1

A Practical Approach to Risk Management

Financial Management Institute, Toronto Chapter

February 17 2010

Corinne Berinstein, BPT, MBA, MHSC, CA, CFI Health Audit Services Team

Ontario Internal Audit Division

2

Contact Info:

Corinne Berinstein, BPT, MBA, MHSC, CA, CFI, Certificate in Risk Management (Canadian Health Care Association

Senior Audit ManagerHealth Audit Services Team

Ontario Internal Audit DivisionProvince of Ontario

Office: 416-327-7798

eMail: corinne.berinstein1@ontario.ca

3

Basic Concepts

4

Objectives of today’s session

Basic principles, concepts, definitions

A simple framework

Stocking your toolkit – education, job aids, templates

What are you going to do back in the office?

Q &A’s

A case – Let’s practice!

Outline

5

Objectives

Give you a practical approach, framework and tools so you can start implementing ERM when you get back to the office.

Share some lessons learned. Share some tips and tricks.

Practice concepts and tools with a case study so that you practice

6

The only alternative to risk management is crisis management --- and crisis management is much more expensive, time consuming and embarrassing.

JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003

Without good risk management practices, government cannot manage its

resources effectively. Risk management means more than preparing for

the worst; it also means taking advantage of opportunities to improve

services or lower costs. Sheila Fraser, Auditor General of Canada

Why do we need Risk Management?

7

Why bother with RM?

Increase risk awareness – What could affect the achievement of objectives? What could change? What could go wrong? What could go right?

Increase understanding of risk – sensitivities. What makes my risks increase/decrease/disappear?

Promote a “healthy” risk culture – It’s safe to talk about risk. Open and transparent.

Develop a common and consistent approach to risk across the organization. Not intuition-based.

8

Why bother with RM? Allows intelligent “informed” risk-taking.

Focuses efforts –helps prioritize. Top 10 list. Or top 3. Or…

Is proactive…. not reactive – Prepare for risks before they happen. Identify risks and develop appropriate risk mitigating strategies.

Improve outcomes – achievement of objectives (corporate, clinical, etc)

Really comes to down to simple good management

Enables accountability, transparency and responsibility

And maybe even mean survival

9

A risk is ANYTHING that may affect the achievement of an organization’s objectives.

It is the UNCERTAINTY that surrounds future events and outcomes.

It is the expression of the likelihood and impact of an event with the potential to influence the achievement of an organization’s objectives.

Basic principles, concepts, definitions

10

Threats and opportunities

Threat – a risk that may HINDER the achievement of objectives

Opportunities - a risk that may HELP in the achievement of objectives

Interest rates

Foreign exchange rates

Supply of service/product/resources

Demand/uptake for service/product/resources

The economy

The weather

The stock market

11

Interactive Session #1 – 10 minutes

Introduce yourselves to others at your table

Pick 1 risk – discuss it as both a threat and an opportunity

Report to the large group. Pick a spokesperson.

1

12

Definition of ERM

“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Source: COSO Enterprise Risk Management – Integrated Framework. 2004.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO)

13

Enterprise vs Integrated Risk ManagementSimilarities:

Formal process

Consistent and systematic

Includes projects, programs, operations

Is embedded in key processes such as strategic planning, budgeting, project planning, evaluation, etc

Must be driven and supported by Leadership

Adds value to decision-making

Differences:Enterprise-wide: Is organizational-centricSuccess is defined as

implementation over the entire organization

Integrated:Take a systems-focusMay actually create risks for

individual organizations

14

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

Periodic Summary Analysis & Report

Enterprise Risk Management

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

Periodic Summary Analysis & Report

Communication & Learning

Monitor

Evaluate

AssessIdentify

Establish

Division Level

Branch Level

Unit or Project Level

15

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

Periodic Summary Analysis & Report

Integrated Risk Management

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

Periodic Summary Analysis & Report

Communication & Learning

Monitor

Evaluate

AssessIdentify

Establish

System

Level

Regional Level

Organiz-ational Level

16 Slide 16

Risk Management Basics Risk (uncertainty) may affect the achievement of

objectives. Effective mitigation strategies/controls can reduce

negative risks or increase opportunities.

Residual risk is the level of risk after evaluating the effectiveness of controls.

Acceptance and action should be based on residual risk levels.

