1 a practical approach to risk management financial management institute, toronto chapter february...
TRANSCRIPT
1
A Practical Approach to Risk Management
Financial Management Institute, Toronto Chapter
February 17 2010
Corinne Berinstein, BPT, MBA, MHSC, CA, CFI Health Audit Services Team
Ontario Internal Audit Division
2
Contact Info:
Corinne Berinstein, BPT, MBA, MHSC, CA, CFI, Certificate in Risk Management (Canadian Health Care Association
Senior Audit ManagerHealth Audit Services Team
Ontario Internal Audit DivisionProvince of Ontario
Office: 416-327-7798
eMail: [email protected]
3
Basic Concepts
4
Objectives of today’s session
Basic principles, concepts, definitions
A simple framework
Stocking your toolkit – education, job aids, templates
What are you going to do back in the office?
Q &A’s
A case – Let’s practice!
Outline
5
Objectives
Give you a practical approach, framework and tools so you can start implementing ERM when you get back to the office.
Share some lessons learned. Share some tips and tricks.
Practice concepts and tools with a case study so that you practice
6
The only alternative to risk management is crisis management --- and crisis management is much more expensive, time consuming and embarrassing.
JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003
Without good risk management practices, government cannot manage its
resources effectively. Risk management means more than preparing for
the worst; it also means taking advantage of opportunities to improve
services or lower costs. Sheila Fraser, Auditor General of Canada
Why do we need Risk Management?
7
Why bother with RM?
Increase risk awareness – What could affect the achievement of objectives? What could change? What could go wrong? What could go right?
Increase understanding of risk – sensitivities. What makes my risks increase/decrease/disappear?
Promote a “healthy” risk culture – It’s safe to talk about risk. Open and transparent.
Develop a common and consistent approach to risk across the organization. Not intuition-based.
8
Why bother with RM? Allows intelligent “informed” risk-taking.
Focuses efforts –helps prioritize. Top 10 list. Or top 3. Or…
Is proactive…. not reactive – Prepare for risks before they happen. Identify risks and develop appropriate risk mitigating strategies.
Improve outcomes – achievement of objectives (corporate, clinical, etc)
Really comes to down to simple good management
Enables accountability, transparency and responsibility
And maybe even mean survival
9
A risk is ANYTHING that may affect the achievement of an organization’s objectives.
It is the UNCERTAINTY that surrounds future events and outcomes.
It is the expression of the likelihood and impact of an event with the potential to influence the achievement of an organization’s objectives.
Basic principles, concepts, definitions
10
Threats and opportunities
Threat – a risk that may HINDER the achievement of objectives
Opportunities - a risk that may HELP in the achievement of objectives
Interest rates
Foreign exchange rates
Supply of service/product/resources
Demand/uptake for service/product/resources
The economy
The weather
The stock market
11
Interactive Session #1 – 10 minutes
Introduce yourselves to others at your table
Pick 1 risk – discuss it as both a threat and an opportunity
Report to the large group. Pick a spokesperson.
