A Practical Approach to Risk Management - Financial Management ...

Dec 13, 2013

1

A Practical Approach to Risk Management

Financial Management Institute, Toronto Chapter



February 17 2010







Corinne Berinstein, BPT, MBA, MHSC, CA, CFI

Health Audit Services Team

Ontario Internal Audit Division



2

Contact Info:

Corinne Berinstein, BPT, MBA, MHSC, CA, CFI, Certificate in Risk Management (Canadian Health Care Association)

Senior Audit Manager

Health Audit Services Team

Ontario Internal Audit Division

Province of Ontario

Office: 416-327-7798

eMail: corinne.berinstein1@ontario.ca



3

Basic Concepts


4


Outline

Objectives of today’s session:

• Basic principles, concepts, definitions
• A simple framework
• Stocking your toolkit: education, job aids, templates
• What are you going to do back in the office?
• Q&A’s
• A case: let’s practice!

5

Objectives

• Give you a practical approach, framework and tools so you can start implementing ERM when you get back to the office.
• Share some lessons learned. Share some tips and tricks.
• Practice concepts and tools with a case study so that you get hands-on practice.



6

Why do we need Risk Management?

“The only alternative to risk management is crisis management, and crisis management is much more expensive, time consuming and embarrassing.”

James Lam, Enterprise Risk Management, Wiley Finance © 2003

“Without good risk management practices, government cannot manage its resources effectively. Risk management means more than preparing for the worst; it also means taking advantage of opportunities to improve services or lower costs.”

Sheila Fraser, Auditor General of Canada

7

Why bother with RM?

• Increase risk awareness: What could affect the achievement of objectives? What could change? What could go wrong? What could go right?
• Increase understanding of risk sensitivities: What makes my risks increase/decrease/disappear?
• Promote a “healthy” risk culture: It’s safe to talk about risk. Open and transparent.
• Develop a common and consistent approach to risk across the organization. Not intuition-based.

8

Why bother with RM?

• Allows intelligent “informed” risk-taking.
• Focuses efforts: helps prioritize. Top 10 list. Or top 3. Or…
• Is proactive, not reactive: prepare for risks before they happen. Identify risks and develop appropriate risk mitigating strategies.
• Improves outcomes: achievement of objectives (corporate, clinical, etc.)
• Really comes down to simple good management.
• Enables accountability, transparency and responsibility.
• And may even mean survival.

9

Basic principles, concepts, definitions

A risk is ANYTHING that may affect the achievement of an organization’s objectives.

It is the UNCERTAINTY that surrounds future events and outcomes.

It is the expression of the likelihood and impact of an event with the potential to influence the achievement of an organization’s objectives.

10

Threats and opportunities

Threat: a risk that may HINDER the achievement of objectives

Opportunity: a risk that may HELP in the achievement of objectives

Examples:

• Interest rates
• Foreign exchange rates
• Supply of service/product/resources
• Demand/uptake for service/product/resources
• The economy
• The weather
• The stock market
11

Interactive Session #1 (10 minutes)

• Introduce yourselves to others at your table
• Pick 1 risk and discuss it as both a threat and an opportunity
• Report to the large group. Pick a spokesperson.

12

Definition of ERM

“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Source: COSO Enterprise Risk Management – Integrated Framework. 2004. The Committee of Sponsoring Organizations of the Treadway Commission (COSO)

13

Enterprise vs Integrated Risk Management

Similarities:

• Formal process
• Consistent and systematic
• Includes projects, programs, operations
• Is embedded in key processes such as strategic planning, budgeting, project planning, evaluation, etc.
• Must be driven and supported by Leadership
• Adds value to decision-making

Differences:

Enterprise-wide:
• Is organizational-centric
• Success is defined as implementation over the entire organization

Integrated:
• Takes a systems focus
• May actually create risks for individual organizations

14

[Diagram: Enterprise Risk Management. The same risk management cycle (Establish, Identify, Assess, Evaluate, Monitor, with Communication & Learning throughout) is repeated at the Division Level, the Branch Level and the Unit or Project Level, each feeding a Periodic Summary Analysis & Report.]
15

[Diagram: Integrated Risk Management. The same risk management cycle (Establish, Identify, Assess, Evaluate, Monitor, with Communication & Learning throughout) is repeated at the System Level, the Regional Level and the Organizational Level, each feeding a Periodic Summary Analysis & Report.]

16


Risk Management Basics

• Risk (uncertainty) may affect the achievement of objectives.
• Effective mitigation strategies/controls can reduce negative risks or increase opportunities.
• Residual risk is the level of risk after evaluating the effectiveness of controls.
• Acceptance and action should be based on residual risk levels.

[Diagram label: INHERENT]

17

A Simple Framework

Step 1: Establish Objectives
Step 2: Identify Risks & Controls
Step 3: Assess Risks & Controls
Step 4: Evaluate & Take Action
Step 5: Monitor & Report

Throughout: Communicate, learn, improve

18

Risk Management is critical to ALL levels of decisions

Decisions can be categorized into three types. The amount of risk (uncertainty) varies with the type of decisions. Most decisions are concerned with implementation.

[Diagram: three tiers of decision, Strategic (strategic decisions), Programme (decisions transferring strategy into action) and Project & Operational (decisions required for implementation), set against an UNCERTAINTY axis.]

Source: HM Treasury, The Orange Book

19

The relationship between IRM & MOHLTC’s Complex Risk Environment

[Diagram of nested environments with the risk management cycle (Establish, Identify, Assess, Evaluate, Monitor, Communication & Learning) at the centre:
• External Risk Environment: Laws & regulations; Capacity; The Economy; Corporate Governance Requirements; Stakeholder expectations; Political Outcomes; Public Perception
• MOHLTC Extended Enterprise: Other Ministries; Partner Organizations; LHINs
• MOHLTC Risk Environment: Financial; Organizational Governance; Human Resources; Information; Information Technology; Legal/Compliance; Operational; Strategic/Policy; Transfer Payment Accountability & Governance]

20

Categorizing Risk: Comprehensive

1. Political or Reputational Risk
2. Financial Risk
3. Service Delivery or Operational Risk
4. People / HR Risk
5. Information/Knowledge Risk
6. Strategic / Policy Risk
7. Stakeholder Satisfaction / Public Perception Risk
8. Legal / Compliance Risk
9. Technology Risk
10. Governance / Organizational Risk
11. Privacy Risk
12. Security Risk
13. Equity Risk
14. Patient Safety (NEW)

21


Risk Prioritization: likelihood and impact

Likelihood of a risk event occurring:

• Very High: Is almost certain to occur
• High: Is likely to occur
• Medium: Is as likely as not to occur
• Low: May occur occasionally
• Very Low: Unlikely to occur

Risk Impact: Level of damage that can occur when a risk event occurs:

• Very High: Threatens the success of the project
• High: Substantial impact on time, cost or quality
• Medium: Notable impact on time, cost or quality
• Low: Minor impact on time, cost or quality
• Very Low: Negligible impact

22

Third dimension for rating risks: proximity

• Immediate (now)
• Less than 6 months
• Between 6-12 months
• Between 12-24 months
• Between 24-36 months
• More than 36 months

23


Risk rating: combining impact and likelihood

RISK PRIORITIZATION MATRIX (RISK = I x L, impact and likelihood each rated 1-5):

IMPACT \ LIKELIHOOD    1    2    3    4    5
         1             1    2    3    4    5
         2             2    4    6    8   10
         3             3    6    9   12   15
         4             4    8   12   16   20
         5             5   10   15   20   25
24



Risk reporting and communications

Risk Level | Action and Level of Involvement Required

Critical Risk
• Inform Chief Executive Officer and Board of Directors
• Immediate action required

High Risk
• Inform Chief Executive Officer
• Strategy Team involvement/attention is essential to manage risks; provide report to Board as appropriate

Moderate Risk
• Management mitigation and ongoing monitoring required
• Inform relevant Strategy Team members

Low Risk
• Accept, but monitor risks
• Manage by routine procedures within the program and site
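A small register-scoring helper, added here as an example (it is not code from the presentation), that applies RISK = I x L on the deck’s 1-5 scales, maps the score to the Critical/High/Moderate/Low action levels above, breaks ties with the proximity dimension and places entries on a heat map. The numeric score cut-offs, the Risk class and the cyclist sample register are assumptions made for the example.

```python
"""Risk register prioritization on the deck's I x L matrix (added example, not
from the presentation). Likelihood and impact use the slides' 1-5 scales and
proximity is the third dimension; the score-to-level cut-offs are ASSUMED."""
from dataclasses import dataclass

SCALE = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}
# Proximity bands from the deck, nearest first; used only as a tie-breaker.
PROXIMITY = ["Immediate", "Less than 6 months", "6-12 months",
             "12-24 months", "24-36 months", "More than 36 months"]
# ASSUMED score floors (not on the slides): score >= floor gives the level.
LEVELS = [(20, "Critical"), (12, "High"), (6, "Moderate"), (1, "Low")]
ACTIONS = {  # wording from the deck's risk level / action table
    "Critical": "Inform CEO and Board of Directors; immediate action required",
    "High": "Inform CEO; Strategy Team involvement essential; report to Board as appropriate",
    "Moderate": "Management mitigation and ongoing monitoring; inform relevant Strategy Team members",
    "Low": "Accept but monitor; manage by routine procedures within the program and site",
}

@dataclass(frozen=True)
class Risk:  # hypothetical register entry
    id: str
    description: str
    likelihood: str  # a SCALE key
    impact: str      # a SCALE key
    proximity: str   # a PROXIMITY entry

def score(risk: Risk) -> int:
    """RISK = I x L on the 1-5 scales; rejects ratings outside the scale."""
    for rating in (risk.likelihood, risk.impact):
        if rating not in SCALE:
            raise ValueError(f"{risk.id}: unknown rating {rating!r}")
    return SCALE[risk.impact] * SCALE[risk.likelihood]

def level(s: int) -> str:
    """Map a 1..25 score to an action level using the ASSUMED floors."""
    if not 1 <= s <= 25:
        raise ValueError(f"score {s} outside 1..25")
    return next(name for floor, name in LEVELS if s >= floor)

def prioritize(register, top=None):
    """Rank by score (desc), then nearest proximity, then id; keep `top`."""
    key = lambda r: (-score(r), PROXIMITY.index(r.proximity), r.id)
    ranked = sorted(register, key=key)[:top]
    return [(r.id, score(r), level(score(r)), ACTIONS[level(score(r))]) for r in ranked]

def heat_map(register):
    """5x5 grid indexed [impact-1][likelihood-1] holding the ids in each cell."""
    grid = [[[] for _ in range(5)] for _ in range(5)]
    for r in register:
        grid[SCALE[r.impact] - 1][SCALE[r.likelihood] - 1].append(r.id)
    return grid

# Constructed sample register based on the deck's cyclist case (ratings invented).
REGISTER = [
    Risk("R1", "Head injury in a collision", "Low", "Very High", "6-12 months"),
    Risk("R2", "Bike stolen from a weak lock", "High", "Medium", "Immediate"),
    Risk("R3", "Sunburn or frostbite", "Very High", "Low", "Less than 6 months"),
    Risk("R4", "Damage from pot holes", "Medium", "Medium", "12-24 months"),
    Risk("R5", "Dehydration on a long ride", "Medium", "Low", "More than 36 months"),
]

if __name__ == "__main__":
    for row in prioritize(REGISTER, top=3):
        print(*row, sep=" | ")  # R2 (score 12, High) ranks first
```

Note that R1 and R3 both score 10 and end up in the same Moderate band; only the proximity tie-break separates them, which is exactly the situation the third dimension is meant to resolve.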

25

26

Key Risk Indicators (KRIs) are linked to strategy, performance and risk

[Diagram: Strategy & objectives, Cause, Risk, Consequence and Performance, with the KRI attached to the chain.]

KRIs need to be linked to strategy, objectives and target performance levels, with a good understanding of the drivers to risk.


27

EXAMPLES OF KRIs

Human resource
• Average time to fill vacant positions
• Staff absenteeism/sickness rates
• Percentage of staff appraisals below “satisfactory”
• Age demographics of key managers

Information Technology
• Systems usage versus capacity
• Number of system upgrades/version releases
• Number of help desk calls

Finance
• Daily P&L adjustments (#, amt)
• Reporting deadlines missed (#)
• Incomplete P&L sign-offs (#, aged)

Legal/compliance
• Outstanding litigation cases (#, amt)
• Compliance investigations (#)
• Customer complaints (#)

Audit
• Outstanding high risk issues (#, aged)
• Audit findings (#, severity)
• Revised management action target dates (#)

Risk management
• Management overrides
• Limit breaches (#, amt)

28




Measure and report RM implementation progress

Excellent
• Advanced capabilities to identify, measure, manage all risk exposures within tolerances
• Advanced implementation, development and execution of ERM parameters
• Consistently optimizes risk adjusted returns throughout the organization

Strong
• Clear vision of risk tolerance and overall risk profile
• Risk control exceeds adequate for most major risks
• Has robust processes to identify and prepare for emerging risks
• Incorporates risk management and decision making to optimize risk adjusted returns

Adequate
• Has fully functioning control systems in place for all of their major risks
• May lack a robust process for identifying and preparing for emerging risks
• Performing good classical “silo” based risk management
• Not fully developed process to optimize risk adjusted returns

Weak
• Incomplete control process for one or more major risks
• Inconsistent or limited capabilities to identify, measure or manage major risk exposures

Source: Standard & Poor’s

29

Progress to Date: ERM Report Card

[Report card columns: Policies; Standards. Rows:]
• Quality of Care and Patient Safety
• Corporate Governance
• Operation & Business Support
• Reputation and Public Image
• Human Resources and Staff Relations
• Financial Resources
• Information Systems and Technology
• Physical Assets
• Legal and Regulatory
• Environmental Health and Safety

30

An Approach to Risk Management

• Establish centralized support
• Develop a standardized framework
• Provide education and coaching
• Ensure ministry-wide implementation
• Embed IRM into all major processes including strategic planning and resource allocation decisions
• Enable our stewardship role


31

The Approach

• Incorporates risk information into the strategic direction-setting, making decisions that consider established risk tolerance levels.
• Takes a systems approach to managing risk at the strategic, operational and project levels which is continuous, proactive and systematic.
• Fosters a working culture that values learning, innovation, responsible risk-taking and continuous improvement.

32


Your toolkit: education, job aids, templates

• We wanted to add value not work. We developed forms and templates.
• So we developed and delivered educational sessions, usually attended by all team members. Included risk 101 and then time for the team members to discuss how to apply concepts to their work.
• We assisted teams in actual risk assessments. Sometimes we used voting software.
• We trained the trainer.

33

A Process for Embedding IRM

HAST Sessions | Components | Participant Outcomes

Risk 101 Presentation
Components (Introduction):
• Integrated Risk Management
• Introduction to basic risk concepts and terminologies
• Introduction to the MOHLTC’s Integrated Risk Framework
• Status of IRM in MOHLTC
(Most effective when followed up with facilitated risk assessment workshop or application to actual project)
Participant Outcomes:
• Understanding of risk management process
• Understanding of how risk management is relevant to their day-to-day work
• Knowledge of IRM in MOHLTC

Management IRM Planning Meeting
Components (Planning):
• Discuss best way to implement IRM in area
• Proposed IRM implementation plan presented for area
• Clarify roles & responsibilities for risk management
Participant Outcomes:
• Commitment to IRM implementation in area or stream of work
• Risk management roles and responsibilities clearly defined
• Review of IRM roll-out; timelines, deliverables, related forums
• Commitment to continuous risk communication & learning

Risk Assessment Workshop
Components (Facilitated Training: identification of risks & mitigation strategies):
• Identification of objectives
• Brainstorming and identification of risks to meeting objectives (for project, branch, initiative, etc.)
• Identification of source, mitigation strategies, ownership and residual risk for each ‘risk category’
Participant Outcomes:
• Hands-on experience allowing assimilation of consistent risk management techniques
• Hands-on practice of IRM process, enabling application of risk management principles and tools to work
• Greater understanding of work and inter-dependencies

Risk Prioritization & Voting Workshop
Components (Facilitated Training: assessment of mitigation strategies & prioritization):
• Review of risks, mitigation strategies and ownership
• Anonymous voting on the impact and probability of each risk
• Prioritization of risks on ‘heat map’
• Discussion of mitigation strategies for high priority risks
Participant Outcomes:
• Review of risks, mitigation strategies, ownership, residual risk to their work in a seamless manner
• Unbiased risk prioritization and identification of high risks
• Enables application of complete risk management process to every day work

Risk follow-up Session
Components (Monitoring & Review):
• Review of risks six months after initial assessment
• Review mitigation strategies and residual risks
Participant Outcomes:
• Review of risks and status
• Continuous improvement

[Diagram: the risk management cycle (Establish, Identify, Assess, Evaluate, Monitor, Communication & Learning) shown alongside the sessions.]
34

IRM RISKS AND CONTROLS

The following table describes the risks and mitigating controls and related information. As controls are implemented or changed, their status will be updated.

Risk Rating: Impact = significant, moderate or minor (S, M, m) and Likelihood = high, medium or low (H, M, or L)

Columns: ID Number | Responsible Org & Name (Implement / Operate) | Risk | Control | Risk Rating (Impact) | Risk Rating (Likelihood) | Date Required | Status

Category: Financial
None in this category

Category: Equity
None in this category

Category: Service Delivery or Operational

ID 064 | Person A
Risk: 055 – Insufficient knowledge transfer; 102 – Conflicting management instructions
Control: Update impacted policies and procedures for integration into knowledge support tools. Harmonizing policies and procedures (e.g., access procedures – X has one and Y has one – there needs to be one process/policy/procedure).
Impact: M | Likelihood: M | Date Required: 31-Mar-09
Status: Refer to Privacy Action Plan Work on Ongoing Operations Commitments Report

ID 065 | Person B
Risk: 056 – Lack of communication (Serious service delivery issues); 352 – Different business and IT processes (incident management)
Control: (a) IT incident and Triage (harmonization between IT and Business). (b) X and Y need to develop an incident management process/service to deal with issues that arise during service delivery. Roles and responsibilities need to be defined in both organizations: from a stewardship perspective on the ministry side, and from a service delivery/reporting perspective on the agency side. The process/service ensures that incident/issues are communicated as per agreement requirements; well tracked and reported.
Impact: M | Likelihood: M | Date Required: 31-Mar-09
Status: (a, b) Refer to ongoing Operations IRM document
35


36

37

38

The Cyclist and the Risk Manager










39

Interactive Session #2 (15 minutes)

• Identify risks that the cyclist faces in cycling to work.
• Report back.

40

Risk Factors: the cyclist.

41

Risk Factors: the weather, the road, visibility, the bike, the lock.

42

Risk Factors: the driver.


43

Risks

Threats:
• Death
• Head Injury
• Injury
• Reputation
• Financial
• Damage to the bike
• Sunburn/frost bite

Opportunities:
• Exercise
• Sunlight
• Reputation
• Financial
• Role model
• Environment

44

Mitigation Strategies for threats

• Death, head injury, other injury: helmet, bright clothes, lights, bell, CANbike course, obeying traffic laws, positive attitude, anger management course
• Reputation: great outfit, change of wrinkle-free clothes, shower, time management
• Financial: high quality locks, “beater”, stopping at stop signs
• Damage to the bike: regular maintenance, avoiding pot holes
• Sunburn/frost bite: sunscreen, mittens, hats, token/change
• Dehydration: filled water bottle



45

ERM/IRM can be complex and messy

46

Keep it simple
























47


Back at the office

• Why is the organization interested in RM? What are they hoping will be achieved with its implementation?
• Who is doing what? Roles & responsibilities must be clearly defined. Make sure Leadership supports RM and uses RM results to make decisions. Everyone is a risk manager. Make sure that all risks have owners and the responsibilities for mitigation are assigned.
• How will it be implemented? What is your framework? What is the common language? How will risks be measured and reported?
• Where will you start? Choices could be where you can most easily succeed or where it is needed the most or where interest is high.
• When will it be implemented? It is a journey not a destination; 3-5 years for complete roll-out; how often will risks be assessed; when will mitigation plans be implemented and monitored; when will risks be reported.

48

Ask questions and develop your approach

• Do we understand our major risks? Do we know what is causing our risks to increase, decrease or stay the same?
• Have we assessed the likelihood and impact of our risks?
• Have we identified the sources and causes of our risks?
• How well are we managing our risks?
• Are we trying to prevent the downside risks from happening? Or are we trying to simply recover from them?
• Who is accountable for these risks?
• How do we talk about risk? Do we have a common language across branches, across divisions, across the ministry, across the OPS, across the health care system?
• Are we taking too much risk? Or not enough risk?
• Are the right people taking the right risks at the right time?
• What’s our culture? Are we risk averse or are we risk-takers? Or are we somewhere in between?




49


TAKE SMALL BITES………. IRM IMPLEMENTATION


50

Questions?

51


The case: You are responsible for Risk Management for:

Case 1: The Pan Am Games 2015
Case 2: The provincial response to the next Pandemic
Case 3: The extension of Hwy 404
Case 4: The rescue efforts in Haiti
Case 5: Human Resources in the Ontario Public Services
Case 6: A big teaching hospital in Toronto


52


The case

• Consider the 13 categories of risk
• Identify top 5 threats (downside) and top 5 opportunities (upside)
• Propose mitigation strategies
• Discuss how the following risk factors would affect your assessment: Economy; Demographics; Weather; Technology; Timing of events such as an election; Others

53

Questions?