How I learned to stop worrying and love the risk Trent Dean

PPB Survey (2010) of Not for Profit organisations in Australia and New Zealand: 1. Almost half did not have, or did not know if they had, a risk management plan 2. 61% of respondents stated that risk to their organisation had increased over the past five years 3. Over one third of Not-For-Profit boards were not held accountable for managing risk in their respective organisations 4. Almost half of respondents believe that budgetary constraints was the main barrier to adequate risk management support

The Ultimate Risk Management ConsultantCon

Managing risk is a good thing... Moves us away from avoidance or transference It forces creativity The only way to achieve innovation and growth

Risk Management Framework - Fully integrated and informed Leadership - Prepared to take calculated risks 0 The most important things...

The Risk Averse The Optimistic Gamblers

The Innovators

Where to begin? Design a RM framework that fits your organisation Identify your strategic risks Identify risk owners Do something... anything Monitor, Rinse and Repeat

“Effect of uncertainty on objectives” ISO 31000:2009 Risk Management Objectives can have very different aspects

Major risks can impact on a range of areas including, but not limited to:  Client Safety  Staff Safety  Business continuity  Organisational Reputation  Financial Sustainability  Employee Relations

Strategic ObjectivesRisk CategoryIdentified Strategic Risks Grow more Christian Communities Growth Lack of brand awareness and / or reputational loss Increased industry competition Poor due diligence and management of merger and acquisitions Limited church planting and sustained congregational growth Operate and grow in a financially sustainable way Financial Sustainability Unsuitable or poor performing investments Overextending on capital work projects Loss of / decreased funding sources Poor budgeting (organisational / project) and treasury strategy Loss of PBI / DGR status

Consequence Type InsignificantMinorModerateMajorCatastrophic Audit and Compliance Compliance with standards or licensing requirements maintained with negligible level of control weakness Compliant with standards or licensing requirements / minimal level of control weakness Single non compliance with standards or licensing requirements resulting in recommendations for improvement / moderate level of control weakness identified Multiple non compliances with standards or licensing requirements resulting in recommendations for improvement / high level of control weakness Fully non compliant with standards or licensing requirements resulting in sanction or penalty / critical failure of key controls Business Continuity Loss / interruption less than 1 hour Loss / interruption <= 8 hours / some disruption manageable by altered operational routine Loss / interruption <=1 day / Disruption to a number of areas within a Division or Unit, possible flow on to other locations Loss / interruption <= 1 week / all operational areas of a Division or Unit compromised, other locations are affected Total system dysfunction and /or total shut-down of operations Client Safety and Care No injury or harm caused unsatisfactory client experience not directly related to client care Minimal harm caused / unsatisfactory client experience - readily resolvable Temporary loss of function or harm caused / mismanagement of client care Permanent loss of function or harm caused / serious mismanagement of client care Loss of life / totally unsatisfactory client outcome or experience Finance< $100k$100 –200k$200 – 500k$500 – 2mGreater than $2m Fraud<$2k$2-10k$10-25k$25-100kGreater than $100k Health and Safety No injury / illness - no time lost, minor adjustment to operational routine Single injury / minor illness – lost time of less than 4 rostered days Single serious injury >4 rostered days lost. Multiple serious injuries or illness (more than 4 rostered days lost, or an event which is notifiable) Fatality Reputation Minimal adverse local publicity Significant adverse local publicity Significant adverse state- wide publicity Significant and sustained state-wide publicity Sustained national adverse publicity Vision and Values Negligible misalignment with strategic objectives or expected behaviours Minor misalignment with strategic objectives or expected behaviours Moderate misalignment with strategic objectives or expected behaviours Major misalignment with strategic objectives or expected behaviours Significant misalignment with strategic objectives or expected behaviours Workforce Short term low staffing level temporarily reduces service quality Ongoing low staffing level reduces service quality Moderate annualised staff turnover (< 30% ) Late delivery of key objectives / services due to lack of staff Very high annualised staff turnover (> 30% / Uncertain delivery of key objective / service due to lack of staff Non delivery of key objectives / services due to lack of staff

Likelihood Rating DescriptorFrequency Almost Certain Is expected to occur frequently (in most circumstances) Expected to occur at least monthly Likely Is expected to occur occasionally (to be expected) Expected to occur at least quarterly Possible Could occur at least once (capable of happening / foreseeable) Expected to occur at least biannually Unlikely Might occur at some time (not to be expected) Expected to occur at least annually Rare May occur in exceptional circumstances only Not expected to occur for years RankColourDescription Low1 Action plans, policies or controls are not mitigating the risk and /or deemed to be very weak or ineffective. Risk may be outside control of organisation. Medium 2 Action plans, policies or controls may be partially mitigating the risk and scope for some improvement. High3Action plans, controls or policies deemed to be satisfactory and tested regularly.