1
12
Definition of ERM
“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
13
Enterprise vs Integrated Risk Management
Similarities: Formal process
Consistent and systematic
Includes projects, programs, operations
Is embedded in key processes such as strategic planning, budgeting, project planning, evaluation, etc
Must be driven and supported by Leadership
Adds value to decision-making
Differences:Enterprise-wide: Is organizational-centricSuccess is defined as
implementation over the entire organization
Integrated:Take a systems-focusMay actually create risks for
individual organizations
14
Communication & Learning
Monitor
Ev
aluate
Assess
IdentifyEstablish
Communication & Learning
Monitor
Evalu
ate
Assess
IdentifyEstablish
Communication & Learning
Monitor
Evalu
ate
Assess
IdentifyEstablish
Periodic Summary Analysis & Report
Enterprise Risk Management
Communication & Learning
Monitor
Evalu
ate
Assess
IdentifyEstablish
Communication & Learning
Monitor
Ev
aluate
Assess
IdentifyEstablish
Communication & Learning
Monitor
Ev
aluate
Assess
IdentifyEstablish
Communication & Learning
Monitor
Ev
alu
ate
Assess
IdentifyEstablish
Communication & Learning
Monitor
Ev
alu
ate
Assess
IdentifyEstablish
Communication & Learning
Monitor
Ev
alu
ate
Assess
IdentifyEstablish
Periodic Summary Analysis & Report
Communication & Learning
Monitor
Evalu
ate
AssessIdentify
Establish
Division Level
Branch Level
Unit or Project Level
15
Communication & Learning
Monitor
Ev
aluate
Assess
IdentifyEstablish
Communication & Learning
Monitor
Evalu
ate
Assess
IdentifyEstablish
Communication & Learning
Monitor
Evalu
ate
Assess
IdentifyEstablish
Periodic Summary Analysis & Report
Integrated Risk Management
Communication & Learning
Monitor
Evalu
ate
Assess
IdentifyEstablish
Communication & Learning
Monitor
Ev
aluate
Assess
IdentifyEstablish
Communication & Learning
Monitor
Ev
aluate
Assess
IdentifyEstablish
Communication & Learning
Monitor
Ev
alu
ate
Assess
IdentifyEstablish
Communication & Learning
Monitor
Ev
alu
ate
Assess
IdentifyEstablish
Communication & Learning
Monitor
Ev
alu
ate
Assess
IdentifyEstablish
Periodic Summary Analysis & Report
Communication & Learning
Monitor
Evalu
ate
AssessIdentify
Establish
System
Level
Regional Level
Organiz-ational Level
16 Slide 16
Risk Management Basics Risk (uncertainty) may affect the achievement of
objectives. Effective mitigation strategies/controls can reduce
negative risks or increase opportunities.
Residual risk is the level of risk after evaluating the effectiveness of controls.
Acceptance and action should be based on residual risk levels.
INHERENT
17
A Simple Framework
Evaluate & Take Action
Evaluate & Take Action
EstablishObjectives
EstablishObjectives
IdentifyRisks & Controls
IdentifyRisks & Controls
AssessRisks & Controls
AssessRisks & Controls
Monitor& Report
Monitor& Report
Step 1 Step 2 Step 3 Step 4 Step 5
Communicate, learn, improve
18
Risk Management is critical to ALL levels of decisions
Decisions can be categorized into three types. The amount of risk (uncertainty) varies with the type of decisions. Most decisions are concerned with implementation.
UNCERTAINTY
Strategic Strategic
Programme Programme
Project & Operational Project & Operational
Strategic Decisions
Decisions transferring strategy into action
Decisions required for implementation
The HM Treasury’s The Orange Book
19
The relationship between IRM & MOHLTC’s Complex Risk Environment
MOHLTC Extended Enterprise
External Risk Environment
MOHLTCRisk Environment
Laws &
regu
lation
s
Ca
pa
city
The Econom
y
Corporate Governance Requirements
Stake
holde
r
expe
ctatio
ns
Po
litical
Ou
tcome
s
Public
Perception
Oth
er
Min
istri
esP
artner-
Organizations
LHINs
Financial
Organizational
Governance
Human Resources
Information
Info
rmat
ion
Tech
nolo
gy
Lega
l/C
ompl
ianc
e
Operational
Strate
gic/
Policy
Transfer Paym
ent
Accountability &
Governance
Communication & Learning
Monitor
Evalu
ate
Assess
IdentifyEstablish
Communication& Learning
Communication& Learning
20 Slide 20
Categorizing Risk – Comprehensive1. Political or Reputational Risk
2. Financial Risk
3. Service Delivery or Operational Risk
4. People / HR Risk
5. Information/Knowledge Risk
6. Strategic / Policy Risk
7. Stakeholder Satisfaction / Public Perception Risk
8. Legal / Compliance Risk
9. Technology Risk
10. Governance / Organizational Risk
11. Privacy Risk
12. Security Risk
13. Equity Risk
14. Patient SafetyNEW
21 Slide 21
Risk Prioritization – likelihood and impact
Likelihood of a risk event occurring
