology(IT).
In social service, health and education agencies, we use IT for a multitude of functions – enrolments, intakes, planning etc. Essentially, we would be lost without it.
But have you given sufficient thought to preventing and defending against cyber threats?
If you think that cyber attacks are still the stuff of sci-fi movies then think again. It was only 6 weeks ago that the New Zealand Stock Exchange was rendered inoperative because of a cyber attack. Not just once but multiple times.
We are all vulnerable and need to be on guard to prevent and defend against attacks. We need to become cyber-brave!
A good start
For cyber smart week, CERT NZ has published some basic tips to help each of us improve our defence against cybersecurity attacks. These include password protection, install updates and using multifactor authentication for login access.
We all need to be cyber-aware but it’s especially important if you’re an organisation. Awareness means understanding and regularly reviewing your cyber risks. There may be risks to individuals, your functions, finances, reputation and/or to your agency’s very existence.
Knowing the risks, will guide the safeguards you need to take and what your policies and procedures should address to help you prevent and respond to cyber-attacks.
You need policies and procedures
Given the rate of change in the IT world, it’s important to review and update your policies and procedures to cover off the “must-dos” for your organisation’s security. Key areas to cover include:
- acceptable use of information and communications technology
- access to data
- remote working
- incident planning.
Staff should be trained to implement the policies and to maintain cyber awareness.
Acceptable/unacceptable use of electronic devices at work
Your policies should cover the use of personal devices eg cellphones, as well as what may or may not be done on work computers eg internet and email access not to be used to download unauthorised software and install games and prohibitions against activities such as gambling and use of pornography.
Access to data
As a general rule, access to data should be restricted to those who need it for work purposes. This helps prevent data breaches. It also helps protect privacy which can be jeopardised by unauthorised access to client or staff personal information.
You should have clear procedures in place for removing and changing access rights as people change and leave roles. No one should have access to data and systems they don’t need for their work purposes.
Remote working
With COVID-19, remote working is much more prevalent. But with remote access, there’s potentially more pathways for cyber attacks. Your policies and procedures can help manage these risks. For example:
- outline organisational responsibilities like organising a VPN
- state the safeguards to be taken by staff/remote workers – that they use their home internet to access the work network and notify management immediately of any unusual events on the system.
If personal devices are used, precautions by remote staff can include:
- keeping their operating system up-to-date
- using a strong password and multi-factor authentication
- uploading documents they save locally to the network
- running and updating their antivirus software regularly.
Incident planning and responses
Your policies and procedures should guide staff when responding to a cybersecurity issue, in particular:
- who they should notify if concerned
- who will manage recovery from the incident
- who should be told (eg Privacy Commissioner from 1 December for serious privacy breaches)
- how to use data backups and resume operating
- steps to mitigate and prevent a recurrence of the incident.
Become cyber-brave
Even though it may feel like a minefield, grow your awareness and become cyber-brave.
The Martians may or may not be coming. But either way, it’s best to be prepared.
If you’re wanting your policies and procedures reviewed and updated, contact us. We aim to protect social service, childcare, health and tertiary education agencies from risks of non-compliance with regulations and standards.
We want to help you become cyber brave!
5 ways to increase the effectiveness of your complaints process
So you’ve got a complaints process but how effective is it?
Is receiving no complaints the best you can hope for as a sign of effectiveness? Or is it the complaint outcome that matters most – ie that you were right or wrong?
Here’s 5 things that we think are important to a good complaints process:
- Your policy
- Your culture
- Accessibility
- Your process of escalation, and
- Your resolution approach.
1. Good policy
Staff need to understand the process and rationale for your complaints process. That’s where your policy comes in. It should cover the legal and regulatory imperatives, your commitment to client/customer responsiveness and participation and to organisational learning and improvement. The insertion of some principles like equality, timeliness and fairness will also help staff navigate the process for themselves and with clients/customers.
2. Welcoming and receptive culture
Most of us struggle with criticism and complaints can feel like criticism. So it’s understandable if we feel negative about complaints. But taking a negative approach is deeply problematic.
Negativity can lead to behaviours that stop or prevent people from giving feedback and risks poor quality client service. It can mean that we don’t promote the process, we might respond defensively to feedback and we could minimise and avoid concerns rather than addressing them.
A tendency towards or risk of negativity should therefore be offset in a workplace by strategies such as these:
- adopt a broad focus – invite both positive and negative feedback and make it easy for people to give feedback. Feedback can be as simple for a client as answering a question every now and then about how they’re finding the service and if they would like to see any changes made to improve their experience. Keep a record, consider the feedback with the client and/or others and respond to it;
- take a learning and improvement ethos in the organisation where mistakes and complaints, as much as feedback, are regarded and treated as opportunities to learn and improve;
- share and celebrate feedback and use it to assist team collaboration and planning;
- ensure that staff understand they have rights in the complaints process and that they will be treated fairly and be able to access support if they are involved personally in the process.
