VCOSS – DARU workshop 17 October 2012 Tips, Tricks and Concepts for making risk management work.


  1. VCOSS – DARU workshop 17 October 2012 Tips, Tricks and Concepts for making risk management work. Diana Borgmeyer - Risk Management Adviser

  2. Agenda • About the VMIA • The Victorian Risk Management Context • Governance and Risk • A quick overview of AS/NZS/ISO31000 • Integrating Risk • Risk Framework elements • Tools and Tips • Activity – Describing Risks • Risk Management Pitfalls • Questions

  3. VMIA Clients (diagram) • Government • Ministers • Central agencies • Departments • Portfolio Departments • Agencies • Statutory Authorities [e.g. public hospitals] • External providers [e.g. welfare and housing providers, contractors] • VMIA • SSA • Victorian Community. Client numbers: 11 Departments; 89 Hospitals & Ambulance Services; 90 Statutory Authorities; 3500 Community Service Organisations

  4. VMIA Risk Services Risk Register Software

  5. Determining where we are now (Risk Management maturity model, diagram): where are we now, and what is the targeted maturity state? Source: Courtesy use by Victorian Managed Insurance Authority (2010 year version)

  6. Victorian Government Context

  7. Risk management in context • Whole of Government framework and attestation • risk management process consistent with AS/NZS ISO 31000 • internal control system so that the executive understands, manages and satisfactorily controls risk exposures • Responsible body verifies the assurance made, and the risk profile has been critically reviewed in the last 12 months • Inter-agency risk

  8. DHS Service Level Agreement 2012-15 Risk Management Clause 3.20.2 acknowledges that risk management is an integral part of good organisational practice. The service agreement requires an organisation’s CEO or Board Member to attest annually that it is managing risk in accordance with the AUS/NZS/ISO 31000:2009 standard, that its risk management processes satisfactorily and effectively manage the organisation’s risks, and that, within the twelve months prior to attestation, the organisation has undertaken a review of its risk management processes.

  9. Risks we see of concern to Health and Community Sector Boards • Governance failures • Direct care workforce sustainability • Service delivery failures • Damage to stakeholder relationships/Reputation • Failure to adapt to changing service and funding models • Funding uncertainty • Inadequate emergency preparedness/response • Regulatory or funding standards non-compliance

  10. Common Risk Areas • Client dissatisfaction • Unfavourable publicity and/or reputation damage • Mismanagement (e.g. projects, finance) • Threat to physical safety • Failure of equipment or computer systems • Breach of legal obligations and contractual responsibility • Fraud • Deficiencies in financial controls and reporting • Unethical behaviour • Failure to protect assets and goodwill

  11. Governance and Risk

  12. Governance “Corporate governance generally refers to the processes by which organisations are directed, controlled and held to account. It encompasses authority, accountability, stewardship, leadership, direction and control exercised in an organisation”[1] [1] Standards Australia, AS 8000-2003 Corporate Governance – Good governance principles, July 2003, p7

  13. Definition of Public Sector Governance ‘…the set of responsibilities and practices, policies and procedures, exercised by an agency’s executive, to provide strategic direction, ensure objectives are achieved, manage risks and use resources responsibly and with accountability.’1 Good Governance is about both: • Performance – how an agency uses governance arrangements to contribute to its overall performance and delivery of services or programmes. • Conformance – how an agency uses governance arrangements to ensure it meets the requirements of the law, regulations, published standards and community expectations on probity and accountability. 1. Adapted from ANAO, Implementation of program and policy initiatives: Better Practice Guide, 2006, p.13.

  14. Governance - common elements

  15. How governance & risk management underpin an organisation’s performance (diagram). Source: Public Sector Governance Better Practice Guide – Volume 1, Australian National Audit Office, July 2003

  16. Core principles underpinning Governance frameworks • Accountability & Compliance: being answerable for decisions and having appropriate compliance mechanisms • Transparency & structure: clear roles, duties and procedures in decision making • Leadership: ‘tone at the top’ to achieve organisation-wide commitment from the top • Integrity: acting impartially, ethically and in the interests of the organisation[1] [1] Public sector governance and the individual officer – guidance paper no.1 – Better Practice Guide, Australian National Audit Office, July 2003

  17. Good governance attributes • Clear roles & responsibilities • Ethics based culture • Accountability through control, monitoring and review • Effective governing body • Communication & awareness • Transparent external reporting • Integrated risk management practices in planning, operations & reporting

  18. risk management? • An integral part of the organisation’s management system • Essential for ‘good governance’ • Offers common language and consistency • Embeds the risk management process in decision making • Don’t simply ask ‘what may go wrong?’ … ask ‘what must go right?’ • Good risk management doesn’t stifle progress and innovation – it drives success

