VCOSS – DARU workshop, 17 October 2012
Tips, Tricks and Concepts for making risk management work
Diana Borgmeyer - Risk Management Adviser

Agenda
1. About the VMIA
2. The Victorian Risk Management Context
3. Governance and Risk
4. A quick overview of AS/NZS ISO 31000
5. Integrating Risk
6. Risk Framework elements
7. Tools and Tips
8. Activity – Describing Risks
9. Risk Management Pitfalls
10. Questions

VMIA Clients (diagram)
• Government: Ministers, 11 Departments, central agencies, portfolio departments
• 89 Hospitals & Ambulance Services
• 90 Statutory Authorities [e.g. VMIA, SSA]
• 3500 Community Service Organisations [welfare and housing]
• Agencies [e.g. public hospitals], external providers [e.g. contractors] and the Victorian community

VMIA Risk Services
Risk Register Software

Risk Management maturity model
Determining where we are now. Targeted maturity state?

Risk Management Framework maturity stages:
Developing
• The organisation is in the process of developing an organisation-wide Risk Management Framework
• Multiple and uncontrolled application of risk management principles and processes exists within the organisation
Integrating
• The organisation-wide Risk Management Framework defines how management of risk will be handled within the associated context (organisation-wide or for a specific activity such as a project). It covers the lifetime of the activity. It provides information on roles, responsibilities, processes and procedures, standards, tools, facilities and documentation to be produced.
It sets the context in which risks are managed, in terms of how they will be identified, analysed, controlled, monitored and reviewed.
• The organisation-wide Risk Management Framework has been documented and approved
Effective
• The organisation-wide Risk Management Framework is consistent and comprehensive, with processes that are part of everyday management
• The organisation-wide Risk Management Framework, risk management processes, practices, procedures and accountability requirements are consistently applied across the organisation
Advanced
• The organisation-wide Risk Management Framework is consistent and comprehensive, with processes that are embedded in everyday management and reflected in a proactive risk management culture
• The organisation employs a process of continued review and actively pursues improvement opportunities in risk management
• Risk management is integral in optimising outcomes, creating value and achieving objectives through the use of innovation and change management
Source: Courtesy use by Victorian Managed Insurance Authority (2010 year version)

Victorian Government Context

Risk management in context
• Whole of Government framework and attestation
◦ risk management process consistent with AS/NZS ISO 31000
◦ internal control system so the executive understand, manage and satisfactorily control risk exposures
◦ Responsible body verifies the assurance made and risk profile critically reviewed in last 12 months
• Inter-agency risk

DHS Service Level Agreement 2012-15
Risk Management Clause 3.20.2 acknowledges that risk management is an integral part of good organisational practice.
The service agreement requires an organisation’s CEO or Board Member to attest annually that it is managing risk in accordance with the AS/NZS ISO 31000:2009 standard, that its risk management processes satisfactorily and effectively manage the organisation’s risks, and that within the twelve months prior to attestation the organisation has undertaken a review of its risk management processes.

Risks we see of concern to Health and Community Sector Boards
• Governance failures
• Direct care workforce sustainability
• Service delivery failures
• Damage to stakeholder relationships/reputation
• Failure to adapt to changing service and funding models
• Funding uncertainty
• Inadequate emergency preparedness/response
• Regulatory or funding standards non-compliance

Common Risk Areas
• Client dissatisfaction
• Unfavourable publicity and/or reputation damage
• Mismanagement (eg. projects, finance)
• Threat to physical safety
• Failure of equipment or computer systems
• Breach of legal obligations and contractual responsibility
• Fraud
• Deficiencies in financial controls and reporting
• Unethical behaviour
• Failure to protect assets and goodwill

Governance and Risk

Governance
“Corporate governance generally refers to the processes by which organisations are directed, controlled and held to account. It encompasses authority, accountability, stewardship, leadership, direction and control exercised in an organisation” [1]
[1] Standards Australia, AS 8000-2003 Corporate Governance – Good governance principles, July 2003, p7

Definition of Public Sector Governance
‘…the set of responsibilities and practices, policies and procedures, exercised by an agency’s executive, to provide strategic direction, ensure objectives are achieved, manage risks and use resources responsibly and with accountability.’ (1)

Good Governance is about both:
• Performance – how an agency uses governance arrangements to contribute to its overall performance and delivery of services or programmes.
• Conformance – how an agency uses governance arrangements to ensure it meets the requirements of the law, regulations, published standards and community expectations on probity and accountability.
(1) Adapted from ANAO, Implementation of program and policy initiatives: Better Practice Guide, 2006, p.13.