3. Easy access and use
How many times, have you gone to make a complaint or raise a concern with an agency to find that there’s no real mechanism for complaining despite claims they have a process.
This might mean you don’t get complaints. But it’s also disastrous in terms of being able to provide a good service as you don’t end up knowing where you’re customers are feeling let down by your service. Some key lessons then:
- Lesson 1 – if you’ve got a complaints process, make sure your clients/customers can easily find it and use it. Yes, it’s important to have a complaints process, it’s also important to have multiple channels for clients and customers to give feedback.
- Lesson 2 – make sure your staff understand the process and can help people with it. It should be part of staff induction and regular staff training.
- Lesson 3 – anticipate and address potential barriers to clients making complaints by making sure that information about the feedback and complaints process is appropriate to your client group (eg age and developmentally appropriate; different languages); there is access to external advocates and there are multiple ways for giving feedback and complaints.
4. Appropriate escalation
A complaints process needs to recognise that people like to deal with conflict and concerns in different ways. Most prefer early and quick resolution.
Promoting and providing a pathway for the early raising and resolution of concerns is important. Remind and encourage clients/customers to share their concerns directly with staff and offer support if needed. This can be a part of the complaints process or separated out from a more formal “complaints” process.
At the other end of the process, provision should also be made for a right of internal and/or external review if a party to the complaint is not happy with the complaint outcome or the process.
5. Systemic approach
Problems rarely arise in a vacuum. They are likely to be systemic and to reflect context. Even if there seems to be an immediate and obvious cause and answer to a complaint there will often be more to it. Certainly, it’s worth thinking about.
Consider how wider systems, organisational norms, work schedules etc may have contributed to the behaviour or attitude that is being complained about and what can be done to address the deficiency(ies). This, plus addressing the more immediate cause, will help prevent recurrence of the matter in the long term.
Conclusion
So going back to start – how do you know if your complaints process is effective? Not receiving complaints is not a reliable indicator. It may indicate top-notch service but if you’re not getting any feedback or complaints then it may well signal the need for more opportunities for client/customers to participate and provide feedback.
Complaint outcome or, who won or lost, is also unreliable. The value and benefits of good feedback and complaints processes are to help an organisation learn and improve and be responsive and relevant to clients/customers.
When assessing effectiveness, think instead about access, use and participation in the process, client/customer feedback on their experience of the process and cost/benefits of resourcing the process against the short and long term benefits of learning and improvement.
5 takeaways from the Coroner’s and Ombudsman’s children’s reports
The Ombudsman and Coroner reports, released this month, identified inadequate treatment and care of children/tamariki by Crown agencies. The Coroner was reviewing the tragic death of a young two-year-old. The Ombudsman was reviewing policies and practices relating to the removal of newborn babies from their parents and whānau by Oranga Tamariki- the Ministry for Children.
Both reports identified big policy problems that we can all learn from.
Coroner’s report – In the matter of Hineihana Sosefina Mausii
The Coroner was looking into the tragic death of 2-year-old Hineihana Sosefina Mausii in 2013. There had previously been a serious adverse event (SAE) review by the Southern District Health Board(SDHB) and an investigation and review by the Health and Disability Commissioner. Both reviews had found critical failures in Hineihana’s care.
The question for the Coroner was whether she should make any comments or recommendations to reduce the chance of further deaths in similar circumstances.
Key findings of facts
The key facts were that Hineihana was taken twice, within 48 hours, to the Emergency Department(ED) of Dunedin Hospital with an acute health condition. On her second presentation, she was assessed by a junior doctor working under the supervision of a senior doctor. His assessment was found to have been inadequate and to have missed “red flags” about Hineihana’s poor health.
The senior doctor, responsible for supervising the junior doctor, failed to provide an adequate level of supervision appropriate to the junior doctor’s level of experience. As a result, Hineihana’s acute condition was not identified when it should have been. She was wrongly discharged with her parents not given any discharge information about follow up care and when to return to the ED.
Policy gaps
With her preventive hat on, the Coroner identified a couple of big policy gaps that had contributed to Hineihana’s inadequate treatment.
At the time of Hineihana’s re-presentation to the ED there had been no clear policy requiring her (ie as a child) to be assessed by a senior registrar or consultant. The SDHB claimed that requirement had since been introduced. The Coroner however disagreed.
Although it was stated as a requirement in several documents, there was no “single source of truth” aka operational policy requirement for unscheduled representations of children to ED within 48 to be assessed by a senior doctor. The status of the documents mentioning the requirement was unclear. So was the “requirement.” She recommended that this be addressed to prevent future tragedy.
The second policy gap concerned safety-netting at discharge. The SAE Review recommendations included the development of a written policy for safety-netting, and provision of both spoken and written advice for patients/parents/caregivers regarding when to return to the ED. It hadn’t yet been done. The Coroner reinforced the recommendation.
