VCOSS - PowerPoint PPT Presentation

About This Presentation
Title:

VCOSS

Description:

Probably worth mentioning: Health sector (clinical ... operations and risk management Organisational Objectives ... Risk and Audit Committee Receives ... – PowerPoint PPT presentation

Slides: 72
Provided by: DavidPe162

Transcript and Presenter's Notes

Title: VCOSS


1
VCOSS DARU workshop, 17 October 2012: Tips, Tricks and Concepts for making risk management work.
  • Diana Borgmeyer - Risk Management Adviser

2
Agenda
  1. About the VMIA
  2. The Victorian Risk Management Context
  3. Governance and Risk
  4. A quick overview of AS/NZS/ISO31000
  5. Integrating Risk
  6. Risk Framework elements
  7. Tools and Tips
  8. Activity: Describing Risks
  9. Risk Management Pitfalls
  10. Questions

4
11 Departments
89 Hospitals and Ambulance Services
90 Statutory Authorities
3500 Community Service Organisations
5
VMIA Risk Services
Risk Register Software
6
Risk Management maturity model
Determining where we are now
Targeted maturity state?
Source: Courtesy use by Victorian Managed Insurance Authority (2010 year version)
7
Victorian Government Context
8
Risk management in context
  • Whole of Government framework and attestation
  • risk management process consistent with AS/NZS
    ISO 31000
  • internal control system so the executive
    understand, manage and satisfactorily control
    risk exposures
  • Responsible body verifies the assurance made and
    risk profile critically reviewed in last 12
    months
  • Inter-agency risk

9
DHS Service Level Agreement 2012-15
  • Risk Management Clause 3.20.2 acknowledges that
    risk management is an integral part of good
    organisational practice.
  • The service agreement requires an organisation's
    CEO or Board Member to attest annually that it is
    managing risk in accordance with the AS/NZS ISO
    31000:2009 standard and the risk management
    processes satisfactorily and effectively manage
    the organisation's risks; and
  • within the twelve months prior to attestation,
    the organisation has undertaken a review of risk
    management processes.

11
Risks we see of concern to Health and Community
Sector Boards
  • Governance failures
  • Direct care workforce sustainability
  • Service delivery failures
  • Damage to stakeholder relationships/Reputation
  • Failure to adapt to changing service and funding
    models
  • Funding uncertainty
  • Inadequate emergency preparedness/response
  • Regulatory or funding standards non-compliance

12
Common Risk Areas
  • Client dissatisfaction
  • Unfavourable publicity and/or reputation damage
  • Mismanagement (eg. projects, finance)
  • Threat to physical safety
  • Failure of equipment or computer systems
  • Breach of legal obligations and contractual
    responsibility
  • Fraud
  • Deficiencies in financial controls and reporting
  • Unethical behaviour
  • Failure to protect assets and goodwill

13
Governance and Risk
14
Governance
  • Corporate governance generally refers to the
    processes by which organisations are directed,
    controlled and held to account.
  • It encompasses authority, accountability,
    stewardship, leadership, direction and control
    exercised in an organisation. [1]
  • [1] Standards Australia, AS 8000-2003 Corporate
    Governance: Good governance principles,
    July 2003, p7

15
Definition of Public Sector Governance
  • "the set of responsibilities and practices,
    policies and procedures, exercised by an agency's
    executive, to provide strategic direction, ensure
    objectives are achieved, manage risks and use
    resources responsibly and with accountability." [1]
  • Good Governance is about both:
  • Performance: how an agency uses governance
    arrangements to contribute to its overall
    performance and delivery of services or
    programmes.
  • Conformance: how an agency uses governance
    arrangements to ensure it meets the requirements
    of the law, regulations, published standards and
    community expectations on probity and
    accountability.

