
A Practical Approach to Risk Management
Financial Management Institute,
Toronto Chapter
February 17 2010

Corinne Berinstein, BPT, MBA, MHSC, CA, CFI
Health Audit Services Team
Ontario Internal Audit Division

Contact Info:
Corinne Berinstein, BPT, MBA, MHSC, CA, CFI, Certificate in Risk Management (Canadian Health Care Association)
Senior Audit Manager
Health Audit Services Team
Ontario Internal Audit Division
Province of Ontario
Office: 416-327-7798
eMail: corinne.berinstein1@ontario.ca

Basic Concepts

Outline

Objectives of today's session
Basic principles, concepts, definitions
A simple framework
Stocking your toolkit - education, job aids, templates
What are you going to do back in the office?
Q&As
A case - Let's practice!

Objectives

Give you a practical approach, framework and tools so you can start implementing ERM when you get back to the office.

Share some lessons learned. Share some tips and tricks.

Practice concepts and tools with a case study so that you practice

Why do we need Risk Management?


The only alternative to risk management is crisis management and crisis management is much more expensive, time consuming and embarrassing.
JAMES LAM, Enterprise Risk Management, Wiley Finance 2003

Without good risk management practices, government cannot manage its resources effectively. Risk management means more than preparing for the worst; it also means taking advantage of opportunities to improve services or lower costs.

Sheila Fraser, Auditor General of Canada

Why bother with RM?

Increase risk awareness - What could affect the achievement of objectives? What could change? What could go wrong? What could go right?

Increase understanding of risk sensitivities. What makes my risks increase/decrease/disappear?

Promote a healthy risk culture - It's safe to talk about risk. Open and transparent.

Develop a common and consistent approach to risk across the organization. Not intuition based.

Why bother with RM?

Allows intelligent informed risk taking.

Focuses efforts - helps prioritize. Top 10 list. Or top 3. Or

Is proactive, not reactive - prepare for risks before they happen. Identify risks and develop appropriate risk mitigating strategies.

Improve outcomes - achievement of objectives (corporate, clinical, etc)

Really comes down to simple good management

Enables accountability, transparency and responsibility

And maybe even mean survival

Basic principles, concepts, definitions


A risk is ANYTHING that may affect the achievement of an organization's objectives.
It is the UNCERTAINTY that surrounds future events and outcomes.
It is the expression of the likelihood and impact of an event with the potential to influence the achievement of an organization's objectives.

Threats and opportunities


Threat - a risk that may HINDER the achievement of objectives
Opportunities - a risk that may HELP in the achievement of objectives

Interest rates
Foreign exchange rates
Supply of service/product/resources
Demand/uptake for service/product/resources
The economy
The weather
The stock market

Interactive Session #1 - 10 minutes

Introduce yourselves to others at your table
Pick 1 risk - discuss it as both a threat and an opportunity
Report to the large group. Pick a spokesperson.

Definition of ERM
a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Source: COSO Enterprise Risk Management - Integrated Framework. 2004. The Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Enterprise vs Integrated Risk Management


Similarities:
Formal process
Consistent and systematic
Includes projects, programs, operations
Is embedded in key processes such as strategic planning, budgeting, project planning, evaluation, etc
Must be driven and supported by Leadership
Adds value to decision making

Differences:
Enterprise wide:
Is organizational centric
Success is defined as implementation over the entire organization
Integrated:
Take a systems focus
May actually create risks for individual organizations

Enterprise Risk Management


Division Level
Periodic Summary Analysis & Report
Branch Level
Periodic Summary Analysis & Report
Unit or Project Level

Integrated Risk Management


System Level
Periodic Summary Analysis & Report
Regional Level
Periodic Summary Analysis & Report
Organizational Level

Risk Management Basics

Risk (uncertainty) may affect the achievement of objectives.

Effective mitigation strategies/controls can reduce negative risks or increase opportunities.

Residual risk is the level of risk after evaluating the effectiveness of controls.

Acceptance and action should be based on residual risk levels.

INHERENT

A Simple Framework

Step 1 - Establish Objectives
Step 2 - Identify Risks & Controls
Step 3 - Assess Risks & Controls
Step 4 - Evaluate & Take Action
Step 5 - Monitor & Report

Communicate, learn, improve

Risk Management is critical to ALL levels of decisions

HM Treasury's The Orange Book

Decisions can be categorized into three types. The amount of risk (uncertainty) varies with the type of decisions. Most decisions are concerned with implementation.

