Title: VCOSS
VCOSS DARU workshop, 17 October 2012
Tips, Tricks and Concepts for making risk management work.
- Diana Borgmeyer, Risk Management Adviser
Agenda
- About the VMIA
- The Victorian Risk Management Context
- Governance and Risk
- A quick overview of AS/NZS ISO 31000
- Integrating Risk
- Risk Framework elements
- Tools and Tips
- Activity: Describing Risks
- Risk Management Pitfalls
- Questions
11 Departments
89 Hospitals & Ambulance Services
90 Statutory Authorities
3500 Community Service Organisations
VMIA Risk Services
Risk Register Software
Risk Management maturity model
Determining where we are now
Targeted maturity state?
Source: courtesy of Victorian Managed Insurance Authority (2010 version)
Victorian Government Context
Risk management in context
- Whole of Government framework and attestation
- Risk management process consistent with AS/NZS ISO 31000
- Internal control system so the executive understand, manage and satisfactorily control risk exposures
- Responsible body verifies the assurance made and risk profile critically reviewed in last 12 months
- Inter-agency risk
DHS Service Level Agreement 2012-15
- Risk Management Clause 3.20.2 acknowledges that risk management is an integral part of good organisational practice.
- The service agreement requires an organisation's CEO or Board Member to attest annually that it is managing risk in accordance with the AS/NZS ISO 31000:2009 standard and that the risk management processes satisfactorily and effectively manage the organisation's risks, and
- within the twelve months prior to attestation, the organisation has undertaken a review of risk management processes.
Risks we see of concern to Health and Community Sector Boards
- Governance failures
- Direct care workforce sustainability
- Service delivery failures
- Damage to stakeholder relationships/reputation
- Failure to adapt to changing service and funding models
- Funding uncertainty
- Inadequate emergency preparedness/response
- Regulatory or funding standards non-compliance
Common Risk Areas
- Client dissatisfaction
- Unfavourable publicity and/or reputation damage
- Mismanagement (e.g. projects, finance)
- Threat to physical safety
- Failure of equipment or computer systems
- Breach of legal obligations and contractual responsibility
- Fraud
- Deficiencies in financial controls and reporting
- Unethical behaviour
- Failure to protect assets and goodwill
Governance and Risk
Governance
- Corporate governance generally refers to the processes by which organisations are directed, controlled and held to account.
- It encompasses authority, accountability, stewardship, leadership, direction and control exercised in an organisation (1)
(1) Standards Australia, AS 8000-2003 Corporate Governance: Good governance principles, July 2003, p7
Definition of Public Sector Governance
- "the set of responsibilities and practices, policies and procedures, exercised by an agency's executive, to provide strategic direction, ensure objectives are achieved, manage risks and use resources responsibly and with accountability." (1)
- Good governance is about both:
  - Performance: how an agency uses governance arrangements to contribute to its overall performance and delivery of services or programmes.
  - Conformance: how an agency uses governance arrangements to ensure it meets the requirements of the law, regulations, published standards and community expectations on probity and accountability.
(1) Adapted from ANAO, Implementation of program and policy initiatives: Better Practice Guide, 2006, p.13.
Governance - common elements
How governance & risk management underpin an organisation's performance
Source: Public Sector Governance Better Practice Guide Volume 1, Australian National Audit Office, July 2003
Core principles underpinning Governance frameworks
- Accountability & Compliance: being answerable for decisions and having appropriate compliance mechanisms
- Transparency & structure: clear roles, duties and procedures in decision making
- Leadership: tone at the top to achieve organisation-wide commitment from the top
- Integrity: acting impartially, ethically and in the interests of the organisation (1)
(1) Public sector governance and the individual officer, guidance paper no.1, Better Practice Guide, Australian National Audit Office, July 2003
Good governance attributes
- Clear roles & responsibilities
- Ethics-based culture
- Accountability through control, monitoring and review
- Effective governing body
- Communication & awareness
- Transparent external reporting
- Integrated risk management practices in planning, operations & reporting
Risk management?
- An integral part of the organisation's management system
- Essential for good governance
- Offers common language and consistency
- Embeds the risk management process in decision making
- Don't simply ask "what may go wrong?"; ask "what must go right?"
- Good risk management doesn't stifle progress and innovation; it drives success
"Looking back, I wish I had pressed harder. It's easy to say after the fact."