InsignificantMinorModerateMajorCatastrophic Almost CertainMediumHigh Extreme LikelyMedium HighExtreme PossibleLowMediumHigh UnlikelyLowMedium High RareLow Medium Risk Rating Action Required Low  Manage by routine controls and processes  Ongoing monitoring of control effectiveness by local management Medium  Manage by routine controls and processes  May require a detailed risk action plan  Ongoing monitoring of control effectiveness by local management High  Immediate notification of relevant Senior Management  Should have a detailed risk action plan  Risk action plan to be monitored by relevant Senior Management and progress reported to relevant Divisional Director  Updates to be provided to Executive Committee members, as required  Ongoing monitoring of control effectiveness by Senior management Extreme  Immediate notification of relevant Divisional Director  Must have specific risk mitigation plan  Risk action plan to be monitored by Divisional Director and progress reported to Executive Committee members  Updates to be provided to Board Risk, Audit and Compliance Committee members, as required  Ongoing monitoring of control effectiveness by Divisional Director

Risk Assessments Risk Statement Contributing Factors Consequences Controls Control effectiveness Risk Analysis Action Required Risk Ownership

What should the Board know about? Key strategic / operational risks Presentations by individual risk owners Key issues / incidents / compliance breaches Crisis / Disaster Management OH&S Fraud and Corruption Internal Audit reports External Audit reports

Say what? What are the risks, both strategic and operational? How effective are the controls, and how do you know they are working? What are you doing about the risks? How are the risks trending? What are the known or possible risks ahead of us?

Board Report – Risk Heat Map

Risk 2 (SR-AC): Poor integration and support of client focused care Risk Owner: A. Staff Accountable Executive: B. Cool Existing Controls Training on customer focused awareness CMS focused on client outcomes Appointed project manager for the client focused care project Appointed GM for shared services and integration Appointed regional volunteer coordinators Gaps and planned response Client focused education at every level of organisation Review of all functions that interface / input into client outcomes Churches of Christ Care Strategic Plan/ actions from the Strategic Plan Gap assessment of CMS / Care Governance Action learning approach to learning Client satisfaction survey Key Risk Indicators Number of volunteers Compliance with standards and licensing Client satisfaction surveys Predetermined and measured outcomes of care Culture survey results Current Risk Rating Control effectiveness / scope for control improvement Contributing Factors / Issues Poor awareness of integration of services (both care and support) Constraints by regulatory and compliance obligations Limited creativity with application of compliance and regulatory obligations Lack of support or resistance for client focused care Client not viewed as central to all tasks and functions Lack of awareness of services and functions that input or interface with client care delivery Poor history and culture – task focused and output driven at both industry and occupational level Definition of Risk Poor integration and support of client focused care Risk Category Client Focus LikelihoodConsequenceRating 4312 Comments / Updates Gap assessment of CMS/Care Governance is almost complete Actively recruiting 5 regional volunteer coordinators

Key Risk Indicators

Quality Improvement Internal Audit Risk Management Identify and Assess Risk Design and Implement Controls Monitor and Review Controls

A group of mainstream Christian churches which has been an active part of the Queensland community for over 100 years. We are a significant presence within Queensland with over 200 services in more than 100 communities, touching tens of thousands of lives each year.

Established in 1930; operates 137 services with the support of more than 2,800 staff and over 700 volunteers. The care services are active in the areas of early childhood services, child protection, social and affordable housing, retirement living, community aged care, and residential aged care.

Director Group Manager - Quality Quality Advisor Health, Safety and Rehabilitation Consultant Health, Safety and Rehabilitation Specialist Health, Safety and Rehabilitation Consultant Internal Audit Coordinator Health, Safety and Rehabilitation Consultant Quality Officer Internal Auditor Risk and Compliance Advisor Assurance Services Health, Safety and Rehabilitation Consultant

What we do... Risk Management Framework Fraud Risk Management Sentinel Event Management Root Cause Analysis Crisis / Disaster Management ChildSafe Program Legislative Compliance Quality Management (Continuous Improvement) Framework Controlled Documents Archiving / Records Management Internal Audit Self Audits Compliance Reviews Due Diligence Forensic Investigations Workplace Health and Safety Worker Rehabilitation

A Call to Action Ask yourself... Do I know my organisation’s strategic risks, and are they meaningful to me? Is ‘risk management’ only raised as part of a dedicated risk meeting, or is it part of every Board conversation? What is the risk appetite and tolerance of the Board, the organisation, and me?