INHERENT

17

A Simple Framework

Evaluate & Take Action

EstablishObjectives

IdentifyRisks & Controls

AssessRisks & Controls

Monitor& Report

Step 1 Step 2 Step 3 Step 4 Step 5

Communicate, learn, improve

18

Risk Management is critical to ALL levels of decisions

Decisions can be categorized into three types. The amount of risk (uncertainty) varies with the type of decisions. Most decisions are concerned with implementation.

UNCERTAINTY

Strategic Strategic

Programme Programme

Project & Operational Project & Operational

Strategic Decisions

Decisions transferring strategy into action

Decisions required for implementation

The HM Treasury’s The Orange Book

19

The relationship between IRM & MOHLTC’s Complex Risk Environment

MOHLTC Extended Enterprise

External Risk Environment

MOHLTCRisk Environment

Laws &

regula

tions

Capacity

The Economy

Corporate Governance Requirements

Stakeh

older

expe

ctatio

ns

Political

Outcom

es

PublicPerception

Oth

er

Min

istrie

sPartner-

Organizations

LHINs

Financial

Organizational

Governance

Human Resources

Information

Info

rmat

ion

Tech

nolo

gy

Lega

l/C

ompl

ianc

e

Operational

Strateg

ic/

Policy

Transfer Payment

Accountability &

Governance

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

Communication& Learning

Communication& Learning

20 Slide 20

Categorizing Risk – Comprehensive1. Political or Reputational Risk

2. Financial Risk

3. Service Delivery or Operational Risk

4. People / HR Risk

5. Information/Knowledge Risk

6. Strategic / Policy Risk

7. Stakeholder Satisfaction / Public Perception Risk

8. Legal / Compliance Risk

9. Technology Risk

10. Governance / Organizational Risk

11. Privacy Risk

12. Security Risk

13. Equity Risk

14. Patient SafetyNEW

21 Slide 21

Risk Prioritization – likelihood and impact

Likelihood of a risk event occurring

Very High: Is almost certain to occur

High: Is likely to occur

Medium: Is as likely as not to occur

Low: May occur occasionally

Very Low: Unlikely to occur

Risk Impact: Level of damage that can occur when a risk event occurs

Very High: Threatens the success of the project

High: Substantial impact on time, cost or quality

Medium: Notable impact on time, cost or quality

Low: Minor impact on time, cost or quality

Very Low: Negligible impact

22

Third dimension for rating risks - proximity

Immediate – now

Less than 6 months

Between 6-12 months

Between 12 – 24 months

Between 24 – 36 months

More than 36 months

23 Slide 23

Risk rating …Combining impact and likelihood

LIKELIHOOD

IMPA

CT

1

1

2

2

3

3

4

4

5

5

RISKI x L

RISKI x L

RISKI x L

RISK PRIORITIZATION MATRIX

24

Risk Level Action and Level of Involvement Required

Critical Risk Inform Chief Executive Officer and Board of Directors Immediate action required

High Risk Inform Chief Executive Officer Strategy Team involvement/attention is essential to manage risks

– provide report to Board as appropriate

Moderate Risk Management mitigation and ongoing monitoring required Inform relevant Strategy Team members

Low Risk Accept, but monitor risks Manage by routine procedures within the program and site

Risk reporting and communications

25

26

Key Risk Indicators (KRIs) are linked to strategy, performance and risk

Risk

Consequence

Strategy & objectives

Cause

KRI

KRIs need to be linked to strategy, objectives and target performance levels, with a good understanding of the drivers to risk.

Performance

27

EXAMPLES OF KRIs

Human resource• Average time to fill vacant positions• Staff absenteeism /sickness rates• Percentage of staff appraisals below “satisfactory”Age demographics of key managers

Information Technology• Systems usage versus capacity• Number of system upgrades/ version releases• Number of help desk calls

Finance• Daily P&L adjustments (#, amt)• Reporting deadlines missed (#)• Incomplete P&L sign-offs (#, aged)

Legal/compliance• Outstanding litigation cases (#, amt)• Compliance investigations (#)• Customer complaints (#)

Audit• Outstanding high risk issues (#, aged)• Audit findings (#, severity)• Revised management action target dates (#)

Risk management• Management overrides• Limit breaches (#, amt)

28

Measure and report RM implementation progress

Excellent

• Advanced capabilities to identify, measure, manage all risk exposures within tolerances