Very High: Is almost certain to occur
High: Is likely to occur
Medium: Is as likely as not to occur
Low: May occur occasionally
Very Low: Unlikely to occur
Risk Impact: Level of damage that can occur when a risk event occurs
Very High: Threatens the success of the project
High: Substantial impact on time, cost or quality
Medium: Notable impact on time, cost or quality
Low: Minor impact on time, cost or quality
Very Low: Negligible impact
22
Third dimension for rating risks - proximity
Immediate – now
Less than 6 months
Between 6-12 months
Between 12 – 24 months
Between 24 – 36 months
More than 36 months
23 Slide 23
Risk rating …Combining impact and likelihood
LIKELIHOOD
IMP
AC
T
1
1
2
2
3
3
4
4
5
5
RISKI x L
RISKI x L
RISKI x L
RISK PRIORITIZATION MATRIX
24
Risk Level Action and Level of Involvement Required
Critical Risk Inform Chief Executive Officer and Board of Directors Immediate action required
High Risk Inform Chief Executive Officer Strategy Team involvement/attention is essential to manage risks
– provide report to Board as appropriate
Moderate Risk Management mitigation and ongoing monitoring required Inform relevant Strategy Team members
Low Risk Accept, but monitor risks Manage by routine procedures within the program and site
Risk reporting and communications
25
26
Key Risk Indicators (KRIs) are linked to strategy, performance and risk
Risk
Consequence
Strategy & objectives
Cause
KRI
KRIs need to be linked to strategy, objectives and target performance levels, with a good understanding of the drivers to risk.KRIs need to be linked to strategy, objectives and target performance levels, with a good understanding of the drivers to risk.
Performance
27
EXAMPLES OF KRIs
Human resource• Average time to fill vacant positions• Staff absenteeism /sickness rates• Percentage of staff appraisals below “satisfactory”Age demographics of key managers
Information Technology• Systems usage versus capacity• Number of system upgrades/ version releases• Number of help desk calls
Finance• Daily P&L adjustments (#, amt)• Reporting deadlines missed (#)• Incomplete P&L sign-offs (#, aged)
Legal/compliance• Outstanding litigation cases (#, amt)• Compliance investigations (#)• Customer complaints (#)
Audit• Outstanding high risk issues (#, aged)• Audit findings (#, severity)• Revised management action target dates (#)
Risk management• Management overrides• Limit breaches (#, amt)
28
Measure and report RM implementation progress
Excellent
• Advanced capabilities to identify, measure, manage all risk exposures within tolerances
• Advanced implementation, development and execution of ERM parameters
• Consistently optimizes risk adjusted returns throughout the organization
Strong
• Clear vision of risk tolerance and overall risk profile
• Risk control exceeds adequate for most major risks
• Has robust processes to identify and prepare for emerging risks
• Incorporates risk management and decision making to optimize risk adjusted returns
Adequate
• Has fully functioning control systems in place for all of their major risks
• May lack a robust process for identifying and preparing for emerging risks
• Performing good classical “silo” based risk management
• Not fully developed process to optimize risk adjusted returns
Weak• Incomplete control process for one or more major risks
• Inconsistent or limited capabilities to identify, measure or manage major risk exposures
Source: Standard & Poor
29
Progress to Date – ERM Report Card
Quality of Care and Patient Safety Quality of Care and Patient Safety
Corporate Governance Corporate Governance
Operation & Business SupportOperation & Business Support
Reputation and Public ImageReputation and Public Image
Human Resources and Staff RelationsHuman Resources and Staff Relations
Financial ResourcesFinancial Resources
Information Systems and TechnologyInformation Systems and Technology
Physical AssetsPhysical Assets
Legal and RegulatoryLegal and Regulatory
Environmental Health and SafetyEnvironmental Health and Safety
Policies Policies
StandardsStandards
30
An Approach to Risk Management
Establish centralized support
Develop a standardized framework
Provide education and coaching
Ensure ministry-wide implementation
Embed IRM into all major processes including strategic planning and resource allocations decisions
Enable our stewardship role
31
The Approach
Incorporates risk information into the strategic direction-setting, making decisions that consider established risk tolerance levels.