Governance - common elements (diagram)
Strategy & Direction: Corporate Plan, Business Plan, Operational Plans, Strategic, IT, HR & asset plans, Annual Plan
Compliance & Accountability: Annual Report, Delegations, Policies & Procedures, Audit/Risk Committee, Audit methodologies, Internal Audit
Governing Body (centre): Stewardship, Leadership, Control, Risk Management
Structures & Relationships: Organisational Structure, Core competency criteria, Standards of Behaviour, Client surveys, Training programs, Roles and responsibilities, Communication, Business processes
Performance Monitoring: Monthly Financial Statements, Balanced Scorecard, Performance Management
How governance & risk management underpin an organisation’s performance. Source: Public Sector Governance Better Practice Guide – Volume 1, Australian National Audit Office, July 2003

Core principles underpinning Governance frameworks
• Accountability & Compliance – being answerable for decisions and having appropriate compliance mechanisms
• Transparency & structure – clear roles, duties and procedures in decision making
• Leadership – ‘tone at the top’ to achieve organisation-wide commitment from the top
• Integrity – acting impartially, ethically and in the interests of the organisation [1]
[1] Public sector governance and the individual officer – guidance paper no.1 – Better Practice Guide, Australian National Audit Office, July 2003

Good governance attributes
• Clear roles & responsibilities
• Ethics based culture
• Accountability through control, monitoring and review
• Effective governing body
• Communication & awareness
• Transparent external reporting
• Integrated risk management practices in planning, operations &
reporting

Risk management?
• An integral part of the organisation’s management system
• Essential for ‘good governance’
• Offers common language and consistency
• Embeds the risk management process in decision making
• Don’t simply ask ‘what may go wrong?’ ... ask ‘what must go right?’
• Good risk management doesn’t stifle progress and innovation – it drives success

“Looking back, I wish I had pressed harder. It’s easy to say after the fact.”
Yukinobu Okamura, Head of Active Fault and Earthquake Research Centre, recalling tsunami concerns he raised in June 2009 at a Japan Trade Ministry meeting to assess reactor safety. Tsunami Warnings ignored, The Age, March 26 2011

“Details of risks were either not satisfactorily conveyed to senior executives and ministers or, if conveyed, were not acted on.”
Energy Efficient Homes Package (Ceilings Insulation) Senate Inquiry Report (15 July 2010)

Why do strategies fail?
Only 10% of organisations execute their strategy. The problem isn’t lack of strategy. It’s the lack of ability to successfully manage the execution of what looks strategically good on paper.

Barriers to Strategy Execution
• Vision Barrier: only 5% of the workforce understands the strategy
• People Barrier: only 25% of managers have incentives linked to strategy
• Management Barrier: 85% of executive teams spend less than one hour per month discussing strategy
• Resource Barrier: 60% of organisations don’t link budgets to strategy
Reference: Robert Kaplan and David Norton - The Balanced Scorecard and The Strategy Focused Organization

Six key questions
Essentially, risk management seeks to answer these basic questions:
• what are we trying to achieve?
• what events or circumstances could affect the achievement of our objectives?
• what are the consequences?
• how likely are these events?
• what can we do to manage these outcomes?
• how will we maximise opportunities?

AS/NZS ISO 31000:2009
The definition of risk?
“The effect of uncertainty on objectives”
Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood. (AS/NZS ISO 31000:2009)
The aim of risk management is not the management of risk but the achievement of objectives.