- Yukinobu Okamura, Head of Active Fault and Earthquake Research Centre, recalling tsunami concerns he raised in June 2009 at a Japan Trade Ministry meeting to assess reactor safety.
- "Tsunami Warnings ignored", The Age, March 26 2011
"Details of risks were either not satisfactorily conveyed to senior executives and ministers or, if conveyed, were not acted on."
- Energy Efficient Homes Package (Ceilings Insulation) - Senate Inquiry Report (15 July 2010)
Why do strategies fail?
Only 10% of organisations execute their strategy.
"The problem isn't lack of strategy. It's the lack of ability to successfully manage the execution of what looks strategically good on paper."
(Figure: Barriers to Strategy Execution)
Reference: Robert Kaplan and David Norton, The Balanced Scorecard and The Strategy Focused Organization
Six key questions
- Essentially, risk management seeks to answer these basic questions:
  - what are we trying to achieve?
  - what events or circumstances could affect the achievement of our objectives?
  - what are the consequences?
  - how likely are these events?
  - what can we do to manage these outcomes?
  - how will we maximise opportunities?
AS/NZS ISO 31000:2009
The definition of risk?
"The effect of uncertainty on objectives."
Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
AS/NZS ISO 31000:2009
The aim of risk management is not the management of risk but the achievement of objectives.
Overview of AS/NZS ISO 31000
- Principles for managing risk (Clause 3): creates value; integral part of organisational processes; part of decision making; explicitly addresses uncertainty; systematic, structured & timely; based on the best available information; tailored; takes human & cultural factors into account; transparent & inclusive; dynamic, iterative & responsive to change; facilitates continual improvement & enhancement of the organisation
- Framework for managing risk (Clause 4)
- Process for managing risk (Clause 5)
- Attributes of enhanced risk management (Annex A - Informative)
AS/NZS ISO 31000:2009 - Risk management principles
1. Creates value
2. Integral part of organisational processes
3. Part of decision making
4. Explicitly addresses uncertainty
5. Systematic, structured and timely
6. Based on the best available information
7. Tailored
8. Takes human and cultural factors into account
9. Transparent and inclusive
10. Dynamic, iterative and responsive to change
11. Facilitates continual improvement and enhancement of the organisation
These should be reflected in your organisation's approach.
Fit-for-purpose
Risk management should be embedded in all the organisation's practices and processes in a way that it is relevant, effective and efficient. The risk management process should become part of, and not separate from, those organisational processes. In particular, risk management should be embedded into the policy development, business and strategic planning and review, and change management processes.
(Source: AS/NZS ISO 31000:2009 Risk Management Principles and Guidelines)
Risk Terminology
- Risk: chance of something happening that will have an impact on objectives
- Likelihood: chance of something happening
- Consequence: outcome of risk on objectives
- Risk Rating: overall rating which determines actions & risk treatments by the Board, CEO & Executive
- Control: includes any process, policy, device or practice or actions which modify risk
- Control Effectiveness: assessment of the effectiveness of controls to determine if any gaps exist
- Risk Owner: person or entity with the accountability & authority to manage a risk
- Risk Treatment: can involve avoiding the risk, increasing risk to gain an opportunity, removing the source, changing the likelihood or consequence, sharing the risk, or retaining the risk
Integrating risk
What are the benefits of an enterprise-wide approach to Risk Management?
- Enables identification of threats and opportunities for an agency
- Improves and informs the planning process
- Reduces likelihood of costly surprises
- Contributes to improved resource allocation
- Improves efficiency and performance
- Improves accountability
- Encourages continual improvement
- Managing risks in order to meet our objectives
- Choosing which risks to take ... and then managing them well
Risk and planning - a comprehensive process
- Designed to identify, analyse, evaluate, treat, monitor and communicate risks that could prevent an organisation from achieving its objectives.
- Covers strategic, operational, financial and compliance risks.
- The term "enterprise-wide risk management" is widely used by the Victorian public sector and by the private sector, both for-profit and not-for-profit, to describe this comprehensive approach.
Link strategy, operations and risk management
(Diagram: organisational objectives and strategies cascade and align to strategic objectives, key performance indicators & targets, and then to the operational objectives, indicators & targets of Department A, Program B and Service C. Strategic risks and operational risks feed an organisation-wide risk register and a risk reporting system, linking risk management to strategic planning and to operational planning.)
