
Enterprise Risk Management Framework

North Simcoe Muskoka LHIN

June 2010

Prepared by

Tim Berry,

MBA,CMA


Table of Contents

Executive Summary ... 4

Risk Oversight ... 5

Risk Definitions ... 6

Roles and Responsibilities ... 8

Principles of Risk Management... 11

Risk Management Process ... 12

NSM LHIN Risk Management ... 21

Exhibit “A” – Risk Register – LHIN Operations ... 24

Exhibit “B” – Risk Register – LHIN Health System ... 25


Executive Summary

The North Simcoe Muskoka Local Health Integration Network (NSM LHIN) is committed to providing high quality health care and services, enhancing the safety of clients, staff, families, volunteers and preserving its reputational and financial integrity in order to continue its mission.

Currently, risk management within the NSM LHIN has been addressed through a variety of processes including:

• Quarterly reporting of financial risks to the Ministry of Health and Long-Term Care

• Quarterly reporting of variances related to performance requirements in the Ministry-LHIN accountability agreement

• Varying degrees of risk elevation based on issue identification by staff

What’s missing is an assessment of risk on an organization or enterprise-wide basis. The establishment of an Enterprise Risk Management (ERM) system is founded on the philosophy that leadership sets the tone and directs efforts across the organization to foster a culture that values learning, innovation, responsible risk taking, continuous improvement and commitment to address the underlying system factors that contribute to risk.

An ERM system should satisfy the following objectives at the NSM LHIN:

1. to establish an ERM system as a critical component in achieving quality and safety goals and financial performance targets, plus protecting and enhancing NSM LHIN’s reputation.

2. to establish all forms of risk that the organization may face and to outline risk identification strategies, risk mitigation processes and monitoring and reporting to achieve effective ERM.

3. to establish a structured analytical process that focuses on identifying and eliminating risks that will impact on achievement of objectives.

The benefits of an ERM system to the NSM LHIN are:

1. Proactive rather than reactive management of risk resulting in more successes, fewer setbacks, and more effective operations and controls.

2. More effective and structured approach to opportunities and threats by managing the associated risks in effective and efficient ways.

3. Improved stakeholder trust and confidence in the organization.

4. Better corporate governance through improved understanding of risks, their control and general resilience and robustness of the organization.


Risk Oversight

In its report on the Current State of Enterprise Risk Management Oversight, the American Institute of Certified Public Accountants (AICPA) notes that “the intense focus on board oversight of risk management process continues in 2010”.

A December 2009 survey of over 700 executives representing organizations of various sizes and industries conducted by the AICPA shows some interesting trends relative to enterprise risk oversight.

• Over 63% of respondents believe that the volume and complexity of risks have changed “Extensively” or “A Great Deal” in the past five years.

• 49% of respondents described the sophistication of their risk oversight processes as immature to minimally mature. Almost 70% noted that management does not report the entity’s top risk exposures to the board of directors.

• Almost 57% of respondents have no formal enterprise-wide approach to risk oversight. Only a small number (11%) of respondents believe they have a formal enterprise-wide risk management process in place.

• 53% of respondents currently do no formal assessment of strategic, market, or industry risks, and 51% noted that they do not maintain any risk inventories on a formal basis.

Description of the State of ERM Currently in Place (Percentage of Respondents):

• No enterprise-wide management process in place: 40.1%

• Currently investigating concept of enterprise-wide risk management, but have made no decision yet: 16.7%

• No formal enterprise-wide risk management process in place, but have plans to implement: 10.2%

• Partial enterprise-wide risk management process in place (i.e., some, but not all, risk areas addressed): 22.0%

• Complete formal enterprise-wide risk management process in place: 11.0%

Despite the growing demand for more effective risk oversight, the level of enterprise-wide risk oversight across a wide spectrum of organizations remains fairly immature.

Many corporate governance reform experts have called for the embrace of ERM, a top-down, holistic view of the inventory of key risk exposures potentially affecting an enterprise’s ability to achieve its objectives.


Risk Definitions

Enterprise risk management can be viewed as a natural evolution of the process of risk management. There are many variations of the definition of risk management. The Committee of Sponsoring Organizations (COSO), considered a world leader in risk management, defines enterprise risk management as:

• “a process, effected by the entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”.

Other definitions include:

• a comprehensive, systematic process that assists decision-makers in identifying, analyzing, evaluating and treating all types of risks, both internal and external to the organization.

• managing the “unacceptable variation from the expected” of both positive and negative consequences of activities.

It is important that a holistic approach be taken to ERM. Often organizations address risk in “silos”, with the management of various departments each conducted as narrowly focused and fragmented activities. Under ERM, all risk areas would function as parts of an integrated, strategic, and enterprise-wide system. While risk management is coordinated with senior-level oversight, employees at all levels of the organization using ERM are encouraged to view risk management as an integral and ongoing part of their jobs.

Enterprise Risk Management (ERM) is a systematic process of identifying, analyzing and responding to risk. The “what” of risk is anything of variable uncertainty and significance that interferes with the achievement of business strategies and objectives. It involves developing flexible strategies aimed at preventing any negative event from occurring or to minimize any potential harm and provide reasonable assurance regarding the achievement of the organization’s objectives.

Risk refers to the uncertainty in achieving organization objectives or the uncertainty that surrounds future events and outcomes. The uncertainties include:

• the likelihood of the event occurring

• the expected frequency of the event occurring

• the severity of the outcome if the event occurs.

The fundamental nature and consequences of risk apply equally to for-profit and not-for-profit organizations. In not-for-profit organizations, risk is usually formalized as uncertainty in achieving the organization’s stated qualitative objectives – for example, a provincial health ministry may have the objective of improving some measure of the population’s health, and risk relates to uncertainty in achieving that target.

Operational accountability demands that all agencies including the LHINs, health service providers, and the MOHLTC, must demonstrate accountability through risk management by recognizing, reviewing and analyzing key risk concepts and considerations.

Major risk categories include:

1. Operational Risk: The risk of direct or indirect loss or inability to provide core services, especially to stakeholders, resulting from inadequate or failed internal processes, people and systems or from external events. Operational risks involve factors such as technical or equipment malfunctions and human error, lack of prioritization, management support or expertise, etc. This comes from the design and implementation of measures and processes that support accountability and oversight, being able to attract talent with experience in transformation and change management and addressing broader system-wide pressures for health care resources.

2. Financial Risk: The risk of financial loss to the organization’s ability to earn, raise or access capital as well as costs associated with its transfer of risk. This includes effectiveness of financial processes for reporting, budgeting, funding allocation and fiscal stewardship as well as monitoring of full financial reporting of the health service providers by the LHINs.

3. Reputational Risk: The risk of significant negative public opinion that results in a critical loss of confidence (patient, staff, physician, family, public). The risk may involve actions that create a lasting negative image of, or loss of confidence in, the overall operations of the LHIN.

4. Strategic Risk: The risk associated with the organization’s initial strategy selection, execution or modification over time, resulting in a lack of achievement of the organization’s overall objectives. Processes and controls must be sustainable, defensible and make sense in the context of an organization’s risk and operational priorities.

Roles and Responsibilities

1. LHIN Board

Fundamentally, the role of the board is to ensure that the risk management processes designed and implemented by the LHIN senior management act in concert with the LHIN’s strategic vision. The board must exercise appropriate oversight to be confident that risk management processes are functioning as designed and that adequate attention is paid to the development of a culture of risk-aware decision making throughout the organization. Executed properly, an ERM system can and should become an integral component of the LHIN’s strategy, culture, and value-creation process.

The LHIN’s ERM system should bring to the board’s attention the LHIN’s most significant risks and allow the board to understand and evaluate how these risks may be correlated and the manner in which they may affect the LHIN’s mitigation or response strategies.

For board purposes it is useful to discuss organization risk within the context of the classic control cycle (Deming paradigm) of plan, do, check and act (PDCA, Figure 1).

It is senior management’s responsibility to plan, implement, monitor, and revise major strategic initiatives, all of which simultaneously create and affect organizational risk. This means that the board must ensure that the LHIN’s strategic plans are adequately based on appropriate, reliable, and complete information which, in turn, requires the board to undertake an assessment of the LHIN’s strategic plan.

The board must verify that management has put in place control systems to ensure that its major initiatives have been implemented as planned and that there are effective systems to monitor and evaluate the successful achievement of objectives.

The LHIN Board’s responsibility is to ensure:

a) the LHIN strategic plan is based on appropriate, reliable, and complete information

b) control systems are in place to ensure that major LHIN initiatives have been implemented as planned and that mitigation strategies are in place

c) control systems are in place to monitor and evaluate the successful achievement of objectives

d) management regularly compares planned and actual results, and appropriately re-evaluates strategy on that basis

2. LHIN Senior Management

An ERM approach to risk management requires a top-down view of risks faced by the organization. Visible leadership from and embraced by the LHIN senior management team is a critical component to an effective ERM system. Those organizations that have started down the ERM path attest to the reality that the adoption of a holistic view of risks, which requires that risk information be shared transparently across the organization, requires a mindset or culture where risk management permeates all levels of the organization.

The LHIN CEO has overall responsibility for risk management and will ensure the effective execution of the LHIN ERM system. The LHIN CEO will ensure that all risk management activities are coordinated and no significant risk is overlooked.

The LHIN Senior Director Finance and Risk Management is responsible for:

a) the development, implementation, and review of the ERM system including the review of risk management policies, procedures and plans

b) the development of processes to identify risks across the NSM LHIN

c) the development of a standardized risk analysis framework including levels of severity of impact and levels of likelihood of the risk occurring

d) assessment and analysis of critical incidents

e) the provision of analytical reports and recommendations regarding risk for the LHIN leadership team, the board and the board audit and finance committee

f) engaging management and senior leadership in discussions regarding events or developments that could expose the LHIN to potential risks/losses.


3. LHIN Staff

As mentioned previously, it is important that a holistic approach be taken to ERM. While risk management is coordinated with senior-level oversight, employees at all levels of the organization using ERM are encouraged to view risk management as an integral and ongoing part of their jobs. Accordingly, staff have an inherent responsibility to identify risks in their respective programs/projects in order to assist in developing and implementing risk management strategies.

Principles of Risk Management

The International Standards Organization (ISO) offers a framework for Risk Management in its published guide, ISO 31000 Risk Management: Principles and Guidelines. It incorporates best practice from a number of leading international risk management standards.

The overarching concept of the ISO ERM framework is that the risk management in an organization is fully integrated into the management and direction of the organization. Risk management is just one aspect of management and is just one more tool available to managers besides tools for: operations, finance, planning, human resources, and so forth. Risk management is not an add-on step but rather is fully integrated and embedded in all decision processes.

The ISO framework is principle-based rather than prescriptive. The overarching ISO principle is that risk management should have net value to the organization. ISO identified 10 principles for risk management which provide the basic attributes for ERM:

1. Creates values for objectives of health, reputation, profits, compliance and so on, less the costs of risk management.

2. Is an integral part of organizational processes including project management, strategic planning, auditing, and all other processes.

3. Is part of decision making through analysis and evaluation to understand risk and determine its acceptability as treated.

4. Explicitly addresses uncertainty and how it can be modified.

5. Is systematic, structured and timely and produces repeatable and verifiable outcomes and decisions.

6. Is based on the best available information including historical data, expert opinion, stakeholder concerns, and so forth, tempered with the quality and availability of the information.

7. Is tailored to the organization, its objectives, its risks, and its capabilities.

8. Takes human and cultural factors into account in addition to technical and other “hard” factors that impact the likelihood of consequences.

9. Is transparent and inclusive so that communications and consultation with stakeholders and others keeps the risk management and risk criteria current and relevant.

10. Is dynamic, iterative and responsive within a “continuous improvement” environment that responds to changes in context, trends, risk factors and other internal and external factors.

Risk Management Process

The Risk Management Process is fundamentally a five-step process:

1) Risk Identification

2) Risk Analysis

3) Risk Evaluation

4) Risk Treatment

5) Monitoring and Review

Outlined below are two templates which depict the Risk Management Process. These templates are not flow charts but relational diagrams and can be tailored to the NSM LHIN. A “tailored” approach is designed to ensure that risk management is both practical and aligned with the LHIN’s structures, processes, and objectives.

Risk Management Process – Example 1

This template illustrates the tactical process of Risk Management overlaid by the strategic process:


Risk Management Process – Example 2

This template is a relational diagram; the text recovered from it is grouped below by stage, each stage with the question it answers.

CONTEXT – What is at risk and why?

• Business and project objectives

• Projects in the context of the business

• Business and project boundaries

RISK IDENTIFICATION – What (and where) are the risks?

• Sources of risk

• What are the risks? How do they arise?

• Groupings and associations

RISK ANALYSIS – What is known about them?

• Characteristics

• Classification

• Estimates of likelihood

• Potential consequences

RISK EVALUATION – How important are they?

• Set criteria

• Decide ranking

• Select priorities

RISK TREATMENT – What should be done about them?

• Identify options

• Evaluate options

• Plan treatment measures

• Assess secondary risks

• Allocate responsibilities

• Implement treatment

Feedback loop (secondary risks):

• Maintain database

• Communicate and explain

• Monitor effectiveness of process

• Review objectives, decisions and assumptions

• Update plans

Risk Management Process – Risk Assessment

Risk Assessment involves three tasks:

1) Risk Identification

2) Risk Analysis

3) Risk Evaluation

1.0 Risk Identification

Risk identification is the process through which the organization becomes aware of risks that constitute potential loss exposures. The primary process of risk identification is to identify risks to the organization which would reduce or remove likelihood of the organization reaching its strategic objectives. The Ontario Public Service uses 13 categories for risk:

1) Compliance/Legal

2) Equity

3) Financial

4) Governance/Organizational

5) Information/Knowledge

6) Operational or Service Delivery

7) People/Human Resources

8) Political

9) Privacy

10) Security

11) Stakeholder/Public Perception

12) Strategic/Policy

13) Technology

Risks associated with any decision must be identified and placed in a risk register or risk log before they can be treated, even if it is later determined that the risk levels with existing controls are acceptable. It is assumed that not all risks will be identified and so there needs to be a provision for monitoring and review to add risks to the register. In many cases risks can be described in aggregate terms representing dozens or more sub-risks.

Risk identification can employ numerous methods or techniques including:

• Brainstorming

• Interviews and self-assessment

• Facilitated workshops

• Questionnaires and risk surveys


2.0 Risk Analysis

The purpose of risk analysis is to provide the decision maker with sufficient understanding of the risk, that they are satisfied they have the appropriate level of knowledge about the risk to make decisions on risk treatment and acceptance. Risk analysis may be organized into estimates of likelihood of events, estimates of consequence of events and estimates of the combined effect of likelihood and consequences according to the risk criteria. The steps in risk analysis include:

1) Assign the Severity/Impact/Consequence of the risk (i.e., Minor, Moderate, Major, Severe).

2) Assign the Likelihood/Frequency of the risk occurring (i.e., Rare, Unlikely, Likely, Almost Certain).

3) Score Risk Impact using a Risk Matrix (i.e., Minor, Moderate, Major, Severe).

4) Prioritize action.

A risk map (sometimes called a heat map) is one of the most commonly used methods to depict the largest risks facing an organization. It is visually appealing, and easy to understand and describe. It typically consists of two axes: the vertical axis showing the potential impact of the risk and the horizontal axis showing the estimated likelihood of the risk occurring - both usually measured on a scale of 1 (low) to 5 (high). A generic example of a risk map is as follows:

                        LIKELIHOOD
IMPACT      1          2          3          4          5
5           Moderate   Extreme    Extreme    Extreme    Extreme
4           Low        Moderate   High       Extreme    Extreme
3           Low        Low        Moderate   High       High
2           Low        Low        Low        Low        Moderate

Examples of two Risk Maps:

Rouge Valley Health System (Scarborough)

                                        IMPACT
LIKELIHOOD        Insignificant    Minor            Moderate         Major            Extreme
Almost Certain    Moderate Risk    Moderate Risk    High Risk        Critical Risk    Critical Risk
Likely            Low Risk         Moderate Risk    High Risk        Critical Risk    Critical Risk
Possible          Low Risk         Moderate Risk    Moderate Risk    High Risk        High Risk
Unlikely          Low Risk         Low Risk         Moderate Risk    Moderate Risk    High Risk
Rare              Low Risk         Low Risk         Low Risk         Moderate Risk    Moderate Risk

Alberta Health Services

                                        LIKELIHOOD
CONSEQUENCE/IMPACT    Rare        Unlikely    Possible    Likely     Almost Certain
Catastrophic          Moderate    Extreme     Extreme     Extreme    Extreme
Major                 Low         Moderate    High        Extreme    Extreme
Moderate              Low         Low         Moderate    High       High

Risk Evaluation/Scoring Scale/Matrix

The Ontario Public Service (OPS) uses the following rating scale:

Value   Likelihood                       Impact                                       Proximity              Scale
1       Unlikely to occur                Negligible impact                            More than 36 months    Very low
2       May occur occasionally           Minor impact on time, cost or quality        12-24 months           Low
3       Is as likely as not to occur     Notable impact on time, cost or quality      6-12 months            Medium
4       Is likely to occur               Substantial impact on time, cost or quality  Less than 6 months     High
5       Is almost certain to occur       Threatens the success of the project         Now                    Very High

3.0 Risk Evaluation

An important element of risk evaluation is risk tolerance. Risk tolerance is key to achieving effective ERM and it must be considered before determining how risks can be addressed. Risk tolerance is the risk exposure an organization determines appropriate to take or avoid taking.

It’s an important component of risk management in that it clarifies what risk exposures are acceptable to take and what exposures are to be avoided. The concept may be looked at in different ways depending on whether the risk being considered is an opportunity or a threat. Some risk may not be within the ability of the LHIN to completely manage it – resulting in risk exposure or residual risk.

Determining risk tolerance involves applying judgment - giving careful consideration to the following key factors:

1) NSM LHIN’s attitude towards risk.

2) NSM LHIN’s goals.

3) NSM LHIN’s capability to manage risk.

4) NSM LHIN’s capacity to absorb the impact of potential loss related to taking the risk.

5) The cost/benefit of managing the risk.

Each factor must be considered individually and collectively – reflecting ultimately that the NSM LHIN must be in a position to demonstrate that it is appropriately managing the risks to which it


An important part of formalizing and communicating risk tolerance is through policies. Where the board of directors has delegated decision-making responsibility to management, policies should be written which clarify:

• The risk tolerance (i.e. parameters) within which the board expects management to manage risk.

• The information that management should provide to the board about the management of the risk, so that the board can carry out its oversight responsibilities.

Given the complex nature of the LHIN and its health service providers’ variance of delivery models, risk must be assessed at multiple levels. From an enterprise-wide perspective, risk tolerance is determined from the risk boundaries the board and senior management are willing to tolerate. At a more granular level, there may be operational initiatives which require specific statements of risk tolerance.

Risk Treatment (Responding to Risk - Plan and take Action)

The risk assessment exercise will determine the action plan with respect to the mitigation of the risk. It is here where control or mitigation strategies are identified or formulated and implemented. The focus/priority should be on those risks that are the most likely to occur and which have the most impact on a project, the organization or the health system as a whole. Consider the Risk Map examples identified earlier. Regardless of the format or style chosen in the development of a Risk Map, the fundamental focus needs to be on the upper right area as this is where the most severe risks are scored.

Figure 2 depicts the area of primary focus – “High Impact/High Likelihood”.

Figure 2 (quadrant chart; recovered labels): vertical axis Impact of Risk (1-4), horizontal axis Likelihood (1-4); quadrants High Impact/Low Likelihood, High Impact/High Likelihood, Low Impact/Low Likelihood, Low Impact/High Likelihood.

Another, but similar way to look at where the organization needs to focus its risk mitigation efforts is represented in Figure 3, which maps risks out in terms of Impact on Strategic Objectives.

Figure 3

                                          Likelihood
Impact on Strategic Objective    Remote (<10%)    Possible (10%-50%)    Likely (>50%)
Critical                         Medium           High                  Critical
Major                            Low              Medium                High
Manageable                       Low              Low                   Medium

The key concepts for the evaluation, selection and design of an effective program of risk treatments are:

• Determine if risk exposure is within tolerance levels. If not, adjust risk response activities.

• To determine how best to manage a risk, you need to understand how it arises.

There are two types of risk treatments: Prevention activities – aimed at reducing the likelihood of occurrence of the risk event and Mitigation activities aimed at reducing magnitude of the impact should the risk event occur.

Management of most risks consists of a combination of prevention and mitigation measures. The focus should be on prevention as it is typically more cost-effective however, because no prevention regimen is perfect it is prudent to put in place strong mitigation activities. To mitigate a risk is to moderate or alleviate a risk – to lessen it in some way.

It is common in risk management circles to think of a choice among four basic alternatives for managing a given risk:

1) Avoid: We can choose to not take action that would create an exposure of some kind.

3) Transfer or Share: Risks can be transferred to someone else. Insurance is the best example of this as is the transfer of risk through contractual methods.

4) Accept: This is the default choice for any risk management. You simply accept the risk as is.

Monitoring and Reviewing

Monitoring and review are key to the continuous improvement of risk management. For example, most approaches to risk maturity examine how monitoring and review leads to actions and then to observable improvements. Every aspect of the Risk Management Process needs to be monitored and reviewed with the following in mind:

• Has the risk changed in character due to trends? Are there new risks evolving or emerging?

• Has the context for the risk management changed?

• Is the risk treatment plan being implemented? As planned?

• Are controls effective?

• What is the appropriate frequency of monitoring?

• Based on actual outcomes for objectives, was the risk assessment accurate?


NSM LHIN Risk Management Process

Risk Identification

NSM LHIN Risk can be separated into two major areas:

1. LHIN Operations

2. Health System/Health Service Providers

Within each area of risk there are several categories of risk. A consortium of four LHINs, led by the Central East LHIN, developed a list of various risk categories. They are as follows:

LHIN Operations

Category            Components
Operational Risk    Privacy; Legal & Regulatory; Facility; Information Technology; Human Resources; Issues Management; Corporate Governance
Reputational Risk
Strategic Risk
Financial Risk

Health System/Health Service Providers

Category            Components
Operational Risk    Stakeholder Relations (HSPs/Health System); Legal & Regulatory; Performance Management; Programs; Projects; Information Technology; Health Human Resources; Privacy & Security; Quality Care & Safety; Environments & Infrastructure
MLAA Risk
Financial Risk
Strategic Risk
Performance Risk
Reputational Risk

A common approach to specific risk identification is through the interview process. The NSM LHIN is organized around geographical regions with each region having “leads”. In order to “drill down” from the Risk Component level, as identified in the previous chart, to specific risks, it makes sense then to engage the geographic leads.

Risk Analysis

1. Assign the Likelihood/Frequency of the risk occurring

2. Assign the Severity/Impact/Consequence of the risk

Value   Likelihood        Value   Impact
1       Rare              1       Insignificant
2       Unlikely          2       Minor
3       Possible          3       Moderate
4       Likely            4       Major
5       Almost Certain    5       Extreme

3. Assign the Severity/Impact/Consequence of the risk (i.e., Minor, Moderate, Major, Extreme).

NSM LHIN Risk Matrix or Heat Map

                                 LIKELIHOOD
IMPACT           Rare    Unlikely    Possible    Likely     Almost Certain
Extreme          Low     Medium      High        Extreme    Extreme
Major            Low     Medium      High        High       Extreme
Moderate         Low     Medium      Medium      High       High
Minor            Low     Low         Medium      Medium     High
Insignificant    Low     Low         Low         Low        Low

Risk Rating

Rating     Likelihood × Impact Score    Colour Code
LOW        0-5
MEDIUM     6-11
HIGH       12-19
EXTREME    > 20

Risks associated with any decision must be identified and placed in a risk register or risk log before they can be treated, even if it is later determined that the risk levels with existing controls are acceptable.

There are many examples of a risk register. The recommended register for the NSM LHIN is a variation of the risk register currently used by the Vancouver Island Health Authority. Two risk registers would be established, one for LHIN Operations, the other for the Health System. Each risk register would then contain a further breakdown of related risk categories:

Risk Registers - LHIN Operations Register and Health System Register

• Risk Component (i.e., human resources, corporate governance, information technology)

• Description of Risk

• Inherent Risk Rating – which is the product of Risk Likelihood and Risk Consequence

  o The result of the multiplication of Risk Likelihood and Risk Consequence will correspond to a colour coded rating as described in the chart above.

• Impact/Consequence

  o Rating of 1-5 for each category

• Mitigation Strategy

• Residual Risk Rating

  o The risk rating after the implementation of the mitigation strategy

• Change status (i.e., increased, decreased, same)
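The scoring rules above (a 1-5 likelihood times a 1-5 impact, mapped to the LOW/MEDIUM/HIGH/EXTREME bands, then compared before and after mitigation to fill the register's change-status column) are small enough to be implemented and checked directly. The following Python is an added example written for this page; it is not the LHIN's own tooling. It transcribes the heat map and rating bands from the page, uses the first Exhibit A row as sample input, and adds two things a practitioner would want to verify: the band chart leaves a score of exactly 20 unassigned (HIGH ends at 19, EXTREME starts above 20) while Exhibit A rates a 4 × 5 = 20 risk as EXTREME, so the code treats 20 and above as EXTREME and says so; and it cross-checks every heat-map cell against the multiplicative bands, which reveals the one cell (Minor impact, Almost Certain likelihood: chart says High, 2 × 5 = 10 falls in MEDIUM) where the two rules on the page disagree. The rule that change status is derived by comparing residual and inherent scores is an assumption; the page lists the column but not how it is filled.

```python
from dataclasses import dataclass

# Five-point scales as listed in the NSM LHIN Risk Analysis table.
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Extreme"}

# Rating bands from the "Risk Rating" chart (LOW 0-5, MEDIUM 6-11, HIGH 12-19,
# EXTREME > 20). The chart leaves a score of exactly 20 unassigned; Exhibit A
# rates a 4 x 5 = 20 risk as EXTREME, so this example (an assumption, not the
# page's words) treats 20 and above as EXTREME.
BANDS = [(0, 5, "LOW"), (6, 11, "MEDIUM"), (12, 19, "HIGH"), (20, 25, "EXTREME")]

# The NSM LHIN heat map: row = impact value, columns = likelihood 1..5.
HEAT_MAP = {
    5: ["Low", "Medium", "High", "Extreme", "Extreme"],
    4: ["Low", "Medium", "High", "High", "Extreme"],
    3: ["Low", "Medium", "Medium", "High", "High"],
    2: ["Low", "Low", "Medium", "Medium", "High"],
    1: ["Low", "Low", "Low", "Low", "Low"],
}


def score(likelihood: int, impact: int) -> int:
    """Inherent or residual score: Likelihood x Impact, each on 1-5."""
    for v in (likelihood, impact):
        if v not in range(1, 6):
            raise ValueError(f"scale value {v} is outside 1-5")
    return likelihood * impact


def rate(total: int) -> str:
    """Map a score to the register's colour-coded rating band."""
    for low, high, name in BANDS:
        if low <= total <= high:
            return name
    raise ValueError(f"score {total} has no rating band")


def heat_map_disagreements():
    """Cells where the published heat map and the multiplicative bands differ.

    Anyone adopting both the chart and the matrix should know where they
    disagree, because the same risk would be ranked differently by each.
    """
    out = []
    for impact, row in HEAT_MAP.items():
        for likelihood, cell in enumerate(row, start=1):
            by_score = rate(score(likelihood, impact))
            if cell.upper() != by_score:
                out.append((IMPACT[impact], LIKELIHOOD[likelihood], cell.upper(), by_score))
    return out


@dataclass
class RegisterEntry:
    category: str
    component: str
    owner: str
    description: str
    inherent: tuple  # (likelihood, impact) before any treatment
    mitigation: str
    residual: tuple  # (likelihood, impact) after the mitigation strategy

    def inherent_rating(self) -> str:
        return rate(score(*self.inherent))

    def residual_rating(self) -> str:
        return rate(score(*self.residual))

    def change_status(self) -> str:
        # Assumption: the change-status column is derived by comparing the
        # residual score with the inherent score.
        before, after = score(*self.inherent), score(*self.residual)
        if after < before:
            return "Decreased"
        if after > before:
            return "Increased"
        return "Same"


# First row of Exhibit A, transcribed from the page, used as sample input.
SPACE_SHORTAGE = RegisterEntry(
    category="Operational Risk",
    component="Human Resources",
    owner="EMC",
    description="Space shortage at LHIN offices means unable to staff to sufficient levels",
    inherent=(4, 4),
    mitigation="Redesign office space to increase ability to add staff; expand virtual office practice",
    residual=(2, 2),
)

if __name__ == "__main__":
    e = SPACE_SHORTAGE
    print(f"{e.component}: inherent {score(*e.inherent)} {e.inherent_rating()}, "
          f"residual {score(*e.residual)} {e.residual_rating()}, {e.change_status()}")
    for impact, likelihood, chart, by_score in heat_map_disagreements():
        print(f"heat map says {chart} for {impact}/{likelihood}; bands say {by_score}")
```

Running the block reports the sample row as inherent 16 HIGH, residual 4 LOW, Decreased, which matches Exhibit A, and lists the single Minor/Almost Certain cell as the place where the chart and the bands diverge; a register that is populated by lookup in one and reviewed against the other will show that discrepancy as a recurring argument unless the two are reconciled.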

Exhibit “A”, North Simcoe Muskoka LHIN Risk Register, represents an example of a proposed Risk Register for the category of “LHIN Operations”.

Exhibit “B”, North Simcoe Muskoka LHIN Risk Register, represents an example of a proposed risk Register for the category of “Health System”.


Exhibit A – North Simcoe Muskoka LHIN Risk Register – LHIN Operations

L = Likelihood (1 to 5), C = Consequence (1 to 5), Total = L × C. The first L/C/Total/Rating group is the inherent risk, the second the residual risk after mitigation.

| Risk Category | Risk Component | Risk Owner | Description of Risk | L | C | Total | Inherent Risk Rating | Quarters on Register | Impact/Consequence | Mitigation Strategy | L | C | Total | Residual Risk Rating | Change |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Operational Risk | Human Resources | EMC | Space shortage at LHIN offices means unable to staff to sufficient levels; larger office space puts pressure to stay within operating budget | 4 | 4 | 16 | HIGH | 2 | Cost overruns and inability to service stakeholders | Redesign office space to increase ability to add staff; expand on virtual office practice | 2 | 2 | 4 | LOW | Decreased |
| Operational Risk | Privacy | EMC | Loss of key talent | 2 | 4 | 8 | MEDIUM | 3 | Business continuity | Succession planning, cross-functional roles | 1 | 4 | 4 | LOW | Decreased |
| Operational Risk | Information Technology | | Breach of confidentiality due to staff practices | 5 | 3 | 15 | HIGH | 1 | Reputation damage, costs (legal) | Develop policies around appropriate protection and technology standards | 1 | 3 | 3 | LOW | Decreased |
| Operational Risk | Information Technology | | | 3 | 5 | 15 | HIGH | 1 | | | 3 | 4 | 12 | HIGH | Decreased |
| Operational Risk | Facilities | | | 3 | 5 | 15 | HIGH | 0 | | | 3 | 5 | 15 | HIGH | Same |
| Operational Risk | Legal & Regulatory | | | 2 | 3 | 6 | MEDIUM | 0 | | | 2 | 3 | 6 | MEDIUM | Increased |
| Operational Risk | Privacy | | | 4 | 3 | 12 | HIGH | 0 | | | 4 | 3 | 12 | HIGH | Same |
| Reputational Risk | Human Resources | | | 1 | 5 | 5 | LOW | 0 | | | 3 | 5 | 15 | HIGH | Same |
| Strategic Risk | Legal & Regulatory | | | 4 | 4 | 16 | HIGH | 0 | | | 3 | 4 | 12 | HIGH | Increased |
| Financial Risk | Facilities | | | 4 | 5 | 20 | EXTREME | 0 | | | 5 | 5 | 25 | EXTREME | Same |

The remaining rows of the template are unfilled (all ratings 0, LOW, Same). In the original the Change column is colour-coded: Increased, Decreased, No Change.


Exhibit B – North Simcoe Muskoka LHIN Risk Register – Health System

L = Likelihood (1 to 5), C = Consequence (1 to 5), Total = L × C. The first L/C/Total/Rating group is the inherent risk, the second the residual risk after mitigation.

| Risk Category | Risk Component | Risk Owner | Description of Risk | L | C | Total | Inherent Risk Rating | Quarters on Register | Impact/Consequence | Mitigation Strategy | L | C | Total | Residual Risk Rating | Change |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Clinical | Programs | ABC Hospital | ABC hospital in a significant deficit position | 5 | 5 | 25 | EXTREME | 3 | Inability to provide effective services | Directed an operational audit; deficit recovery plan submitted; established a communication strategy with the MOHLTC, NSM LHIN and ABC Hospital | 3 | 5 | 15 | HIGH | Decreased |
| Clinical | Programs | XYZ Hospital | XYZ hospital projecting a small deficit position | 1 | 4 | 4 | LOW | 2 | Inability to provide effective services | Submission of deficit recovery plan | 1 | 4 | 4 | LOW | Same |
| Clinical | Programs | EMC | DEF Agency expands services to a new population which is outside of its mandate | 4 | 3 | 12 | HIGH | 4 | Inability to provide effective services for mandated activities | Utilize M-SAA to stop this activity | 1 | 3 | 3 | LOW | Decreased |
| Clinical | Programs | TTT Hospital | Volumes not met in fiscal year for incremental funding for hip and knee replacement | 3 | 4 | 12 | HIGH | 1 | Funding is clawed back and impacts on future services | Requires both organizations to coordinate surgical schedules to achieve the combined target | 1 | 4 | 4 | LOW | Decreased |
| Clinical | Quality Care & Safety | HHH Hospital | Cost overruns and inappropriate quality of care due to wrong patient placement | 4 | 5 | 20 | EXTREME | 2 | Pressure to balance budget; inability to deliver appropriate care path | Timely assessment and patient transfer to appropriate setting | 2 | 5 | 10 | MEDIUM | Same |
| Operational Risk | Information Technology | | | 2 | 3 | 6 | MEDIUM | 0 | | | 2 | 3 | 6 | MEDIUM | Increased |
| Operational Risk | Health Human Resources | | | 4 | 3 | 12 | HIGH | 0 | | | 4 | 3 | 12 | HIGH | Same |
| Operational Risk | Privacy & Security | | | 1 | 5 | 5 | LOW | 0 | | | 3 | 5 | 15 | HIGH | Same |
| Operational Risk | Quality Care & Safety | | | 4 | 4 | 16 | HIGH | 0 | | | 3 | 4 | 12 | HIGH | Increased |
| MLAA Risk | Financial Risk | | | 4 | 5 | 20 | EXTREME | 0 | | | 5 | 5 | 25 | EXTREME | Same |
| MLAA Risk | Strategic Risk (Care Connect) | | | 0 | 0 | 0 | LOW | 0 | | | 0 | 0 | 0 | LOW | Same |
| MLAA Risk | Performance Risk | | | 0 | 0 | 0 | LOW | 0 | | | 0 | 0 | 0 | LOW | Same |

The remaining rows of the template are unfilled (all ratings 0, LOW, Same). In the original the Change column is colour-coded: Increased, Decreased, No Change.


Material Sources

1. Fraser, J. and Simkins, B., Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives, John Wiley & Sons.

2. Central East LHIN Enterprise Risk Management policy, sent to LHIN CEOs March 22, 2010.

3. CMA Canada, Management Magazine, "A Director's Guide to Risk and its Management", November 2004.

4. Vinette, P. and Hartley, S., Risk Management Tool Kit for Not-for-Profit Executives, Canadian Society of Association Executives.

5. Khokar, S., Enterprise Risk Management Framework (paper).

6. Shortreed, J., Hicks, J. and Craig, L., Basic Frameworks for Risk Management, Network for Environmental Risk Assessment and Management, March 2003.

7. American Institute of Certified Public Accountants, Report on the Current State of Enterprise Risk Oversight, 2nd edition, 2010.

8. Alberta Health Services, Risk Analysis and Evaluation Guide.

9. Vancouver Island Health Authority, Risk Register.