Overview of AS/NZS ISO 31000 (diagram)
• Principles for managing risk (Clause 3): the eleven principles listed on the next slide, from 1) Creates value to 11) Facilitates continual improvement & enhancement of the organisation
• Framework for managing risk (Clause 4): Mandate & commitment; Design of framework for managing risk; Implementing risk management; Monitoring & review of the framework; Continual improvement of the framework
• Process for managing risk (Clause 5): Establishing the Context; Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation); Risk Treatment; with Communication & Consultation and Monitoring & Review running alongside every step
• Attributes of enhanced risk management (Annex A - Informative)

AS/NZS ISO 31000:2009 - Risk management principles
Should be reflected in your organisation’s approach:
1. Creates value
2. Integral part of organisational processes
3. Part of decision making
4. Explicitly addresses uncertainty
5. Systematic, structured and timely
6. Based on the best available information
7. Tailored
8. Takes human and cultural factors into account
9. Transparent and inclusive
10. Dynamic, iterative and responsive to change
11. Facilitates continual improvement and enhancement of the organisation

Fit-for-purpose
Risk management should be embedded in all the organisation's practices and processes in a way that it is relevant, effective and efficient.
The risk management process should become part of, and not separate from, those organisational processes. In particular, risk management should be embedded into the policy development, business and strategic planning and review, and change management processes. (Source: AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines)

Risk Terminology
• Risk: chance of something happening that will have an impact on objectives
• Likelihood: chance of something happening
• Consequence: outcome of risk on objectives
• Risk Rating: overall rating which determines actions & risk treatments by the Board, CEO & Executive
• Control: includes any process, policy, device, practice or action which modifies risk
• Control Effectiveness: assessment of the effectiveness of controls to determine if any gaps exist
• Risk Owner: person or entity with the accountability & authority to manage a risk
• Risk Treatment: can involve avoiding the risk, increasing the risk to gain an opportunity, removing the source, changing the likelihood or consequence, sharing the risk, or retaining the risk

Integrating risk

What are the benefits of an enterprise-wide approach to Risk Management?
• Enables identification of threats and opportunities for an agency
• Improves and informs the planning process
• Reduces likelihood of costly “surprises”
• Contributes to improved resource allocation
• Improves efficiency and performance
• Improves accountability
• Encourages continual improvement
• Managing risks in order to meet our ‘objectives’
• ‘Choosing which risks to take ... and then managing them well’

Risk and planning - a comprehensive process
• Designed to identify, analyse, evaluate, treat, monitor and communicate risks that could prevent an organisation from achieving its objectives.
• Covers strategic, operational, financial and compliance risks.
• The term “enterprise-wide risk management” is widely used by both the Victorian public sector and the private sector, for-profit and not-for-profit alike, to describe this comprehensive approach.

Cascading Process (diagram)
1. Organisational Objectives and Strategies
2. Strategic Objectives, Key Performance Indicators & Targets – cascade & align
3. Department A, Program B, Service C: Operational Objectives, Indicators & Targets at each stage
Link strategy, operations and risk management: Strategic Risks link Risk Management to Strategic Planning; Operational Risks link Risk Management to Operational Planning; both feed the Organisation-Wide Risk Register and Risk Reporting (Reporting System).

Different levels, different types of risks (diagram)
Enterprise Level, Program Level, Project Level, Subproject Level. Risks ultimately should be filtered to the lowest level possible for ownership and mitigation.

Different levels of risk (diagram)
• Executive: Vision and Mission; corporate strategy and objectives; Corporate Plan; Measures/Targets; Strategic Risks (emerging)
• Management and staff: business and operational objectives; Business Plan; Measures/Targets; Operational Risks (emerging)
• Project managers: project objectives; Project Plan; Measures/Targets; Project Risks (emerging)

Differences and similarities between strategic and operational risks?
• Both follow principles of AS/NZS ISO 31000:2009
• Differences can include:
◦ Risk context – strategic risks most likely to impact organisational goals/objectives
◦ Participants (senior executives, audit, some board)
◦ Treatments for high level risks may vary
◦ Methods used for identifying and evaluating risk may vary
◦ Timelines can be different – some goals are longer term
◦ Requires strategic thinking
• Ideally strategic risks are identified before operational risks
• Both strategic and operational risks should be centrally managed

Strategic Risk Assessment (diagram)
Establish context → Assess risk (identify risks, analyse risks, evaluate risks) → Treat risks, with Communicate and Consult and Monitor and Review running alongside every step.
For strategic risk assessment of the whole organisation, goals, objectives & strategies are established as part of the organisational context.