The relationship between IRM & MOHLTC's Complex Risk Environment

Categorizing Risk - Comprehensive

1. Political or Reputational Risk
2. Financial Risk
3. Service Delivery or Operational Risk
4. People/HR Risk
5. Information/Knowledge Risk
6. Strategic/Policy Risk
7. Stakeholder Satisfaction/Public Perception Risk
8. Legal/Compliance Risk
9. Technology Risk
10. Governance/Organizational Risk
11. Privacy Risk
12. Security Risk
13. Equity Risk
14. Patient Safety

NEW

Risk Prioritization - likelihood and impact

Likelihood of a risk event occurring
Very High: Is almost certain to occur
High: Is likely to occur
Medium: Is as likely as not to occur
Low: May occur occasionally
Very Low: Unlikely to occur

Risk Impact: Level of damage that can occur when a risk event occurs
Very High: Threatens the success of the project
High: Substantial impact on time, cost or quality
Medium: Notable impact on time, cost or quality
Low: Minor impact on time, cost or quality
Very Low: Negligible impact

Third dimension for rating risks - proximity

Immediate - now
Less than 6 months
Between 6-12 months
Between 12-24 months
Between 24-36 months
More than 36 months

Risk rating
Combining impact and likelihood


Risk reporting and communications


Key Risk Indicators (KRIs) are linked to strategy, performance and risk

Strategy & objectives
Risk
Cause
Consequence
KRI
Performance

KRIs need to be linked to strategy, objectives and target performance levels, with a good understanding of the drivers to risk.

EXAMPLES OF KRIs

Human resource
Average time to fill vacant positions
Staff absenteeism/sickness rates
Percentage of staff appraisals below satisfactory
Age demographics of key managers

Information Technology
Systems usage versus capacity
Number of system upgrades/version releases
Number of help desk calls

Finance
Daily P&L adjustments (#, amt)
Reporting deadlines missed (#)
Incomplete P&L sign-offs (#, aged)

Legal/compliance
Outstanding litigation cases (#, amt)
Compliance investigations (#)
Customer complaints (#)

Audit
Outstanding high risk issues (#, aged)
Audit findings (#, severity)
Revised management action target dates (#)

Risk management
Management overrides
Limit breaches (#, amt)

Measure and report RM implementation progress

Excellent
Advanced capabilities to identify, measure, manage all risk exposures within tolerances
Advanced implementation, development and execution of ERM parameters
Consistently optimizes risk adjusted returns throughout the organization

Strong
Clear vision of risk tolerance and overall risk profile
Risk control exceeds adequate for most major risks
Has robust processes to identify and prepare for emerging risks
Incorporates risk management and decision making to optimize risk adjusted returns

Adequate
Has fully functioning control systems in place for all of their major risks
May lack a robust process for identifying and preparing for emerging risks
Performing good classical silo based risk management
Not fully developed process to optimize risk adjusted returns

Weak
Incomplete control process for one or more major risks
Inconsistent or limited capabilities to identify, measure or manage major risk exposures

Source: Standard & Poor

Progress to Date - ERM Report Card


Quality of Care and Patient Safety
Corporate Governance
Operation & Business Support
Reputation and Public Image
Human Resources and Staff Relations
Financial Resources
Information Systems and Technology
Physical Assets
Legal and Regulatory
Environmental Health and Safety
Policies
Standards

An Approach to Risk Management

Establish centralized support
Develop a standardized framework
Provide education and coaching
Ensure ministry wide implementation
Embed IRM into all major processes including strategic planning and resource allocations decisions
Enable our stewardship role

The Approach

Incorporates risk information into the strategic direction setting, making decisions that consider established risk tolerance levels.

Takes a systems approach to managing risk at the strategic, operational and project levels which is continuous, proactive and systematic.

Fosters a working culture that values learning, innovation, responsible risk taking and continuous improvement.

Your toolkit - education, job aids, templates

We wanted to add value not work. We developed forms and templates.

So we developed and delivered educational sessions usually attended by all team members. Included risk 101 and then time for the team members to discuss how to apply concepts to their work.

We assisted teams in actual risk assessments. Sometimes we used voting software.

We trained the trainer.

