Risk Management
Financial Management Institute,
Toronto Chapter
February 17 2010
1
Contact Info:
Corinne Berinstein, BPT, MBA, MHSC, CA, CFI, Certificate in Risk Management (Canadian Health Care Association)
Office: 416-327-7798
eMail: corinne.berinstein1@ontario.ca
2
Basic Concepts
3
Outline
Objectives of today's session
A simple framework
Q&As
5
Why do we need Risk Management?
The only alternative to risk management is crisis management --- and
crisis management is much more expensive, time consuming and
embarrassing.
6
Why bother with RM?
7
Why bother with RM?
Allows intelligent informed risk-taking.
9
Threats and opportunities
Threat: a risk that may HINDER the achievement of objectives
Interest rates
Supply of service/product/resources
The economy
The weather
11
Definition of ERM
a process, effected by an entity's board of
directors, management and other personnel, applied
in strategy setting and across the enterprise,
designed to identify potential events that may affect
the entity, and manage risks to be within its risk
appetite, to provide reasonable assurance regarding
the achievement of entity objectives.
Source: COSO Enterprise Risk Management Integrated Framework. 2004.
12
Enterprise vs Integrated Risk Management
Similarities:
Formal process
Consistent and systematic
Includes projects, programs, operations
Is embedded in key processes such as strategic planning, budgeting, project planning, evaluation, etc.
Must be driven and supported by Leadership
Adds value to decision-making

Differences:
Enterprise-wide:
Is organizational-centric
Success is defined as implementation over the entire organization
Integrated:
Take a systems-focus
May actually create risks for individual organizations
13
Enterprise Risk Management
[Figure: the risk management cycle (Establish, Identify, Assess, Evaluate, Monitor, with Communication & Learning at the centre) repeated at three levels: Division Level, Branch Level, Unit or Project Level]
14
Integrated Risk Management
[Figure: the risk management cycle (Establish, Identify, Assess, Evaluate, Monitor, with Communication & Learning at the centre) repeated at three levels: System Level, Regional Level, Organizational Level]
15
Risk Management Basics
Risk (uncertainty) may affect the achievement of
objectives.
INHERENT
16
A Simple Framework
Establish Objectives
Identify Risks & Controls
Assess Risks & Controls
Evaluate & Take Action
Monitor & Report
17
Risk Management is critical to ALL levels of decisions
[Figure: types of decisions plotted against UNCERTAINTY. Legible labels: Strategic (strategic decisions); Programme (decisions transferring strategy into action)]
Decisions can be categorized into three types. The amount of risk (uncertainty) varies with the type of decisions. Most decisions are concerned with implementation.
18
The relationship between IRM & MOHLTC's Complex Risk Environment
[Figure: nested risk environments surrounding the risk management cycle (Communication & Learning at the centre). Legible labels: External Risk Environment; MOHLTC Extended Enterprise; MOHLTC Risk Environment; LHINs; Corporate Governance Requirements; Outcomes; Capacity; Political; Human Resources]
19
Categorizing Risk: Comprehensive
1. Political or Reputational Risk
2. Financial Risk
3. Service Delivery or Operational Risk
4. People / HR Risk
5. Information/Knowledge Risk
6. Strategic / Policy Risk
7. Stakeholder Satisfaction / Public Perception Risk
8. Legal / Compliance Risk
9. Technology Risk
10. Governance / Organizational Risk
11. Privacy Risk
12. Security Risk
13. Equity Risk
NEW
14. Patient Safety
20
Risk Prioritization: likelihood and impact
21
Third dimension for rating risks - proximity
Immediate: now
Between 12-24 months
Between 24-36 months
22
Risk rating
Combining impact and likelihood
[Figure: RISK PRIORITIZATION MATRIX. Axes: IMPACT (vertical) and LIKELIHOOD (horizontal, 1 to 5). RISK = I x L]
23
Risk reporting and communications
24
25
Key Risk Indicators (KRIs) are linked to
strategy, performance and risk
Cause
Consequence
KRI
Performance
26
EXAMPLES OF KRIs
27
Measure and report RM implementation progress
Excellent:
Advanced capabilities to identify, measure, manage all risk exposures within tolerances
Advanced implementation, development and execution of ERM parameters
Consistently optimizes risk adjusted returns throughout the organization

Strong:
Clear vision of risk tolerance and overall risk profile
Risk control exceeds adequate for most major risks
Has robust processes to identify and prepare for emerging risks
Incorporates risk management and decision making to optimize risk adjusted returns