A strategy focused risk assessment process
Example: The Head of the Defence Force has a strategy to engage the enemy to regain a key piece of land
• The Generals are told the strategy is to capture ‘important assets’
• They think “which assets are important?” (strategic context)
• They consider:
◦ do they have enough personnel/skills, support (organisational context)
◦ how can the strategy fail/be achieved?
(risk management context)
• To improve success rates they will need to develop a high level plan on the strategy and its key objectives (strategic plan)
• They will need to evaluate if there will be issues that may impede the strategic plan (eg ambush, not enough soldiers, wrong information about assets) (strategic risk assessment)
• Once you understand the threats you will then put in plans to avoid them and fine tune the plan before giving it to the officers to execute
• The officers will develop operational orders for the soldiers to follow about how the offensive will take place (timings, supplies required, equipment needed, signals etc) (operational plans)
• The officers will determine what risks there would be to the soldiers undertaking the offensive (injury, failed equipment, loss of communication etc) (operational risks)

Example of strategic risks
Strategic goal: Ensuring a safe, reliable and sustainable water supply
Strategic objectives:
(a) Incidents of poor water quality will be reduced by 15% by 2011
(b) Water monitoring activities will increase by 10% within 12 months
Strategic risks:
(1) Inadequate policies and procedures to improve water, leading to unexpected poor water quality
(2) Funding for water monitoring will be diverted to another program, reducing capacity to meet targets
(3) Government may change its priorities for resource management, leading to inability to ensure a sustainable safe water supply

Outcome based risk assessment
• Used where the objectives have not been defined
• Focuses on the outcomes without defining strategic objectives
◦ Identifies outcomes which may be unacceptable
◦ How they may occur
◦ Outcomes that will be of consequence to the organisation’s stakeholders

A practical example of linking strategy with planning
Example of embedding risk management in already established practices.

Let’s Improve (flowchart)
Triage questions:
• Is this an interpersonal/HR issue?
• Is this a service issue?
• Have you got a great idea or suggestion?
• Is this a maintenance issue?
• Is this a public safety issue, near miss or incident?
• Is this a risk to the organisation?
Checks before acting:
• Have you followed the conflict resolution process?
• Have you discussed it with the Service Coordinator?
• This is wonderful
• Have you discussed it with your superior?
• Have you discussed the risk with your superior?
Resulting actions:
• Complete a Quality Improvement Form
• Document in Maintenance Book
• Complete Near Miss or Incident Form
• Update Risk Register, Develop Risk Treatment Plan
• Complete a Confidential Quality Improvement Form
In every branch: Does the situation require further improvement? If so, complete a Quality Improvement Form.

Summary comments on risk integration
• ‘One size does not fit all’ – it depends on the management maturity, industry and commitment
• Focus on what makes sense to the board and management – keep it practical and tailored
• Risk disciplines can work effectively with the planning, reporting, compliance, board committee and HR culture functions
• Governance foundations: cultural tone at the top, role clarity, transparency & communication are key

Risk Framework elements

Risk appetite and risk rating (diagram)
Impact/likelihood matrices for the Board, CEO, Manager and Staff levels, contrasting a large appetite for risk, a standard appetite and a risk-averse appetite. Plan for all extreme risks.