[1] Adapted from ANAO, Implementation of program
and policy initiatives: Better Practice Guide,
2006, p.13.
16
Governance - common elements
17
How governance and risk management underpin an
organisation's performance
Source: Public Sector Governance, Better Practice
Guide, Volume 1, Australian National Audit
Office, July 2003
18
Core principles underpinning Governance frameworks
  • Accountability and compliance: being answerable for
    decisions and having appropriate compliance
    mechanisms
  • Transparency and structure: clear roles, duties and
    procedures in decision making
  • Leadership: tone at the top to achieve
    organisation-wide commitment from the top
  • Integrity: acting impartially, ethically and in
    the interests of the organisation [1]
  • [1] Public sector governance and the individual
    officer, guidance paper no.1, Better Practice
    Guide, Australian National Audit Office, July
    2003

19
Good governance attributes
  • Clear roles and responsibilities
  • Ethics based culture
  • Accountability through control, monitoring and
    review
  • Effective governing body
  • Communication and awareness
  • Transparent external reporting
  • Integrated risk management practices in
    planning, operations and reporting

20
risk management?
  • An integral part of the organisation's management
    system
  • Essential for good governance
  • Offers common language and consistency
  • Embeds the risk management process in decision
    making
  • Don't simply ask "what may go wrong?" ... ask
    "what must go right?"
  • Good risk management doesn't stifle progress and
    innovation; it drives success

21
  • Looking back, I wish I had pressed harder. It's
    easy to say after the fact.
  • Yukinobu Okamura, Head of Active Fault and
    Earthquake Research Centre, recalling tsunami
    concerns he raised in June 2009 at a Japan Trade
    Ministry meeting to assess reactor safety.
  • Tsunami Warnings ignored, The Age, March 26 2011

22
  • Details of risks were either not satisfactorily
    conveyed to senior executives and ministers or,
    if conveyed, were not acted on.
  • Energy Efficient Homes Package (Ceilings
    Insulation)
  • Senate Inquiry Report (15 July 2010)

23
Why do strategies fail?
Only 10% of organisations execute their strategy.
The problem isn't lack of strategy. It's the lack
of ability to successfully manage the execution
of what looks strategically good on paper.
Barriers to Strategy Execution
Reference: Robert Kaplan and David Norton, The
Balanced Scorecard and The Strategy Focused
Organization
24
Six key questions
  • Essentially, risk management seeks to answer
    these basic questions:
  • what are we trying to achieve?
  • what events or circumstances could affect the
    achievement of our objectives?
  • what are the consequences?
  • how likely are these events?
  • what can we do to manage these outcomes?
  • how will we maximise opportunities?

25
AS/NZS ISO 31000:2009
26
The definition of risk?
"The effect of uncertainty on objectives."
Uncertainty is the state, even partial, of deficiency
of information related to, understanding or
knowledge of, an event, its consequence, or
likelihood.
AS/NZS ISO 31000:2009
The aim of risk management is not the management
of risk but the achievement of objectives.
27
Overview of AS/NZS/ISO31000
Process for managing risk (Clause 5)

Principles for managing risk (Clause 3)
Creates value; Integral part of organisational processes; Part of decision making; Explicitly addresses uncertainty; Systematic, structured and timely; Based on the best available information; Tailored; Takes human and cultural factors into account; Transparent and inclusive; Dynamic, iterative and responsive to change; Facilitates continual improvement and enhancement of the organisation
Framework for managing risk (Clause 4)

Attributes of enhanced risk management (Annex A - Informative)
28
AS/NZS ISO 31000:2009 - Risk management
principles
  1. Creates value
  2. Integral part of organisational processes
  3. Part of decision making
  4. Explicitly addresses uncertainty
  5. Systematic, structured and timely
  6. Based on the best available information
  7. Tailored
  8. Takes human and cultural factors into account
  9. Transparent and inclusive
  10. Dynamic, iterative and responsive to change
  11. Facilitates continual improvement and
      enhancement of the organisation