• Advanced implementation, development and execution of ERM parameters• Consistently optimizes risk adjusted returns throughout the organization

Strong

• Clear vision of risk tolerance and overall risk profile• Risk control exceeds adequate for most major risks• Has robust processes to identify and prepare for emerging risks • Incorporates risk management and decision making to optimize risk adjusted

returns

Adequate

• Has fully functioning control systems in place for all of their major risks• May lack a robust process for identifying and preparing for emerging risks• Performing good classical “silo” based risk management • Not fully developed process to optimize risk adjusted returns

Weak• Incomplete control process for one or more major risks• Inconsistent or limited capabilities to identify, measure or manage major risk

exposures

Source: Standard & Poor

29

Progress to Date – ERM Report Card

Quality of Care and Patient Safety Quality of Care and Patient Safety Corporate Governance Corporate Governance Operation & Business SupportOperation & Business SupportReputation and Public ImageReputation and Public ImageHuman Resources and Staff RelationsHuman Resources and Staff RelationsFinancial ResourcesFinancial ResourcesInformation Systems and TechnologyInformation Systems and TechnologyPhysical AssetsPhysical AssetsLegal and RegulatoryLegal and RegulatoryEnvironmental Health and SafetyEnvironmental Health and SafetyPolicies Policies StandardsStandards

30

An Approach to Risk Management

Establish centralized support Develop a standardized framework Provide education and coaching Ensure ministry-wide implementation Embed IRM into all major processes including strategic

planning and resource allocations decisions Enable our stewardship role

31

The Approach

Incorporates risk information into the strategic direction-setting, making decisions that consider established risk tolerance levels.

Takes a systems approach to managing risk at the strategic, operational and project levels which is continuous, proactive and systematic.

Fosters a working culture that values learning, innovation, responsible risk-taking and continuous improvement.

32

We wanted to add value not work. We developed forms and templates.

So we developed and delivered educational sessions – usually attended by all team members. Included risk 101 and then time for the team members to discuss how to apply concepts to their work.

We assisted teams in actual risk assessments. Sometimes we used voting software.

We trained the trainer.

Your toolkit – education, job aids, templates

33

A Process for Embedding IRM HAST Sessions Components Participant Outcomes

Risk 101 Presentation

Introduction – Integrated Risk Management Introduction to basic risk concepts and terminologiesIntroduction to the MOHLTC’s Integrated Risk Framework Status of IRM in MOHLTC (Most effective when followed-up with facilitated risk assessment workshop or application to actual project)

Understanding of risk management process Understanding of how risk management is relevant to their day-to-day work Knowledge of IRM in MOHLTC

Management IRM Planning Meeting

Planning Discuss best way to implementation IRM in area Proposed IRM implementation plan presented for areaClarify roles & responsibilities for risk management

Commitment to IRM implementation in area or stream of workRisk management roles and responsibilities clearly defined Review of IRM roll-out; timelines , deliverables, related forums Commitment to continuous risk communication & learning

Risk Assessment Workshop

Facilitated Training – Identification of risks & mitigation strategiesIdentification of objectives Brainstorming and identification of risks to meeting objectives (for project, branch, initiative, etc. )Identification of source, mitigation strategies, ownership and residual risk for each ‘risk category’

Hands-on experience allowing assimilation of consistent risk management techniques Hands-on practice of IRM process, enabling application of risk management principles and tools to work Greater understanding of work and inter-dependencies

Risk Prioritization & Voting Workshop

Facilitated Training – Assessment of mitigation strategies & prioritizationReview of risks, mitigation strategies and ownership Anonymous voting on the impact and probability of each riskPrioritization of risks on ‘heat map’Discussion of mitigation strategies for high priority risks

Review of risks, mitigation strategies, ownership, residual risk to their work in a seamless mannerUnbiased risk prioritization and identification of high risks Enables application of complete risk management process to every day work

Risk follow-up Session

Monitoring & ReviewReview of risks six months after initial assessmentReview mitigation strategies and residual risks

Review of risks and status Continuous improvement

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

34

The following table describes the risks and mitigating controls and related information. As controls are implemented or changed, their status will be updated.Risk Rating Impact = significant, moderate or minor (S, M, m) and Likelihood = high, medium or low (H, M, or L)

ID Number

Responsible Org & Name (Implement / Operate) Risk Control

Risk Rating (Impact)

Risk Rating (likelihood) Date Required Status

Category: Financial

Category: Equity

Category: Service Delivery or Operational064 Person A 055 – Insufficient knowledge transfer

102 – Conflicting management instructions

Update impacted policies and procedures for integration into knowledge support tools. Harmonizing policies and procedures (e.g., access procedures – X has one and Y has one – there needs to be one process/policy/procedure).