Adequate:
Has fully functioning control systems in place for all of their major risks
May lack a robust process for identifying and preparing for emerging risks
Performing good classical silo based risk management
Not fully developed process to optimize risk adjusted returns

Weak:
Incomplete control process for one or more major risks
Inconsistent or limited capabilities to identify, measure or manage major risk exposures
30
The Approach
31
Your toolkit: education, job aids, templates
We wanted to add value not work. We developed forms
and templates.
32
A Process for Embedding IRM
Columns: HAST Sessions / Components / Participant Outcomes

HAST Session: Risk 101 Presentation
Components: Introduction Integrated Risk Management
Introduction to basic risk concepts and terminologies
Introduction to the MOHLTC's Integrated Risk
Status of IRM in MOHLTC
(Most effective when followed-up with facilitated risk assessment workshop or application to actual project)
Participant Outcomes:
Understanding of risk management process
Understanding of how risk management is relevant to their day-to-day work

HAST Session: Management Planning Meeting
Components: IRM Planning
Discuss best way to implement IRM in area
Proposed IRM implementation plan presented for area
Clarify roles & responsibilities for risk management
Participant Outcomes:
Commitment to IRM implementation in area or stream of work
Risk management roles and responsibilities clearly defined
Review of IRM roll-out; timelines, deliverables, related forums
Commitment to continuous risk communication & learning

HAST Session: Risk Assessment Workshop
Components: Facilitated Training, Identification of risks & mitigation strategies
Identification of objectives
Brainstorming and identification of risks to meeting objectives (for project, branch, initiative, etc.)
Participant Outcomes:
Hands-on experience allowing assimilation of consistent risk management techniques
Hands-on practice of IRM process, enabling application of risk management principles and tools to work
Greater understanding of work and inter-dependencies

HAST Session: Risk Prioritization & Voting Workshop
Components: Facilitated Training, Assessment of mitigation strategies & prioritization
Review of risks, mitigation strategies and ownership
Anonymous voting on the impact and probability of each
Participant Outcomes:
Review of risks, mitigation strategies, ownership, residual risk to their work in a seamless manner
Unbiased risk prioritization and identification of high risks
Enables application of complete risk management process to every
33
IRM RISKS AND CONTROLS
The following table describes the risks and mitigating controls and related information. As controls are implemented or changed, their status will be updated.
Risk Rating: Impact = significant, moderate or minor (S, M, m) and Likelihood = high, medium or low (H, M, or L)
Category: Financial
None in this category
Category: Equity
None in this category
Category: Service Delivery or Operational
064, Person A
055 Insufficient knowledge transfer
102 Conflicting management instructions
Update impacted policies and procedures for integration into knowledge support tools. Harmonizing policies and procedures (e.g., access procedures: X has one and Y has one; there needs to be one process/policy/procedure).
Risk Rating: M M
31-Mar-09, Ongoing
Refer to Privacy Action Plan Work on Operations Commitments Report

065, Person B
056 Lack of communication (Serious service delivery issues)
352 Different business and IT processes (incident management)
(a) IT incident and Triage (harmonization between IT and Business).
(b) X and Y need to develop an incident management process/service to deal with issues that arise during service delivery. Roles and responsibilities need to be defined in both organizations: from a stewardship perspective on the ministry side, and from a service delivery/reporting perspective on the agency side. The process/service ensures that incident/issues are communicated as per agreement requirements; well tracked and reported.
Risk Rating: M M
31-Mar-09, ongoing
(a, b) Refer to Operations IRM document
34
35
36
37
The Cyclist and the Risk Manager
38
Interactive Session #2: 15 minutes
Report back.
39
Risk Factors: the cyclist
40
Risk Factors: the weather, the road, visibility, the bike, the lock
41
Risk Factors: the driver
42
Risks
Threats:
Death
Injury
Reputation
Sunburn/frost bite

Opportunities:
Exercise
Reputation
Financial
43
Mitigation Strategies for threats
Death, head injury, other injury: helmet, bright clothes, lights, bell, CANbike course, obeying traffic laws, positive attitude, anger management course
44
ERM/IRM can be complex and messy
45
Keep it simple
46
Back at the office
Why is the organization interested in RM? What are they hoping
will be achieved with its implementation?
Where will you start? Choices could be where you can most easily
succeed or where it is needed the most or where interest is high.
49
Questions?
50
The case - You are responsible for Risk Management
for:
Discuss how the following risk factors would affect your assessment:
Economy
Demographics
Weather
Technology
Timing of events such as an election
Others
52
Questions?
53