1
A Practical Approach to
Risk Management
Financial Management Institute,
Toronto Chapter
February 17 2010
Corinne Berinstein, BPT, MBA, MHSC, CA, CFI
Health Audit Services Team
Ontario Internal Audit Division
2
Contact Info:
Corinne Berinstein, BPT, MBA, MHSC, CA, CFI, Certificate in Risk
Management (Canadian Health Care Association)
Senior Audit Manager
Health Audit Services Team
Ontario Internal Audit Division
Province of Ontario
Office: 416-327-7798
eMail: corinne.berinstein1@ontario.ca
3
Basic Concepts
4
Outline
 Objectives of today’s session
 Basic principles, concepts, definitions
 A simple framework
 Stocking your toolkit – education, job aids, templates
 What are you going to do back in the office?
 Q & A’s
 A case – Let’s practice!
5
Objectives
 Give you a practical approach, framework and tools so
you can start implementing ERM when you get back to
the office.
 Share some lessons learned. Share some tips and tricks.
 Practice concepts and tools with a case study.
6
Why do we need Risk Management?
The only alternative to risk management is crisis management --- and
crisis management is much more expensive, time consuming and
embarrassing.
JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003
Without good risk management practices, government cannot manage its
resources effectively. Risk management means more than preparing for
the worst; it also means taking advantage of opportunities to improve
services or lower costs.
Sheila Fraser, Auditor General of Canada
7
Why bother with RM?
 Increase risk awareness – What could affect the
achievement of objectives? What could change? What
could go wrong? What could go right?
 Increase understanding of risk – sensitivities. What
makes my risks increase/decrease/disappear?
 Promote a “healthy” risk culture – It’s safe to talk about
risk. Open and transparent.
 Develop a common and consistent approach to risk across
the organization. Not intuition-based.
8
Why bother with RM?
 Allows intelligent “informed” risk-taking.
 Focuses efforts – helps prioritize. Top 10 list. Or top 3.
Or…
 Is proactive…. not reactive – Prepare for risks before
they happen. Identify risks and develop appropriate risk
mitigating strategies.
 Improve outcomes – achievement of objectives
(corporate, clinical, etc)
 Really comes down to simple good management
 Enables accountability, transparency and responsibility
 And may even mean survival
9
Basic principles, concepts, definitions
A risk is ANYTHING that may affect the
achievement of an organization’s objectives.
It is the UNCERTAINTY that surrounds future
events and outcomes.
It is the expression of the likelihood and impact of
an event with the potential to influence the
achievement of an organization’s objectives.
10
Threats and opportunities
Threat – a risk that may HINDER the achievement of objectives
Opportunity – a risk that may HELP the achievement of objectives
 Interest rates
 Foreign exchange rates
 Supply of service/product/resources
 Demand/uptake for service/product/resources
 The economy
 The weather
 The stock market
11
Interactive Session #1 – 10 minutes
 Introduce yourselves to others at your table
 Pick 1 risk – discuss it as both a threat and
an opportunity
 Report to the large group. Pick a
spokesperson.
12
Definition of ERM
“… a process, effected by an entity's board of
directors, management and other personnel, applied
in strategy setting and across the enterprise,
designed to identify potential events that may affect
the entity, and manage risks to be within its risk
appetite, to provide reasonable assurance regarding
the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
13
Enterprise vs Integrated Risk Management
Similarities:
 Formal process
 Consistent and systematic
 Includes projects, programs,
operations
 Is embedded in key processes
such as strategic planning,
budgeting, project planning,
evaluation, etc
 Must be driven and supported by
Leadership
 Adds value to decision-making
Differences:
Enterprise-wide:
 Is organization-centric
 Success is defined as implementation over the entire organization
Integrated:
 Takes a systems focus
 May actually create risks for individual organizations
14
Enterprise Risk Management (diagram)
Periodic Summary Analysis & Report at each level:
 Division Level
 Branch Level
 Unit or Project Level
15
Integrated Risk Management (diagram)
Periodic Summary Analysis & Report at each level:
 System Level
 Regional Level
 Organizational Level
16
Risk Management Basics
 Risk (uncertainty) may affect the achievement of
objectives.
 Effective mitigation strategies/controls can reduce
negative risks or increase opportunities.
 Residual risk is the level of risk after evaluating the
effectiveness of controls.
 Acceptance and action should be based on residual risk
levels.
(Diagram: inherent risk, reduced by controls to residual risk)
17
A Simple Framework
Step 1 – Establish Objectives
Step 2 – Identify Risks & Controls
Step 3 – Assess Risks & Controls
Step 4 – Evaluate & Take Action
Step 5 – Monitor & Report
Communicate, learn, improve
18
Risk Management is critical to ALL levels of decisions
Decisions can be categorized into three types. The amount of risk
(uncertainty) varies with the type of decision. Most decisions are
concerned with implementation.
Source: HM Treasury, The Orange Book
19
The relationship between IRM & MOHLTC’s Complex Risk
Environment
20
Categorizing Risk – Comprehensive
1. Political or Reputational Risk
2. Financial Risk
3. Service Delivery or Operational Risk
4. People / HR Risk
5. Information/Knowledge Risk
6. Strategic / Policy Risk
7. Stakeholder Satisfaction / Public Perception Risk
8. Legal / Compliance Risk
9. Technology Risk
10. Governance / Organizational Risk
11. Privacy Risk
12. Security Risk
13. Equity Risk
14. Patient Safety (NEW)
21
Risk Prioritization – likelihood and impact
Likelihood of a risk event occurring
 Very High: Is almost certain to occur
 High: Is likely to occur
 Medium: Is as likely as not to occur
 Low: May occur occasionally
 Very Low: Unlikely to occur
Risk Impact: Level of damage that
can occur when a risk event
occurs
 Very High: Threatens the success of
the project
 High: Substantial impact on time, cost
or quality
 Medium: Notable impact on time,
cost or quality
 Low: Minor impact on time, cost or
quality
 Very Low: Negligible impact
22
Third dimension for rating risks - proximity
 Immediate – now
 Less than 6 months
 Between 6-12 months
 Between 12 – 24 months
 Between 24 – 36 months
 More than 36 months
23
Risk rating
…Combining impact and likelihood
24
Risk reporting and communications
Risk Level – Action and Level of Involvement Required
Critical Risk
• Inform Chief Executive Officer and Board of Directors
• Immediate action required
High Risk
• Inform Chief Executive Officer
• Strategy Team involvement/attention is essential to manage risks – provide report to Board as appropriate
Moderate Risk
• Management mitigation and ongoing monitoring required
• Inform relevant Strategy Team members
Low Risk
• Accept, but monitor risks
• Manage by routine procedures within the program and site
26
Key Risk Indicators (KRIs) are linked to strategy, performance and risk
(Diagram linking: Strategy & objectives, Performance, Cause, Risk, Consequence, KRI)
KRIs need to be linked to strategy, objectives and target performance
levels, with a good understanding of the drivers to risk.
27
EXAMPLES OF KRIs
Human resource
• Average time to fill vacant positions
• Staff absenteeism / sickness rates
• Percentage of staff appraisals below “satisfactory”
• Age demographics of key managers
Information Technology
• Systems usage versus capacity
• Number of system upgrades / version releases
• Number of help desk calls
Finance
• Daily P&L adjustments (#, amt)
• Reporting deadlines missed (#)
• Incomplete P&L sign-offs (#, aged)
Legal/compliance
• Outstanding litigation cases (#, amt)
• Compliance investigations (#)
• Customer complaints (#)
Audit
• Outstanding high risk issues (#, aged)
• Audit findings (#, severity)
• Revised management action target dates (#)
Risk management
• Management overrides
• Limit breaches (#, amt)
28
Measure and report RM implementation progress
Excellent
• Advanced capabilities to identify, measure, manage all risk exposures within
tolerances
• Advanced implementation, development and execution of ERM parameters
• Consistently optimizes risk adjusted returns throughout the organization
Strong
• Clear vision of risk tolerance and overall risk profile
• Risk control exceeds adequate for most major risks
• Has robust processes to identify and prepare for emerging risks
• Incorporates risk management and decision making to optimize risk adjusted
returns
Adequate
• Has fully functioning control systems in place for all of their major risks
• May lack a robust process for identifying and preparing for emerging risks
• Performing good classical “silo” based risk management
• Not fully developed process to optimize risk adjusted returns
Weak
• Incomplete control process for one or more major risks
• Inconsistent or limited capabilities to identify, measure or manage major risk
exposures
Source: Standard & Poor’s
29
Progress to Date – ERM Report Card
Quality of Care and Patient Safety
Corporate Governance
Operation & Business Support
Reputation and Public Image
Human Resources and Staff Relations
Financial Resources
Information Systems and Technology
Physical Assets
Legal and Regulatory
Environmental Health and Safety
Policies
Standards
30
An Approach to Risk Management
 Establish centralized support
 Develop a standardized framework
 Provide education and coaching
 Ensure ministry-wide implementation
 Embed IRM into all major processes including strategic
planning and resource allocation decisions
 Enable our stewardship role
31
The Approach
 Incorporates risk information into the strategic direction-
setting, making decisions that consider established risk
tolerance levels.
 Takes a systems approach to managing risk at the
strategic, operational and project levels which is
continuous, proactive and systematic.
 Fosters a working culture that values learning, innovation,
responsible risk-taking and continuous improvement.
32
Your toolkit – education, job aids, templates
 We wanted to add value, not work. We developed forms
and templates.
 So we developed and delivered educational sessions –
usually attended by all team members. Included risk 101
and then time for the team members to discuss how to
apply concepts to their work.
 We assisted teams in actual risk assessments. Sometimes
we used voting software.
 We trained the trainer.
33
A Process for Embedding IRM
(HAST sessions, their components and participant outcomes)

Risk 101 Presentation
Components:
 Introduction – Integrated Risk Management
 Introduction to basic risk concepts and terminologies
 Introduction to the MOHLTC’s Integrated Risk Framework
 Status of IRM in MOHLTC
 (Most effective when followed up with a facilitated risk assessment workshop or application to an actual project)
Participant Outcomes:
 Understanding of the risk management process
 Understanding of how risk management is relevant to their day-to-day work
 Knowledge of IRM in MOHLTC

Management IRM Planning Meeting
Components (Planning):
 Discuss the best way to implement IRM in the area
 Proposed IRM implementation plan presented for the area
 Clarify roles & responsibilities for risk management
 Review of IRM roll-out: timelines, deliverables, related forums
Participant Outcomes:
 Commitment to IRM implementation in the area or stream of work
 Risk management roles and responsibilities clearly defined
 Commitment to continuous risk communication & learning

Risk Assessment Workshop
Components (Facilitated Training – Identification of risks & mitigation strategies):
 Identification of objectives
 Brainstorming and identification of risks to meeting objectives (for project, branch, initiative, etc.)
 Identification of source, mitigation strategies, ownership and residual risk for each ‘risk category’
Participant Outcomes:
 Hands-on experience allowing assimilation of consistent risk management techniques
 Hands-on practice of the IRM process, enabling application of risk management principles and tools to work
 Greater understanding of work and inter-dependencies

Risk Prioritization & Voting Workshop
Components (Facilitated Training – Assessment of mitigation strategies & prioritization):
 Review of risks, mitigation strategies and ownership
 Anonymous voting on the impact and probability of each risk
 Prioritization of risks on a ‘heat map’
 Discussion of mitigation strategies for high priority risks
Participant Outcomes:
 Review of risks, mitigation strategies, ownership and residual risk to their work in a seamless manner
 Unbiased risk prioritization and identification of high risks
 Enables application of the complete risk management process to everyday work

Risk Follow-up Session
Components (Monitoring & Review):
 Review of risks six months after initial assessment
 Review mitigation strategies and residual risks
Participant Outcomes:
 Review of risks and status
 Continuous improvement
34
IRM RISKS AND CONTROLS
The following table describes the risks and mitigating controls and related information. As controls are implemented or changed, their status will be updated.
Risk Rating: Impact = significant, moderate or minor (S, M, m) and Likelihood = high, medium or low (H, M, or L)
Columns: ID Number | Responsible Org & Name (Implement / Operate) | Risk | Control | Risk Rating (Impact) | Risk Rating (Likelihood) | Date Required | Status

Category: Financial
None in this category

Category: Equity
None in this category

Category: Service Delivery or Operational
ID 064 – Person A
 Risk: 055 – Insufficient knowledge transfer; 102 – Conflicting management instructions
 Control: Update impacted policies and procedures for integration into knowledge support tools. Harmonizing policies and procedures (e.g., access procedures – X has one and Y has one – there needs to be one process/policy/procedure).
 Risk Rating: Impact M, Likelihood M
 Date Required: 31-Mar-09
 Status: Refer to Privacy Action Plan Work on Ongoing Operations Commitments Report
ID 065 – Person B
 Risk: 056 – Lack of communication (Serious service delivery issues); 352 – Different business and IT processes (incident management)
 Control: (a) IT incident and Triage (harmonization between IT and Business). (b) X and Y need to develop an incident management process/service to deal with issues that arise during service delivery. Roles and responsibilities need to be defined in both organizations: from a stewardship perspective on the ministry side, and from a service delivery/reporting perspective on the agency side. The process/service ensures that incidents/issues are communicated as per agreement requirements, well tracked and reported.
 Risk Rating: Impact M, Likelihood M
 Date Required: 31-Mar-09
 Status: (a, b) Refer to ongoing Operations IRM document
38
The Cyclist and the Risk Manager
39
Interactive Session #2 – 15 minutes
 Identify risks that the cyclist faces in
cycling to work.
 Report back.
40
Risk Factors – the cyclist
41
Risk Factors – the weather, the road, visibility, the
bike, the lock
42
Risk Factors – the driver
43
Risks
Threats:
 Death
 Head Injury
 Injury
 Reputation
 Financial
 Damage to the bike
 Sunburn/frost bite
Opportunities:
 Exercise
 Sunlight
 Reputation
 Financial
 Role model
 Environment
44
Mitigation Strategies for threats
 Death, head injury, other injury – helmet, bright clothes, lights, bell,
CANbike course, obeying traffic laws, positive attitude, anger
management course
 Reputation – great outfit, change of wrinkle-free clothes, shower,
time management
 Financial – high quality locks, “beater”, stopping at stop signs
 Damage to the bike – regular maintenance, avoiding pot holes
 Sunburn/frost bite – sunscreen, mittens, hats, token/change
 Dehydration – filled water bottle
45
ERM/IRM can be complex and messy
46
Keep it simple
47
Back at the office
 Why is the organization interested in RM? What are they hoping
will be achieved with its implementation?
 Who is doing what? Roles & responsibilities must be clearly
defined. Make sure Leadership supports RM and uses RM results to
make decisions. Everyone is a risk manager. Make sure that all risks
have owners and the responsibilities for mitigation are assigned
 How will it be implemented? What is your framework? What is the
common language? How will risks be measured and reported?
 Where will you start? Choices could be where you can most easily
succeed or where it is needed the most or where interest is high.
 When will it be implemented? It is a journey not a destination; 3-5
years for complete roll-out; how often will risks be assessed; when
will mitigation plans be implemented and monitored; when will risks
be reported.
48
Ask questions and develop your approach
 Do we understand our major risks? Do we know what is causing our
risks to increase, decrease or stay the same?
 Have we assessed the likelihood and impact of our risks?
 Have we identified the sources and causes of our risks?
 How well are we managing our risks?
 Are we trying to prevent the downside risks from happening? Or are
we trying to simply recover from them?
 Who is accountable for these risks?
 How do we talk about risk? Do we have a common language across
branches, across divisions, across the ministry, across the OPS,
across the health care system?
 Are we taking too much risk? Or not enough risk?
 Are the right people taking the right risks at the right time?
 What’s our culture? Are we risk averse or are we risk-takers? Or are
we somewhere in between?
49
TAKE SMALL BITES… IRM IMPLEMENTATION
50
Questions?
51
The case – You are responsible for Risk Management for:
 Case 1 – The Pan Am Games 2015
 Case 2 – The provincial response to the next Pandemic
 Case 3 – The extension of Hwy 404
 Case 4 – The rescue efforts in Haiti
 Case 5 – Human Resources in the Ontario Public Services
 Case 6 – A big teaching hospital in Toronto
52
The case
 Consider the 13 categories of risk
 Identify top 5 threats (downside) and top 5 opportunities (upside)
 Propose mitigation strategies
 Discuss how the following risk factors would affect your assessment:
   Economy
   Demographics
   Weather
   Technology
   Timing of events such as an election
   Others
53
Questions?

Weitere ähnliche Inhalte

Was ist angesagt?

Risk Management
Risk ManagementRisk Management
Risk Management
ysshah
 
Fundamentals of-risk-management
Fundamentals of-risk-managementFundamentals of-risk-management
Fundamentals of-risk-management
Majd Ghanem,MBA
 

Was ist angesagt? (17)

Risk management models - Core Consulting
Risk management models - Core ConsultingRisk management models - Core Consulting
Risk management models - Core Consulting
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
Enterprise risk & risk management - I
Enterprise risk & risk management - IEnterprise risk & risk management - I
Enterprise risk & risk management - I
 
Risk management
Risk managementRisk management
Risk management
 
Risk Management Process Steps PowerPoint Presentation Slides
Risk Management Process Steps PowerPoint Presentation Slides Risk Management Process Steps PowerPoint Presentation Slides
Risk Management Process Steps PowerPoint Presentation Slides
 
Beyond Compliance
Beyond ComplianceBeyond Compliance
Beyond Compliance
 
Emerging Risks
Emerging RisksEmerging Risks
Emerging Risks
 
Public Sector Enterprise Risk Management
Public Sector Enterprise Risk ManagementPublic Sector Enterprise Risk Management
Public Sector Enterprise Risk Management
 
Improve Your Risk Assessment Process in 4 Steps
Improve Your Risk Assessment Process in 4 StepsImprove Your Risk Assessment Process in 4 Steps
Improve Your Risk Assessment Process in 4 Steps
 
Risk Identification PowerPoint Presentation Slide
Risk Identification PowerPoint Presentation SlideRisk Identification PowerPoint Presentation Slide
Risk Identification PowerPoint Presentation Slide
 
Risk management
Risk managementRisk management
Risk management
 
The Purpose of Holistic Risk Management
The Purpose of Holistic Risk ManagementThe Purpose of Holistic Risk Management
The Purpose of Holistic Risk Management
 
Risk management
Risk managementRisk management
Risk management
 
The importance of risk management in business
The importance of risk management in businessThe importance of risk management in business
The importance of risk management in business
 
Risk management presentation
Risk management presentationRisk management presentation
Risk management presentation
 
Introduction to Risk Management
Introduction to Risk ManagementIntroduction to Risk Management
Introduction to Risk Management
 
Fundamentals of-risk-management
Fundamentals of-risk-managementFundamentals of-risk-management
Fundamentals of-risk-management
 

Ähnlich wie 1 -corinne_berinstein

Super Strategies 2014 Risk Strategy Presentation
Super Strategies 2014  Risk Strategy PresentationSuper Strategies 2014  Risk Strategy Presentation
Super Strategies 2014 Risk Strategy Presentation
David Fernandes
 
Risk Management - A Journey
Risk Management - A JourneyRisk Management - A Journey
Risk Management - A Journey
Debashis Gupta
 
Assessment Of Risk Mitigation
Assessment Of Risk MitigationAssessment Of Risk Mitigation
Assessment Of Risk Mitigation
Eneni Oduwole
 
2016 - IQPC - Understanding and Assessing Corruption Risk
2016 - IQPC - Understanding and Assessing Corruption Risk2016 - IQPC - Understanding and Assessing Corruption Risk
2016 - IQPC - Understanding and Assessing Corruption Risk
Dr Darren O'Connell AGIA
 
Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)
deeptica
 

Ähnlich wie 1 -corinne_berinstein (20)

Super Strategies 2014 Risk Strategy Presentation
Super Strategies 2014  Risk Strategy PresentationSuper Strategies 2014  Risk Strategy Presentation
Super Strategies 2014 Risk Strategy Presentation
 
Risk Management - A Journey
Risk Management - A JourneyRisk Management - A Journey
Risk Management - A Journey
 
Qpr 8 Risk Management And Compliance Solution
Qpr 8 Risk Management And Compliance SolutionQpr 8 Risk Management And Compliance Solution
Qpr 8 Risk Management And Compliance Solution
 
Project/Program Risk management
Project/Program Risk managementProject/Program Risk management
Project/Program Risk management
 
Risk Assessments Best Practice and Practical Approaches Webinar
Risk Assessments Best Practice and Practical Approaches WebinarRisk Assessments Best Practice and Practical Approaches Webinar
Risk Assessments Best Practice and Practical Approaches Webinar
 
Assessment Of Risk Mitigation
Assessment Of Risk MitigationAssessment Of Risk Mitigation
Assessment Of Risk Mitigation
 
ToTCOOP+i O3 o4 unit-9_final_version_en
ToTCOOP+i O3 o4 unit-9_final_version_enToTCOOP+i O3 o4 unit-9_final_version_en
ToTCOOP+i O3 o4 unit-9_final_version_en
 
2016 - IQPC - Understanding and Assessing Corruption Risk
2016 - IQPC - Understanding and Assessing Corruption Risk2016 - IQPC - Understanding and Assessing Corruption Risk
2016 - IQPC - Understanding and Assessing Corruption Risk
 
IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop
 
HIRimsISO311KandERMFINAL
HIRimsISO311KandERMFINALHIRimsISO311KandERMFINAL
HIRimsISO311KandERMFINAL
 
Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)
 
Risk Management Toolkit
Risk Management ToolkitRisk Management Toolkit
Risk Management Toolkit
 
Operational Risk Management & Strategic Planning
Operational Risk Management & Strategic PlanningOperational Risk Management & Strategic Planning
Operational Risk Management & Strategic Planning
 
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksC-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
 
Enterprise risk management summary approach guide
Enterprise risk management summary approach guideEnterprise risk management summary approach guide
Enterprise risk management summary approach guide
 
Enterprise risk management summary approach guide
Enterprise risk management summary approach guideEnterprise risk management summary approach guide
Enterprise risk management summary approach guide
 
Dealing with Operational and Ecosystem Risk
Dealing with Operational and Ecosystem RiskDealing with Operational and Ecosystem Risk
Dealing with Operational and Ecosystem Risk
 
Basic Risk Management
Basic Risk ManagementBasic Risk Management
Basic Risk Management
 
How to Create a Risk Profile for Your Organization: 10 Essential Steps
How to Create a Risk Profile for Your Organization: 10 Essential StepsHow to Create a Risk Profile for Your Organization: 10 Essential Steps
How to Create a Risk Profile for Your Organization: 10 Essential Steps
 
Enterprise-wide Risk Assessment Presentation, dated 03-08-11
Enterprise-wide Risk Assessment Presentation, dated  03-08-11Enterprise-wide Risk Assessment Presentation, dated  03-08-11
Enterprise-wide Risk Assessment Presentation, dated 03-08-11
 

1 -corinne_berinstein

  • 1. 1 A Practical Approach to Risk Management Financial Management Institute, Toronto Chapter February 17 2010 Corinne Berinstein, BPT, MBA, MHSC, CA, CFI Health Audit Services Team Ontario Internal Audit Division
  • 2. 2 Contact Info: Corinne Berinstein, BPT, MBA, MHSC, CA, CFI, Certificate in Risk Management (Canadian Health Care Association Senior Audit Manager Health Audit Services Team Ontario Internal Audit Division Province of Ontario Office: 416-327-7798 eMail: corinne.berinstein1@ontario.ca
  • 4. 4  Objectives of today’s session  Basic principles, concepts, definitions  A simple framework  Stocking your toolkit – education, job aids, templates  What are you going to do back in the office?  Q &A’s  A case – Let’s practice! Outline
  • 5. 5 Objectives  Give you a practical approach, framework and tools so you can start implementing ERM when you get back to the office.  Share some lessons learned. Share some tips and tricks.  Practice concepts and tools with a case study so that you practice
  • 6. 6 The only alternative to risk management is crisis management --- and crisis management is much more expensive, time consuming and embarrassing. JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003 Without good risk management practices, government cannot manage its resources effectively. Risk management means more than preparing for the worst; it also means taking advantage of opportunities to improve services or lower costs. Sheila Fraser, Auditor General of Canada Why do we need Risk Management?
  • 7. 7 Why bother with RM?  Increase risk awareness – What could affect the achievement of objectives? What could change? What could go wrong? What could go right?  Increase understanding of risk – sensitivities. What makes my risks increase/decrease/disappear?  Promote a “healthy” risk culture – It’s safe to talk about risk. Open and transparent.  Develop a common and consistent approach to risk across the organization. Not intuition-based.
  • 8. 8 Why bother with RM?  Allows intelligent “informed” risk-taking.  Focuses efforts –helps prioritize. Top 10 list. Or top 3. Or…  Is proactive…. not reactive – Prepare for risks before they happen. Identify risks and develop appropriate risk mitigating strategies.  Improve outcomes – achievement of objectives (corporate, clinical, etc)  Really comes to down to simple good management  Enables accountability, transparency and responsibility  And maybe even mean survival
  • 9. 9 A risk is ANYTHING that may affect the achievement of an organization’s objectives. It is the UNCERTAINTY that surrounds future events and outcomes. It is the expression of the likelihood and impact of an event with the potential to influence the achievement of an organization’s objectives. Basic principles, concepts, definitions
  • 10. 10 Threats and opportunities Threat – a risk that may HINDER the achievement of objectives Opportunities - a risk that may HELP in the achievement of objectives  Interest rates  Foreign exchange rates  Supply of service/product/resources  Demand/uptake for service/product/resources  The economy  The weather  The stock market
  • 11. 11 Interactive Session #1 – 10 minutes  Introduce yourselves to others at your table  Pick 1 risk – discuss it as both a threat and an opportunity  Report to the large group. Pick a spokesperson.
  • 12. 12 Definition of ERM “… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Source: COSO Enterprise Risk Management – Integrated Framework. 2004. The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
  • 13. 13 Enterprise vs Integrated Risk Management Similarities:  Formal process  Consistent and systematic  Includes projects, programs, operations  Is embedded in key processes such as strategic planning, budgeting, project planning, evaluation, etc  Must be driven and supported by Leadership  Adds value to decision-making Differences: Enterprise-wide:  Is organizational-centric Success is defined as implementation over the entire organization Integrated: Take a systems-focus May actually create risks for individual organizations
  • 14. 14 Periodic Summary Analysis & Report Enterprise Risk Management Periodic Summary Analysis & Report Division Level Branch Level Unit or Project Level
  • 15. 15 Periodic Summary Analysis & Report Integrated Risk Management Periodic Summary Analysis & Report System Level Regional Level Organiz- ational Level
  • 16. 16Slide 16 Risk Management Basics  Risk (uncertainty) may affect the achievement of objectives.  Effective mitigation strategies/controls can reduce negative risks or increase opportunities.  Residual risk is the level of risk after evaluating the effectiveness of controls.  Acceptance and action should be based on residual risk levels. INHEREN T
  • 17. 17 A Simple Framework Evaluate & Take Action Evaluate & Take Action Establish Objectives Establish Objectives Identify Risks & Controls Identify Risks & Controls Assess Risks & Controls Assess Risks & Controls Monitor & Report Monitor & Report Step 1 Step 2 Step 3 Step 4 Step 5 Communicate, learn, improve
  • 18. 18 Risk Management is critical to ALL levels of decisions Decisions can be categorized into three types. The amount of risk (uncertainty) varies with the type of decisions. Most decisions are concerned with implementation. The HM Treasury’s The Orange Book
  • 19. 19 The relationship between IRM & MOHLTC’s Complex Risk Environment
  • 20. 20Slide 20 Categorizing Risk – Comprehensive 1. Political or Reputational Risk 2. Financial Risk 3. Service Delivery or Operational Risk 4. People / HR Risk 5. Information/Knowledge Risk 6. Strategic / Policy Risk 7. Stakeholder Satisfaction / Public Perception Risk 8. Legal / Compliance Risk 9. Technology Risk 10. Governance / Organizational Risk 11. Privacy Risk 12. Security Risk 13. Equity Risk 14. Patient Safety NEW
  • 21. 21Slide 21 Risk Prioritization – likelihood and impact Likelihood of a risk event occurring  Very High: Is almost certain to occur  High: Is likely to occur  Medium: Is as likely as not to occur  Low: May occur occasionally  Very Low: Unlikely to occur Risk Impact: Level of damage that can occur when a risk event occurs  Very High: Threatens the success of the project  High: Substantial impact on time, cost or quality  Medium: Notable impact on time, cost or quality  Low: Minor impact on time, cost or quality  Very Low: Negligible impact
  • 22. Third dimension for rating risks – proximity
    - Immediate (now)
    - Less than 6 months
    - Between 6 and 12 months
    - Between 12 and 24 months
    - Between 24 and 36 months
    - More than 36 months
  • 23. Risk rating: combining impact and likelihood (figure)
  • 24. Risk reporting and communications
    Risk Level: Action and Level of Involvement Required
    Critical Risk:
      - Inform Chief Executive Officer and Board of Directors
      - Immediate action required
    High Risk:
      - Inform Chief Executive Officer
      - Strategy Team involvement/attention is essential to manage risks; provide report to Board as appropriate
    Moderate Risk:
      - Management mitigation and ongoing monitoring required
      - Inform relevant Strategy Team members
    Low Risk:
      - Accept, but monitor risks
      - Manage by routine procedures within the program and site
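The scales on slides 21 and 22 and the escalation table on slide 24 can be encoded as a small scoring helper, so that every risk in a register is rated the same way and routed to the same level of involvement. The following Python is an added example and is not code from the presentation or from the Ontario Internal Audit Division. Its numeric scoring (likelihood times impact on 1..5 scales), the thresholds that map a score to Critical/High/Moderate/Low, and the way controls are modelled (each control removes a number of likelihood or impact steps) are all assumptions, because the presentation's own rating matrix on slide 23 is a figure whose content is not on the page. The sample register is constructed from the cyclist case and one row of the slide 34 register.

```python
"""Risk rating and escalation helper.

Added example (not from the presentation).  Encodes the five-point
likelihood and impact scales (slide 21), the proximity buckets (slide 22)
and the level-to-action table (slide 24).  Scoring, thresholds and the
control model are assumptions, not the presentation's own matrix.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Five-point scales from slide 21, scored 1..5 (the scoring is an assumption).
LIKELIHOOD = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
IMPACT = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

# Proximity buckets from slide 22, nearest first; used only as a tie-breaker.
PROXIMITY = ["immediate", "<6 months", "6-12 months",
             "12-24 months", "24-36 months", ">36 months"]

# Escalation actions from slide 24, keyed by risk level.
ACTIONS = {
    "Critical": ["Inform Chief Executive Officer and Board of Directors",
                 "Immediate action required"],
    "High": ["Inform Chief Executive Officer",
             "Strategy Team involvement essential; report to Board as appropriate"],
    "Moderate": ["Management mitigation and ongoing monitoring required",
                 "Inform relevant Strategy Team members"],
    "Low": ["Accept, but monitor risks",
            "Manage by routine procedures within the program and site"],
}


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: str            # key of LIKELIHOOD
    impact: str                # key of IMPACT
    proximity: str             # entry of PROXIMITY
    likelihood_reduction: int = 0   # assumed: likelihood steps removed by controls
    impact_reduction: int = 0       # assumed: impact steps removed by controls


def score(likelihood: str, impact: str) -> int:
    """Inherent score = likelihood x impact on the 1..5 scales (range 1..25)."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]


def level(points: int) -> str:
    """Map a score to the four levels of slide 24 (thresholds are assumed)."""
    if points >= 20:
        return "Critical"
    if points >= 12:
        return "High"
    if points >= 6:
        return "Moderate"
    return "Low"


def residual_score(risk: Risk) -> int:
    """Residual risk after controls (slide 16): controls lower the likelihood
    and/or impact step, never below the 'very low' level of 1."""
    lik = max(1, LIKELIHOOD[risk.likelihood.lower()] - risk.likelihood_reduction)
    imp = max(1, IMPACT[risk.impact.lower()] - risk.impact_reduction)
    return lik * imp


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest residual score first; nearer proximity wins ties."""
    return sorted(register,
                  key=lambda r: (-residual_score(r), PROXIMITY.index(r.proximity)))


def report(register: List[Risk]) -> List[Tuple[str, str, List[str]]]:
    """(risk id, residual level, required actions) in priority order."""
    out = []
    for r in prioritize(register):
        lvl = level(residual_score(r))
        out.append((r.risk_id, lvl, ACTIONS[lvl]))
    return out


# Constructed sample register: three cyclist-case risks and one register row.
SAMPLE_REGISTER = [
    Risk("R1", "Head injury while cycling", "medium", "very high", "immediate",
         impact_reduction=1),        # helmet, bright clothes, lights
    Risk("R2", "Bike stolen", "high", "low", "<6 months",
         likelihood_reduction=2),    # high quality locks, "beater" bike
    Risk("R3", "Sunburn", "high", "very low", "immediate",
         likelihood_reduction=2),    # sunscreen, hat
    Risk("R4", "Insufficient knowledge transfer", "medium", "medium", "6-12 months"),
]

if __name__ == "__main__":
    for risk_id, lvl, actions in report(SAMPLE_REGISTER):
        print(risk_id, lvl, "; ".join(actions))
```

The helper keeps the inherent rating (`score`) and the residual rating (`residual_score`) separate, which is what slide 16 asks for: acceptance and escalation are decided on the residual level, while the gap between the two numbers shows how much the register depends on the controls actually working. Proximity only breaks ties here; a register that wants it to raise the rating would need a rule the presentation does not give.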
  • 26. Key Risk Indicators (KRIs) are linked to strategy, performance and risk
    (Figure: cause → risk → consequence, with KRI linked to strategy & objectives and to performance)
    KRIs need to be linked to strategy, objectives and target performance levels, with a good understanding of the drivers of risk.
  • 27. Examples of KRIs
    Human resources:
      - Average time to fill vacant positions
      - Staff absenteeism/sickness rates
      - Percentage of staff appraisals below "satisfactory"
      - Age demographics of key managers
    Information technology:
      - Systems usage versus capacity
      - Number of system upgrades/version releases
      - Number of help desk calls
    Finance:
      - Daily P&L adjustments (#, amount)
      - Reporting deadlines missed (#)
      - Incomplete P&L sign-offs (#, aged)
    Legal/compliance:
      - Outstanding litigation cases (#, amount)
      - Compliance investigations (#)
      - Customer complaints (#)
    Audit:
      - Outstanding high risk issues (#, aged)
      - Audit findings (#, severity)
      - Revised management action target dates (#)
    Risk management:
      - Management overrides
      - Limit breaches (#, amount)
  • 28. Measure and report RM implementation progress
    Excellent:
      - Advanced capabilities to identify, measure and manage all risk exposures within tolerances
      - Advanced implementation, development and execution of ERM parameters
      - Consistently optimizes risk-adjusted returns throughout the organization
    Strong:
      - Clear vision of risk tolerance and overall risk profile
      - Risk control exceeds adequate for most major risks
      - Has robust processes to identify and prepare for emerging risks
      - Incorporates risk management into decision making to optimize risk-adjusted returns
    Adequate:
      - Has fully functioning control systems in place for all of its major risks
      - May lack a robust process for identifying and preparing for emerging risks
      - Performing good classical "silo"-based risk management
      - Process to optimize risk-adjusted returns not fully developed
    Weak:
      - Incomplete control process for one or more major risks
      - Inconsistent or limited capabilities to identify, measure or manage major risk exposures
    Source: Standard & Poor's
  • 29. Progress to Date – ERM Report Card (figure: risk areas rated against Policies and Standards)
    - Quality of Care and Patient Safety
    - Corporate Governance
    - Operation & Business Support
    - Reputation and Public Image
    - Human Resources and Staff Relations
    - Financial Resources
    - Information Systems and Technology
    - Physical Assets
    - Legal and Regulatory
    - Environmental Health and Safety
  • 30. An Approach to Risk Management
    - Establish centralized support
    - Develop a standardized framework
    - Provide education and coaching
    - Ensure ministry-wide implementation
    - Embed IRM into all major processes, including strategic planning and resource allocation decisions
    - Enable our stewardship role
  • 31. The Approach
    - Incorporates risk information into strategic direction-setting, making decisions that consider established risk tolerance levels.
    - Takes a systems approach to managing risk at the strategic, operational and project levels that is continuous, proactive and systematic.
    - Fosters a working culture that values learning, innovation, responsible risk-taking and continuous improvement.
  • 32. Your toolkit – education, job aids, templates
    - We wanted to add value, not work, so we developed forms and templates.
    - We developed and delivered educational sessions, usually attended by all team members. These included Risk 101 and then time for the team members to discuss how to apply the concepts to their work.
    - We assisted teams in actual risk assessments. Sometimes we used voting software.
    - We trained the trainer.
  • 33. A Process for Embedding IRM
    (Table: HAST session | Components | Participant outcomes)

    Risk 101 Presentation (Introduction – Integrated Risk Management)
      Components:
        - Introduction to basic risk concepts and terminology
        - Introduction to the MOHLTC’s Integrated Risk Framework
        - Status of IRM in MOHLTC
        (Most effective when followed up with a facilitated risk assessment workshop or application to an actual project)
      Participant outcomes:
        - Understanding of the risk management process
        - Understanding of how risk management is relevant to their day-to-day work
        - Knowledge of IRM in MOHLTC

    Management IRM Planning Meeting (Planning)
      Components:
        - Discuss the best way to implement IRM in the area
        - Proposed IRM implementation plan presented for the area
        - Clarify roles & responsibilities for risk management
        - Review of IRM roll-out: timelines, deliverables, related forums
      Participant outcomes:
        - Commitment to IRM implementation in the area or stream of work
        - Risk management roles and responsibilities clearly defined
        - Commitment to continuous risk communication & learning

    Risk Assessment Workshop (Facilitated Training – Identification of risks & mitigation strategies)
      Components:
        - Identification of objectives
        - Brainstorming and identification of risks to meeting objectives (for project, branch, initiative, etc.)
        - Identification of source, mitigation strategies, ownership and residual risk for each ‘risk category’
      Participant outcomes:
        - Hands-on experience allowing assimilation of consistent risk management techniques
        - Hands-on practice of the IRM process, enabling application of risk management principles and tools to work
        - Greater understanding of work and inter-dependencies

    Risk Prioritization & Voting Workshop (Facilitated Training – Assessment of mitigation strategies & prioritization)
      Components:
        - Review of risks, mitigation strategies and ownership
        - Anonymous voting on the impact and probability of each risk
        - Prioritization of risks on a ‘heat map’
        - Discussion of mitigation strategies for high priority risks
      Participant outcomes:
        - Review of risks, mitigation strategies, ownership and residual risk applied to their work in a seamless manner
        - Unbiased risk prioritization and identification of high risks
        - Enables application of the complete risk management process to everyday work

    Risk Follow-up Session (Monitoring & Review)
      Components:
        - Review of risks six months after the initial assessment
        - Review of mitigation strategies and residual risks
      Participant outcomes:
        - Review of risks and status
        - Continuous improvement
  • 34. IRM Risks and Controls
    The following table describes the risks and mitigating controls and related information. As controls are implemented or changed, their status will be updated.
    Risk Rating: Impact = significant, moderate or minor (S, M, m); Likelihood = high, medium or low (H, M, L)
    (Table columns: ID Number | Responsible Org & Name (Implement / Operate) | Risk | Control | Risk Rating (Impact) | Risk Rating (Likelihood) | Date Required | Status)

    Category: Financial
      None in this category

    Category: Equity
      None in this category

    Category: Service Delivery or Operational
      ID 064 | Person A
        Risk: 055 – Insufficient knowledge transfer; 102 – Conflicting management instructions
        Control: Update impacted policies and procedures for integration into knowledge support tools. Harmonize policies and procedures (e.g., access procedures: X has one and Y has one; there needs to be one process/policy/procedure).
        Impact: M | Likelihood: M | Date Required: 31-Mar-09
        Status: Refer to Privacy Action Plan; work on Ongoing Operations Commitments Report
      ID 065 | Person B
        Risk: 056 – Lack of communication (serious service delivery issues); 352 – Different business and IT processes (incident management)
        Control: (a) IT incident and triage (harmonization between IT and Business). (b) X and Y need to develop an incident management process/service to deal with issues that arise during service delivery. Roles and responsibilities need to be defined in both organizations: from a stewardship perspective on the ministry side, and from a service delivery/reporting perspective on the agency side. The process/service ensures that incidents/issues are communicated as per agreement requirements, well tracked and reported.
        Impact: M | Likelihood: M | Date Required: 31-Mar-09
        Status: (a, b) Refer to ongoing Operations IRM document
  • 38. The Cyclist and the Risk Manager
  • 39. Interactive Session #2 – 15 minutes
    - Identify risks that the cyclist faces in cycling to work.
    - Report back.
  • 40. Risk Factors – the cyclist
  • 41. Risk Factors – the weather, the road, visibility, the bike, the lock
  • 42. Risk Factors – the driver
  • 43. Risks
    Threats:
      - Death
      - Head injury
      - Injury
      - Reputation
      - Financial
      - Damage to the bike
      - Sunburn/frostbite
    Opportunities:
      - Exercise
      - Sunlight
      - Reputation
      - Financial
      - Role model
      - Environment
  • 44. Mitigation Strategies for threats
    - Death, head injury, other injury: helmet, bright clothes, lights, bell, CANbike course, obeying traffic laws, positive attitude, anger management course
    - Reputation: great outfit, change of wrinkle-free clothes, shower, time management
    - Financial: high quality locks, a "beater" bike, stopping at stop signs
    - Damage to the bike: regular maintenance, avoiding potholes
    - Sunburn/frostbite: sunscreen, mittens, hats, token/change
    - Dehydration: filled water bottle
  • 45. ERM/IRM can be complex and messy
  • 47. Back at the office
    - Why is the organization interested in RM? What is it hoping to achieve with its implementation?
    - Who is doing what? Roles & responsibilities must be clearly defined. Make sure Leadership supports RM and uses RM results to make decisions. Everyone is a risk manager. Make sure that all risks have owners and that the responsibilities for mitigation are assigned.
    - How will it be implemented? What is your framework? What is the common language? How will risks be measured and reported?
    - Where will you start? Choices could be where you can most easily succeed, where it is needed the most, or where interest is high.
    - When will it be implemented? It is a journey, not a destination: 3-5 years for complete roll-out. How often will risks be assessed? When will mitigation plans be implemented and monitored? When will risks be reported?
  • 48. Ask questions and develop your approach
    - Do we understand our major risks? Do we know what is causing our risks to increase, decrease or stay the same?
    - Have we assessed the likelihood and impact of our risks?
    - Have we identified the sources and causes of our risks?
    - How well are we managing our risks?
    - Are we trying to prevent the downside risks from happening? Or are we trying to simply recover from them?
    - Who is accountable for these risks?
    - How do we talk about risk? Do we have a common language across branches, across divisions, across the ministry, across the OPS, across the health care system?
    - Are we taking too much risk? Or not enough risk?
    - Are the right people taking the right risks at the right time?
    - What’s our culture? Are we risk averse or are we risk-takers? Or are we somewhere in between?
  • 49. IRM Implementation: take small bites.
  • 51. The case – You are responsible for Risk Management for:
    - Case 1 – The Pan Am Games 2015
    - Case 2 – The provincial response to the next pandemic
    - Case 3 – The extension of Hwy 404
    - Case 4 – The rescue efforts in Haiti
    - Case 5 – Human Resources in the Ontario Public Service
    - Case 6 – A big teaching hospital in Toronto
  • 52. The case
    - Consider the 13 categories of risk
    - Identify the top 5 threats (downside) and the top 5 opportunities (upside)
    - Propose mitigation strategies
    - Discuss how the following risk factors would affect your assessment:
      - Economy
      - Demographics
      - Weather
      - Technology
      - Timing of events such as an election
      - Others

Editor's notes

  3. Risk category definitions:
    1. Financial Risk – The risk of financial losses, overspending, or the inability to meet budgets and plans.
    2. Service Delivery or Operational Risk – The risk that products or services will not get completed or delivered in a timely manner as expected. This also includes risks to business continuity.
    3. People / HR Risk – The risk that capable and motivated staff will not be available to get the job done. This could be the result of resignations, turnover, inability to hire, lack of skills, strikes, injury, etc.
    4. Information Risk – The risk that information produced, or used, is incomplete, out-of-date, inaccurate, irrelevant, or inappropriately disclosed.
    5. Strategic / Policy Risk – The risk that strategies and policies fail to achieve required results.
    6. Stakeholder Satisfaction / Public Perception Risk – The risk of failure to meet the expectations of the public, other governments, ministries, or other stakeholders.
    7. Legal / Compliance Risk – The risk that a government initiative, or action, will be in breach of a statute, regulation, contract or MOU, or that the government will face litigation.
    8. Technology Risk – The risk that information technology infrastructure does not align with business requirements, and does not support availability, access, integrity, relevance, and security of data. This also includes risks to business continuity.
    9. Governance / Organizational Risk – The risk that the organization structure, accountabilities, or responsibilities are not designed, communicated, or implemented to meet the organization’s objectives, and the risk that business culture and management commitment do not support the formal structures.
    10. Privacy Risk – The risk associated with the collection, use and disclosure of personal information and personal health information.
    11. Security Risk – The risk associated with the protection of the confidentiality, integrity, availability and value of assets (tangible and intangible) and people.
  4. In phase I we facilitated a number of IRM activities. Here are three examples: Oak Ridge Facility at the Mental Health Centre Penetanguishene; Colorectal Cancer Screening Program; LHIN Readiness I and II. These 3 examples showed us how we could implement IRM. Sharon Zwicker told us: put in quote. Marsha Barnes told us: put in quote. Gail Paech told us: put in quote. Carrie Hayward told us: put in quote.
  6. Sandra
  8. Statistics from Transport Canada: Most Canadian deaths were unhelmeted riders. Transport Canada statistics show that 88 per cent of the 80 cyclists who died nationwide in 2001 were not wearing helmets.