Takes a systems approach to managing risk at the strategic, operational and project levels which is continuous, proactive and systematic.
Fosters a working culture that values learning, innovation, responsible risk-taking and continuous improvement.
32
We wanted to add value not work. We developed forms and templates.
So we developed and delivered educational sessions – usually attended by all team members. Included risk 101 and then time for the team members to discuss how to apply concepts to their work.
We assisted teams in actual risk assessments. Sometimes we used voting software.
We trained the trainer.
Your toolkit – education, job aids, templates
33
A Process for Embedding IRM HAST Sessions Components Participant Outcomes
Risk 101 Presentation
Introduction – Integrated Risk Management
Introduction to basic risk concepts and terminologies
Introduction to the MOHLTC’s Integrated Risk Framework
Status of IRM in MOHLTC
(Most effective when followed-up with facilitated risk assessment workshop or application to actual project)
Understanding of risk management process
Understanding of how risk management is relevant to their day-to-day work
Knowledge of IRM in MOHLTC
Management IRM Planning Meeting
Planning
Discuss best way to implementation IRM in area
Proposed IRM implementation plan presented for area
Clarify roles & responsibilities for risk management
Commitment to IRM implementation in area or stream of work
Risk management roles and responsibilities clearly defined
Review of IRM roll-out; timelines , deliverables, related forums
Commitment to continuous risk communication & learning
Risk Assessment Workshop
Facilitated Training – Identification of risks & mitigation strategies
Identification of objectives
Brainstorming and identification of risks to meeting objectives (for project, branch, initiative, etc. )
Identification of source, mitigation strategies, ownership and residual risk for each ‘risk category’
Hands-on experience allowing assimilation of consistent risk management techniques
Hands-on practice of IRM process, enabling application of risk management principles and tools to work
Greater understanding of work and inter-dependencies
Risk Prioritization & Voting Workshop
Facilitated Training – Assessment of mitigation strategies & prioritization
Review of risks, mitigation strategies and ownership
Anonymous voting on the impact and probability of each risk
Prioritization of risks on ‘heat map’
Discussion of mitigation strategies for high priority risks
Review of risks, mitigation strategies, ownership, residual risk to their work in a seamless manner
Unbiased risk prioritization and identification of high risks
Enables application of complete risk management process to every day work
Risk follow-up Session
Monitoring & Review
Review of risks six months after initial assessment
Review mitigation strategies and residual risks
Review of risks and status
Continuous improvement
Communication & Learning
Monitor
Ev
alu
ate
Assess
IdentifyEstablish
Communication & Learning
Monitor
Ev
alu
ate
Assess
IdentifyEstablish
Communication & Learning
Monitor
Ev
alu
ate
Assess
IdentifyEstablish
Communication & Learning
Monitor
Ev
alu
ate
Assess
IdentifyEstablish
34
The following table describes the risks and mitigating controls and related information. As controls are implemented or changed, their status will be updated.Risk Rating Impact = significant, moderate or minor (S, M, m) and Likelihood = high, medium or low (H, M, or L)
ID Number
Responsible Org & Name (Implement / Operate) Risk Control
Risk Rating (Impact)
Risk Rating (likelihood) Date Required Status
Category: Financial
Category: Equity
Category: Service Delivery or Operational064 Person A 055 – Insufficient knowledge transfer
102 – Conflicting management instructions
Update impacted policies and procedures for integration into knowledge support tools. Harmonizing policies and procedures (e.g., access procedures – X has one and Y has one – there needs to be one process/policy/procedure).