Different levels, different types of risks
Risks ultimately should be filtered to the lowest level possible for ownership and mitigation.
Different levels of risk
- Executive: vision and mission, corporate strategy and objectives; Corporate Plan; Strategic Risks; Measures/Targets; Emerging
- Management and staff: business and operational objectives; Business Plan; Operational Risks; Measures/Targets; Emerging
- Project managers: project objectives; Project Plan; Project Risks; Measures/Targets; Emerging
Differences and similarities between strategic and operational risks?
- Both follow principles of AS/NZS ISO 31000:2009
- Differences can include:
  - Risk context: strategic risks most likely to impact organisational goals/objectives
  - Participants (senior executives, audit, some board)
  - Treatments for high level risks may vary
  - Methods used for identifying and evaluating risk may vary
  - Timelines can be different: some goals are longer term
  - Requires strategic thinking
- Ideally strategic risks are identified before operational risks
- Both strategic and operational risks should be centrally managed
Strategic Risk Assessment
For strategic risk assessment of the whole organisation, goals, objectives & strategies are established as part of the organisational context.
A strategy focused risk assessment process
Example: The Head of the Defence Force has a strategy to engage the enemy to regain a key piece of land.
- The Generals are told the strategy is to capture important assets
- They think: which assets are important? (strategic context)
- They consider:
  - do they have enough personnel/skills, support? (organisational context)
  - how can the strategy fail or be achieved? (risk management context)
- To improve success rates they will need to develop a high level plan on the strategy and its key objectives (strategic plan)
- They will need to evaluate if there will be issues that may impede the strategic plan (e.g. ambush, not enough soldiers, wrong information about assets) (strategic risk assessment)
- Once you understand the threats you will then put in plans to avoid them and fine tune the plan before giving it to the officers to execute
- The officers will develop operational orders for the soldiers to follow about how the offensive will take place (timings, supplies required, equipment needed, signals etc.) (operational plans)
- The officers will determine what risks there would be to the soldiers undertaking the offensive (injury, failed equipment, loss of communication etc.) (operational risks)
Example of strategic risks
Strategic goal:
- Ensuring a safe, reliable and sustainable water supply
Strategic objectives:
- (a) Incidents of poor water quality will be reduced by 15% by 2011
- (b) Water monitoring activities will increase by 10% within 12 months
Strategic risks:
- (1) Inadequate policies and procedures to improve water, leading to unexpected poor water quality
- (2) Funding for water monitoring will be diverted to another program, reducing capacity to meet targets
- (3) Government may change its priorities for resource management, leading to inability to ensure a sustainable, safe water supply
Outcome based risk assessment
- Used where the objectives have not been defined
- Focuses on the outcomes without defining strategic objectives:
  - identifies outcomes which may be unacceptable
  - how they may occur
  - outcomes that will be of consequence to the organisation's stakeholders
A practical example of linking strategy with planning
Example of embedding risk management in already established practices: "Let's Improve"
(Flowchart: an issue is first classified by asking whether it is an interpersonal/HR issue, a risk to the organisation, a service issue, a great idea or suggestion, a maintenance issue, or a public safety issue, near miss or incident. Each path then asks one or more of: "Have you followed the conflict resolution process?", "Have you discussed it with your superior?", "Have you discussed it with the Service Coordinator?", "Have you discussed the risk with your superior?" and "Does the situation require further improvement?". The paths end in one of the following actions: Complete a Quality Improvement Form; Complete a Confidential Quality Improvement Form; Document in Maintenance Book; Complete Near Miss or Incident Form; or Update Risk Register and Develop Risk Treatment Plan. A great idea or suggestion is greeted with "This is wonderful".)
Summary comments on risk integration
- One size does not fit all; it depends on the management maturity, industry and commitment
- Focus on what makes sense to the board and management; keep it practical and tailored
- Risk disciplines can work effectively with the planning, reporting, compliance, board committee and HR & culture functions
- Governance foundations (cultural tone at the top, role clarity, transparency & communication) are key
Risk Framework elements
Risk appetite and risk rating
(Diagram: four likelihood/impact charts, one each for Board, CEO, Manager and Staff, with axes of increasing likelihood and increasing impact, annotated "Plan for All Extreme Risks", "Large Appetite for Risk", "Standard" and "Risk Averse".)
