A Practical Approach to Risk Management Financial Management Institute, Toronto Chapter

A Practical Approach to
Risk Management
Financial Management Institute,
Toronto Chapter
February 17 2010
Corinne Berinstein, BPT, MBA, MHSC, CA, CFI
Health Audit Services Team
Ontario Internal Audit Division
1
Contact Info:
Corinne Berinstein, BPT, MBA, MHSC, CA, CFI, Certificate in Risk
Management (Canadian Health Care Association
Senior Audit Manager
Health Audit Services Team
Ontario Internal Audit Division
Province of Ontario
Office: 416-327-7798
eMail: [email protected]
2
Basic Concepts
3
Outline

Objectives of today’s session

Basic principles, concepts, definitions

A simple framework

Stocking your toolkit – education, job aids, templates

What are you going to do back in the office?

Q &A’s

A case – Let’s practice!
4
Objectives

Give you a practical approach, framework and tools so
you can start implementing ERM when you get back to
the office.

Share some lessons learned. Share some tips and tricks.

Practice concepts and tools with a case study so that you
practice
5
Why do we need Risk Management?
The only alternative to risk management is crisis management --- and
crisis management is much more expensive, time consuming and
embarrassing.
JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003
Without good risk management practices, government cannot manage its
resources effectively. Risk management means more than preparing for
the worst; it also means taking advantage of opportunities to improve
services or lower costs.
Sheila Fraser, Auditor General of Canada
6
Why bother with RM?

Increase risk awareness – What could affect the
achievement of objectives? What could change? What
could go wrong? What could go right?

Increase understanding of risk – sensitivities. What
makes my risks increase/decrease/disappear?

Promote a “healthy” risk culture – It’s safe to talk about
risk. Open and transparent.

Develop a common and consistent approach to risk across
the organization. Not intuition-based.
7
Why bother with RM?

Allows intelligent “informed” risk-taking.

Focuses efforts –helps prioritize. Top 10 list. Or top 3.
Or…

Is proactive…. not reactive – Prepare for risks before they
happen. Identify risks and develop appropriate risk
mitigating strategies.

Improve outcomes – achievement of objectives
(corporate, clinical, etc)

Really comes to down to simple good management

Enables accountability, transparency and responsibility

And maybe even mean survival
8
Basic principles, concepts, definitions
A risk is ANYTHING that may affect the
achievement of an organization’s objectives.
It is the UNCERTAINTY that surrounds future
events and outcomes.
It is the expression of the likelihood and impact of
an event with the potential to influence the
achievement of an organization’s objectives.
9
Threats and opportunities
Threat – a risk that may HINDER the achievement of objectives
Opportunities - a risk that may HELP in the achievement of objectives

