Taming Uncertainty: Risk Management in the 21st Century
David T. Wilber
Chief Operating Officer / CARF Surveyor
Definition of Risk Management
The act of controlling any threats to the organization’s:
Goodwill
People
Property
Income
Ability to accomplish goals
The Difference Between Incident Analysis and Risk Assessment
Incident Analysis:
Establishes a cause for an incident that has already happened.
Focuses on analyzing the reasons for the incident and development of strategies to prevent future incidents.
Risk Assessment:
Focuses on identification of potential exposures to prevent incidents from happening.
Breaks business decisions down into bite sized pieces to enable pre-planning for loss control and mitigation strategies.
The only alternative to risk management is crisis management --- and crisis management is much more expensive, time consuming and embarrassing.
JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003
Goals of Risk Management
For the organization to:
Protect physical and financial assets
Protect intangible assets (e.g., goodwill and reputation)
Prepare for operational crisis (Tolerate Uncertainty)
Provide a safe environment for all employees, persons receiving services and visitors
Promote a “healthy” risk culture – It’s safe to talk about risk. Open and transparent.
Develop a common and consistent approach to risk across the organization. Not intuition-based.
Goals of Risk Management
Things will happen…they always do…!
Survival: Not going under due to unforeseen circumstances.
Continuity of operations: Avoiding Business interruption-shutdowns
Sustainability and profitability: Maintaining your mission
Low Risk Organizations will have these factors in place.
Risk management plan
Continuity of Operations plan
Technology Plan
Risk Management Team
Staff Training and competency testing
Corporate Compliance program
Ethical Code of Conduct that includes witnessing of documents etc.
Social Media Policies
Accreditation: CARF-The Rehabilitation Accreditation Commission
A Simple Framework
[Diagram: five-step cycle, Step 1 to Step 5. Box labels as extracted: Evaluate & Take Action; Establish Objectives; Identify Risks & Controls; Assess Risks & Controls; Monitor & Report. Caption: Communicate, learn, improve]
Process of Risk Management
Categorizing Risk – Comprehensive
1. Political Risk
2. Financial Risk
3. Service Delivery or Operational Risk
4. People / HR Risk
5. Information/Knowledge Risk
6. Strategic / Policy Risk
7. Stakeholder Satisfaction / Public Perception Risk
8. Legal / Compliance Risk
9. Technology Risk
10. Governance / Organizational Risk
11. Privacy Risk
12. Security Risk
13. Equity Risk
14. Safety (NEW)
You still have to assess those “other risks”
VULNERABILITY ANALYSIS CHART
Department: Date:
Site: Person Completing Form:
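Columns: Type of Risk | Probability | Human Impact | Property Impact | Business Impact | Internal Resources | External Resources | Total
Scoring scales:
Probability: 5 = High, 1 = Low
Human, Property and Business Impact: 5 = High Impact, 1 = Low Impact
Internal and External Resources: 5 = Weak Resources, 1 = Strong Resources
Types of risk listed: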
FIRE
MEDICAL EMERGENCY
ELECTRIC SHOCK
SPILLS/ HAZARDOUS EXPOSURE
ADVERSE WEATHER “TORNADOS”
BOMBS / TERRORISM
MISSING PERSONS
POISONING
PSYCHIATRIC EMERGENCY
VEHICLE EMERGENCY
SUSPICIOUS MAIL
Risk rating … Combining impact and likelihood
[Figure: risk rating grid with Impact (1 to 5) on one axis and Likelihood (1 to 5) on the other; Risk = I x L]
RISK PRIORITIZATION MATRIX
A Risk Prioritization Matrix can be helpful in prioritizing risks
Plot of event probability versus impact
Note that the zones are not symmetrical across the matrix
High-impact, low-probability events are much more important than likely low-impact events
Polling Question
What is the average # of accidents that go unreported for every one reported accident?
1.29
2.48
4.71
6.26
Accident under-reporting among employees: Testing the moderating influence of psychological safety climate and supervisor enforcement of safety practices. Tahira M. Probst & Armando X. Estrada, Department of Psychology, Washington State University, June 2009
The Approach: Your toolkit – education, job aids, templates
Incorporates risk information into the strategic direction-setting, making decisions that consider established risk tolerance levels.
Takes a systems approach to managing risk at the strategic, operational and project levels which is continuous, proactive and systematic.
Fosters a working culture that values learning, innovation, responsible risk-taking and continuous improvement.
Add value not work. We developed forms and templates.
Develop and deliver educational sessions – usually attended by all leadership members at a minimum. Include risk 101 and time for them to discuss how to apply concepts to their specific worksite.
Develop teams in actual risk assessments.
What are Loss Prevention/Risk Control Methods?
Avoidance – There’s a great deal of risk. You don’t want to assume the risk and it can’t be transferred, so you avoid the risk altogether
Loss Prevention – Reduces the frequency or likelihood of a “particular” loss. Examples include:
Improve security measures to reduce the possibility of arson or theft.
Improve maintenance of facilities to reduce the possibility of a tripping hazard.
Loss Reduction – Reduces the severity or cost of a “particular” loss. Examples include:
Require the use of hearing protection to reduce the chance of a hearing loss.
Reduce the cost of workers’ compensation claims through the use of return to work programs.
Segregate Losses – Arrange your agency’s activities and assets to prevent one event from causing loss to the whole.
Contractually transfer the risk.
Process of Risk Management
Select and implement desired loss reduction techniques
Personal protective equipment.
Housekeeping, repair, and maintenance.
Inspections.
Tools and equipment.
Supervision.
Policies, procedures, and process.
Contract management and administration.
Monitoring and Control
Continually monitor risks to identify any change in the status, or if they turn into an issue.
Hold regular risk reviews
To identify actions outstanding, risk probability and impact
Remove risks that have passed
Identify new risks
The Risk Management Plan
Risk Management Plan should specify the risks, risk responses, and mechanisms used to control the process
Need to continuously monitor for risk triggers
Potential risk events should be identified early in a project and monitoring for such events immediately commence
Each risk is assigned to a specific position
Has the expertise & authority to identify & respond to an event
Need environment where problems are readily reported, embraced & solved
The following table describes the risks and mitigating controls and related information. As controls are implemented or changed, their status will be updated.
Risk Rating: Impact = significant, moderate or minor (S, M, m) and Likelihood = high, medium or low (H, M, or L)

IRM RISKS AND CONTROLS
Columns: ID Number | Responsible Org & Name (Implement / Operate) | Risk | Control | Risk Rating (Impact) | Risk Rating (Likelihood) | Date Required | Status

Category: Financial
None in this category

Category: Equity
None in this category

Category: Service Delivery or Operational

ID Number: 064
Responsible Org & Name: Person A
Risk: 055 – Insufficient knowledge transfer; 102 – Conflicting management instructions
Control: Update impacted policies and procedures for integration into knowledge support tools. Harmonizing policies and procedures (e.g., access procedures – X has one and Y has one – there needs to be one process/policy/procedure).
Risk Rating (Impact): M
Risk Rating (Likelihood): M
Date Required: 31-Mar-09
Status: Refer to Privacy Action Plan Work on Ongoing Operations Commitments Report

ID Number: 065
Responsible Org & Name: Person B
Risk: 056 – Lack of communication (Serious service delivery issues); 352 – Different business and IT processes (incident management)
Control: (a) IT incident and Triage (harmonization between IT and Business). (b) X and Y need to develop an incident management process/service to deal with issues that arise during service delivery. Roles and responsibilities need to be defined in both organizations: from a stewardship perspective on the ministry side, and from a service delivery/reporting perspective on the agency side. The process/service ensures that incident/issues are communicated as per agreement requirements; well tracked and reported.
Risk Rating (Impact): M
Risk Rating (Likelihood): M
Date Required: 31-Mar-09
Status: (a, b) Refer to ongoing Operations IRM document
Process of Risk Management
Annual Report results of loss reduction techniques
Include results in performance improvement activities
Columns: Exposure | Risk | Control Mechanism | Responsibility | Review Date

Exposure: Maltreatment of Individuals
Risk: Fines, loss of licenses, loss of Individuals
Control Mechanism: Maintain current knowledge of Human Rights (DBHDS); Annual training of all direct support staff in Human Rights (DBHDS); Incident Report Process; Internal Investigation process
Responsibility: Director of Program and Quality Services, Senior Leadership Team, Management Team
Review Date: Annually

Exposure: Change in population - Diversity
Risk: Loss of Individuals
Control Mechanism: Develop new and innovative programs to meet the changing needs; Program evaluation and satisfaction surveys; Follow trends
Responsibility: Senior Leadership Team, Management Team
Review Date: Annually

Exposure: Legislative/ Rule Changes
Risk: Increased costs without increased funding; Not implementing rule changes correctly; Loss of funding
Control Mechanism: Actively monitor legislative activities through trade associations – vaACCSES, VNPP, VAAPSE, ArcVA
Responsibility: Management Team
Review Date: Annually

Exposure: Wage and Hour Issues
Risk: Wage and Hour Audit
Control Mechanism: Maintain current knowledge of wage and hour rules and regulations; Provide staff with wage and hour training
Responsibility: Management Team, Accounting staff
Review Date: Annually

Exposure: Loss of work
Risk: Loss of income; Loss of Individuals
Control Mechanism: Monitor marketing capabilities; Develop aggressive marketing plan; Plan for alternative activities
Responsibility: Management Team, Director of Business Development
Review Date: Annually

Exposure: Downturn in economy
Risk: Loss of community jobs; Loss of facility based jobs; Loss of income
Control Mechanism: Implement volunteer opportunities and alternative activities; Diversify program options throughout agency
Responsibility: Management Team
Review Date: Annually

Thank you
You don’t know what you don’t know…
Better to know….
David T. Wilber
Chief Operating Officer / CARF Surveyor