Should be reflected in your organisation's
approach
29
Fit-for-purpose
Risk management should be embedded in all the
organisation's practices and processes in a way
that it is relevant, effective and efficient. The
risk management process should become part of,
and not separate from, those organisational
processes. In particular, risk management should
be embedded into the policy development, business
and strategic planning and review, and change
management processes.
(Source: AS/NZS ISO 31000:2009 Risk Management:
Principles and Guidelines)
30
Risk Terminology
  • Risk: chance of something happening that will
    have an impact on objectives
  • Likelihood: chance of something happening
  • Consequence: outcome of risk on objectives
  • Risk Rating: overall rating which determines
    actions and risk treatments by the Board, CEO
    and Executive
  • Control: includes any process, policy, device,
    practice or action which modifies risk
  • Control Effectiveness: assessment of the
    effectiveness of controls to determine if
    any gaps exist
  • Risk Owner: person or entity with the
    accountability and authority to manage a risk
  • Risk Treatment: can involve avoiding the risk,
    increasing risk to gain an opportunity,
    removing the source, changing the likelihood or
    consequence, sharing the risk, or retaining the
    risk

31
Integrating risk
32
What are the benefits of an enterprise-wide
approach to Risk Management?
  • Enables identification of threats and
    opportunities for an agency
  • Improves and informs the planning process
  • Reduces likelihood of costly surprises
  • Contributes to improved resource allocation
  • Improves efficiency and performance
  • Improves accountability
  • Encourages continual improvement

33
  • Managing risks in order to meet our objectives
  • Choosing which risks to take ... and then
    managing them well

34
Risk and planning - a comprehensive process
  • Designed to identify, analyse, evaluate, treat,
    monitor and communicate risks that could prevent
    an organisation from achieving its objectives.
  • Covers strategic, operational, financial and
    compliance risks.
  • The term enterprise-wide risk management is
    widely used by both the Victorian public sector
    and the private sector, both for-profit and
    not-for-profit, to describe this comprehensive
    approach.

35
Link strategy, operations and risk management
[Diagram labels:]
  • Cascading Process: Cascade and Align Strategic Objectives, Key
    Performance Indicators and Targets
  • Organisational Objectives; Strategies; Key Performance
    Indicators and Targets
  • Department A, Program B, Service C: Operational Objectives,
    Indicators and Targets
  • Strategic Risks; Operational Risks; Organisational-Wide Risk
    Register
  • Link Risk Management To Strategic Planning; Link Risk
    Management To Operational Planning; Risk Reporting
    (Reporting System)
36
Different levels, different types of risks
Risks ultimately should be filtered to the lowest
level possible for ownership and mitigation
37
Different levels of risk
  • Executive: Strategic Risks. Vision and Mission; Corporate
    strategy and objectives; Corporate Plan; Measures/Targets;
    Emerging
  • Management and staff: Operational Risks. Business and
    operational objectives; Business Plan; Measures/Targets;
    Emerging
  • Project managers: Project Risks. Project objectives;
    Project Plan; Measures/Targets; Emerging
38
Differences and similarities between strategic
and operational risks?
  • Both follow principles of AS/NZS ISO 31000:2009
  • Differences can include:
  • Risk context: strategic risks most likely to
    impact organisational goals/objectives
  • Participants (senior executives, audit, some
    board)
  • Treatments for high level risks may vary
  • Methods used for identifying and evaluating risk
    may vary
  • Timelines can be different; some goals are
    longer term
  • Requires strategic thinking
  • Ideally strategic risks are identified before
    operational risks
  • Both strategic and operational risks should be
    centrally managed

39
Strategic Risk Assessment
For strategic risk assessment of the whole
organisation, goals, objectives and strategies
are established as part of the organisational
context.
40
A strategy focused risk assessment process
Example: The Head of the Defence Force has a
strategy to engage the enemy to regain a key
piece of land
  • The Generals are told the strategy is to capture
    important assets
  • They think which assets are important?
    (strategic context)
  • They consider
  • do they have enough personnel/skills, support
    (organisational context)
  • how can the strategy fail or be achieved? (risk
    management context)
  • To improve success rates they will need to
    develop a high level plan on the strategy and its
    key objectives (strategic plan)
  • They will need to evaluate if there will be issues
    that may impede the strategic plan (eg ambush,
    not enough soldiers, wrong information about
    assets) (strategic risk assessment)
  • Once you understand the threats you will then put
    in plans to avoid them and fine tune the plan
    before giving it to the officers to execute
  • The officers will develop operational orders for
    the soldiers to follow about how the offensive
    will take place (timings, supplies required,
    equipment needed, signals etc) (operational
    plans)
  • The officers will determine what risks there
    would be to the soldiers undertaking the
    offensive (injury, failed equipment, loss of
    communication etc) (operational risks)