Interest rates

Foreign exchange rates

Supply of service/product/resources

Demand/uptake for service/product/resources

The economy

The weather

The stock market
10
Interactive Session #1 – 10 minutes
 Introduce yourselves to others at your table
 Pick 1 risk – discuss it as both a threat and
an opportunity
 Report to the large group. Pick a
spokesperson.
11
Definition of ERM
“… a process, effected by an entity's board of
directors, management and other personnel, applied
in strategy setting and across the enterprise,
designed to identify potential events that may affect
the entity, and manage risks to be within its risk
appetite, to provide reasonable assurance regarding
the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
12
Enterprise vs Integrated Risk Management
 Similarities:
 Formal process
 Consistent and systematic
 Includes projects, programs,
operations
 Is embedded in key processes
such as strategic planning,
budgeting, project planning,
evaluation, etc
 Must be driven and supported by
Leadership
 Adds value to decision-making
 Differences:
Enterprise-wide:
 Is organizational-centric
Success is defined as
implementation over the entire
organization
Integrated:
Take a systems-focus
May actually create risks for
individual organizations
13
Enterprise Risk Management
h
is
bl
ta
Evaluate
Communication
& Learning
Id
e
nti
fy
Division
Level
Es
r
nito
o
M
Assess
Periodic Summary Analysis & Report
Communication
& Learning
Ide
nti
fy
I
d
e
nti
fy
Assess
Assess
h
is
bl
ta
Communication
& Learning
Es
Evaluate
h
is
bl
ta
Assess
r
nito
Mo
Es
Communication
& Learning
Ide
nti
fy
I
d
e
nti
fy
Evaluate
h
is
bl
ta
Evaluate
h
is
bl
ta
Communication
& Learning
r
nito
Mo
Es
r
nito
Mo
Es
Evaluate
Branch
Level
r
nito
Mo
Assess
Periodic Summary Analysis & Report
Es
h
is
bl
ta
Communication
& Learning
Ide
nti
fy
Ide
nti
fy
Evaluate
h
is
bl
ta
Communication
& Learning
Assess
r
nito
Mo
Es
Ide
nti
fy
Evaluate
h
is
bl
ta
Communication
& Learning
Assess
r
nito
Mo
Es
Ide
nti
fy
Evaluate
h
is
bl
ta
Communication
& Learning
Assess
r
nito
Mo
Es
Ide
nti
fy
Evaluate
h
is
bl
ta
Communication
& Learning
Assess
r
nito
Mo
Es
Evaluate
Unit or
Project
Level
r
nito
Mo
Assess
14
Integrated Risk Management
Communication
& Learning
Id
e
nti
fy
Level
h
is
bl
ta
Evaluate
System
Es
r
nito
o
M
Assess
Periodic Summary Analysis & Report
Communication
& Learning
Ide
nti
fy
I
d
e
nti
fy
Assess
Assess
h
is
bl
ta
Communication
& Learning
Es
Evaluate
h
is
bl
ta
Assess
r
nito
Mo
Es
Communication
& Learning
Ide
nti
fy
I
d
e
nti
fy
Evaluate
h
is
bl
ta
Evaluate
h
is
bl
ta
Communication
& Learning
r
nito
Mo
Es
r
nito
Mo
Es
Evaluate
Regional
Level
r
nito
Mo
Assess
Periodic Summary Analysis & Report
Es
h
is
bl
ta
Communication
& Learning
Ide
nti
fy
Ide
nti
fy
Evaluate
h
is
bl
ta
Communication
& Learning
Assess
r
nito
Mo
Es
Ide
nti
fy
Evaluate
h
is
bl
ta
Communication
& Learning
Assess
r
nito
Mo
Es
Ide
nti
fy
Evaluate
h
is
bl
ta
Communication
& Learning
Assess
r
nito
Mo
Es
Ide
nti
fy
Evaluate
h
is
bl
ta
Communication
& Learning
Assess
r
nito
Mo
Es
Evaluate
Organizational
Level
r
nito
Mo
Assess
15
Risk Management Basics

Risk (uncertainty) may affect the achievement of
objectives.

Effective mitigation strategies/controls can reduce
negative risks or increase opportunities.

Residual risk is the level of risk after evaluating the
effectiveness of controls.

Acceptance and action should be based on residual risk
levels.
INHERENT
16
Slide 16
A Simple Framework
Step 1
Establish
Objectives
Step 2
Identify
Risks &
Controls
Step 3
Assess
Risks &
Controls
Step 4
Evaluate
& Take
Action
Step 5
Monitor
&
Report
Communicate, learn, improve
17
Risk Management is critical to ALL levels of decisions
UNCERTAINTY
Strategic Decisions
Stra
tegic
Decisions transferring
strategy into action
Prog
ramm
e
Stra
tegic
m
gra
Pr o
me
Decisions required for
implementation
Pr o
ject
&O
per
a
tion
al
ject
Pr o
al
tion
a
r
pe
&O
The HM Treasury’s The Orange Book
Decisions can be categorized into three types. The amount of risk (uncertainty) varies
with the type of decisions. Most decisions are concerned with implementation.18
The relationship between IRM & MOHLTC’s Complex Risk
Environment
External Risk Environment
re L a
gu ws
la &
tio
ns
ial
Political
Outcomes
nc
Fina
St
r
Po ateg
lic ic
y /
Communication
& Learning
Inf
Te orma
ch
no tion
log
y
Assess
rm
ati
on
Human
Resources
e
Th nom
o
Ec
y
LHINs
e ra
Op
n
tio
al
S
ex tak
pe eh
ct o l d
at e
io r
ns
Leg
Com al/
plian
ce
Ot
h
nis er
trie
s
er- s
rtn on
Pa izati
n
ga
Or
l
na
io
a t ce
iz an
a n rn
rg e
O Gov
Communication
& Learning
Ide
n
tify
t
en
ym
Pa ty &
fer bili e
ns nta
c
Tra ccou rnan
A o ve
G
Inf
o
h
is
bl
ta
tor
i
n
Mo
Es
Mi
MOHLTC
Risk Environment
Evaluate
Capacity
Communication
& Learning
ic n
bl tio
Pu cep
r
Pe
MOHLTC Extended
Enterprise
Corporate Governance
Requirements
19
Categorizing Risk – Comprehensive
1.
Political or Reputational Risk
2.
Financial Risk
3.
Service Delivery or Operational Risk
4.
People / HR Risk
5.
Information/Knowledge Risk
6.
Strategic / Policy Risk
7.
Stakeholder Satisfaction / Public Perception Risk
8.
Legal / Compliance Risk
9.
Technology Risk
10.
Governance / Organizational Risk
11.
Privacy Risk
12.
Security Risk
13.
Equity Risk
14. Patient Safety
NEW
20
Slide 20
Risk Prioritization – likelihood and impact
Likelihood of a risk event occurring

