David T. Wilber
Chief Operating Officer / CARF Surveyor
What is RISK?
Goodwill
People
Property
Income
Ability to accomplish goals
The Difference Between Incident Analysis and Risk Assessment
Incident Analysis:
Establishes a cause for an incident that has already happened.
Focuses on analyzing the reasons for the incident and development of strategies to prevent future incidents.
Risk Assessment:
Focuses on identification of potential exposures to prevent incidents from happening.
Breaks business decisions down into bite sized pieces to enable preplanning for loss control and mitigation strategies.
The only alternative to risk management is crisis management --- and crisis management is much more expensive, time consuming and embarrassing.
JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003
Protect physical and financial assets
Protect intangible assets (e.g., goodwill and reputation)
Prepare for operational crisis (Tolerate Uncertainty)
Provide a safe environment for all employees, persons receiving services and visitors
Promote a “healthy” risk culture – It’s safe to talk about risk. Open and transparent.
Develop a common and consistent approach to risk across the organization. Not intuition-based.
Things will happen…they always do…!
Survival: Not going under due to unforeseen circumstances.
Continuity of operations: Avoiding Business interruption-shutdowns
Sustainability and profitability: Maintaining your mission
Risk management plan
Continuity of Operations plan
Technology Plan
Risk Management Team
Staff Training and competency testing
Corporate Compliance program
Ethical Code of Conduct that includes witnessing of documents etc.
Social Media Policies
Accreditation: CARF-The Rehabilitation Accreditation Commission
Step 1: Establish Objectives
Step 2: Identify Risks & Controls
Step 3: Assess Risks & Controls
Step 4: Evaluate & Take Action
Step 5: Monitor & Report
Communicate, learn, improve
1. Political Risk
2. Financial Risk
3. Service Delivery or Operational Risk
4. People / HR Risk
5. Information/Knowledge Risk
6. Strategic / Policy Risk
7. Stakeholder Satisfaction / Public Perception Risk
8. Legal / Compliance Risk
9. Technology Risk
10. Governance / Organizational Risk
11. Privacy Risk
12. Security Risk
13. Equity Risk
14. Safety (NEW)
VULNERABILITY ANALYSIS CHART
Department:
Site:
Date:
Person Completing Form:
Columns:
Type of Risk
Probability (High 5 ← → 1 Low)
Human Impact, Property Impact, Business Impact (High Impact 5 ← → 1 Low Impact)
Internal Resources, External Resources (Weak Resources 5 ← → 1 Strong Resources)
Total
TYPE OF RISK
FIRE
MEDICAL EMERGENCY
ELECTRIC SHOCK
SPILLS / HAZARDOUS EXPOSURE
ADVERSE WEATHER “TORNADOS”
BOMBS / TERRORISM
MISSING PERSONS
POISONING
PSYCHIATRIC EMERGENCY
VEHICLE EMERGENCY
SUSPICIOUS MAIL
You still have to assess those “other risks”
Combining impact and likelihood
RISK PRIORITIZATION MATRIX
A Risk Prioritization Matrix can be helpful in prioritizing risks
Plot of event probability versus impact
[Figure: risk prioritization matrix, RISK = I x L, with impact and likelihood each scaled 1 to 5]
Note that the zones are not symmetrical across the matrix
High-impact, low-probability events are much more important than likely low-impact events
What is the average # of accidents that go unreported for every one reported accident?
1.29
2.48
4.71
6.26
Accident under-reporting among employees: Testing the moderating influence of psychological safety climate and supervisor enforcement of safety practices
Tahira M. Probst & Armando X. Estrada, Department of Psychology, Washington State University, June 2009
education, job aids, templates
Incorporates risk information into the strategic direction-setting, making decisions that consider established risk tolerance levels.
Takes a systems approach to managing risk at the strategic, operational and project levels which is continuous, proactive and systematic.
Fosters a working culture that values learning, innovation, responsible risk-taking and continuous improvement.
Add value not work. We developed forms and templates.
Develop and deliver educational sessions – usually attended by all leadership members at a minimum. Include risk 101 and time for them to discuss how to apply concepts to their specific worksite.
Develop teams in actual risk assessments.
Avoidance – There’s a great deal of risk. You don’t want to assume the risk and it can’t be transferred, so you avoid the risk altogether
Loss Prevention – Reduces the frequency or likelihood of a “particular” loss. Examples include:
Improve security measures to reduce the possibility of arson or theft.
Improve maintenance of facilities to reduce the possibility of a tripping hazard.
Loss Reduction – Reduces the severity or cost of a “particular” loss. Examples include:
Require the use of hearing protection to reduce the chance of a hearing loss.
Reduce the cost of workers’ compensation claims through the use of return to work programs.
Segregate Losses – Arrange your agency’s activities and assets to prevent one event from causing loss to the whole.
Contractually transfer the risk.
Personal protective equipment.
Housekeeping, repair, and maintenance.
Inspections.
Tools and equipment.
Supervision.
Policies, procedures, and process.
Contract management and administration.
Continually monitor risks to identify any change in the status, or if they turn into an issue.
Hold regular risk reviews
To identify actions outstanding, risk probability and impact
Remove risks that have passed
Identify new risks
The Risk Management Plan should specify the risks, risk responses, and mechanisms used to control the process
Need to continuously monitor for risk triggers
Potential risk events should be identified early in a project, and monitoring for such events should commence immediately
Each risk is assigned to a specific position
Has the expertise & authority to identify & respond to an event
Need environment where problems are readily reported, embraced & solved
IRM RISKS AND CONTROLS
The following table describes the risks and mitigating controls and related information. As controls are implemented or changed, their status will be updated.
Risk Rating Impact = significant, moderate or minor (S, M, m) and Likelihood = high, medium or low (H, M, or L)
Columns: ID Number; Responsible Org & Name (Implement / Operate); Risk; Control; Risk Rating (Impact); Risk Rating (Likelihood); Date Required; Status