Risk-opportunity matrix (diagram)
Likelihood (rows): A Almost Certain, B Likely, C Possible, D Unlikely, E Rare. Columns: Negative Impact (Consequence of Failure), High to Low, and Positive Impact (Benefit of Success), Low to High.
• High likelihood, high negative impact: rigorously manage these exposures
• High likelihood, high positive impact: actively pursue these opportunities
• Unlikely and Rare, on either side: watching brief

Example – Consequence (Impact)
table
Descriptors by rating (columns: Personal injury, Financial, Reputation, Environmental, Public safety, Operational)
Insignificant
• Personal injury: No injury sustained.
• Financial: Minor loss resulting in only minimal impact to local area budget.
• Reputation: Minor complaints resolved quickly with routine procedures.
• Environmental: Negligible, transient damage.
• Public safety: No threat to safety.
• Operational: Negligible short-term disruption to non-essential services.
Minor
• Personal injury: Minor injury requiring first aid only.
• Financial: Loss that impacts on a single service, but does not threaten that service’s overall budget.
• Reputation: Complaints resolved by written response.
• Environmental: Transient environmental damage requiring minor corrective action.
• Operational: Short term disruption to services, not resulting in loss of business continuity.
Moderate
• Personal injury: Injury requiring minor or short term medical intervention.
• Financial: Loss of more than $500,000. Includes losses of < $500,000 that threaten the overall budget of a single service.
• Reputation: Adverse publicity or media coverage not resulting in damage to operations.
• Environmental: Short term environmental damage.
• Public safety: May pose threat to public safety requiring minor treatment for injuries.
• Operational: Short term disruption to services, resulting in short term loss of business continuity.
Major
• Personal injury: Serious injury requiring significant or long term medical intervention.
• Financial: $500,000 to $1M
• Reputation: Adverse publicity resulting in damage to operations, but not loss of confidence in hospital management.
• Environmental: Long term environmental damage.
• Public safety: Threat to safety, resulting in hospitalization of casualties.
• Operational: Substantial disruption to multiple services resulting in short to medium term loss of business continuity.
Catastrophic
• Personal injury: Multiple unexpected deaths or injuries resulting in permanent disability.
• Financial: > $1M
• Reputation: Significant / continued negative publicity. Loss of confidence in hospital management by community or government. Includes parliamentary inquiry.
• Environmental: Permanent environmental damage.
• Public safety: Life threatening effect on public safety.
• Operational: Substantial disruption to multiple services, threatening the survival or long term business continuity of the organisation.
Example – Likelihood Table
• Almost certain: The event will definitely occur, probably multiple times in a year.
• Likely: There is a strong likelihood that the event will occur at least once in the next 6-12 months.
• Possible: There is a 50/50 chance of the event occurring within the next year. Event is equally likely to occur as not.
• Unlikely: The event is not likely to occur in the next 12 months, but there is a slight possibility of occurrence.
• Rare: Highly unlikely to occur in the next 5 years. No history of adverse event in this organisation.

Roles & Responsibilities
Executive
• Be a risk owner
• Integrate risk treatment actions into Quality & Business plans
• Monitor for emerging risks
• Ensure KPIs & audit data are monitored
Managers
• Manage local risks & escalate risks outside of delegation
• Understand the risks for the Program/Division/Unit
• Ensure completion of Quality & Business plan activities
• Undertake audit activities linked to key risks

Risk management responsibilities
The Board
• Sets risk appetite and tolerance
• Directs strategy and reviews strategic risks
• Receives risks and risk controls reports from management (via Risk Management Committee or Executive Management Committee)
• Receives report from Risk and Quality or Risk and Audit Committee on the process for managing risk and on the management of key risks
Operational Management
• Owns risks and their management
• Reports to the Board (self certification) on their management of risks
Risk Management Committee
• Provides corporate oversight of risks and their management
• Learns from incidents and events
• Monitors leading indicators of changes in risk
Risk Management Sub-Committee
• Provides expert resources for specific areas of operational risk such as health and safety
• Manages the transfer of risk via outsourcing and insurance
• Analyses risks and reports to the Risk Management Committee.
Risk and Audit Committee
• Receives reports from Internal Audit on the process for managing risk and on the management of key risks
Internal Audit Team
• Provides assurance to the Audit Committee on the system of internal control and risk management
• Provides assurance to the Audit Committee and the Risk Management Committee on the management of specific risks

Risk Management Tools and Tips

Reporting – the right things at the right level (diagram)
• Board and Risk/Audit Committee: strategic / critical risk issues
• Executive Management and Exec Risk Mgt Committee: significant / key operational and strategic risk information
• Business Units and Op Risk Mgt Committee: operational and strategic risk information at Business level
Vertical axis: volume of risk information