41
Example of strategic risks
Strategic goal
  • Ensuring a safe, reliable and sustainable water
    supply

Strategic objectives
  • (a) Incidents of poor water quality will be reduced
    by 15% by 2011
  • (b) Water monitoring activities will increase by
    10% within 12 months

Strategic risks
  • (1) Inadequate policies and procedures to improve
    water, leading to unexpected poor water quality
  • (2) Funding for water monitoring will be diverted
    to another program, reducing capacity to meet
    targets
  • (3) Government may change its priorities for
    resource management, leading to inability to
    ensure a sustainable, safe water supply
42
Outcome based risk assessment
  • Used where the objectives have not been defined
  • Focuses on the outcomes without defining
    strategic objectives

Identifies outcomes which may be unacceptable
How they may occur
Outcomes that will be of consequence to the
organisation's stakeholders
43
A practical example of linking strategy with
planning
44
Example of embedding risk management in already
established practices.
[Flowchart: "Let's Improve"]
  • Entry questions: Is this an interpersonal/HR issue? Is this a
    risk to the organisation? Is this a service issue? Have you got
    a great idea or suggestion? (This is wonderful) Is this a
    maintenance issue? Is this a public safety issue, near miss or
    incident?
  • Follow-up questions: Have you followed the conflict resolution
    process? Have you discussed it with the Service Coordinator?
    Have you discussed it with your superior? Have you discussed
    the risk with your superior? Does the situation require
    further improvement?
  • Actions: Complete a Quality Improvement Form; Complete a
    Confidential Quality Improvement Form; Document in Maintenance
    Book; Complete Near Miss or Incident Form; Update Risk
    Register, Develop Risk Treatment Plan
45
Summary comments on risk integration
  • One size does not fit all, depends on the
    management maturity, industry and commitment
  • Focus on what makes sense to the board and
    management; keep it practical and tailored
  • Risk disciplines can work effectively with
    the planning, reporting, compliance, board
    committee and HR and culture functions
  • Governance foundations: cultural tone at the
    top, role clarity, transparency and communication
    are key

