The healthcare risk landscape continues to evolve, particularly in the wake of the pandemic, the rise of digital systems, and an increasingly complex regulatory environment.

So, what should healthcare leaders be focusing on right now? 

A new era of risk management in healthcare

The three top risks for hospitals right now are:

  1. Workforce instability

  2. Cybersecurity threats

  3. Financial sustainability.

COVID-19 certainly changed the game. At the height of the pandemic, government funding flowed freely to support the crisis. But as the emergency subsided, the purse strings tightened—sometimes too quickly. Many hospitals were left scrambling, expected to deliver the same level of pre-pandemic care when the health landscape had significantly changed. It is fair to say the level of support received did not go far enough.

Add to that a more complex patient mix—people presenting later, sicker, and needing more acute care—and you’ve got a perfect storm of demand pressure and financial strain.

The workforce challenge

Staff shortages are another major concern. Burnout, changing expectations around flexible work, and an ageing workforce have reshaped the sector. In healthcare, you can’t always offer work-from-home solutions. But that doesn’t mean hospitals can’t rethink how certain services are delivered—like telehealth. It requires creativity, planning, and thoughtful implementation to balance fairness, safety, and practicality.

Is risk management a paper tiger?

In my experience, most healthcare organisations do have risk management frameworks in place. For public health, it’s a compliance requirement. But there’s often a gap between what’s written down and what’s embedded in operations.

That is where internal audit plays a vital role. Our job isn’t to point fingers. It’s to dig deeper and ask: Are your controls not just documented, but understood, implemented, and effective?

In many instances, risk registers are full of controls that sound great—but when tested, fall short. One key area where we’ve seen this is clinical incident management. Here, we’ve helped health services assess whether incidents are not only being reported but investigated thoroughly, with meaningful follow-up and continuous improvement initiatives being implemented and embedded within the organisation.

The goal isn’t just to avoid clinical incidents; it’s about learning from them. And that only happens when there’s a mature risk culture in place.

Cybersecurity is the health sector's Achilles heel

Health data is incredibly valuable to cybercriminals—rich in identity information and payment details. Unfortunately, the sector has become a prime target. With so many legacy systems and stretched resources, it's no surprise.

Our key message for healthcare leaders is this: Make your organisation a harder target. Threat actors are strategic—they’ll go for the path of least resistance. You don’t have to be perfect. You just have to be better protected and put up enough obstacles to make it not worth the effort.

That means rigorous IT controls, regular testing, realistic assumptions, and layered defences. And when systems can’t be replaced immediately? Then segment them. Isolate them. Make sure a breach in one area doesn’t compromise the whole organisation.

Improving governance and board reporting

Boards and Audit Committees play a critical role in managing risk—but only if the culture allows for transparency. If leaders are afraid to raise concerns for fear of being punished, then no amount of documentation will help.

We need a shift towards risk culture over risk compliance. If people are having honest, constructive conversations about risk—even if the process is a bit messy—it can be better than if everything looks polished on paper, but no one’s asking questions.

Looking ahead

Our healthcare providers are doing incredibly important work under increasingly difficult conditions.

The next decade will be transformative. Innovation in healthcare is accelerating. So are the risks. The question is: will organisations be prepared?

Success lies in embedding a culture of curiosity, vigilance, and accountability — not just at the executive level, but across every department and discipline.

Because ultimately, our job isn’t just to manage risk. It is to protect people, patients, staff, and the communities we serve.

FOR MORE INFORMATION

If your organisation could benefit from an objective review of your risk management framework, internal controls, or cybersecurity posture, the Risk Advisory team at RSM is here to help.

Jayesh Kapitan is a Partner in RSM Australia’s Risk Advisory team and National Leader Health Services. He has years of experience working closely with hospitals and healthcare providers across Melbourne and Victoria to help them navigate a growing list of challenges and improve governance, internal controls, and risk resilience.