Ombudsman’s Inquiry
The Ombudsman reported back this month on their inquiry into the removal of newborns/pēpi from their parents. It made a number of key findings about poor practice. They also identified some critical policy gaps and errors concerning:
- the use of without notice s78 applications (interim custody applications) and criteria for how staff should identify and assess the viability of other options to make tamariki safe
- working effectively and equitably with disabled parents and other parents suffering from mental distress and drug and alcohol issues (ie using a disability-rights approach)
- for unborn and newborn pēpi, policy requiring:
- trauma-informed social work practice to be applied to assessments of the parents’ own childhood histories of abuse or neglect
- specialist assessments for parents with alcohol or drug misuse, mental health needs or intellectual disabilities.
- the Ministry to assist parents and whānau where their pēpi has been identified as at risk.
- a lack of policy guidance about the process of removing a pēpi from their parents once a s78 interim order has been granted.
The Ombudsman recommended these gaps be addressed to support better decisions and large scale practice change by the Ministry when care and protection are held for newborns.
Key takeaways
Although these reports were looking at different issues. They shared a focus on the care, health and wellbeing of our most precious tamariki. They identified and recommended that some key policy problems be fixed.
Although they concerned Crown agencies, there are some key takeaways for social and health services:
- critical issues that require the application of professional judgement and skill should be supported by operational policy requirements
- policy should reflect legal requirements and in the area of disability and mental health the United Nations Convention on the Rights of People with Disabilities
- to avoid confusion and uncertainty in the workforce, there should be a “single source of truth” when it comes to requirements and this should be your operational policy
- organisational policy must be usable and accessible for busy operational staff
- training should align with and support good operational policy.
If you want to know more about how our online policy and procedure service can support good practice and your compliance with regulations and standards, contact us.
Don’t let it happen to you.
People running charities should be selfless, honourable. That’s what we expect right?
Certainly, we expect honesty and that they can be trusted to receive and use public money for charitable purposes and not for personal gain.
But what’s in place to help those governing and managing organisations to keep on the straight and narrow and fulfil our expectations?
The short answer is not much. Organisations have trust deeds but they are highly variable about what they cover. There’s the Charities Act but it’s outdated and currently under review. There’s not much other guidance readily available.
We feel shocked, let down when wrongdoing in charities is exposed.
Sometimes, the organisations are in receipt of huge funding (ie huge for a community service). Yesterday, for example, the New Zealand media revealed that Trustees of Quitline continue to be remunerated although the service itself ceased to operate more than 5 years ago. Moreover, it had more than $2-3 million in reserves including more than $430,000 of Health funding. In a similar vein, a report on an Inquiry into spending by the Hepatitis Foundation, released late 2019, found excessive spending, a lack of recordkeeping and misuse of the charity’s funds.
This is why organisational policies and procedures are so important. I’ll use the policy and procedures in the online Policy Place service to demonstrate.
It’s important to instil the organisational mission and values
Policies and procedures are central to instilling organisational values throughout an organisation. When organisations join our online policy and procedure service or want a policy overhaul, we provide them with customised policies and procedures. This is so that their policies and procedures reflect their kaupapa and organisations’ unique differences.
In areas like governance and financial management, subscribers gain access to policies that reflect and embed a decision-making approach that would be reasonably expected of an organisation receiving public money. For example, when managing income, expenditure and assets, Policy Place subscribers must consider and apply these principles:
- Value for money
- Accountability
- Transparency
- Responsible
- Ethical
- Equality
Each of these principles is defined. As a component of all aspects of financial management, the principles help prevent situations of excessive expenditure in sensitive areas eg travel, meals and accommodation.
Help with financial management
Board members come from all walks of life. That’s a good thing. But not all of them are going to know about careful and prudent financial management.
The Policy Place online financial management policies and procedures are therefore crucial to board members and managers complying with their financial management responsibilities. In particular, policies and procedures dealing with financial controls, delegations, recordkeeping, reporting and prevention of fraud.
Reimbursement of expenses is often a big issue in organisations. The Policy Place policy includes a number of controls eg:
- the above financial principles
- reimbursement criteria
- pre-approval requirement
- the requirement that expenses were both reasonable and actual.
Applied properly, these financial management policies and procedures safeguard our subscribers against the misuse of funds and excessive spending. Trustees and managers are helped to make financial decisions in the best interests of their organisations.
Recruitment of trustworthy board and management
We know how hard it can be to recruit and retain good people for boards. It’s getting harder and harder.
There’s little guidance around on how to do it. Trust deeds usually provide for the election of Trustees. There are also some legal disqualifications. It’s another area that needs to be addressed in policies and procedures.
The Policy Place does this with its online policies and procedures. Policies guiding the recruitment and induction of board members, their responsibilities and outlining membership, disqualification and termination criteria are all relevant and helpful.
Take-aways
We can’t be naive when we’re responsible for public money and fulfilling charitable purposes.
Make sure your organisation’s policies and procedures are consistent with your charitable purpose and kaupapa.
Don’t leave your board and management to sink or swim. Provide the guidance they need with policies and procedures addressing key areas of responsibilities like financial management and governance.