46
Risk Framework elements
47
(No Transcript)
48
Risk appetite and risk rating
[Figure: risk matrices (axes: Increasing Impact, Increasing Likelihood) for three levels of risk appetite: Large Appetite for Risk, Standard, and Risk Averse. Other labels: Plan for All Extreme Risks; Board, CEO, Manager, Staff.]
49
Risk-opportunity matrix
[Figure: risk-opportunity matrix]
  • Likelihood: A Almost Certain, B Likely, C Possible,
    D Unlikely, E Rare
  • Negative Impact (Consequence of Failure): High to Low
  • Positive Impact (Benefit of Success): Low to High
  • Rigorously manage these exposures
  • Actively pursue these opportunities
  • Watching brief (shown on both sides at D Unlikely)
50
Example Consequence (Impact) table
Descriptors for each rating: Personal injury, Financial, Reputation, Environmental, Operational
  • Insignificant
    Personal injury: No injury sustained.
    Financial: Minor loss resulting in only minimal impact to local area budget.
    Reputation: Minor complaints resolved quickly with routine procedures.
    Environmental: Negligible, transient damage. No threat to safety.
    Operational: Negligible short-term disruption to non-essential services.
  • Minor
    Personal injury: Minor injury requiring first aid only.
    Financial: Loss that impacts on a single service, but does not threaten that service's overall budget.
    Reputation: Complaints resolved by written response.
    Environmental: Transient environmental damage requiring minor corrective action.
    Operational: Short term disruption to services, not resulting in loss of business continuity.
  • Moderate
    Personal injury: Injury requiring minor or short term medical intervention.
    Financial: Loss of more than 500,000. Includes losses of < 500,000 that threaten the overall budget of a single service.
    Reputation: Adverse publicity or media coverage not resulting in damage to operations.
    Environmental: Short term environmental damage. May pose threat to public safety requiring minor treatment for injuries.
    Operational: Short term disruption to services, resulting in short term loss of business continuity.
  • Major
    Personal injury: Serious injury requiring significant or long term medical intervention.
    Financial: 500,000 to 1M
    Reputation: Adverse publicity resulting in damage to operations, but not loss of confidence in hospital management.
    Environmental: Long term environmental damage. Threat to safety, resulting in hospitalization of casualties.
    Operational: Substantial disruption to multiple services resulting in short to medium term loss of business continuity.
  • Catastrophic
    Personal injury: Multiple unexpected deaths or injuries resulting in permanent disability.
    Financial: > 1M
    Reputation: Significant / continued negative publicity. Loss of confidence in hospital management by community or government. Includes parliamentary inquiry.
    Environmental: Permanent environmental damage. Life threatening effect on public safety.
    Operational: Substantial disruption to multiple services, threatening the survival or long term business continuity of the organisation.
51
Example Likelihood Table
Rating: Description
  • Almost certain: The event will definitely occur, probably multiple times in a year.
  • Likely: There is a strong likelihood that the event will occur at least once in the next 6-12 months.
  • Possible: There is a 50/50 chance of the event occurring within the next year. Event is equally likely to occur as not.
  • Unlikely: The event is not likely to occur in the next 12 months, but there is a slight possibility of occurrence.
  • Rare: Highly unlikely to occur in the next 5 years. No history of adverse event in this organisation.
52
Roles and Responsibilities
  • Executive:
  • Be a risk owner
  • Integrate into Quality Business plans, risk
    treatment actions
  • Monitor for emerging risks
  • Ensure KPIs and audit data are monitored
  • Managers:
  • Manage local risks and escalate risks outside of
    delegation
  • Understand the risks for the Program/Division/Unit
  • Ensure completion of Quality Business plan
    activities
  • Undertake audit activities linked to key risks

53
Risk management responsibilities
  • The Board: Sets risk appetite and tolerance; Directs strategy and reviews strategic risks; Receives risks and risk controls reports from management (via Risk Management Committee or Executive Management Committee); Receives report from Risk and Quality or Risk and Audit Committee on the process for managing risk and on the management of key risks
  • Operational Management: Owns risks and their management; Reports to the Board (self certification) on their management of risks
  • Risk Management Committee: Provides corporate oversight of risks and their management; Learns from incidents and events; Monitors leading indicators of changes in risk
  • Risk Management Sub-Committee: Provides expert resources for specific areas of operational risk such as health and safety; Manages the transfer of risk via outsourcing and insurance; Analyses risks and reports to the Risk Management Committee
  • Risk and Audit Committee: Receives reports from Internal Audit on the process for managing risk and on the management of key risks
  • Internal Audit Team: Provides assurance to the Audit Committee on the system of internal control and risk management; Provides assurance to the Audit Committee and the Risk Management Committee on the management of specific risks
54
Risk Management Tools and Tips
55
Reporting the right things at the right level
  • Board; Risk/Audit Committee: Strategic / Critical risk issues
  • Executive Management; Exec Risk Mgt Committee: Significant /
    key operational and strategic risk information
  • Business Units; Op Risk Mgt Committee: Operational and
    strategic risk information at Business level
  • [Diagram label: Volume of risk information]
56
The Risk Management Process for Operational
Managers
RISK MANAGEMENT CYCLE
  1. IDENTIFY RISK
  2. ASSESS RISK
  3. IDENTIFY CONTROL MEASURES
  4. ASSESS CONTROL MEASURES
  5. IMPLEMENT SOLUTIONS
  6. MONITOR PERFORMANCE
57
"You cannot manage what you don't measure"
Robert S. Kaplan, Harvard Business School,
Co-creator of Balanced Scorecard (with David P.
Norton)
58
Reporting
Staff encouraged and/ or incentivised to report
risk or suggest risk reduction strategies.
  • Formally report risks and risk treatments with
    sufficient detail to enable clear understanding
    of how risks are being managed.
  • Board and/ or Management guidance on what
    information they would like to see in risk
    reports
  • Agreed template or format for recording risk and
    risk treatment information
  • Agreed template or format for risk reporting
  • Agreement on when and how often risk reports will
    be produced
  • Recipients/ stakeholders of risk reports
    identified and agreed
  • Different risk reports meeting different
    stakeholders' needs.

