Slide 1: A Practical Approach to Risk Management
Financial Management Institute, Toronto Chapter
February 17, 2010
Corinne Berinstein, BPT, MBA, MHSC, CA, CFI
Health Audit Services Team, Ontario Internal Audit Division

Slide 2: Contact Info
Corinne Berinstein, BPT, MBA, MHSC, CA, CFI, Certificate in Risk Management (Canadian Health Care Association)
Senior Audit Manager, Health Audit Services Team, Ontario Internal Audit Division, Province of Ontario
Office: 416-327-7798
eMail: corinne.berinstein1@ontario.ca

Slide 3: Basic Concepts

Slide 4: Outline
• Objectives of today’s session
• Basic principles, concepts, definitions
• A simple framework
• Stocking your toolkit – education, job aids, templates
• What are you going to do back in the office?
• Q&A
• A case – Let’s practice!

Slide 5: Objectives
• Give you a practical approach, framework and tools so you can start implementing ERM when you get back to the office.
• Share some lessons learned.
• Share some tips and tricks.
• Practice concepts and tools with a case study so that you can apply them.

Slide 6: Why do we need Risk Management?
“The only alternative to risk management is crisis management --- and crisis management is much more expensive, time consuming and embarrassing.” – James Lam, Enterprise Risk Management, Wiley Finance © 2003
“Without good risk management practices, government cannot manage its resources effectively. Risk management means more than preparing for the worst; it also means taking advantage of opportunities to improve services or lower costs.” – Sheila Fraser, Auditor General of Canada

Slide 7: Why bother with RM?
• Increase risk awareness – What could affect the achievement of objectives? What could change? What could go wrong? What could go right?
• Increase understanding of risk – sensitivities. What makes my risks increase/decrease/disappear?
• Promote a “healthy” risk culture – It’s safe to talk about risk. Open and transparent.
• Develop a common and consistent approach to risk across the organization. Not intuition-based.

Slide 8: Why bother with RM? (continued)
• Allows intelligent, “informed” risk-taking.
• Focuses efforts – helps prioritize. Top 10 list. Or top 3. Or…
• Is proactive, not reactive – Prepare for risks before they happen. Identify risks and develop appropriate risk mitigating strategies.
• Improves outcomes – achievement of objectives (corporate, clinical, etc.)
• Really comes down to simple good management.
• Enables accountability, transparency and responsibility.
• And may even mean survival.

Slide 9: Basic principles, concepts, definitions
• A risk is ANYTHING that may affect the achievement of an organization’s objectives.
• It is the UNCERTAINTY that surrounds future events and outcomes.
• It is the expression of the likelihood and impact of an event with the potential to influence the achievement of an organization’s objectives.

Slide 10: Threats and opportunities
• Threat – a risk that may HINDER the achievement of objectives
• Opportunity – a risk that may HELP in the achievement of objectives
Examples: interest rates; foreign exchange rates; supply of service/product/resources; demand/uptake for service/product/resources; the economy; the weather; the stock market.

Slide 11: Interactive Session #1 – 10 minutes
• Introduce yourselves to others at your table
• Pick 1 risk – discuss it as both a threat and an opportunity
• Report to the large group. Pick a spokesperson.

Slide 12: Definition of ERM
“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework, 2004.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Slide 13: Enterprise vs Integrated Risk Management
Similarities:
• Formal process
• Consistent and systematic
• Includes projects, programs, operations
• Is embedded in key processes such as strategic planning, budgeting, project planning, evaluation, etc.
• Must be driven and supported by Leadership
• Adds value to decision-making
Differences:
• Enterprise-wide: Is organization-centric. Success is defined as implementation over the entire organization.
• Integrated: Takes a systems focus. May actually create risks for individual organizations.

Slide 14: Enterprise Risk Management
[Diagram: the risk management cycle (Establish, Identify, Assess, Evaluate, Monitor, with Communication & Learning at the centre) repeated at the Division, Branch, and Unit or Project levels, each level feeding a Periodic Summary Analysis & Report.]

Slide 15: Integrated Risk Management
[Diagram: the same cycle repeated at the System, Regional, and Organizational levels, each level feeding a Periodic Summary Analysis & Report.]

Slide 16: Risk Management Basics
• Risk (uncertainty) may affect the achievement of objectives.
• Effective mitigation strategies/controls can reduce negative risks or increase opportunities.
• Residual risk is the level of risk after evaluating the effectiveness of controls.
• Acceptance and action should be based on residual risk levels.
[Diagram: INHERENT risk, reduced by controls to residual risk.]

Slide 17: A Simple Framework
• Step 1 – Establish Objectives
• Step 2 – Identify Risks & Controls
• Step 3 – Assess Risks & Controls
• Step 4 – Evaluate & Take Action
• Step 5 – Monitor & Report
Throughout: Communicate, learn, improve

Slide 18: Risk Management is critical to ALL levels of decisions
[Diagram (from HM Treasury’s The Orange Book): three types of decision arranged against UNCERTAINTY: Strategic decisions; Programme decisions (transferring strategy into action); Project & Operational decisions (required for implementation).]
Decisions can be categorized into three types. The amount of risk (uncertainty) varies with the type of decision.
Most decisions are concerned with implementation.

Slide 19: The relationship between IRM & MOHLTC’s Complex Risk Environment
[Diagram: the MOHLTC Risk Environment (the risk management cycle: Establish, Identify, Assess, Evaluate, Monitor, with Communication & Learning) sits inside the MOHLTC Extended Enterprise, which sits inside the External Risk Environment. Labels recoverable from the figure: Laws & Regulations; Political Outcomes; Financial; Strategic / Policy; Information Technology; Information; Human Resources; The Economy; LHINs; Operational; Stakeholder expectations; Legal/Compliance; Other ministries; Partner organizations; Organizational Governance; Transfer Payment Accountability & Governance; Capacity; Public Perception; Corporate Governance Requirements.]

Slide 20: Categorizing Risk – Comprehensive
1. Political or Reputational Risk
2. Financial Risk
3. Service Delivery or Operational Risk
4. People / HR Risk
5. Information/Knowledge Risk
6. Strategic / Policy Risk
7. Stakeholder Satisfaction / Public Perception Risk
8. Legal / Compliance Risk
9. Technology Risk
10. Governance / Organizational Risk
11. Privacy Risk
12. Security Risk
13. Equity Risk
14. Patient Safety (NEW)

Slide 21: Risk Prioritization – likelihood and impact
Likelihood of a risk event occurring:
• Very High: Is almost certain to occur
• High: Is likely to occur
• Medium: Is as likely as not to occur
• Low: May occur occasionally
• Very Low: Unlikely to occur
Risk Impact (level of damage that can occur when a risk event occurs):
• Very High: Threatens the success of the project
• High: Substantial impact on time, cost or quality
• Medium: Notable impact on time, cost or quality
• Low: Minor impact on time, cost or quality
• Very Low: Negligible impact

Slide 22: Third dimension for rating risks – proximity
• Immediate – now
• Less than 6 months
• Between 6 – 12 months
• Between 12 – 24 months
• Between 24 – 36 months
• More than 36 months

Slide 23: Risk rating … combining impact and likelihood
[Diagram: RISK PRIORITIZATION MATRIX, a 5 × 5 grid with IMPACT (1 to 5) on the vertical axis and LIKELIHOOD (1 to 5) on the horizontal axis; each cell’s risk score is I × L.]

Slide 24: Risk reporting and communications
Risk Level – Action and Level of Involvement Required:
• Critical Risk – Inform Chief Executive Officer and Board of Directors. Immediate action required.
• High Risk – Inform Chief Executive Officer. Strategy Team involvement/attention is essential to manage risks – provide report to Board as appropriate.
• Moderate Risk – Management mitigation and ongoing monitoring required. Inform relevant Strategy Team members.
• Low Risk – Accept, but monitor risks. Manage by routine procedures within the program and site.

Slide 25: [no text]

Slide 26: Key Risk Indicators (KRIs) are linked to strategy, performance and risk
[Diagram linking Strategy & objectives, Risk (Cause and Consequence), KRI and Performance.]
KRIs need to be linked to strategy, objectives and target performance levels, with a good understanding of the drivers to risk.
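Slides 16, 23 and 24 together describe one scoring procedure (rate the inherent risk, re-rate it after evaluating the control, place the residual on the I x L matrix, escalate by level); the Python below works that through on a small register. It is an added example, not part of the original deck; the 1 to 5 numeric mapping, the score thresholds for the four reporting levels, and the sample entries with their ratings are assumptions made here, not taken from the slides.

```python
"""Scoring a risk register on the deck's five-level scales. Added example, not from the deck.
Assumed here, not on the slides: Very Low..Very High map to 1..5, the matrix score is
Impact x Likelihood, and slide 24's reporting levels start at the thresholds in BANDS."""
from dataclasses import dataclass

LEVELS = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}

# Assumed cut-offs, highest first: (minimum I x L score, slide 24 level, abridged action).
BANDS = [
    (20, "Critical Risk", "Inform CEO and Board of Directors; immediate action required"),
    (12, "High Risk", "Inform CEO; Strategy Team attention essential; report to Board as appropriate"),
    (6, "Moderate Risk", "Management mitigation and ongoing monitoring; inform Strategy Team members"),
    (1, "Low Risk", "Accept but monitor; manage by routine procedures within the program and site"),
]

@dataclass
class Risk:
    id: str
    description: str
    impact: str              # inherent rating, before any control
    likelihood: str
    control: str
    residual_impact: str     # re-assessed after evaluating the control (slide 16)
    residual_likelihood: str

def score(impact: str, likelihood: str) -> int:
    """Cell value of the slide 23 matrix: Impact x Likelihood, 1..25."""
    return LEVELS[impact] * LEVELS[likelihood]

def level(s: int) -> tuple:
    """Map a matrix score to (reporting level, required action) per slide 24."""
    for floor, name, action in BANDS:
        if s >= floor:
            return name, action
    raise ValueError(f"score out of range: {s}")

def residual_score(r: Risk) -> int:
    return score(r.residual_impact, r.residual_likelihood)

def prioritize(register: list, top: int = 3) -> list:
    """Top-N list by residual score: slide 16 says acceptance and action follow residual risk."""
    ranked = sorted(register, key=residual_score, reverse=True)
    return [(r.id, residual_score(r), level(residual_score(r))[0]) for r in ranked[:top]]

def heat_map(register: list) -> list:
    """5x5 counts of residual risks; rows are Impact 5..1 top to bottom, columns Likelihood 1..5."""
    grid = [[0] * 5 for _ in range(5)]
    for r in register:
        grid[5 - LEVELS[r.residual_impact]][LEVELS[r.residual_likelihood] - 1] += 1
    return grid

# Constructed register: IDs and wording loosely follow slide 34; every rating is invented.
REGISTER = [
    Risk("055", "Insufficient knowledge transfer", "High", "High",
         "Update policies and procedures into knowledge support tools", "High", "Medium"),
    Risk("056", "Lack of communication on service delivery issues", "Very High", "High",
         "Joint incident management process with defined roles", "High", "Low"),
    Risk("102", "Conflicting management instructions", "Medium", "Very High",
         "Harmonize policies and procedures into one process", "Medium", "Medium"),
    Risk("352", "Different business and IT incident processes", "High", "Medium",
         "IT incident triage harmonized with the business", "Low", "Low"),
]

if __name__ == "__main__":
    for rid, s, lvl in prioritize(REGISTER):
        print(f"{rid}: residual {s:2d} {lvl} -> {level(s)[1]}")
```

Note how risk 056 is Critical on its inherent rating (20) but only Moderate on its residual (8), which is why the ranking is built on the residual column.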
Slide 27: Examples of KRIs
Human resources:
• Average time to fill vacant positions
• Staff absenteeism/sickness rates
• Percentage of staff appraisals below “satisfactory”
• Age demographics of key managers
Information Technology:
• Systems usage versus capacity
• Number of system upgrades/version releases
• Number of help desk calls
Finance:
• Daily P&L adjustments (#, amt)
• Reporting deadlines missed (#)
• Incomplete P&L sign-offs (#, aged)
Legal/compliance:
• Outstanding litigation cases (#, amt)
• Compliance investigations (#)
• Customer complaints (#)
Audit:
• Outstanding high risk issues (#, aged)
• Audit findings (#, severity)
• Revised management action target dates (#)
Risk management:
• Management overrides
• Limit breaches (#, amt)

Slide 28: Measure and report RM implementation progress
Excellent:
• Advanced capabilities to identify, measure, manage all risk exposures within tolerances
• Advanced implementation, development and execution of ERM parameters
• Consistently optimizes risk adjusted returns throughout the organization
Strong:
• Clear vision of risk tolerance and overall risk profile
• Risk control exceeds adequate for most major risks
• Has robust processes to identify and prepare for emerging risks
• Incorporates risk management and decision making to optimize risk adjusted returns
Adequate:
• Has fully functioning control systems in place for all of their major risks
• May lack a robust process for identifying and preparing for emerging risks
• Performing good classical “silo” based risk management
• Not fully developed process to optimize risk adjusted returns
Weak:
• Incomplete control process for one or more major risks
• Inconsistent or limited capabilities to identify, measure or manage major risk exposures
Source: Standard & Poor’s

Slide 29: Progress to Date – ERM Report Card
Report card areas: Quality of Care and Patient Safety; Corporate Governance; Operation & Business Support; Reputation and Public Image; Human Resources and Staff Relations; Financial Resources; Information Systems and Technology; Physical Assets; Legal and Regulatory; Environmental Health and Safety; Policies; Standards

Slide 30: An Approach to Risk Management
• Establish centralized support
• Develop a standardized framework
• Provide education and coaching
• Ensure ministry-wide implementation
• Embed IRM into all major processes including strategic planning and resource allocation decisions
• Enable our stewardship role

Slide 31: The Approach
• Incorporates risk information into strategic direction-setting, making decisions that consider established risk tolerance levels.
• Takes a systems approach to managing risk at the strategic, operational and project levels which is continuous, proactive and systematic.
• Fosters a working culture that values learning, innovation, responsible risk-taking and continuous improvement.

Slide 32: Your toolkit – education, job aids, templates
• We wanted to add value, not work.
• We developed forms and templates.
• So we developed and delivered educational sessions – usually attended by all team members. Included risk 101 and then time for the team members to discuss how to apply concepts to their work.
• We assisted teams in actual risk assessments. Sometimes we used voting software.
• We trained the trainer.
Slide 33: A Process for Embedding IRM
[Diagram: five HAST sessions, each marked on the risk management cycle (Establish, Identify, Assess, Evaluate, Monitor, Communication & Learning): Risk 101 Presentation; Management IRM Planning Meeting; Risk Assessment Workshop; Risk Prioritization & Voting Workshop; Risk follow-up Session.]
Table columns: HAST Session | Components | Participant Outcomes

Risk 101 Presentation
Components:
• Introduction – Integrated Risk Management
• Introduction to basic risk concepts and terminologies
• Introduction to the MOHLTC’s Integrated Risk Framework
• Status of IRM in MOHLTC
(Most effective when followed up with a facilitated risk assessment workshop or application to an actual project)
Participant outcomes:
• Understanding of risk management process
• Understanding of how risk management is relevant to their day-to-day work
• Knowledge of IRM in MOHLTC

Management IRM Planning Meeting
Components:
• Planning
• Discuss best way to implement IRM in area
• Proposed IRM implementation plan presented for area
• Review of IRM roll-out: timelines, deliverables, related forums
• Clarify roles & responsibilities for risk management
Participant outcomes:
• Commitment to IRM implementation in area or stream of work
• Risk management roles and responsibilities clearly defined
• Commitment to continuous risk communication & learning

Risk Assessment Workshop
Components:
• Facilitated Training – Identification of risks & mitigation strategies
• Identification of objectives
• Brainstorming and identification of risks to meeting objectives (for project, branch, initiative, etc.)
• Identification of source, mitigation strategies, ownership and residual risk for each ‘risk category’
Participant outcomes:
• Hands-on experience allowing assimilation of consistent risk management techniques
• Hands-on practice of IRM process, enabling application of risk management principles and tools to their work in a seamless manner
• Greater understanding of work and inter-dependencies

Risk Prioritization & Voting Workshop
Components:
• Facilitated Training – Assessment of mitigation strategies & prioritization
• Review of risks, mitigation strategies, ownership and residual risk
• Anonymous voting on the impact and probability of each risk
• Prioritization of risks on ‘heat map’
• Discussion of mitigation strategies for high priority risks
Participant outcomes:
• Unbiased risk prioritization and identification of high risks
• Enables application of complete risk management process to everyday work

Risk follow-up Session
Components:
• Monitoring & Review
• Review of risks six months after initial assessment
• Review mitigation strategies and residual risks
Participant outcomes:
• Review of risks and status
• Continuous improvement

Slide 34: IRM Risks and Controls
The following table describes the risks and mitigating controls and related information. As controls are implemented or changed, their status will be updated.
Risk Rating: Impact = significant, moderate or minor (S, M, m); Likelihood = high, medium or low (H, M, L).
Table columns: ID Number | Responsible Org & Name (Implement / Operate) | Risk | Control | Risk Rating (Impact) | Risk Rating (Likelihood) | Date Required | Status

Category: Financial – None in this category
Category: Equity – None in this category
Category: Service Delivery or Operational
• ID 064 – Person A
  Risks: 055 – Insufficient knowledge transfer; 102 – Conflicting management instructions
  Controls: (a) Update impacted policies and procedures for integration into knowledge support tools. (b) Harmonizing policies and procedures (e.g., access procedures – X has one and Y has one – there needs to be one process/policy/procedure).
  Risk Rating: M
  Date Required: 31-Mar-09
  Status: Refer to Privacy Action Plan; Work on Ongoing Operations Commitments Report
• ID 065 – Person B
  Risks: 056 – Lack of communication (Serious service delivery issues); 352 – Different business and IT processes (incident management)
  Controls: (a) IT incident and Triage (harmonization between IT and Business). (b) X and Y need to develop an incident management process/service to deal with issues that arise during service delivery. Roles and responsibilities need to be defined in both organizations: from a stewardship perspective on the ministry side, and from a service delivery/reporting perspective on the agency side. The process/service ensures that incidents/issues are communicated as per agreement requirements, and are well tracked and reported.
  Risk Rating: M
  Date Required: 31-Mar-09
  Status: (a, b) Refer to ongoing Operations IRM document

Slides 35–37: [no text; image slides]

Slide 38: The Cyclist and the Risk Manager

Slide 39: Interactive Session #2 – 15 minutes
• Identify risks that the cyclist faces in cycling to work.
• Report back.

Slide 40: Risk Factors – the cyclist [image]

Slide 41: Risk Factors – the weather, the road, visibility, the bike, the lock [image]

Slide 42: Risk Factors – the driver [image]

Slide 43: Risks
Threats: Death; Head injury; Injury; Reputation; Financial; Damage to the bike; Sunburn/frost bite
Opportunities: Exercise; Sunlight; Reputation; Financial; Role model; Environment

Slide 44: Mitigation Strategies for threats
• Death, head injury, other injury – helmet, bright clothes, lights, bell, CANbike course, obeying traffic laws, positive attitude, anger management course
• Reputation – great outfit, change of wrinkle-free clothes, shower, time management
• Financial – high quality locks, “beater”, stopping at stop signs
• Damage to the bike – regular maintenance, avoiding pot holes
• Sunburn/frost bite – sunscreen, mittens, hats, token/change
• Dehydration – filled water bottle

Slide 45: ERM/IRM can be complex and messy

Slide 46: Keep it simple

Slide 47: Back at the office
• Why is the organization interested in RM? What are they hoping will be achieved with its implementation?
• Who is doing what?
  Roles & responsibilities must be clearly defined. Make sure Leadership supports RM and uses RM results to make decisions. Everyone is a risk manager. Make sure that all risks have owners and that the responsibilities for mitigation are assigned.
• How will it be implemented? What is your framework? What is the common language? How will risks be measured and reported?
• Where will you start? Choices could be where you can most easily succeed, where it is needed the most, or where interest is high.
• When will it be implemented? It is a journey, not a destination: 3-5 years for complete roll-out. How often will risks be assessed? When will mitigation plans be implemented and monitored? When will risks be reported?

Slide 48: Ask questions and develop your approach
• Do we understand our major risks? Do we know what is causing our risks to increase, decrease or stay the same? Have we assessed the likelihood and impact of our risks? Have we identified the sources and causes of our risks?
• How well are we managing our risks? Are we trying to prevent the downside risks from happening? Or are we trying to simply recover from them? Who is accountable for these risks?
• How do we talk about risk? Do we have a common language across branches, across divisions, across the ministry, across the OPS, across the health care system?
• Are we taking too much risk? Or not enough risk? Are the right people taking the right risks at the right time?
• What’s our culture? Are we risk averse or are we risk-takers? Or are we somewhere in between?

Slide 49: TAKE SMALL BITES… IRM IMPLEMENTATION

Slide 50: Questions?

Slide 51: The case – You are responsible for Risk Management for:
• Case 1 – The Pan Am Games 2015
• Case 2 – The provincial response to the next Pandemic
• Case 3 – The extension of Hwy 404
• Case 4 – The rescue efforts in Haiti
• Case 5 – Human Resources in the Ontario Public Service
• Case 6 – A big teaching hospital in Toronto

Slide 52: The case
• Consider the 13 categories of risk
• Identify top 5 threats (downside) and top 5 opportunities (upside)
• Propose mitigation strategies
• Discuss how the following risk factors would affect your assessment: Economy; Demographics; Weather; Technology; Timing of events such as an election; Others

Slide 53: Questions?