The Risk Management Process for Operational Managers (Risk Management Cycle)
Identify risk → Assess risk → Identify control measures → Assess control measures → Implement solutions → Monitor performance → back to Identify risk

“You cannot manage what you don’t measure” – Robert S. Kaplan, Harvard Business School, co-creator of the Balanced Scorecard (with David P. Norton)

Reporting
• Formally report risks and risk treatments with sufficient detail to enable clear understanding of how risks are being managed.
• Board and/or Management guidance on what information they would like to see in risk reports
• Agreed template or format for recording risk and risk treatment information
• Agreed template or format for risk reporting
• Agreement on when and how often risk reports will be produced
• Recipients/stakeholders of risk reports identified and agreed
• Different risk reports meeting different stakeholders’ needs
• Staff encouraged and/or incentivised to report risk or suggest risk reduction strategies
Who receives risk reports in your organisation? Who should receive reports?

Risk as a management agenda item
• What is happening in other jurisdictions ... could that happen here?
• Are we meeting our legal, regulatory and compliance requirements ... if not, why not?
• How do we compare to other jurisdictions when managing the risk of ....?
• What are the risks that could stop us from achieving our KPIs?
• What are the risks that could stop us from achieving our ‘objectives’?
• How could the next be harmed?
• Where will the next ‘scandal’ or adverse media involving the agency come from?
• Risk management update – new practices, policies, procedures, protocols, communiqués and expectations

Risk as a management agenda item?
• Progress against the top 5-10-20 risks
• What are we doing about ...(risk)...?
• What does our data tell us about our risks?
• How effective are our ‘risk controls’ for ...(risk)...?
• For this risk ... what do we need to stop doing, start doing and keep doing?
• What do we need to change to achieve best practice in managing the risk of .....?
• Risks with projects or new initiatives?
• What are the commonly used ‘work arounds’ in high risk areas?

Case Study: Melbourne Zoo Operational Risk
Reporting to:
• Management (CEO) and Animal Welfare Peer Review Committee
Includes:
• Animal escapes / disappearances
• Births, deaths (eg by cause and by age)
• Complaints (eg queries about treatment of animals)
• Staff injuries (eg snake bites and low flying owls)
• Animal rescue and rehabilitation

Risk Descriptions
Describing the risk
• The risk of (what, where, when) ... caused by (how) ... resulting in (impact/consequences) ...
Examples
• The risk of extreme weather conditions (storm, hail, ice, heat), caused by seasonal variations, resulting in injury/death to staff and/or public members.
• Loss of skill base in the organisation threatens long-term sustainability of the workforce.

Risk Statement
The risk of .......... (what, where, when) caused by .......... (how) resulting in ..........
(impact/consequences)

Sample Template

Activity – Defining Risks
In groups select a source of risk/common risk area or a risk from your risk register that you have concerns about and:
• Redefine and describe the risk using agreed risk language
• Complete the template
• Discuss potential treatment strategies

Risk Management Pitfalls
So what does your risk management look like?

Risk management - pitfalls?
• Poor culture
• Believing ... ‘that will never happen here’
• RM strategy is not driven from the ‘top down’
• Poorly defined accountability for risk management
• Risk management is not linked to corporate strategy
• Risk management is positioned as ‘compliance’
• Risk management fails, often with catastrophic outcomes, when the organisation’s processes are ignored or overlooked
• Past mistakes are overlooked – no corporate learning
• Framework does not accurately reflect the organisation’s maturity or capability

Risk management - pitfalls? (continued)
• Soft issues ignored (behaviours / attitudes)
• Over reliance on the ‘Risk Manager’
• Risk is managed in ‘silos’
• Framework has not been translated into an ‘action plan’
• Use of technical jargon in preference to plain language statements and ‘true life’ examples
• Not tough enough on language that conceals risks
• Not utilising available data / information
• Broad / non-specific risk descriptions
• Failure to use risk information to inform decision making

Questions?
Diana Borgmeyer, Risk Management Advisor
Email: d.borgmeyer@vmia.vic.gov.au
Phone: 9270 6812