Very High: Is almost certain to occur

High: Is likely to occur

Medium: Is as likely as not to occur

Low: May occur occasionally

Very Low: Unlikely to occur
Risk Impact: Level of damage that
can occur when a risk event
occurs

Very High: Threatens the success of
the project

High: Substantial impact on time, cost
or quality

Medium: Notable impact on time,
cost or quality

Low: Minor impact on time, cost or
quality

Very Low: Negligible impact
21
Slide 21
Third dimension for rating risks - proximity

Immediate – now

Less than 6 months

Between 6-12 months

Between 12 – 24 months

Between 24 – 36 months

More than 36 months
22
Risk rating
…Combining impact and likelihood
RISK PRIORITIZATION MATRIX
5
RISK
IxL
IMPACT
4
RISK
IxL
3
2
RISK
IxL
1
1
2
3
4
LIKELIHOOD
Slide 23
5
23
Risk reporting and communications
Risk Level
Critical Risk
High Risk
Moderate Risk
Low Risk
Action and Level of Involvement Required
 Inform Chief Executive Officer and Board of Directors
 Immediate action required
 Inform Chief Executive Officer
 Strategy Team involvement/attention is essential to manage risks
– provide report to Board as appropriate
 Management mitigation and ongoing monitoring required
 Inform relevant Strategy Team members
 Accept, but monitor risks
 Manage by routine procedures within the program and site
24
25
Key Risk Indicators (KRIs) are linked to
strategy, performance and risk
Strategy & objectives
Risk
Cause
Consequence
KRI
Performance
KRIs need to be linked to strategy, objectives and target performance
levels, with a good understanding of the drivers to risk.
26
EXAMPLES OF KRIs
Human resource
• Average time to fill vacant
positions
• Staff absenteeism /sickness
rates
• Percentage of staff appraisals
below “satisfactory”
Age demographics of key
managers
Information Technology
• Systems usage versus
capacity
• Number of system upgrades/
version releases
• Number of help desk calls
Finance
• Daily P&L adjustments (#,
amt)
• Reporting deadlines missed
(#)
• Incomplete P&L sign-offs (#,
aged)
Legal/compliance
• Outstanding litigation cases
(#, amt)
• Compliance investigations (#)
• Customer complaints (#)
Audit
• Outstanding high risk issues
(#, aged)
• Audit findings (#, severity)
• Revised management action
target dates (#)
Risk management
• Management overrides
• Limit breaches (#, amt)
27
Measure and report RM implementation progress
• Advanced capabilities to identify, measure, manage all risk exposures within
tolerances
Excellent
Strong
• Advanced implementation, development and execution of ERM parameters
• Consistently optimizes risk adjusted returns throughout the organization
•
•
•
•
•
•
Adequate
•
•
Weak
Clear vision of risk tolerance and overall risk profile
Risk control exceeds adequate for most major risks
Has robust processes to identify and prepare for emerging risks
Incorporates risk management and decision making to optimize risk adjusted
returns
Has fully functioning control systems in place for all of their major risks
May lack a robust process for identifying and preparing for emerging risks
Performing good classical “silo” based risk management
Not fully developed process to optimize risk adjusted returns
• Incomplete control process for one or more major risks
• Inconsistent or limited capabilities to identify, measure or manage major risk
exposures
Source: Standard & Poor
28
Progress to Date – ERM Report Card
Quality of Care and Patient Safety
Corporate Governance
Operation & Business Support
Reputation and Public Image
Human Resources and Staff Relations
Financial Resources
Information Systems and Technology
Physical Assets
Legal and Regulatory
Environmental Health and Safety
Policies
Standards
29
An Approach to Risk Management