A Process for Embedding IRM


HAST Sessions | Components | Participant Outcomes

Risk 101 Presentation
Introduction - Integrated Risk Management
Understanding of risk management process
Introduction to basic risk concepts and terminologies
Understanding of how risk management is relevant to their day to day work
Introduction to the MOHLTC's Integrated Risk Framework
Knowledge of IRM in MOHLTC
Status of IRM in MOHLTC
(Most effective when followed up with facilitated risk assessment workshop or application to actual project)

Management IRM Planning Meeting
Planning
Commitment to IRM implementation in area or stream of work
Discuss best way to implement IRM in area
Risk management roles and responsibilities clearly defined
Proposed IRM implementation plan presented for area
Review of IRM rollout; timelines, deliverables, related forums
Clarify roles & responsibilities for risk management
Commitment to continuous risk communication & learning

Risk Assessment Workshop
Facilitated Training - Identification of risks & mitigation strategies
Hands on experience allowing assimilation of consistent risk management techniques
Identification of objectives
Hands on practice of IRM process, enabling application of risk management principles and tools to work
Brainstorming and identification of risks to meeting objectives (for project, branch, initiative, etc.)
Greater understanding of work and interdependencies
Identification of source, mitigation strategies, ownership and residual risk for each risk category

Risk Prioritization & Voting Workshop
Facilitated Training - Assessment of mitigation strategies & prioritization
Review of risks, mitigation strategies, ownership, residual risk to their work in a seamless manner
Review of risks, mitigation strategies and ownership
Unbiased risk prioritization and identification of high risks
Anonymous voting on the impact and probability of each risk
Enables application of complete risk management process to every day work
Prioritization of risks on heat map
Discussion of mitigation strategies for high priority risks

Risk follow-up Session
Monitoring & Review
Review of risks and status
Review of risks six months after initial assessment
Continuous improvement
Review mitigation strategies and residual risks

The Cyclist and the Risk Manager


Interactive Session #2 - 15 minutes

Identify risks that the cyclist faces in cycling to work.
Report back.

Risk Factors - the cyclist

Risk Factors - the weather, the road, visibility, the bike, the lock

Risk Factors - the driver

Risks

Threats:
Death
Head Injury
Injury
Reputation
Financial
Damage to the bike
Sunburn/frostbite

Opportunities:
Exercise
Sunlight
Reputation
Financial
Role model
Environment

Mitigation Strategies for threats

Death, head injury, other injury - helmet, bright clothes, lights, bell, CAN-bike course, obeying traffic laws, positive attitude, anger management course
Reputation - great outfit, change of wrinkle free clothes, shower, time management
Financial - high quality locks, beater, stopping at stop signs
Damage to the bike - regular maintenance, avoiding potholes
Sunburn/frostbite - sunscreen, mittens, hats, token/change
Dehydration - filled water bottle

ERM/IRM can be complex and messy


Keep it simple


Back at the office

Why is the organization interested in RM? What are they hoping will be achieved with its implementation?

Who is doing what? Roles & responsibilities must be clearly defined. Make sure Leadership supports RM and uses RM results to make decisions. Everyone is a risk manager. Make sure that all risks have owners and the responsibilities for mitigation are assigned.

How will it be implemented? What is your framework? What is the common language? How will risks be measured and reported?

Where will you start? Choices could be where you can most easily succeed or where it is needed the most or where interest is high.

When will it be implemented? It is a journey not a destination; 3-5 years for complete rollout; how often will risks be assessed; when will mitigation plans be implemented and monitored; when will risks be reported.

Ask questions and develop your approach

Do we understand our major risks? Do we know what is causing our risks to increase, decrease or stay the same?

Have we assessed the likelihood and impact of our risks?

Have we identified the sources and causes of our risks?

How well are we managing our risks?

Are we trying to prevent the downside risks from happening? Or are we trying to simply recover from them?

Who is accountable for these risks?

How do we talk about risk? Do we have a common language across branches, across divisions, across the ministry, across the OPS, across the health care system?

Are we taking too much risk? Or not enough risk?

Are the right people taking the right risks at the right time?

What's our culture? Are we risk averse or are we risk takers? Or are we somewhere in between?

TAKE SMALL BITES. IRM IMPLEMENTATION


Questions?


The case - You are responsible for Risk Management for:

Case 1 - The Pan Am Games 2015
Case 2 - The provincial response to the next Pandemic
Case 3 - The extension of Hwy 404
Case 4 - The rescue efforts in Haiti
Case 5 - Human Resources in the Ontario Public Services
Case 6 - A big teaching hospital in Toronto

The case

Consider the 13 categories of risk

Identify top 5 threats (downside) and top 5 opportunities (upside)

Propose mitigation strategies

Discuss how the following risk factors would affect your assessment:
Economy
Demographics
Weather
Technology
Timing of events such as an election
Others

Questions?