Risk-opportunity matrix
(Matrix: rows are likelihood ratings A Almost Certain, B Likely, C Possible, D Unlikely and E Rare. The left-hand columns are Negative Impact / Consequence of Failure, running from High to Low; the right-hand columns are Positive Impact / Benefit of Success, running from Low to High. Row D is marked "Watching brief" on both sides. The negative side is annotated "Rigorously manage these exposures" and the positive side "Actively pursue these opportunities".)
Example Consequence (Impact) table
Insignificant
- Personal injury: No injury sustained.
- Financial: Minor loss resulting in only minimal impact to local area budget.
- Reputation: Minor complaints resolved quickly with routine procedures.
- Environmental: Negligible, transient damage. No threat to safety.
- Operational: Negligible short-term disruption to non-essential services.
Minor
- Personal injury: Minor injury requiring first aid only.
- Financial: Loss that impacts on a single service, but does not threaten that service's overall budget.
- Reputation: Complaints resolved by written response.
- Environmental: Transient environmental damage requiring minor corrective action.
- Operational: Short term disruption to services, not resulting in loss of business continuity.
Moderate
- Personal injury: Injury requiring minor or short term medical intervention.
- Financial: Loss of more than 500,000. Includes losses of less than 500,000 that threaten the overall budget of a single service.
- Reputation: Adverse publicity or media coverage not resulting in damage to operations.
- Environmental: Short term environmental damage. May pose threat to public safety requiring minor treatment for injuries.
- Operational: Short term disruption to services, resulting in short term loss of business continuity.
Major
- Personal injury: Serious injury requiring significant or long term medical intervention.
- Financial: 500,000 to 1M.
- Reputation: Adverse publicity resulting in damage to operations, but not loss of confidence in hospital management.
- Environmental: Long term environmental damage. Threat to safety, resulting in hospitalization of casualties.
- Operational: Substantial disruption to multiple services resulting in short to medium term loss of business continuity.
Catastrophic
- Personal injury: Multiple unexpected deaths or injuries resulting in permanent disability.
- Financial: More than 1M.
- Reputation: Significant / continued negative publicity. Loss of confidence in hospital management by community or government. Includes parliamentary inquiry.
- Environmental: Permanent environmental damage. Life threatening effect on public safety.
- Operational: Substantial disruption to multiple services, threatening the survival or long term business continuity of the organisation.
Example Likelihood Table
- Almost certain: The event will definitely occur, probably multiple times in a year.
- Likely: There is a strong likelihood that the event will occur at least once in the next 6-12 months.
- Possible: There is a 50/50 chance of the event occurring within the next year. The event is equally likely to occur as not.
- Unlikely: The event is not likely to occur in the next 12 months, but there is a slight possibility of occurrence.
- Rare: Highly unlikely to occur in the next 5 years. No history of the adverse event in this organisation.
Roles & Responsibilities
- Executive
  - Be a risk owner
  - Integrate into Quality & Business plans, risk treatment actions
  - Monitor for emerging risks
  - Ensure KPIs & audit data are monitored
- Managers
  - Manage local risks & escalate risks outside of delegation
  - Understand the risks for the Program/Division/Unit
  - Ensure completion of Quality & Business plan activities
  - Undertake audit activities linked to key risks
Risk management responsibilities
- The Board: sets risk appetite and tolerance; directs strategy and reviews strategic risks; receives risks and risk controls reports from management (via Risk Management Committee or Executive Management Committee); receives report from Risk and Quality or Risk and Audit Committee on the process for managing risk and on the management of key risks
- Operational Management: owns risks and their management; reports to the Board (self certification) on their management of risks
- Risk Management Committee: provides corporate oversight of risks and their management; learns from incidents and events; monitors leading indicators of changes in risk
- Risk Management Sub-Committee: provides expert resources for specific areas of operational risk such as health and safety; manages the transfer of risk via outsourcing and insurance; analyses risks and reports to the Risk Management Committee
- Risk and Audit Committee: receives reports from Internal Audit on the process for managing risk and on the management of key risks
- Internal Audit Team: provides assurance to the Audit Committee on the system of internal control and risk management; provides assurance to the Audit Committee and the Risk Management Committee on the management of specific risks
Risk Management Tools and Tips
Reporting the right things at the right level
(Diagram: a pyramid of risk reporting with "Volume of risk information" as its vertical axis. Risk/Audit Committee and Board: strategic / critical risk issues, and significant / key operational and strategic risk information. Executive Risk Management Committee and Executive Management: operational and strategic risk information at business level. Operational Risk Management Committee and Business Units: the base of the pyramid.)