Establish centralized support

Develop a standardized framework

Provide education and coaching

Ensure ministry-wide implementation

Embed IRM into all major processes including strategic
planning and resource allocations decisions

Enable our stewardship role
30
The Approach

Incorporates risk information into the strategic directionsetting, making decisions that consider established risk
tolerance levels.

Takes a systems approach to managing risk at the
strategic, operational and project levels which is
continuous, proactive and systematic.

Fosters a working culture that values learning, innovation,
responsible risk-taking and continuous improvement.
31
Your toolkit – education, job aids, templates

We wanted to add value not work. We developed forms
and templates.

So we developed and delivered educational sessions –
usually attended by all team members. Included risk 101
and then time for the team members to discuss how to
apply concepts to their work.

We assisted teams in actual risk assessments. Sometimes
we used voting software.

We trained the trainer.
32
A Process for Embedding IRM
HAST Sessions
Risk 101
Presentation
Es
r
nito
Mo
h
is
bl
ta
Ide
nti
fy
Evaluate
Communication
& Learning
Assess
Management IRM
Planning Meeting
Risk Assessment
Workshop
Es
Communication
& Learning
Ide
nti
fy
Evaluate
h
is
bl
ta
r
nito
Mo
Components
Participant Outcomes
Introduction – Integrated Risk Management
Understanding of risk management process
Introduction to basic risk concepts and terminologies
Understanding of how risk management is relevant to their day-to-day
work
Introduction to the MOHLTC’s Integrated Risk
Framework
Knowledge of IRM in MOHLTC
Status of IRM in MOHLTC
(Most effective when followed-up with facilitated risk
assessment workshop or application to actual project)
Planning
Commitment to IRM implementation in area or stream of work
Discuss best way to implementation IRM in area
Risk management roles and responsibilities clearly defined
Proposed IRM implementation plan presented for area
Review of IRM roll-out; timelines , deliverables, related forums
Clarify roles & responsibilities for risk management
Commitment to continuous risk communication & learning
Facilitated Training – Identification of risks &
mitigation strategies
Hands-on experience allowing assimilation of consistent risk
management techniques
Identification of objectives
Hands-on practice of IRM process, enabling application of risk
management principles and tools to work
Brainstorming and identification of risks to meeting
objectives (for project, branch, initiative, etc. )
Greater understanding of work and inter-dependencies
Identification of source, mitigation strategies, ownership
and residual risk for each ‘risk category’
Assess
Risk Prioritization
& Voting
Workshop
Es
Communication
& Learning
Ide
nti
fy
Evaluate
h
is
bl
ta
M
or
onit
Risk follow-up
Session
Es
h
is
bl
ta
Ide
nti
fy
Evaluate
Communication
& Learning
Assess
Review of risks, mitigation strategies, ownership, residual risk to their
work in a seamless manner
Review of risks, mitigation strategies and ownership
Unbiased risk prioritization and identification of high risks
Anonymous voting on the impact and probability of each
risk
Enables application of complete risk management process to every
day work
Prioritization of risks on ‘heat map’
Discussion of mitigation strategies for high priority risks
Assess
r
nito
Mo
Facilitated Training – Assessment of mitigation
strategies & prioritization
Monitoring & Review
Review of risks and status
Review of risks six months after initial assessment
Continuous improvement
Review mitigation strategies and residual risks
33
IRM RISKS AND CONTROLS
The following table describes the risks and mitigating controls and related information. As controls are implemented or changed, their status will be updated.
Risk Rating Impact = significant, moderate or minor (S, M, m) and Likelihood = high, medium or low (H, M, or L)
Responsible Org &
Name (Implement /
ID Number Operate)
Risk
Category: Financial
None in this category
Category: Equity
None in this category
Category: Service Delivery or Operational
064
Person A
055 – Insufficient knowledge transfer
102 – Conflicting management
instructions
065
Person B
056 – Lack of communication (Serious
service delivery issues)
352 – Different business and IT
processes (incident management)
Control
Risk
Rating
(Impact)
Risk
Rating
(likelihood) Date Required Status
Update impacted policies and procedures M
for integration into knowledge support tools.
Harmonizing policies and procedures (e.g.,
access procedures – X has one and Y has
one – there needs to be one
process/policy/procedure).
M
31-Mar-09
Refer to Privacy
Action Plan Work on
Ongoing Operations
Commitments
Report
(a) IT incident and Triage (harmonization M
between IT and Business).
(b) X and Y need to develop an incident
management process/service to deal with
issues that arise during service delivery.
Roles and responsibilities need to be
defined in both organizations: from a
stewardship perspective on the ministry
side, and from a service delivery/reporting
perspective on the agency side. The
process/service ensures that incident/issues
are communicated as per agreement
requirements; well tracked and reported.
M
31-Mar-09
(a, b) Refer to
ongoing Operations
IRM document
34
35
36
37
The Cyclist and the Risk Manager
38
Interactive Session #2 – 15 minutes
 Identify risks that the cyclists faces in
cycling to work.
 Report back.
39
Risk Factors – the cyclist
.
40
Risk Factors – the weather, the road, visibility, the
bike, the lock
.
41
Risk Factors – the driver
.
42
Risks
Threats:
Opportunities:

