A Practical Approach to Risk Management

Financial Management Institute, Toronto Chapter
February 17 2010

Corinne Berinstein, BPT, MBA, MHSC, CA, CFI

Health Audit Services Team
Ontario Internal Audit Division
Contact Info:

Corinne Berinstein, BPT, MBA, MHSC, CA, CFI, Certificate in Risk Management (Canadian Health Care Association)
Senior Audit Manager
Health Audit Services Team
Ontario Internal Audit Division
Province of Ontario

Office: 416-327-7798
eMail: corinne.berinstein1@ontario.ca
Basic Concepts
Outline

- Objectives of today's session
- Basic principles, concepts, definitions
- A simple framework
- Stocking your toolkit: education, job aids, templates
- What are you going to do back in the office?
- Q & As
- A case: Let's practice!
Objectives

- Give you a practical approach, framework and tools so you can start implementing ERM when you get back to the office.
- Share some lessons learned. Share some tips and tricks.
- Practice the concepts and tools with a case study.
Why do we need Risk Management?

"The only alternative to risk management is crisis management --- and crisis management is much more expensive, time consuming and embarrassing."
James Lam, Enterprise Risk Management, Wiley Finance 2003

"Without good risk management practices, government cannot manage its resources effectively. Risk management means more than preparing for the worst; it also means taking advantage of opportunities to improve services or lower costs."
Sheila Fraser, Auditor General of Canada
Why bother with RM?

- Increase risk awareness: What could affect the achievement of objectives? What could change? What could go wrong? What could go right?
- Increase understanding of risk sensitivities: What makes my risks increase/decrease/disappear?
- Promote a healthy risk culture: It's safe to talk about risk. Open and transparent.
- Develop a common and consistent approach to risk across the organization. Not intuition-based.
Why bother with RM?

- Allows intelligent, informed risk-taking.
- Focuses efforts; helps prioritize. Top 10 list. Or top 3. Or
- Is proactive, not reactive: prepare for risks before they happen. Identify risks and develop appropriate risk mitigating strategies.
- Improves outcomes: achievement of objectives (corporate, clinical, etc.).
- Really comes down to simple good management.
- Enables accountability, transparency and responsibility.
- And may even mean survival.
Basic principles, concepts, definitions

- A risk is ANYTHING that may affect the achievement of an organization's objectives.
- It is the UNCERTAINTY that surrounds future events and outcomes.
- It is the expression of the likelihood and impact of an event with the potential to influence the achievement of an organization's objectives.
Threats and opportunities

- Threat: a risk that may HINDER the achievement of objectives
- Opportunity: a risk that may HELP in the achievement of objectives

Examples:
- Interest rates
- Foreign exchange rates
- Supply of service/product/resources
- Demand/uptake for service/product/resources
- The economy
- The weather
- The stock market
Interactive Session #1 (10 minutes)

- Introduce yourselves to others at your table
- Pick 1 risk; discuss it as both a threat and an opportunity
- Report to the large group. Pick a spokesperson.
Definition of ERM

"... a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

Source: COSO Enterprise Risk Management Integrated Framework, 2004. The Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Enterprise vs Integrated Risk Management

Similarities:
- Formal process
- Consistent and systematic
- Includes projects, programs, operations
- Is embedded in key processes such as strategic planning, budgeting, project planning, evaluation, etc.
- Must be driven and supported by Leadership
- Adds value to decision-making

Differences:
- Enterprise-wide: is organizational-centric; success is defined as implementation over the entire organization.
- Integrated: takes a systems focus; may actually create risks for individual organizations.
Enterprise Risk Management

(Diagram: the risk management cycle, Establish, Identify, Assess, Evaluate, Monitor, with Communication & Learning at its centre, repeated at the Division level, the Branch level, and the Unit or Project level. Each level feeds a Periodic Summary Analysis & Report to the level above.)
Integrated Risk Management

(Diagram: the same risk management cycle, Establish, Identify, Assess, Evaluate, Monitor, with Communication & Learning at its centre, repeated at the System level, the Regional level, and the Organizational level. Each level feeds a Periodic Summary Analysis & Report to the level above.)
Risk Management Basics

- Risk (uncertainty) may affect the achievement of objectives.
- Effective mitigation strategies/controls can reduce negative risks or increase opportunities.
- Residual risk is the level of risk after evaluating the effectiveness of controls.
- Acceptance and action should be based on residual risk levels.

(Diagram label: INHERENT)
A Simple Framework

Step 1: Establish Objectives
Step 2: Identify Risks & Controls
Step 3: Assess Risks & Controls
Step 4: Evaluate & Take Action
Step 5: Monitor & Report

Across all steps: Communicate, learn, improve
Risk Management is critical to ALL levels of decisions

(Diagram: three tiers of decisions, labelled UNCERTAINTY.)
- Strategic decisions
- Programme decisions: transferring strategy into action
- Project & Operational decisions: decisions required for implementation

Source: HM Treasury's "The Orange Book"

Decisions can be categorized into three types. The amount of risk (uncertainty) varies with the type of decision. Most decisions are concerned with implementation.
The relationship between IRM & MOHLTC's Complex Risk Environment

(Diagram: three nested environments, the External Risk Environment, the MOHLTC Extended Enterprise and the MOHLTC Risk Environment, surrounding the IRM cycle of Establish, Identify, Assess, Evaluate, Monitor and Communication & Learning. Labels recoverable from the figure: Laws & regulations; Public perceptions; Policy/Strategic; Organizational/Governance; Partners; Other ministries; Financial; Legal/Compliance; Political; Capacity; Outcomes; Transparency & Accountability; Governance; Technology; Information; Transfer Payment; Human Resources; Operational; Economy; Stakeholder expectations; LHINs; Corporate Governance Requirements.)
Categorizing Risk: Comprehensive

1. Political or Reputational Risk
2. Financial Risk
3. Service Delivery or Operational Risk
4. People / HR Risk
5. Information/Knowledge Risk
6. Strategic / Policy Risk
7. Stakeholder Satisfaction / Public Perception Risk
8. Legal / Compliance Risk
9. Technology Risk
10. Governance / Organizational Risk
11. Privacy Risk
12. Security Risk
13. Equity Risk
14. Patient Safety (NEW)
Risk Prioritization: likelihood and impact

Likelihood of a risk event occurring:
- Very High: Is almost certain to occur
- High: Is likely to occur
- Medium: Is as likely as not to occur
- Low: May occur occasionally
- Very Low: Unlikely to occur

Risk Impact: Level of damage that can occur when a risk event occurs:
- Very High: Threatens the success of the project
- High: Substantial impact on time, cost or quality
- Medium: Notable impact on time, cost or quality
- Low: Minor impact on time, cost or quality
- Very Low: Negligible impact
Third dimension for rating risks - proximity

- Immediate: now
- Less than 6 months
- Between 6-12 months
- Between 12-24 months
- Between 24-36 months
- More than 36 months
Risk rating: Combining impact and likelihood

RISK PRIORITIZATION MATRIX

(Diagram: IMPACT on the vertical axis and LIKELIHOOD on the horizontal axis, each scored 1 to 5. Each risk is plotted in the cell for its two ratings and scored as I x L; Risk 1, Risk 3 and Risk 4 are plotted as examples.)
Risk reporting and communications

Risk Level: Action and Level of Involvement Required

- Critical Risk: Inform Chief Executive Officer and Board of Directors. Immediate action required.
- High Risk: Inform Chief Executive Officer. Strategy Team involvement/attention is essential to manage risks; provide report to Board as appropriate.
- Moderate Risk: Management mitigation and ongoing monitoring required. Inform relevant Strategy Team members.
- Low Risk: Accept, but monitor risks. Manage by routine procedures within the program and site.
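The prioritization matrix (Impact x Likelihood on 1-to-5 scales), the proximity dimension and the four-level reporting table can be combined into one small scoring tool. The following Python is an added example, not a tool from the presentation or the ministry: the numeric cut-offs that turn an I x L score into Critical/High/Moderate/Low, the use of proximity as a tie-breaker between equal scores, and the sample register built from the cyclist case are all assumptions made for the illustration.

```python
"""Risk prioritization: Impact x Likelihood scoring, proximity tie-break and
the reporting level for each risk (added example; thresholds are assumed)."""
from dataclasses import dataclass

# Five-point scales from the prioritization slide (1 = Very Low ... 5 = Very High),
# used for both axes of the matrix.
RATING = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

# Proximity buckets (the third dimension), nearest first.
PROXIMITY = ["immediate", "<6 months", "6-12 months",
             "12-24 months", "24-36 months", ">36 months"]

# ASSUMED cut-offs on the I x L score (maximum 25) for the four reporting
# levels; the slides name the levels but give no numeric boundaries.
LEVELS = [(20, "Critical Risk"), (12, "High Risk"),
          (6, "Moderate Risk"), (1, "Low Risk")]

# Required action per level, paraphrased from the reporting table.
ACTIONS = {
    "Critical Risk": "Inform CEO and Board; immediate action required",
    "High Risk": "Inform CEO; Strategy Team attention essential; report to Board as appropriate",
    "Moderate Risk": "Management mitigation and ongoing monitoring; inform Strategy Team members",
    "Low Risk": "Accept but monitor; manage by routine procedures in the program and site",
}


@dataclass(frozen=True)
class Risk:
    name: str
    impact: str       # rating word, e.g. "very high"
    likelihood: str   # rating word
    proximity: str    # one of PROXIMITY


def rating(word: str) -> int:
    """Map a rating word to 1..5; reject anything that is not on the scale."""
    key = word.strip().lower()
    if key not in RATING:
        raise ValueError(f"unknown rating {word!r}; expected one of {list(RATING)}")
    return RATING[key]


def score(risk: Risk) -> int:
    """Risk score = Impact x Likelihood, the value of the matrix cell."""
    return rating(risk.impact) * rating(risk.likelihood)


def level(risk: Risk) -> str:
    """Reporting level for the score, using the assumed LEVELS cut-offs."""
    s = score(risk)
    for threshold, name in LEVELS:
        if s >= threshold:
            return name
    raise AssertionError("unreachable: every score is at least 1")


def prioritize(risks):
    """Highest score first; equal scores are ordered by proximity, nearest first."""
    for r in risks:
        if r.proximity not in PROXIMITY:
            raise ValueError(f"unknown proximity {r.proximity!r} for {r.name!r}")
    return sorted(risks, key=lambda r: (-score(r), PROXIMITY.index(r.proximity)))


def heat_map(risks):
    """Cells of the 5x5 matrix keyed (impact, likelihood) -> list of risk names."""
    cells = {(i, l): [] for i in range(1, 6) for l in range(1, 6)}
    for r in risks:
        cells[(rating(r.impact), rating(r.likelihood))].append(r.name)
    return cells


def render_heat_map(risks) -> str:
    """Text matrix: impact rows 5..1 top to bottom, likelihood columns 1..5;
    a cell shows its I x L score and a '*' when at least one risk sits in it."""
    cells = heat_map(risks)
    lines = []
    for i in range(5, 0, -1):
        row = [f"{i * l:>2}{'*' if cells[(i, l)] else ' '}" for l in range(1, 6)]
        lines.append(f"Impact {i} | " + " ".join(row))
    lines.append("           Likelihood 1 .. 5")
    return "\n".join(lines)


def report(risks):
    """(name, score, level, action) rows in priority order."""
    return [(r.name, score(r), level(r), ACTIONS[level(r)]) for r in prioritize(risks)]


# Constructed sample register, loosely based on the cyclist case on the slides.
SAMPLE_RISKS = [
    Risk("Collision with a driver", "very high", "high", "immediate"),
    Risk("Bike stolen (financial)", "medium", "high", "<6 months"),
    Risk("Head injury", "very high", "low", "immediate"),
    Risk("Damage to the bike", "medium", "medium", "immediate"),
    Risk("Dehydration", "medium", "medium", "<6 months"),
    Risk("Sunburn/frostbite", "low", "high", "6-12 months"),
    Risk("Reputation (arriving wrinkled)", "low", "low", "immediate"),
]

if __name__ == "__main__":
    print(render_heat_map(SAMPLE_RISKS))
    for name, s, lvl, action in report(SAMPLE_RISKS):
        print(f"{s:>2} {lvl:<14} {name}: {action}")
```

Because the slides say acceptance and action should be based on residual risk, feed the tool the ratings agreed after controls were evaluated, not the inherent ones; the cut-offs in LEVELS are the place to encode whatever escalation thresholds the organization actually adopts.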
Key Risk Indicators (KRIs) are linked to strategy, performance and risk

(Diagram linking: Strategy & objectives; Risk; Cause; Consequence; KRI; Performance.)

KRIs need to be linked to strategy, objectives and target performance levels, with a good understanding of the drivers to risk.
EXAMPLES OF KRIs

Human resource:
- Average time to fill vacant positions
- Staff absenteeism/sickness rates
- Percentage of staff appraisals below satisfactory
- Age demographics of key managers

Information Technology:
- Systems usage versus capacity
- Number of system upgrades/version releases
- Number of help desk calls

Finance:
- Daily P&L adjustments (#, amt)
- Reporting deadlines missed (#)
- Incomplete P&L sign-offs (#, aged)

Legal/compliance:
- Outstanding litigation cases (#, amt)
- Compliance investigations (#)
- Customer complaints (#)

Audit:
- Outstanding high risk issues (#, aged)
- Audit findings (#, severity)
- Revised management action target dates (#)

Risk management:
- Management overrides
- Limit breaches (#, amt)
Measure and report RM implementation progress

Excellent:
- Advanced capabilities to identify, measure, manage all risk exposures within tolerances
- Advanced implementation, development and execution of ERM parameters
- Consistently optimizes risk adjusted returns throughout the organization

Strong:
- Clear vision of risk tolerance and overall risk profile
- Risk control exceeds adequate for most major risks
- Has robust processes to identify and prepare for emerging risks
- Incorporates risk management and decision making to optimize risk adjusted returns

Adequate:
- Has fully functioning control systems in place for all of their major risks
- May lack a robust process for identifying and preparing for emerging risks
- Performing good classical silo based risk management
- Not fully developed process to optimize risk adjusted returns

Weak:
- Incomplete control process for one or more major risks
- Inconsistent or limited capabilities to identify, measure or manage major risk exposures

Source: Standard & Poor's
Progress to Date: ERM Report Card

(Chart of implementation progress; labels: Quality of Care and Patient Safety; Corporate Governance; Operation & Business Support; Reputation and Public Image; Human Resources and Staff Relations; Financial Resources; Information Systems and Technology; Physical Assets; Legal and Regulatory; Environmental Health and Safety; Policies; Standards.)
An Approach to Risk Management

- Establish centralized support
- Develop a standardized framework
- Provide education and coaching
- Ensure ministry-wide implementation
- Embed IRM into all major processes including strategic planning and resource allocation decisions
- Enable our stewardship role
The Approach

- Incorporates risk information into the strategic direction-setting, making decisions that consider established risk tolerance levels.
- Takes a systems approach to managing risk at the strategic, operational and project levels which is continuous, proactive and systematic.
- Fosters a working culture that values learning, innovation, responsible risk-taking and continuous improvement.
Your toolkit: education, job aids, templates

- We wanted to add value, not work. We developed forms and templates.
- So we developed and delivered educational sessions, usually attended by all team members. Included risk 101 and then time for the team members to discuss how to apply concepts to their work.
- We assisted teams in actual risk assessments. Sometimes we used voting software.
- We trained the trainer.
A Process for Embedding IRM

(Each session row in the table is accompanied by the IRM cycle diagram: Establish, Identify, Assess, Evaluate, Monitor, with Communication & Learning at the centre.)

HAST Session: Risk 101 Introduction Presentation
Components:
- Integrated Risk Management
- Introduction to basic risk concepts and terminologies
- Introduction to the MOHLTC's Integrated Risk Framework
- Status of IRM in MOHLTC
(Most effective when followed up with a facilitated risk assessment workshop or application to an actual project)
Participant Outcomes:
- Understanding of risk management process
- Understanding of how risk management is relevant to their day-to-day work
- Knowledge of IRM in MOHLTC

HAST Session: Management Planning Meeting
Components: IRM Planning
- Discuss best way to implement IRM in area
- Proposed IRM implementation plan presented for area
- Clarify roles & responsibilities for risk management
Participant Outcomes:
- Commitment to IRM implementation in area or stream of work
- Risk management roles and responsibilities clearly defined
- Review of IRM roll-out: timelines, deliverables, related forums
- Commitment to continuous risk communication & learning

HAST Session: Risk Assessment Workshop
Components: Facilitated Training: Identification of risks & mitigation strategies
- Identification of objectives
- Brainstorming and identification of risks to meeting objectives (for project, branch, initiative, etc.)
- Identification of source, mitigation strategies, ownership and residual risk for each risk category
Participant Outcomes:
- Hands-on experience allowing assimilation of consistent risk management techniques
- Hands-on practice of IRM process, enabling application of risk management principles and tools to work
- Greater understanding of work and inter-dependencies

HAST Session: Risk Prioritization & Voting Workshop
Components: Facilitated Training: Assessment of mitigation strategies & prioritization
- Review of risks, mitigation strategies and ownership
- Anonymous voting on the impact and probability of each risk
- Prioritization of risks on heat map
- Discussion of mitigation strategies for high priority risks
Participant Outcomes:
- Review of risks, mitigation strategies, ownership, residual risk to their work in a seamless manner
- Unbiased risk prioritization and identification of high risks
- Enables application of complete risk management process to every day work

HAST Session: Risk follow-up Session
Components: Monitoring & Review
- Review of risks six months after initial assessment
- Review mitigation strategies and residual risks
Participant Outcomes:
- Review of risks and status
- Continuous improvement
IRM RISKS AND CONTROLS

The following table describes the risks and mitigating controls and related information. As controls are implemented or changed, their status will be updated.
Risk Rating: Impact = significant, moderate or minor (S, M, m) and Likelihood = high, medium or low (H, M, or L)

Columns: ID Number | Responsible Org & Name (Implement / Operate) | Risk | Control | Risk Rating (Impact) | Risk Rating (Likelihood) | Date Required | Status

Category: Financial
- None in this category

Category: Equity
- None in this category

Category: Service Delivery or Operational

ID Number: 064
Responsible Org & Name: Person A
Risk: 055 Insufficient knowledge transfer; 102 Conflicting management instructions
Control: Update impacted policies and procedures for integration into knowledge support tools. Harmonizing policies and procedures (e.g., access procedures: X has one and Y has one; there needs to be one process/policy/procedure).
Risk Rating (Impact): M
Risk Rating (Likelihood): M
Date Required: 31-Mar-09
Status: Refer to Privacy Action Plan. Work on Ongoing Operations Commitments Report.

ID Number: 065
Responsible Org & Name: Person B
Risk: 056 Lack of communication (Serious service delivery issues); 352 Different business and IT processes (incident management)
Control: (a) IT incident and Triage (harmonization between IT and Business). (b) X and Y need to develop an incident management process/service to deal with issues that arise during service delivery. Roles and responsibilities need to be defined in both organizations: from a stewardship perspective on the ministry side, and from a service delivery/reporting perspective on the agency side. The process/service ensures that incidents/issues are communicated as per agreement requirements; well tracked and reported.
Risk Rating (Impact): M
Risk Rating (Likelihood): M
Date Required: 31-Mar-09
Status: (a, b) Refer to ongoing Operations IRM document
The Cyclist and the Risk Manager
Interactive Session #2 (15 minutes)

- Identify risks that the cyclist faces in cycling to work.
- Report back.
Risk Factors: the cyclist

Risk Factors: the weather, the road, visibility, the bike, the lock

Risk Factors: the driver
Risks

Threats:
- Death
- Head Injury
- Injury
- Reputation
- Financial
- Damage to the bike
- Sunburn/frost bite

Opportunities:
- Exercise
- Sunlight
- Reputation
- Financial
- Role model
- Environment
Mitigation Strategies for threats

- Death, head injury, other injury: helmet, bright clothes, lights, bell, CANbike course, obeying traffic laws, positive attitude, anger management course
- Reputation: great outfit, change of wrinkle-free clothes, shower, time management
- Financial: high quality locks, beater, stopping at stop signs
- Damage to the bike: regular maintenance, avoiding pot holes
- Sunburn/frost bite: sunscreen, mittens, hats, token/change
- Dehydration: filled water bottle
ERM/IRM can be complex and messy

Keep it simple
Back at the office

- Why is the organization interested in RM? What are they hoping will be achieved with its implementation?
- Who is doing what? Roles & responsibilities must be clearly defined. Make sure Leadership supports RM and uses RM results to make decisions. Everyone is a risk manager. Make sure that all risks have owners and the responsibilities for mitigation are assigned.
- How will it be implemented? What is your framework? What is the common language? How will risks be measured and reported?
- Where will you start? Choices could be where you can most easily succeed, or where it is needed the most, or where interest is high.
- When will it be implemented? It is a journey, not a destination; 3-5 years for complete roll-out; how often will risks be assessed; when will mitigation plans be implemented and monitored; when will risks be reported.
Ask questions and develop your approach

- Do we understand our major risks? Do we know what is causing our risks to increase, decrease or stay the same?
- Have we assessed the likelihood and impact of our risks?
- Have we identified the sources and causes of our risks?
- How well are we managing our risks?
- Are we trying to prevent the downside risks from happening? Or are we trying to simply recover from them?
- Who is accountable for these risks?
- How do we talk about risk? Do we have a common language across branches, across divisions, across the ministry, across the OPS, across the health care system?
- Are we taking too much risk? Or not enough risk?
- Are the right people taking the right risks at the right time?
- What's our culture? Are we risk averse or are we risk-takers? Or are we somewhere in between?
TAKE SMALL BITES: IRM IMPLEMENTATION

Questions?
The case - You are responsible for Risk Management for:

- Case 1: The Pan Am Games 2015
- Case 2: The provincial response to the next Pandemic
- Case 3: The extension of Hwy 404
- Case 4: The rescue efforts in Haiti
- Case 5: Human Resources in the Ontario Public Services
- Case 6: A big teaching hospital in Toronto
The case

- Consider the 13 categories of risk
- Identify top 5 threats (downside) and top 5 opportunities (upside)
- Propose mitigation strategies
- Discuss how the following risk factors would affect your assessment:
  - Economy
  - Demographics
  - Weather
  - Technology
  - Timing of events such as an election
  - Others
Questions?