2. Contents
• Risk Management Concepts
• Risk Organization, Process and Terminology
• Function Wise Risk Summary
• MHC Risk Library
• Review frequency
• Way Forward
3. Why do we need risk management?
Ask most people why cars have brakes and they’ll say, “So you can slow down.” But the real reason is so you can go faster and still be in control.
Organizations that are most effective and efficient in managing risks to both existing assets and to future growth will, in the long run, outperform those that are less so.
4. What is Risk?
“Risk is the effect of uncertainty on objectives.” (ISO 31000:2009)
• The threat of bad things (risk as hazard)
• The possibility of good things not happening (risk as opportunity)
• The potential that actual events will not equal anticipated outcomes (risk as uncertainty)
Examples shown on the slide: flood or fire, major accidents, natural disasters; changes in laws and regulations, government interventions; new technologies, new markets, new products.
5. Case Studies: Snowball effect of risk not assessed and managed effectively
• Company in Eastern India: Fire incident. Regulatory and operational risk can have a significant financial, strategic (and reputational) impact.
  Chain of events: Lack of internal controls (the fire system was not operational). Company received a memo from the Fire Department (fire system was still not operational). Fire broke out: 88 lives lost, company sealed, directors arrested.
  Financial/Operational impact: revenue loss due to closure of operations. Strategic impact: expansion plans? Reputation?
• Hospital in Noida: Kidney scam happened, after which the hospital lost its reputation and has still not been able to compete with current players in the market.
• Hospital in Bangalore: Lost licenses to carry out transplants due to non-transfer of the license to the operator’s name.
6. What is management asking?
• What are our principal business risks?
• Are we taking the right amount of risk?
• How effective are our processes for identifying, assessing and managing business risks?
• How is risk management coordinated across the organisation?
• How do we integrate risk management with the organization’s strategic direction and plan?
• How do we ensure that the organisation is performing according to the business plan and within appropriate risk criteria?
• What information about the risks facing the organisation do the Management & Board get to help them fulfil their stewardship and governance responsibilities?
• How do we help establish the "tone at the top" that reinforces the organisation’s values and promotes a "risk aware culture"?
7. What is Enterprise Risk Management (ERM)?
Elements of the ERM cycle shown on the slide: Prevent, Risk Analysis, Prepare, Practice, Recuperate, Settle, Respond, Organize.
“COSO* recognizes that many organizations are engaged in some aspects of ERM”
* Committee of Sponsoring Organizations (COSO) of the Treadway Commission, US
8. Benefits from ERM
• Avoid surprises: a strengthened framework to identify and manage potential issues before they become serious business problems.
• Better governance due to clarity in the following: risk roles and responsibilities, risk communication, risk reporting.
• Timely achievement of business objectives without any setback due to a lack of effective risk management.
• Enhanced confidence in internal controls for management declaration/assurance.
• Help in preventing potential revenue leakage and in effective cost management.
9. ERM Standards & Frameworks
• UK – The Institute of Risk Management – A Risk Management Standard
• ISO 31000:2009
• Committee of Sponsoring Organizations (COSO) of the Treadway Commission – ‘Enterprise Risk Management – Integrated Framework’
The frameworks provide broadly similar guidance on risk management principles and processes. The COSO framework is used across the globe as a common framework.
10. COSO Framework – Approach and Methodology
People & Technology Risk may have to be separately managed.
13. The journey to implement an ERM framework
• ERM Champion designated and Functional Risk Owners identified.
• Risk identification exercise to identify risks across all the functions and at an enterprise level. Draft risk registers created.
• Risks identified to be assessed/rated by the functional heads on the basis of their impact, likelihood of occurrence and mitigation plan effectiveness, prioritised, and mitigation/action plans implemented.
• Key enterprise-level risks to be reviewed by the senior leadership team on a periodic basis.
• Risk organisation structure at implementation and governance levels set up.
• On-going monitoring and inculcating an ERM culture in day-to-day operations.
14. A sample Risk Organization Structure
Levels shown on the slide (top to bottom):
• Audit Committee
• Risk and Controls Steering Committee (to include EC members and Head – Legal and Head – Internal Audit)
• Chief Risk Officer: Medical (Clinical Director will be CRO Medical) and Chief Risk Officer: Non Medical (CFO will be CRO Non-Medical)
• Medical Excellence Committee and Service Excellence Committee
• Risk Champions / Risk Owners (four groups shown)
15. Sample Risk Ranking Mechanism
• Risk Rating = I * P * E
• Impact, Probability & Effectiveness are measured on a scale of 1-4
Flow shown on the slide: Function / Business Process / Event → Cause → Effect → Control → Impact, Probability, Mitigation Plan Effectiveness → Risk Rating → Risk Priority → Action Plan
16. Risk Terminology
Risk owner: Person with the accountability and authority to manage a risk
Risk Category: Strategic, People, Technology, Compliance, Operations, Financial & Reporting
Probability:
• Likely: risks which are almost certain to occur
• Possible: risks whose likelihood of occurrence is high
• Unlikely: risks with a moderate likelihood of occurrence
• Remote: risks with an extremely low probability of occurrence
Impact Category: Occurrence of the risk could have an impact in the following areas: Financial, Brand, Legal & Regulatory and People
Severity of Impact:
• Extreme: loss of ability to sustain ongoing operations
• Major: significant impact on the achievement of objectives
• Material: limited effect on achievement of objectives
• Minor: minimal impact on achievement of objectives
Risk Rating: Very High, High, Medium & Low
17. Risk Register Template
Fields: Function; Risk Description; Risk Owner; Risk Category; Probability; Impact Category; Severity of Impact; Risk Rating
Mitigation Plan: S.No., Activity, Closure Date (rows 1, 2, ...)
19. Frequency of review
Grid of Impact versus Probability (each cell also carries a mitigation plan effectiveness level):
Grid I, Grid II, Grid III
Grid IV, Grid V, Grid VI
Grid VII, Grid VIII, Grid IX
Cell descriptions as they appear on the slide:
• High impact, Low probability & Medium effectiveness
• Low impact, Low probability & High effectiveness
• Medium impact, Low probability & Medium effectiveness
• High impact, High probability & Low effectiveness
• High impact, Medium probability & Low effectiveness
• Medium impact, Medium probability & Medium effectiveness
• Medium impact, High probability & Medium effectiveness
• Low impact, Medium probability & High effectiveness
• Low impact, High probability & Medium effectiveness
Review frequencies as they appear on the slide:
• May be reviewed every quarter
• May be reviewed every six months
• May be reviewed annually
• Needs quarterly review with real-time monitoring
• May be reviewed every six months
• May be reviewed every quarter
• May be reviewed annually
• May be reviewed every six months
• Needs quarterly review with online monitoring
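The following Python is an added illustration, not part of the deck or of MHC’s own tooling. It ties together the I * P * E ranking mechanism (slide 15), the terminology scales (slide 16), the risk register template (slide 17) and the review cadences on the frequency grid (slide 19). Several things are assumptions: the numeric values behind the probability and severity labels; that the effectiveness factor is scored so a weak mitigation plan scores high (otherwise a better plan would raise the rating); the thresholds that turn the 1..64 product into Very High / High / Medium / Low; the rule that maps each rating to one of the grid’s cadences; and the sample register entries, which are constructed to resemble the case studies.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Scales from the slides: Impact, Probability and Effectiveness each score 1-4.
# Numeric values behind the labels are assumed.
PROBABILITY = {"Remote": 1, "Unlikely": 2, "Possible": 3, "Likely": 4}
SEVERITY = {"Minor": 1, "Material": 2, "Major": 3, "Extreme": 4}
# Assumption: a weak mitigation plan scores high so that the product
# I * P * E rises with risk; a strong plan scores 1.
EFFECTIVENESS = {"High": 1, "Medium": 2, "Low": 3, "None": 4}
CATEGORIES = {"Strategic", "People", "Technology", "Compliance",
              "Operations", "Financial & Reporting"}
IMPACT_CATEGORIES = {"Financial", "Brand", "Legal & Regulatory", "People"}

# Assumed bands over the 1..64 product; the deck names the four ratings
# but does not state thresholds.
RATING_BANDS = [(32, "Very High"), (16, "High"), (6, "Medium"), (1, "Low")]

# Assumed rating-to-cadence rule, using the cadences that appear on the grid.
REVIEW_CADENCE = {
    "Very High": "quarterly review with real-time monitoring",
    "High": "every quarter",
    "Medium": "every six months",
    "Low": "annually",
}


def risk_score(impact: int, probability: int, effectiveness: int) -> int:
    """Risk Rating = I * P * E with every factor on the 1-4 scale."""
    for name, value in (("impact", impact), ("probability", probability),
                        ("effectiveness", effectiveness)):
        if value not in range(1, 5):
            raise ValueError(f"{name} must be 1-4, got {value!r}")
    return impact * probability * effectiveness


def risk_rating(score: int) -> str:
    """Map the numeric product onto the deck's four rating labels."""
    for threshold, label in RATING_BANDS:
        if score >= threshold:
            return label
    raise ValueError(f"score out of range: {score!r}")


@dataclass
class MitigationActivity:
    serial_no: int
    activity: str
    closure_date: str  # ISO date as text, e.g. "2024-03-31"


@dataclass
class RiskRegisterEntry:
    """One row of the risk register template on slide 17."""
    function: str
    description: str
    owner: str
    category: str
    probability: str      # Remote / Unlikely / Possible / Likely
    impact_category: str  # Financial / Brand / Legal & Regulatory / People
    severity: str         # Minor / Material / Major / Extreme
    effectiveness: str    # High / Medium / Low / None (assumed labels)
    mitigation_plan: list[MitigationActivity] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject rows that use labels outside the deck's terminology.
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown risk category {self.category!r}")
        if self.impact_category not in IMPACT_CATEGORIES:
            raise ValueError(f"unknown impact category {self.impact_category!r}")

    def assess(self) -> dict:
        score = risk_score(SEVERITY[self.severity],
                           PROBABILITY[self.probability],
                           EFFECTIVENESS[self.effectiveness])
        rating = risk_rating(score)
        return {"score": score, "rating": rating, "review": REVIEW_CADENCE[rating]}


def prioritise(register: list[RiskRegisterEntry]) -> list[RiskRegisterEntry]:
    """Order the register so the highest-scoring risks come first."""
    return sorted(register, key=lambda e: e.assess()["score"], reverse=True)


# Constructed sample register, loosely modelled on the case studies.
SAMPLE_REGISTER = [
    RiskRegisterEntry("Facilities", "Fire detection and suppression system not operational",
                      "Head - Facilities", "Operations", "Possible", "People", "Extreme", "Low",
                      [MitigationActivity(1, "Restore fire system and obtain Fire Department clearance",
                                          "2024-03-31")]),
    RiskRegisterEntry("Legal", "Transplant licence not transferred to operator's name",
                      "Head - Legal", "Compliance", "Likely", "Legal & Regulatory", "Major", "Medium"),
    RiskRegisterEntry("IT", "Clinical workstations running unsupported software",
                      "Head - IT", "Technology", "Unlikely", "Financial", "Material", "High"),
]

if __name__ == "__main__":
    for entry in prioritise(SAMPLE_REGISTER):
        print(f"{entry.function:<10} {entry.assess()}")
```

Running the block prints the sample register in priority order, with the facilities risk (Extreme severity, Possible, Low effectiveness) rated Very High and flagged for quarterly review with real-time monitoring. The thresholds and cadence rule are the first things a risk committee would want to replace with its own agreed values.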
20. Possible Roadblocks
• Sub-committee oversight of specific risk areas such as credit risk, market risk, operational risk, and compliance risk.
• Clear expression of risk criteria.
• Loose linkage between business strategy and risk criteria.
• Lack of documentation on policies and procedures, and roles and responsibilities.
• Lack of a consistent approach for identifying and managing risks across the organization.
• Inadequate communication between risk takers and risk managers/facilitators.
• Inefficient support for the needs of robust risk management.
21. Way forward
• Final risk registers to be validated by the leadership team for probability of occurrence of risks, their impact, adequacy of mitigation plans & timelines, and residual risk ratings.
• 15 key risks to be identified by the leadership team, to be taken up for rigorous risk management. The owners of these risks to co-opt people from other departments and develop an elaborate risk mitigation strategy and plans.
• Mitigation progress of the 15 key risks to be reviewed in monthly leadership team meetings. CEO to chair these meetings.
• Risk Polarization Survey to be conducted on a half-yearly basis.