M M 31-Mar-09 Refer to Privacy Action Plan Work on Ongoing Operations Commitments Report

065 Person B 056 – Lack of communication (Serious service delivery issues) 352 – Different business and IT processes (incident management)

(a) IT incident and Triage (harmonization between IT and Business). (b) X and Y need to develop an incident management process/service to deal with issues that arise during service delivery. Roles and responsibilities need to be defined in both organizations: from a stewardship perspective on the ministry side, and from a service delivery/reporting perspective on the agency side. The process/service ensures that incident/issues are communicated as per agreement requirements; well tracked and reported.

M M 31-Mar-09 (a, b) Refer to ongoing Operations IRM document

IRM RISKS AND CONTROLS

None in this category

None in this category

35

36

37

38

The Cyclist and the Risk Manager

39

Interactive Session #2 – 15 minutes

Identify risks that the cyclists faces in cycling to work.

Report back.

1

40

Risk Factors – the cyclist

.

41

Risk Factors – the weather, the road, visibility, the bike, the lock

.

42

Risk Factors – the driver

.

43

RisksThreats:

Death

Head Injury

Injury

Reputation

Financial

Damage to the bike

Sunburn/frost bite

Opportunities:

Exercise

Sunlight

Reputation

Financial

Role model

Environment

44

Mitigation Strategies for threats Death, head injury, other injury – helmet, bright clothes, lights, bell,

CANbike course, obeying traffic laws, positive attitude, anger management course

Reputation – great outfit, change of wrinkle-free clothes, shower, time management

Financial – high quality locks, “beater”, stopping at stop signs

Damage to the bike – regular maintenance, avoiding pot holes

Sunburn/frost bite – sunscreen, mittens, hats, token/change

Dehydration- filled water bottle

45

ERM/IRM can be complex and messy

46

Keep it simple

47

Back at the office Why is the organization interested in RM? What are they hoping will

be achieved with its implementation?

Who is doing what? Roles & responsibilities must be clearly defined. Make sure Leadership supports RM and uses RM results to make decisions. Everyone is a risk manager. Make sure that all risks have owners and the responsibilities for mitigation are assigned

How will it be implemented? What is your framework? What is the common language? How will risks be measured and reported?

Where will you start? Choices could be where you can most easily succeed or where it is needed the most or where interest is high.

When will it be implemented? It is a journey not a destination; 3-5 years for complete roll-out; how often will risks be assessed; when will mitigation plans be implemented and monitored; when will risks be reported.

48

Ask questions and develop your approach Do we understand our major risks? Do we know what is causing our risks to

increase, decrease or stay the same? Have we assessed the likelihood and impact of our risks? Have we identified the sources and causes of our risks? How well are we managing our risks? Are we trying to prevent the downside risks from happening? Or are we trying to

simply recover from them? Who is accountable for these risks? How do we talk about risk? Do we have a common language across branches, across

divisions, across the ministry, across the OPS, across the health care system? Are we taking too much risk? Or not enough risk? Are the right people taking the right risks at the right time? What’s our culture? Are we risk adverse or are we risk-takers? Or are we somewhere

in between?

49

TAKE SMALL BITES………. IRM IMPLEMENTATION

50

Questions?

51

Case 1 – The Pan Am Games 2015

Case 2 – The provincial response to the next Pandemic

Case 3 – The extension of Hwy 404

Case 4 – The rescue efforts in Haiti

Case 5 – Human Resources in the Ontario Public Services

Case 6 – A big teaching hospital in Toronto

The case - You are responsible for Risk Management for:

52

Consider the 13 categories of risk

Identify top 5 threats (downside) and top 5opportunities (upside)

Propose mitigation strategies

Discuss how the following risk factors would affect your assessment: Economy Demographics Weather Technology Timing of events such an election Others

The case

53

Questions?