VCOSS - PowerPoint PPT Presentation



Number of Views:102
Avg rating:3.0/5.0
Slides: 72
Provided by: DavidPe162
Transcript and Presenter's Notes

Title: VCOSS

VCOSS DARU workshop, 17 October 2012
Tips, Tricks and Concepts for making risk management
  • Diana Borgmeyer - Risk Management Adviser

  1. About the VMIA
  2. The Victorian Risk Management Context
  3. Governance and Risk
  4. A quick overview of AS/NZS/ISO31000
  5. Integrating Risk
  6. Risk Framework elements
  7. Tools and Tips
  8. Activity Describing Risks
  9. Risk Management Pitfalls
  10. Questions

VMIA clients: 11 Departments; 89 Hospitals and Ambulance Services; 90 Statutory Authorities; 3500 Community Service Organisations
VMIA Risk Services: Risk Register Software; Risk Management maturity model (determining where we are now; targeted maturity state?)
Source: courtesy of the Victorian Managed Insurance Authority (2010 version)
Victorian Government Context
Risk management in context
  • Whole of Government framework and attestation
  • Risk management process consistent with AS/NZS ISO 31000
  • Internal control system so that the executive understands, manages and satisfactorily controls risk exposures
  • Responsible body verifies the assurance made, and the risk profile is critically reviewed in the last 12
  • Inter-agency risk

DHS Service Level Agreement 2012-15
  • Risk Management Clause 3.20.2 acknowledges that risk management is an integral part of good organisational practice.
  • The service agreement requires an organisation's CEO or Board Member to attest annually that it is managing risk in accordance with the AS/NZS ISO 31000:2009 standard, that the risk management processes satisfactorily and effectively manage the organisation's risks, and
  • that within the twelve months prior to attestation the organisation has undertaken a review of its risk management processes.

Risks we see of concern to Health and Community
Sector Boards
  • Governance failures
  • Direct care workforce sustainability
  • Service delivery failures
  • Damage to stakeholder relationships/Reputation
  • Failure to adapt to changing service and funding
  • Funding uncertainty
  • Inadequate emergency preparedness/response
  • Regulatory or funding standards non-compliance

Common Risk Areas
  • Client dissatisfaction
  • Unfavourable publicity and/or reputation damage
  • Mismanagement (eg. projects, finance)
  • Threat to physical safety
  • Failure of equipment or computer systems
  • Breach of legal obligations and contractual
  • Fraud
  • Deficiencies in financial controls and reporting
  • Unethical behaviour
  • Failure to protect assets and goodwill

Governance and Risk
  • Corporate governance generally refers to the processes by which organisations are directed, controlled and held to account.
  • It encompasses authority, accountability, stewardship, leadership, direction and control exercised in an organisation. [1]
  • [1] Standards Australia, AS 8000-2003 Corporate Governance: Good governance principles, July 2003, p. 7

Definition of Public Sector Governance
  • The set of responsibilities and practices, policies and procedures, exercised by an agency's executive, to provide strategic direction, ensure objectives are achieved, manage risks and use resources responsibly and with accountability. [1]
  • Good Governance is about both:
  • Performance: how an agency uses governance arrangements to contribute to its overall performance and delivery of services; or
  • Conformance: how an agency uses governance arrangements to ensure it meets the requirements of the law, regulations, published standards and community expectations on probity and

[1] Adapted from ANAO, Implementation of program and policy initiatives: Better Practice Guide
Governance - common elements
How governance and risk management underpin an organisation's performance
Source: Public Sector Governance Better Practice Guide Volume 1, Australian National Audit Office, July 2003
Core principles underpinning Governance frameworks
  • Accountability & Compliance: being answerable for decisions and having appropriate compliance
  • Transparency & structure: clear roles, duties and procedures in decision making
  • Leadership: tone at the top, to achieve organisation-wide commitment from the top
  • Integrity: acting impartially, ethically and in the interests of the organisation [1]
  • [1] Public sector governance and the individual officer, guidance paper no. 1 - Better Practice Guide, Australian National Audit Office, July

Good governance attributes
  • Clear roles & responsibilities
  • Ethics-based culture
  • Accountability through control, monitoring and
  • Effective governing body
  • Communication & awareness
  • Transparent external reporting
  • Integrated risk management practices in planning, operations & reporting

Why risk management?
  • An integral part of the organisation's management
  • Essential for good governance
  • Offers common language and consistency
  • Embeds the risk management process in decision
  • Don't simply ask "what may go wrong?" ... ask "what must go right?"
  • Good risk management doesn't stifle progress and innovation; it drives success

  • "Looking back, I wish I had pressed harder. It's easy to say after the fact."
  • Yukinobu Okamura, Head of Active Fault and Earthquake Research Centre, recalling tsunami concerns he raised in June 2009 at a Japan Trade Ministry meeting to assess reactor safety.
  • "Tsunami Warnings ignored", The Age, March 26 2011

  • "Details of risks were either not satisfactorily conveyed to senior executives and ministers or, if conveyed, were not acted on."
  • Energy Efficient Homes Package (Ceilings
  • Senate Inquiry Report (15 July 2010)

Why do strategies fail?
Only 10% of organisations execute their strategy.
The problem isn't lack of strategy. It's the lack of ability to successfully manage the execution of what looks strategically good on paper.
Barriers to Strategy Execution
Reference: Robert Kaplan and David Norton - The Balanced Scorecard and The Strategy Focused
Six key questions
  • Essentially, risk management seeks to answer these basic questions:
  • What are we trying to achieve?
  • What events or circumstances could affect the achievement of our objectives?
  • What are the consequences?
  • How likely are these events?
  • What can we do to manage these outcomes?
  • How will we maximise opportunities?

AS/NZS ISO 31000:2009
The definition of risk?
"The effect of uncertainty on objectives." Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or
AS/NZS ISO 31000:2009
The aim of risk management is not the management of risk but the achievement of objectives.
Overview of AS/NZS ISO 31000 (diagram slide)
  • Principles for managing risk (Clause 3)
  • Framework for managing risk (Clause 4)
  • Process for managing risk (Clause 5)
  • Attributes of enhanced risk management (Annex A - Informative)

AS/NZS ISO 31000:2009 - Risk management principles
  1. Creates value
  2. Integral part of organisational processes
  3. Part of decision making
  4. Explicitly addresses uncertainty
  5. Systematic, structured and timely
  6. Based on the best available information
  7. Tailored
  8. Takes human and cultural factors into account
  9. Transparent and inclusive
  10. Dynamic, iterative and responsive to change
  11. Facilitates continual improvement and enhancement of the organisation

Should be reflected in your organisation's
"Risk management should be embedded in all the organisation's practices and processes in a way that it is relevant, effective and efficient. The risk management process should become part of, and not separate from, those organisational processes. In particular, risk management should be embedded into the policy development, business and strategic planning and review, and change management processes."
(Source: AS/NZS ISO 31000:2009 Risk Management Principles and Guidelines)
Risk Terminology
  • Risk: chance of something happening that will have an impact on objectives
  • Likelihood: chance of something happening
  • Consequence: outcome of a risk on objectives
  • Risk Rating: overall rating which determines actions & risk treatments by the Board, CEO
  • Control: includes any process, policy, device, practice or action which modifies risk
  • Control Effectiveness: assessment of the effectiveness of controls to determine if any gaps exist
  • Risk Owner: person or entity with the accountability & authority to manage a risk
  • Risk Treatment: can involve avoiding the risk, increasing risk to gain an opportunity, removing the source, changing the likelihood or consequence, sharing the risk, retaining the

Integrating risk
What are the benefits of an enterprise-wide approach to Risk Management?
  • Enables identification of threats and
    opportunities for an agency
  • Improves and informs the planning process
  • Reduces likelihood of costly surprises
  • Contributes to improved resource allocation
  • Improves efficiency and performance
  • Improves accountability
  • Encourages continual improvement

  • Managing risks in order to meet our objectives
  • Choosing which risks to take ... and then managing them well

Risk and planning - a comprehensive process
  • Designed to identify, analyse, evaluate, treat, monitor and communicate risks that could prevent an organisation from achieving its objectives.
  • Covers strategic, operational, financial and compliance risks.
  • The term "enterprise-wide risk management" is widely used by the Victorian public sector and by the private sector, both for-profit and not-for-profit, to describe this comprehensive approach.

Link strategy, operations and risk management (diagram slide)
Cascading process: cascade and align Strategic Objectives, Key Performance Indicators & Targets from the Organisational Objectives down to Department A, Program B and Service C Operational Objectives, Indicators & Targets.
Strategic Risks and Operational Risks feed the Organisation-Wide Risk Register and the Risk Reporting system; link Risk Management to Strategic Planning and to Operational Planning.
Different levels, different types of risks
Risks ultimately should be filtered to the lowest
level possible for ownership and mitigation
Different levels of risk
  • Vision and Mission, Corporate strategy and ... : Corporate Plan, Strategic Risks
  • Management and staff, Business and operational objectives: Business Plan, Operational Risks
  • Project managers, Project objectives: Project Plan, Project Risks
Differences and similarities between strategic and operational risks?
  • Both follow the principles of AS/NZS ISO 31000:2009
  • Differences can include:
  • Risk context: strategic risks are most likely to impact organisational goals/objectives
  • Participants (senior executives, audit, some
  • Treatments for high level risks may vary
  • Methods used for identifying and evaluating risk may vary
  • Timelines can be different: some goals are longer term
  • Requires strategic thinking
  • Ideally strategic risks are identified before operational risks
  • Both strategic and operational risks should be centrally managed

Strategic Risk Assessment
For strategic risk assessment of the whole organisation, goals, objectives & strategies are established as part of the organisational con
A strategy-focused risk assessment process
Example: The Head of the Defence Force has a strategy to engage the enemy to regain a key piece of land.
  • The Generals are told the strategy is to capture important assets
  • They think: which assets are important? (strategic context)
  • They consider:
  • do they have enough personnel/skills, support? (organisational context)
  • how can the strategy fail / be achieved? (risk management context)
  • To improve success rates they will need to develop a high level plan on the strategy and its key objectives (strategic plan)
  • They will need to evaluate whether there will be issues that may impede the strategic plan (eg ambush, not enough soldiers, wrong information about assets) (strategic risk assessment)
  • Once you understand the threats you will then put in plans to avoid them and fine tune the plan before giving it to the officers to execute
  • The officers will develop operational orders for the soldiers to follow about how the offensive will take place (timings, supplies required, equipment needed, signals etc) (operational
  • The officers will determine what risks there would be to the soldiers undertaking the offensive (injury, failed equipment, loss of communication etc) (operational risks)

Example of strategic risks
Strategic goal: Ensuring a safe, reliable and sustainable water
Strategic objectives:
  (a) Incidents of poor water quality will be reduced by 15% by 2011
  (b) Water monitoring activities will increase by 10% within 12 months
Strategic risks:
  (1) Inadequate policies and procedures to improve water, leading to unexpected poor water quality
  (2) Funding for water monitoring will be diverted to another program, reducing capacity to meet
  (3) Government may change its priorities for resource management, leading to inability to ensure a sustainable safe water supply
Outcome-based risk assessment
  • Used where the objectives have not been defined
  • Focuses on the outcomes without defining strategic objectives
  • Identifies outcomes which may be unacceptable and how they may occur
  • Outcomes that will be of consequence to the organisation's stakeholders
A practical example of linking strategy with
Example of embedding risk management in already
established practices.
Let's Improve (flowchart slide)
Triage questions: Is this an interpersonal/HR issue? Is this a risk to the organisation? Is this a service issue? Have you got a great idea or suggestion? Is this a maintenance issue? Is this a public safety issue, near miss or
Follow-up questions: Have you followed the conflict resolution process? Have you discussed it with the Service ...? This is wonderful. Have you discussed it with your superior? Have you discussed the risk with your superior? Does the situation require further improvement?
Actions: Complete a Quality Improvement Form; Complete a Confidential Quality Improvement Form; Document in Maintenance Book; Complete Near Miss or Incident Form; Update Risk Register, Develop Risk Treatment Plan
Summary comments on risk integration
  • One size does not fit all; it depends on the management maturity, industry and commitment
  • Focus on what makes sense to the board and management: keep it practical and tailored
  • Risk disciplines can work well and effectively with the planning, reporting, compliance, board committee and HR/culture functions
  • Governance foundations (cultural tone at the top, role clarity, transparency & communication) are key

Risk Framework elements
Risk appetite and risk rating (diagram slide)
Two risk matrices, each with axes "Increasing Likelihood" and "Increasing Impact": one for an organisation with a Large Appetite for Risk and one for a Risk Averse organisation.
Plan for All Extreme Risks
Risk-opportunity matrix (diagram slide)
Likelihood scale (rows): A Almost Certain; B Likely; C Possible; D Unlikely (Watching brief on both sides); E Rare
Impact scale (columns): Negative Impact / Consequence of Failure, High to Low; Positive Impact / Benefit of Success, Low to High
Negative-impact side: "Rigorously manage these exposures"; positive-impact side: "Actively pursue these opportunities"
Example Consequence (Impact) table
Descriptors by rating: Personal injury; Financial; Reputation; Environmental; Operational
  • Insignificant
    Personal injury: No injury sustained.
    Financial: Minor loss resulting in only minimal impact to local area budget.
    Reputation: Minor complaints resolved quickly with routine procedures.
    Environmental: Negligible, transient damage. No threat to safety.
    Operational: Negligible short-term disruption to non-essential services.
  • Minor
    Personal injury: Minor injury requiring first aid only.
    Financial: Loss that impacts on a single service, but does not threaten that service's overall budget.
    Reputation: Complaints resolved by written response.
    Environmental: Transient environmental damage requiring minor corrective action.
    Operational: Short term disruption to services, not resulting in loss of business continuity.
  • Moderate
    Personal injury: Injury requiring minor or short term medical intervention.
    Financial: Loss of more than $500,000. Includes losses of < $500,000 that threaten the overall budget of a single service.
    Reputation: Adverse publicity or media coverage not resulting in damage to operations.
    Environmental: Short term environmental damage. May pose threat to public safety requiring minor treatment for injuries.
    Operational: Short term disruption to services, resulting in short term loss of business continuity.
  • Major
    Personal injury: Serious injury requiring significant or long term medical intervention.
    Financial: $500,000 to $1M
    Reputation: Adverse publicity resulting in damage to operations, but not loss of confidence in hospital management.
    Environmental: Long term environmental damage. Threat to safety, resulting in hospitalization of casualties.
    Operational: Substantial disruption to multiple services resulting in short to medium term loss of business continuity.
  • Catastrophic
    Personal injury: Multiple unexpected deaths or injuries resulting in permanent disability.
    Financial: > $1M
    Reputation: Significant / continued negative publicity. Loss of confidence in hospital management by community or government. Includes parliamentary inquiry.
    Environmental: Permanent environmental damage. Life threatening effect on public safety.
    Operational: Substantial disruption to multiple services, threatening the survival or long term business continuity of the organisation.
Example Likelihood Table
  • Almost certain: The event will definitely occur, probably multiple times in a year.
  • Likely: There is a strong likelihood that the event will occur at least once in the next 6-12 months.
  • Possible: There is a 50/50 chance of the event occurring within the next year. The event is equally likely to occur as not.
  • Unlikely: The event is not likely to occur in the next 12 months, but there is a slight possibility of occurrence.
  • Rare: Highly unlikely to occur in the next 5 years. No history of the adverse event in this organisation.
Roles & Responsibilities
  • Executive
  • Be a risk owner
  • Integrate risk treatment actions into Quality & Business plans
  • Monitor for emerging risks
  • Ensure KPIs & audit data are monitored
  • Managers
  • Manage local risks & escalate risks outside of
  • Understand the risks for the Program/Division/Unit
  • Ensure completion of the Quality & Business plan
  • Undertake audit activities linked to key risks

Risk management responsibilities
  • The Board: sets risk appetite and tolerance; directs strategy and reviews strategic risks; receives risks and risk controls reports from management (via Risk Management Committee or Executive Management Committee); receives reports from the Risk and Quality or Risk and Audit Committee on the process for managing risk and on the management of key risks
  • Operational Management: owns risks and their management; reports to the Board (self certification) on their management of risks
  • Risk Management Committee: provides corporate oversight of risks and their management; learns from incidents and events; monitors leading indicators of changes in risk
  • Risk Management Sub-Committee: provides expert resources for specific areas of operational risk such as health and safety; manages the transfer of risk via outsourcing and insurance; analyses risks and reports to the Risk Management Committee
  • Risk and Audit Committee: receives reports from Internal Audit on the process for managing risk and on the management of key risks
  • Internal Audit Team: provides assurance to the Audit Committee on the system of internal control and risk management; provides assurance to the Audit Committee and the Risk Management Committee on the management of specific risks
Risk Management Tools and Tips
Reporting the right things at the right level (pyramid slide)
  • Risk/Audit Committee: strategic / critical risk issues
  • Exec Risk Mgt Committee and Executive Management: significant / key operational and strategic risk
  • Op Risk Mgt Committee and Business Units: operational and strategic risk information at business level
  • Axis label: Volume of risk information
The Risk Management Process for Operational
"You cannot manage what you don't measure."
Robert S. Kaplan, Harvard Business School, co-creator of the Balanced Scorecard (with David P.
Staff encouraged and/or incentivised to report risk or suggest risk reduction strategies.
  • Formally report risks and risk treatments with sufficient detail to enable clear understanding of how risks are being managed.
  • Board and/or Management guidance on what information they would like to see in risk
  • Agreed template or format for recording risk and risk treatment information
  • Agreed template or format for risk reporting
  • Agreement on when and how often risk reports will be produced
  • Recipients/stakeholders of risk reports identified and agreed
  • Different risk reports meeting different stakeholders' needs.

Who receives risk reports in your
organisation? Who should receive reports?
Risk as a management agenda item
  • What is happening in other jurisdictions ... could that happen here?
  • Are we meeting our legal, regulatory and compliance requirements? If not, why not?
  • How do we compare to other jurisdictions when managing the risk of ...?
  • What are the risks that could stop us from achieving our KPIs?
  • What are the risks that could stop us from achieving our objectives?
  • How could the next be harmed?
  • Where will the next scandal or adverse media involving the agency come from?
  • Risk management update: new practices, policies, procedures, protocols, communiqués and

Risk as a management agenda item?
  • Progress against the top 5-10-20 risks
  • What are we doing about (risk)?
  • What does our data tell us about our risks?
  • How effective are our risk controls for
  • For this risk ... what do we need to stop doing, start doing and keep doing?
  • What do we need to change to achieve best practice in managing the risk of ...?
  • Risks with projects or new initiatives?
  • What are the commonly used work-arounds in high risk areas?

Case Study: Melbourne Zoo
  • Operational Risk Reporting to Management (CEO) and Animal Welfare Peer Review
  • Includes:
  • Animal escapes / disappearances
  • Births, deaths (eg by cause and by age)
  • Complaints (eg queries about treatment of
  • Staff injuries (eg snake bites and low flying
  • Animal rescue and rehabilitation

Risk Descriptions
Describing the risk
  • The risk of ... (what, where, when), caused by ... (how), resulting in ... (impact/consequences).
  • Examples:
  • The risk of extreme weather conditions (storm, hail, ice, heat), caused by seasonal variations, resulting in injury/death to staff and/or public
  • Loss of skill base in the organisation threatens long-term sustainability of the workforce.

Risk Statement
  • The risk of ... (what, where, when)
  • caused by ... (how)
  • resulting in ... (impact/consequences)
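The example likelihood and consequence tables earlier in the transcript, the risk rating they feed, and the "risk of ... caused by ... resulting in ..." statement form above can be combined into a small risk-register helper. The following is an added example written for this transcript; it is not the VMIA's, the presenter's or any project's code. The five-point scale labels follow the slides' tables, but the cell values of the rating matrix, the escalation levels, the `Risk` class, the `problems` checks and the sample register entries are all assumptions made here. It also goes one step beyond the slides by flagging the "broad / non-specific risk descriptions" and "poorly defined accountability" pitfalls listed at the end of the workshop.

```python
from dataclasses import dataclass, field

# Five-point scales, using the labels from the workshop's example tables.
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]

# ASSUMED rating matrix: the slides show the axes (increasing likelihood,
# increasing impact) but not the cell values, so this is one common 5x5 layout.
# Rows follow LIKELIHOOD order, columns follow CONSEQUENCE order.
RATING_MATRIX = [
    ["Low",    "Low",    "Medium",  "Medium",  "High"],     # Rare
    ["Low",    "Low",    "Medium",  "High",    "High"],     # Unlikely
    ["Low",    "Medium", "High",    "High",    "Extreme"],  # Possible
    ["Medium", "Medium", "High",    "Extreme", "Extreme"],  # Likely
    ["Medium", "High",   "Extreme", "Extreme", "Extreme"],  # Almost certain
]
SEVERITY = {"Low": 0, "Medium": 1, "High": 2, "Extreme": 3}

# ASSUMED escalation levels, following the "reporting the right things at the
# right level" idea: the higher the rating, the further up the structure it goes.
ESCALATE_TO = {
    "Low": "Business unit manager (watching brief)",
    "Medium": "Operational risk management committee",
    "High": "Executive risk management committee",
    "Extreme": "Board via Risk and Audit Committee",
}


def rate(likelihood: str, consequence: str) -> str:
    """Look up the rating for a likelihood/consequence pair; unknown labels are an error."""
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood {likelihood!r}")
    if consequence not in CONSEQUENCE:
        raise ValueError(f"unknown consequence {consequence!r}")
    return RATING_MATRIX[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]


@dataclass
class Risk:
    what: str          # what, where, when
    cause: str         # how
    impact: str        # impact / consequences
    likelihood: str
    consequence: str
    owner: str = "unassigned"
    controls: list = field(default_factory=list)

    def statement(self) -> str:
        """Render the risk in the 'risk of ... caused by ... resulting in ...' form."""
        return f"The risk of {self.what}, caused by {self.cause}, resulting in {self.impact}."

    def rating(self) -> str:
        return rate(self.likelihood, self.consequence)

    def problems(self) -> list:
        """Flag register-quality pitfalls: broad descriptions, no owner, no controls."""
        found = []
        for name in ("what", "cause", "impact"):
            if len(getattr(self, name).split()) < 2:   # a one-word field is too vague
                found.append(f"{name} is too vague or missing")
        if self.owner == "unassigned":
            found.append("no risk owner")
        if self.rating() in ("High", "Extreme") and not self.controls:
            found.append(f"{self.rating()} risk has no recorded controls")
        return found


def register_report(risks) -> list:
    """Order a register by rating (most severe first) and attach the escalation level."""
    ordered = sorted(risks, key=lambda r: SEVERITY[r.rating()], reverse=True)
    return [(r.rating(), ESCALATE_TO[r.rating()], r.statement(), r.problems()) for r in ordered]


# Constructed sample register; the first entry paraphrases the slides' weather example.
SAMPLE_REGISTER = [
    Risk("extreme weather conditions (storm, hail, ice, heat)", "seasonal variations",
         "injury or death to staff and/or public", "Likely", "Major",
         owner="Facilities Manager", controls=["heat and storm policy", "site closure procedure"]),
    Risk("loss of the organisation's skill base", "an ageing workforce and uncompetitive pay",
         "inability to deliver funded services", "Likely", "Moderate", owner="CEO"),
    Risk("fraud", "weak segregation of duties", "financial loss above $500,000",
         "Unlikely", "Catastrophic"),
]

if __name__ == "__main__":
    for rating, escalate_to, statement, problems in register_report(SAMPLE_REGISTER):
        print(f"[{rating}] -> {escalate_to}\n  {statement}")
        for p in problems:
            print(f"  ! {p}")
```

Running the file prints the register with the Extreme weather risk first, and flags the "fraud" entry on three counts: a one-word description, no owner and no controls for a High-rated risk. Because the rating matrix and escalation table are plain data, an organisation would replace them with the values its own board has agreed rather than the assumed ones here.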

Sample Template
Activity: Defining Risks
  • In groups, select a source of risk/common risk area, or a risk from your risk register that you have concerns about, and
  • Redefine and describe the risk using agreed risk
  • Complete the template
  • Discuss potential treatment strategies

Risk Management Pitfalls
So what does your risk management look like?
Risk management - pitfalls?
  • Poor culture
  • Believing "that will never happen here"
  • RM strategy is not driven from the top down
  • Poorly defined accountability for risk management
  • Risk management is not linked to corporate
  • Risk management is positioned as compliance
  • Risk management fails, often with catastrophic outcomes, when the organisation's processes are ignored or overlooked
  • Past mistakes are overlooked: no corporate
  • Framework does not accurately reflect the organisation's maturity or capability

Risk management - pitfalls?
  • Soft issues ignored (behaviours / attitudes)
  • Over-reliance on the Risk Manager
  • Risk is managed in silos
  • Framework has not been translated into an action
  • Use of technical jargon in preference to plain language statements and true-life examples
  • Not tough enough on language that conceals risks
  • Not utilising available data / information
  • Broad / non-specific risk descriptions
  • Failure to use risk information to inform decision making

Diana Borgmeyer, Risk Management Advisor. Email / Phone: 9270 6812