M M 31-Mar-09 Refer to Privacy Action Plan Work on Ongoing Operations Commitments Report
065 Person B 056 – Lack of communication (Serious service delivery issues) 352 – Different business and IT processes (incident management)
(a) IT incident and Triage (harmonization between IT and Business). (b) X and Y need to develop an incident management process/service to deal with issues that arise during service delivery. Roles and responsibilities need to be defined in both organizations: from a stewardship perspective on the ministry side, and from a service delivery/reporting perspective on the agency side. The process/service ensures that incident/issues are communicated as per agreement requirements; well tracked and reported.
M M 31-Mar-09 (a, b) Refer to ongoing Operations IRM document
IRM RISKS AND CONTROLS
None in this category
None in this category
35
36
37
38
The Cyclist and the Risk Manager
39
Interactive Session #2 – 15 minutes
Identify risks that the cyclists faces in cycling to work.
Report back.
1
40
Risk Factors – the cyclist
.
41
Risk Factors – the weather, the road, visibility, the bike, the lock
.
42
Risk Factors – the driver
.
43
RisksThreats:
Death
Head Injury
Injury
Reputation
Financial
Damage to the bike
Sunburn/frost bite
Opportunities:
Exercise
Sunlight
Reputation
Financial
Role model
Environment
44
Mitigation Strategies for threats Death, head injury, other injury – helmet, bright clothes, lights, bell,
CANbike course, obeying traffic laws, positive attitude, anger management course
Reputation – great outfit, change of wrinkle-free clothes, shower, time management
Financial – high quality locks, “beater”, stopping at stop signs
Damage to the bike – regular maintenance, avoiding pot holes
Sunburn/frost bite – sunscreen, mittens, hats, token/change
Dehydration- filled water bottle
45
ERM/IRM can be complex and messy
46
Keep it simple
47
Back at the office Why is the organization interested in RM? What are they hoping
will be achieved with its implementation?
Who is doing what? Roles & responsibilities must be clearly defined. Make sure Leadership supports RM and uses RM results to make decisions. Everyone is a risk manager. Make sure that all risks have owners and the responsibilities for mitigation are assigned
How will it be implemented? What is your framework? What is the common language? How will risks be measured and reported?
Where will you start? Choices could be where you can most easily succeed or where it is needed the most or where interest is high.
When will it be implemented? It is a journey not a destination; 3-5 years for complete roll-out; how often will risks be assessed; when will mitigation plans be implemented and monitored; when will risks be reported.
48
Ask questions and develop your approach Do we understand our major risks? Do we know what is causing our risks to
increase, decrease or stay the same?
Have we assessed the likelihood and impact of our risks?
Have we identified the sources and causes of our risks?
How well are we managing our risks?
Are we trying to prevent the downside risks from happening? Or are we trying to simply recover from them?
Who is accountable for these risks?
How do we talk about risk? Do we have a common language across branches, across divisions, across the ministry, across the OPS, across the health care system?
Are we taking too much risk? Or not enough risk?
Are the right people taking the right risks at the right time?
What’s our culture? Are we risk adverse or are we risk-takers? Or are we somewhere in between?
49
TAKE SMALL BITES………. IRM IMPLEMENTATION
50
Questions?
51
Case 1 – The Pan Am Games 2015
Case 2 – The provincial response to the next Pandemic
Case 3 – The extension of Hwy 404
Case 4 – The rescue efforts in Haiti
Case 5 – Human Resources in the Ontario Public Services
Case 6 – A big teaching hospital in Toronto
The case - You are responsible for Risk Management for:
52
Consider the 13 categories of risk
Identify top 5 threats (downside) and top 5opportunities (upside)
Propose mitigation strategies
Discuss how the following risk factors would affect your assessment: Economy Demographics Weather Technology Timing of events such an election Others
The case
53
Questions?