4 Outline
• Objectives of today’s session
• Basic principles, concepts, definitions
• A simple framework
• Stocking your toolkit – education, job aids, templates
• What are you going to do back in the office?
• Q&A’s
• A case – Let’s practice!
5 Objectives
• Give you a practical approach, framework and tools so you can start implementing ERM when you get back to the office.
• Share some lessons learned.
• Share some tips and tricks.
• Practice concepts and tools with a case study so that you practice
7 Why bother with RM?
• Increase risk awareness – What could affect the achievement of objectives? What could change? What could go wrong? What could go right?
• Increase understanding of risk – sensitivities. What makes my risks increase/decrease/disappear?
• Promote a “healthy” risk culture – It’s safe to talk about risk. Open and transparent.
• Develop a common and consistent approach to risk across the organization. Not intuition-based.
8 Why bother with RM?
• Allows intelligent “informed” risk-taking.
• Focuses efforts – helps prioritize. Top 10 list. Or top 3. Or…
• Is proactive, not reactive – Prepare for risks before they happen. Identify risks and develop appropriate risk mitigating strategies.
• Improves outcomes – achievement of objectives (corporate, clinical, etc.)
• Really comes down to simple good management
• Enables accountability, transparency and responsibility
• And may even mean survival
9 Basic principles, concepts, definitions
• A risk is ANYTHING that may affect the achievement of an organization’s objectives.
• It is the UNCERTAINTY that surrounds future events and outcomes.
• It is the expression of the likelihood and impact of an event with the potential to influence the achievement of an organization’s objectives.
10 Threats and opportunities
Threat – a risk that may HINDER the achievement of objectives
Opportunity – a risk that may HELP in the achievement of objectives
• Interest rates
• Foreign exchange rates
• Supply of service/product/resources
• Demand/uptake for service/product/resources
• The economy
• The weather
• The stock market
11 Interactive Session #1 – 10 minutes
• Introduce yourselves to others at your table
• Pick 1 risk – discuss it as both a threat and an opportunity
• Report to the large group. Pick a spokesperson.
12 Definition of ERM
“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework, The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
13 Enterprise vs Integrated Risk Management
Similarities:
• Formal process
• Consistent and systematic
• Includes projects, programs, operations
• Is embedded in key processes such as strategic planning, budgeting, project planning, evaluation, etc.
• Must be driven and supported by Leadership
• Adds value to decision-making
Differences:
Enterprise-wide:
• Is organizational-centric
• Success is defined as implementation over the entire organization
Integrated:
• Takes a systems focus
• May actually create risks for individual organizations
16 Risk Management Basics
• Risk (uncertainty) may affect the achievement of objectives.
• Effective mitigation strategies/controls can reduce negative risks or increase opportunities.
• Residual risk is the level of risk after evaluating the effectiveness of controls.
• Acceptance and action should be based on residual risk levels.
18 Risk Management is critical to ALL levels of decisions
Source: HM Treasury’s The Orange Book
• Decisions can be categorized into three types.
• The amount of risk (uncertainty) varies with the type of decisions.
• Most decisions are concerned with implementation.
19 The relationship between IRM & MOHLTC’s Complex Risk Environment
20 Categorizing Risk – Comprehensive
• Political or Reputational Risk
• Financial Risk
• Service Delivery or Operational Risk
• People / HR Risk
• Information/Knowledge Risk
• Strategic / Policy Risk
• Stakeholder Satisfaction / Public Perception Risk
• Legal / Compliance Risk
• Technology Risk
• Governance / Organizational Risk
• Privacy Risk
• Security Risk
• Equity Risk
• Patient Safety
1. Financial Risk - The risk of financial losses, overspending, or the inability to meet budgets and plans.
2. Service Delivery or Operational Risk - The risk that products or services will not get completed or delivered in a timely manner as expected. This also includes risks to business continuity.
3. People / HR Risk - The risk that capable & motivated staff will not be available to get the job done. This could be the result of resignations, turnovers, inability to hire, lack of skills, strikes, injury etc.
4. Information Risk - The risk that information produced, or used, is incomplete, out-of-date, inaccurate, irrelevant, or inappropriately disclosed.
5. Strategic / Policy Risk - The risk that strategies and policies fail to achieve required results.
6. Stakeholder Satisfaction / Public Perception Risk - The risk of failure to meet expectations of the public, other governments, ministries, or other stakeholders.
7. Legal / Compliance Risk - The risk that a government initiative, or action, will be in breach of a statute, regulation, contract, MOU, or that the government will face litigation.
8. Technology Risk - The risk that information technology infrastructure does not align with business requirements, and does not support availability, access, integrity, relevance, and security of data. This also includes risks to business continuity.