Death

Exercise

Head Injury

Sunlight

Injury

Reputation

Reputation

Financial

Financial

Role model

Damage to the bike

Environment

Sunburn/frost bite
43
Mitigation Strategies for threats

Death, head injury, other injury – helmet, bright clothes, lights, bell,
CANbike course, obeying traffic laws, positive attitude, anger
management course

Reputation – great outfit, change of wrinkle-free clothes, shower,
time management

Financial – high quality locks, “beater”, stopping at stop signs

Damage to the bike – regular maintenance, avoiding pot holes

Sunburn/frost bite – sunscreen, mittens, hats, token/change

Dehydration- filled water bottle
44
ERM/IRM can be complex and messy
45
Keep it simple
46
Back at the office

Why is the organization interested in RM? What are they hoping
will be achieved with its implementation?

Who is doing what? Roles & responsibilities must be clearly
defined. Make sure Leadership supports RM and uses RM results to
make decisions. Everyone is a risk manager. Make sure that all risks
have owners and the responsibilities for mitigation are assigned

How will it be implemented? What is your framework? What is the
common language? How will risks be measured and reported?

Where will you start? Choices could be where you can most easily
succeed or where it is needed the most or where interest is high.

When will it be implemented? It is a journey not a destination; 3-5
years for complete roll-out; how often will risks be assessed; when
will mitigation plans be implemented and monitored; when will risks
be reported.
47
Ask questions and develop your approach

Do we understand our major risks? Do we know what is causing our
risks to increase, decrease or stay the same?

Have we assessed the likelihood and impact of our risks?

Have we identified the sources and causes of our risks?

How well are we managing our risks?

Are we trying to prevent the downside risks from happening? Or are
we trying to simply recover from them?

Who is accountable for these risks?

How do we talk about risk? Do we have a common language across
branches, across divisions, across the ministry, across the OPS, across
the health care system?

Are we taking too much risk? Or not enough risk?

Are the right people taking the right risks at the right time?

What’s our culture? Are we risk adverse or are we risk-takers? Or are
we somewhere in between?
48
TAKE SMALL BITES………. IRM IMPLEMENTATION
49
Questions?
50
The case - You are responsible for Risk Management
for:

Case 1 – The Pan Am Games 2015

Case 2 – The provincial response to the next Pandemic

Case 3 – The extension of Hwy 404

Case 4 – The rescue efforts in Haiti

Case 5 – Human Resources in the Ontario Public Services

Case 6 – A big teaching hospital in Toronto
51
The case

Consider the 13 categories of risk

Identify top 5 threats (downside) and top 5opportunities (upside)

Propose mitigation strategies

Discuss how the following risk factors would affect your assessment:
 Economy
 Demographics
 Weather
 Technology
 Timing of events such an election
 Others
52
Questions?
53