The Risk Management Process for Operational Managers
(Diagram: the risk management cycle: Identify risk, Assess risk, Identify control measures, Assess control measures, Implement solutions, Monitor performance, and back to Identify risk.)
"You cannot manage what you don't measure."
- Robert S. Kaplan, Harvard Business School, co-creator of the Balanced Scorecard (with David P. Norton)
Reporting
Staff encouraged and/or incentivised to report risk or suggest risk reduction strategies.
- Formally report risks and risk treatments with sufficient detail to enable clear understanding of how risks are being managed.
- Board and/or Management guidance on what information they would like to see in risk reports
- Agreed template or format for recording risk and risk treatment information
- Agreed template or format for risk reporting
- Agreement on when and how often risk reports will be produced
- Recipients/stakeholders of risk reports identified and agreed
- Different risk reports meeting different stakeholders' needs.
Who receives risk reports in your organisation? Who should receive reports?
Risk as a management agenda item
- What is happening in other jurisdictions ... could that happen here?
- Are we meeting our legal, regulatory and compliance requirements? If not, why not?
- How do we compare to other jurisdictions when managing the risk of ...?
- What are the risks that could stop us from achieving our KPIs?
- What are the risks that could stop us from achieving our objectives?
- How could the next be harmed?
- Where will the next scandal or adverse media involving the agency come from?
- Risk management update: new practices, policies, procedures, protocols, communiqués and expectations
Risk as a management agenda item?
- Progress against the top 5-10-20 risks
- What are we doing about (risk)?
- What does our data tell us about our risks?
- How effective are our risk controls for (risk)?
- For this risk ... what do we need to stop doing, start doing and keep doing?
- What do we need to change to achieve best practice in managing the risk of ...?
- Risks with projects or new initiatives?
- What are the commonly used work-arounds in high risk areas?
Case Study: Melbourne Zoo
- Operational Risk Reporting to:
  - Management (CEO) and Animal Welfare Peer Review Committee
- Includes:
  - Animal escapes / disappearances
  - Births, deaths (e.g. by cause and by age)
  - Complaints (e.g. queries about treatment of animals)
  - Staff injuries (e.g. snake bites and low flying owls)
  - Animal rescue and rehabilitation
Risk Descriptions
Describing the risk
- The risk of ... (what, where, when), caused by ... (how), resulting in ... (impact/consequences).
- Examples:
  - The risk of extreme weather conditions (storm, hail, ice, heat), caused by seasonal variations, resulting in injury/death to staff and/or members of the public.
  - Loss of skill base in the organisation threatens long-term sustainability of the workforce.
Risk Statement
- The risk of ... (what, where, when)
- caused by ... (how)
- resulting in ... (impact/consequences)
Sample Template
Activity: Defining Risks
- In groups, select a source of risk/common risk area, or a risk from your risk register that you have concerns about, and:
  - Redefine and describe the risk using agreed risk language
  - Complete the template
  - Discuss potential treatment strategies
Risk Management Pitfalls
So what does your risk management look like?
Risk management - pitfalls?
- Poor culture
- Believing "that will never happen here"
- RM strategy is not driven from the top down
- Poorly defined accountability for risk management
- Risk management is not linked to corporate strategy
- Risk management is positioned as compliance
- Risk management fails, often with catastrophic outcomes, when the organisation's processes are ignored or overlooked
- Past mistakes are overlooked: no corporate learning
- Framework does not accurately reflect the organisation's maturity or capability
Risk management - pitfalls?
- Soft issues ignored (behaviours / attitudes)
- Over-reliance on the Risk Manager
- Risk is managed in silos
- Framework has not been translated into an action plan
- Use of technical jargon in preference to plain language statements and true life examples
- Not tough enough on language that conceals risks
- Not utilising available data / information
- Broad / non-specific risk descriptions
- Failure to use risk information to inform decision making
Questions?
Diana Borgmeyer, Risk Management Advisor. Email: d.borgmeyer_at_vmia.vic.gov.au. Phone: 9270 6812