9. Governance / Organizational Risk - The risk that the organization structure, accountabilities, or responsibilities are not designed, communicated, or implemented to meet the organization’s objectives, and the risk that business culture and management commitment does not support the formal structures.
10. Privacy Risk - The risk that is associated with the collection, use and disclosure of personal information and personal health information.
11. Security Risk - The risk that is associated with the protection of confidentiality, integrity, availability and value of assets (tangible and intangible) and people.
21 Risk Prioritization – likelihood and impact
Likelihood of a risk event occurring:
• Very High: Is almost certain to occur
• High: Is likely to occur
• Medium: Is as likely as not to occur
• Low: May occur occasionally
• Very Low: Unlikely to occur
Risk Impact: Level of damage that can occur when a risk event occurs:
• Very High: Threatens the success of the project
• High: Substantial impact on time, cost or quality
• Medium: Notable impact on time, cost or quality
• Low: Minor impact on time, cost or quality
• Very Low: Negligible impact
In phase I we facilitated a number of IRM activities. Here are three examples:
• Oak Ridge Facility at the Mental Health Centre Penetanguishene
• Colorectal Cancer Screening Program
• LHIN Readiness I and II
These 3 examples showed us how we could implement IRM.
Sharon Zwicker told us: put in quote
Marsha Barnes told us: put in quote
Gail Paech told us: put in quote
Carrie Hayward told us: put in quote
22 Third dimension for rating risks - proximity
• Immediate – now
• Less than 6 months
• Between 6 – 12 months
• Between 12 – 24 months
• Between 24 – 36 months
• More than 36 months
23 Risk rating … Combining impact and likelihood
26 Key Risk Indicators (KRIs) are linked to strategy, performance and risk
(Diagram: Strategy & objectives, Risk, Cause, Consequence, KRI, Performance)
KRIs need to be linked to strategy, objectives and target performance levels, with a good understanding of the drivers to risk.
27 EXAMPLES OF KRIs
Human resource
• Average time to fill vacant positions
• Staff absenteeism / sickness rates
• Percentage of staff appraisals below “satisfactory”
• Age demographics of key managers
Information Technology
• Systems usage versus capacity
• Number of system upgrades / version releases
• Number of help desk calls
Finance
• Daily P&L adjustments (#, amt)
• Reporting deadlines missed (#)
• Incomplete P&L sign-offs (#, aged)
Legal/compliance
• Outstanding litigation cases (#, amt)
• Compliance investigations (#)
• Customer complaints (#)
Audit
• Outstanding high risk issues (#, aged)
• Audit findings (#, severity)
• Revised management action target dates (#)
Risk management
• Management overrides
• Limit breaches (#, amt)
28 Measure and report RM implementation progress
Excellent
• Advanced capabilities to identify, measure, manage all risk exposures within tolerances
• Advanced implementation, development and execution of ERM parameters
• Consistently optimizes risk adjusted returns throughout the organization
Strong
• Clear vision of risk tolerance and overall risk profile
• Risk control exceeds adequate for most major risks
• Has robust processes to identify and prepare for emerging risks
• Incorporates risk management and decision making to optimize risk adjusted returns
Adequate
• Has fully functioning control systems in place for all of their major risks
• May lack a robust process for identifying and preparing for emerging risks
• Performing good classical “silo” based risk management
• Not fully developed process to optimize risk adjusted returns
Weak
• Incomplete control process for one or more major risks
• Inconsistent or limited capabilities to identify, measure or manage major risk exposures
Source: Standard & Poor
29 Progress to Date – ERM Report Card
• Quality of Care and Patient Safety
• Corporate Governance
• Operation & Business Support
• Reputation and Public Image
• Human Resources and Staff Relations
• Financial Resources
• Information Systems and Technology
• Physical Assets
• Legal and Regulatory
• Environmental Health and Safety
• Policies
• Standards
30 An Approach to Risk Management
• Establish centralized support
• Develop a standardized framework
• Provide education and coaching
• Ensure ministry-wide implementation
• Embed IRM into all major processes including strategic planning and resource allocation decisions
• Enable our stewardship role
31 The Approach
• Incorporates risk information into the strategic direction-setting, making decisions that consider established risk tolerance levels.
• Takes a systems approach to managing risk at the strategic, operational and project levels which is continuous, proactive and systematic.
• Fosters a working culture that values learning, innovation, responsible risk-taking and continuous improvement.
32 Your toolkit – education, job aids, templates
• We wanted to add value not work. We developed forms and templates.
• So we developed and delivered educational sessions – usually attended by all team members. Included risk 101 and then time for the team members to discuss how to apply concepts to their work.
• We assisted teams in actual risk assessments. Sometimes we used voting software.
• We trained the trainer.
33 A Process for Embedding IRM
(Table columns: HAST Sessions, Components, Participant Outcomes)