Category: Financial
None in this category

Category: Equity
None in this category

Category: Service Delivery or Operational

ID Number: 064
Responsible Org & Name (Implement / Operate): Person A
Risk: 055 – Insufficient knowledge transfer; 102 – Conflicting management instructions
Control: Update impacted policies and procedures for integration into knowledge support tools. Harmonizing policies and procedures (e.g., access procedures – X has one and Y has one – there needs to be one process/policy/procedure).
Risk Rating (Impact): M
Risk Rating (Likelihood): M
Date Required: 31-Mar-09
Status: Refer to Privacy Action Plan Work on Ongoing Operations Commitments Report

ID Number: 065
Responsible Org & Name (Implement / Operate): Person B
Risk: 056 – Lack of communication (Serious service delivery issues); 352 – Different business and IT processes (incident management)
Control:
(a) IT incident and Triage (harmonization between IT and Business).
(b) X and Y need to develop an incident management process/service to deal with issues that arise during service delivery.
Roles and responsibilities need to be defined in both organizations: from a stewardship perspective on the ministry side, and from a service delivery/reporting perspective on the agency side. The process/service ensures that incidents/issues are communicated as per agreement requirements, well tracked and reported.
Risk Rating (Impact): M
Risk Rating (Likelihood): M
Date Required: 31-Mar-09
Status: (a, b) Refer to ongoing Operations IRM document
Columns: Exposure; Risk; Control Mechanism; Responsibility; Review Date

Exposure: Maltreatment of Individuals
Risk: Fines, loss of licenses, loss of Individuals
Control Mechanism:
Maintain current knowledge of Human Rights (DBHDS)
Annual training of all direct support staff in Human Rights (DBHDS)
Incident Report Process
Internal Investigation process
Responsibility: Director of Program and Quality Services, Senior Leadership Team, Management Team
Review Date: Annually

Exposure: Change in population - Diversity
Risk: Loss of Individuals
Control Mechanism:
Develop new and innovative programs to meet the changing needs
Program evaluation and satisfaction surveys
Follow trends
Responsibility: Senior Leadership Team, Management Team
Review Date: Annually

Exposure: Legislative / Rule Changes
Risk:
Increased costs without increased funding
Not implementing rule changes correctly
Loss of funding
Control Mechanism: Actively monitor legislative activities through trade associations – vaACCSES, VNPP, VAAPSE, ArcVA
Responsibility: Management Team
Review Date: Annually

Exposure: Wage and Hour Issues
Risk: Wage and Hour Audit
Control Mechanism:
Maintain current knowledge of wage and hour rules and regulations
Provide staff with wage and hour training
Responsibility: Management Team, Accounting staff
Review Date: Annually

Exposure: Loss of work; Downturn in economy
Risk:
Loss of income
Loss of Individuals
Loss of community jobs
Loss of facility based jobs
Loss of income
Control Mechanism:
Monitor marketing capabilities
Develop aggressive marketing plan
Plan for alternative activities
Implement volunteer opportunities and alternative activities
Diversify program options throughout agency
Responsibility: Management Team, Director of Business Development; Management Team
Review Date: Annually (each exposure)
You don’t know what you don’t know…
Better to know….
David T. Wilber
Chief Operating Officer / CARF Surveyor dwilber@VersAbility.org