Who receives risk reports in your
organisation? Who should receive reports?
59
Risk as a management agenda item
  • What is happening in other jurisdictions ...
    could that happen here?
  • Are we meeting our legal, regulatory and
    compliance requirements? If not, why not?
  • How do we compare to other jurisdictions when
    managing the risk of ....?
  • What are the risks that could stop us from
    achieving our KPIs?
  • What are the risks that could stop us from
    achieving our objectives?
  • How could the next be harmed?
  • Where will the next scandal or adverse media
    involving the agency come from?
  • Risk management update: new practices, policies,
    procedures, protocols, communiqués and
    expectations

60
Risk as a management agenda item?
  • Progress against the top 5-10-20 risks
  • What are we doing about (risk)...?
  • What does our data tell us about our risks?
  • How effective are our risk controls for
    (risk)?
  • For this risk ... what do we need to stop doing,
    start doing and keep doing?
  • What do we need to change to achieve best
    practice in managing the risk of.....?
  • Risks with projects or new initiatives?
  • What are the commonly used work arounds in high
    risk areas?

61
Case Study: Melbourne Zoo
  • Operational Risk Reporting to Management (CEO)
    and Animal Welfare Peer Review Committee
  • Includes:
  • Animal escapes / disappearances
  • Births, deaths (eg by cause and by age)
  • Complaints (eg queries about treatment of
    animals)
  • Staff injuries (eg snake bites and low flying
    owls)
  • Animal rescue and rehabilitation

62
Risk Descriptions
63
Describing the risk
  • The risk of ... (what, where, when), caused by
    ... (how), resulting in ... (impact/consequences).
  • Examples:
  • The risk of extreme weather conditions (storm,
    hail, ice, heat), caused by seasonal variations,
    resulting in injury/ death to staff and/or public
    members.
  • Loss of skill base in the organisation threatens
    long-term sustainability of the workforce.

64
Risk Statement
  • The risk of ... (what, where, when)
  • caused by ... (how)
  • resulting in ... (impact/consequences)

65
Sample Template
66
Activity: Defining Risks
  • In groups, select a source of risk/common risk
    area or a risk from your risk register that you
    have concerns about and:
  • Redefine and describe the risk using agreed risk
    language
  • Complete the template
  • Discuss potential treatment strategies

67
Risk Management Pitfalls
68
So what does your risk management look like?
69
Risk management - pitfalls?
  • Poor culture
  • Believing "that will never happen here"
  • RM strategy is not driven from the top down
  • Poorly defined accountability for risk management
  • Risk management is not linked to corporate
    strategy
  • Risk management is positioned as compliance
  • Risk management fails, often with catastrophic
    outcomes, when the organisation's processes are
    ignored or overlooked
  • Past mistakes are overlooked; no corporate
    learning
  • Framework does not accurately reflect the
    organisation's maturity or capability

70
Risk management - pitfalls?
  • Soft issues ignored (behaviours / attitudes)
  • Over reliance on the Risk Manager
  • Risk is managed in silos
  • Framework has not been translated into an action
    plan
  • Use of technical jargon in preference to plain
    language statements and true life examples
  • Not tough enough on language that conceals risks
  • Not utilising available data / information
  • Broad / non-specific risk descriptions
  • Failure to use risk information to inform
    decision making

71
Questions?
Diana Borgmeyer, Risk Management Advisor. Email: d.borgmeyer_at_vmia.vic.gov.au. Phone: 9270 6812