Risk 101 Presentation
Components: Introduction – Integrated Risk Management
• Introduction to basic risk concepts and terminologies
• Introduction to the MOHLTC’s Integrated Risk Framework
• Status of IRM in MOHLTC
• (Most effective when followed up with facilitated risk assessment workshop or application to actual project)
Participant Outcomes:
• Understanding of risk management process
• Understanding of how risk management is relevant to their day-to-day work
• Knowledge of IRM in MOHLTC

Management IRM Planning Meeting
Components: Planning
• Discuss best way to implement IRM in area
• Proposed IRM implementation plan presented for area
• Clarify roles & responsibilities for risk management
Participant Outcomes:
• Commitment to IRM implementation in area or stream of work
• Risk management roles and responsibilities clearly defined
• Review of IRM roll-out; timelines, deliverables, related forums
• Commitment to continuous risk communication & learning

Risk Assessment Workshop
Components: Facilitated Training – Identification of risks & mitigation strategies
• Identification of objectives
• Brainstorming and identification of risks to meeting objectives (for project, branch, initiative, etc.)
• Identification of source, mitigation strategies, ownership and residual risk for each ‘risk category’
Participant Outcomes:
• Hands-on experience allowing assimilation of consistent risk management techniques
• Hands-on practice of IRM process, enabling application of risk management principles and tools to work
• Greater understanding of work and inter-dependencies

Risk Prioritization & Voting Workshop
Components: Facilitated Training – Assessment of mitigation strategies & prioritization
• Review of risks, mitigation strategies and ownership
• Anonymous voting on the impact and probability of each risk
• Prioritization of risks on ‘heat map’
• Discussion of mitigation strategies for high priority risks
Participant Outcomes:
• Review of risks, mitigation strategies, ownership, residual risk to their work in a seamless manner
• Unbiased risk prioritization and identification of high risks
• Enables application of complete risk management process to every day work

Risk follow-up Session
Components: Monitoring & Review
• Review of risks six months after initial assessment
• Review mitigation strategies and residual risks
Participant Outcomes:
• Review of risks and status
• Continuous improvement
43 Risks
Threats:
• Death
• Head Injury
• Reputation
• Financial
• Damage to the bike
• Sunburn/frost bite
Opportunities:
• Exercise
• Sunlight
• Reputation
• Financial
• Role model
• Environment
Statistics from Transport Canada
Most Canadian deaths were unhelmeted riders. Transport Canada statistics show that 88 per cent of the 80 cyclists who died nationwide in 2001 were not wearing helmets.
44 Mitigation Strategies for threats
• Death, head injury, other injury – helmet, bright clothes, lights, bell, CANbike course, obeying traffic laws, positive attitude, anger management course
• Reputation – great outfit, change of wrinkle-free clothes, shower, time management
• Financial – high quality locks, “beater”, stopping at stop signs
• Damage to the bike – regular maintenance, avoiding pot holes
• Sunburn/frost bite – sunscreen, mittens, hats, token/change
• Dehydration – filled water bottle
47 Back at the office
• Why is the organization interested in RM? What are they hoping will be achieved with its implementation?
• Who is doing what? Roles & responsibilities must be clearly defined. Make sure Leadership supports RM and uses RM results to make decisions. Everyone is a risk manager. Make sure that all risks have owners and the responsibilities for mitigation are assigned.
• How will it be implemented? What is your framework? What is the common language? How will risks be measured and reported?
• Where will you start? Choices could be where you can most easily succeed or where it is needed the most or where interest is high.
• When will it be implemented? It is a journey not a destination; 3-5 years for complete roll-out; how often will risks be assessed; when will mitigation plans be implemented and monitored; when will risks be reported.
48 Ask questions and develop your approach
• Do we understand our major risks? Do we know what is causing our risks to increase, decrease or stay the same?
• Have we assessed the likelihood and impact of our risks?
• Have we identified the sources and causes of our risks?
• How well are we managing our risks?
• Are we trying to prevent the downside risks from happening? Or are we trying to simply recover from them?
• Who is accountable for these risks?
• How do we talk about risk? Do we have a common language across branches, across divisions, across the ministry, across the OPS, across the health care system?
• Are we taking too much risk? Or not enough risk?
• Are the right people taking the right risks at the right time?
• What’s our culture? Are we risk averse or are we risk-takers? Or are we somewhere in between?
51 The case - You are responsible for Risk Management for:
• Case 1 – The Pan Am Games 2015
• Case 2 – The provincial response to the next Pandemic
• Case 3 – The extension of Hwy 404
• Case 4 – The rescue efforts in Haiti
• Case 5 – Human Resources in the Ontario Public Services
• Case 6 – A big teaching hospital in Toronto
52 The case
• Consider the 13 categories of risk
• Identify top 5 threats (downside) and top 5 opportunities (upside)
• Propose mitigation strategies
• Discuss how the following risk factors would affect your assessment:
  • Economy
  • Demographics
  • Weather
  • Technology
  • Timing of events such as an election
  • Others