  19. “Looking back, I wish I had pressed harder. It’s easy to say after the fact.” Yukinobu Okamura, Head of Active Fault and Earthquake Research Centre, recalling tsunami concerns he raised in June 2009 at a Japan Trade Ministry meeting to assess reactor safety. Tsunami Warnings ignored, The Age March 26 2011

  20. “Details of risks were either not satisfactorily conveyed to senior executives and ministers or, if conveyed, were not acted on.” Energy Efficient Homes Package (Ceilings Insulation) Senate Inquiry Report (15 July 2010)

  21. Why do strategies fail? Only 10% of organisations execute their strategy. The problem isn’t lack of strategy. It’s the lack of ability to successfully manage the execution of what looks strategically good on paper. Barriers to Strategy Execution (diagram): • Vision Barrier: only 5% of the workforce understands the strategy • People Barrier: only 25% of managers have incentives linked to strategy • Management Barrier: 85% of executive teams spend less than one hour per month discussing strategy • Resource Barrier: 60% of organisations don’t link budgets to strategy. Reference: Robert Kaplan and David Norton - The Balanced Scorecard and The Strategy Focused Organization

  22. Six key questions Essentially, risk management seeks to answer these basic questions: • what are we trying to achieve? • what events or circumstances could affect the achievement of our objectives? • what are the consequences? • how likely are these events? • what can we do to manage these outcomes? • how will we maximise opportunities?

  23. AS/NZS ISO 31000:2009

  24. The definition of risk? “The effect of uncertainty on objectives.” Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood. AS/NZS ISO 31000:2009 The aim of risk management is not the management of risk but the achievement of objectives.

  25. Overview of AS/NZS/ISO31000 (diagram). Framework: Mandate & commitment • Design of framework for managing risk • Implementing risk management • Monitoring & review of the framework • Continual improvement of the framework. Process: Establishing the Context • Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation) • Risk Treatment, with Communication & Consultation and Monitoring & Review running throughout

  26. AS / NZS ISO 31000:2009 - Risk management principles 1. Creates value 2. Integral part of organisational processes 3. Part of decision making 4. Explicitly addresses uncertainty 5. Systematic, structured and timely 6. Based on the best available information 7. Tailored 8. Takes human and cultural factors into account 9. Transparent and inclusive 10. Dynamic, iterative and responsive to change 11. Facilitates continual improvement and enhancement of the organisation. These principles should be reflected in your organisation’s approach

  27. Fit-for-purpose Risk management should be embedded in all the organisation's practices and processes in a way that it is relevant, effective and efficient. The risk management process should become part of, and not separate from, those organisational processes. In particular, risk management should be embedded into the policy development, business and strategic planning and review, and change management processes. (Source: AS/NZS/ISO31000:2009 Risk Management – Principles and Guidelines)

  28. Risk Terminology • Risk: chance of something happening that will have an impact on objectives • Likelihood: chance of something happening • Consequence: outcome of a risk on objectives • Risk Rating: overall rating which determines actions & risk treatments by the Board, CEO & Executive • Control: includes any process, policy, device, practice or action which modifies risk • Control Effectiveness: assessment of the effectiveness of controls to determine if any gaps exist • Risk Owner: person or entity with the accountability & authority to manage a risk • Risk Treatment: can involve avoiding the risk, increasing the risk to gain an opportunity, removing the source, changing the likelihood or consequence, sharing the risk, or retaining the risk

  29. Integrating risk

  30. What are the benefits of an Enterprise-wide approach to Risk Management? • Enables identification of threats and opportunities for an agency • Improves and informs the planning process • Reduces likelihood of costly “surprises” • Contributes to improved resource allocation • Improves efficiency and performance • Improves accountability • Encourages continual improvement

  31. Managing risks in order to meet our ‘objectives’ ‘Choosing which risks to take ……. and then managing them well’

  32. Risk and planning - a comprehensive process • Designed to identify, analyse, evaluate, treat, monitor and communicate risks that could prevent an organisation from achieving its objectives. • Covers strategic, operational, financial and compliance risks. • The term “enterprise-wide risk management” is widely used by the Victorian public sector and by the private sector, both for-profit and not-for-profit, to describe this comprehensive approach.

  33. Link strategy, operations and risk management (three-stage diagram). Elements: Organisational Objectives • Strategies • Strategic Objectives, Key Performance Indicators & Targets • Strategic Risks • Cascading Process (Cascade & Align) • Department A, Program B and Service C Operational Objectives, Indicators & Targets • Operational Risks • Organisational-Wide Risk Register • Risk Reporting (Reporting System). Stages: Link Risk Management To Strategic Planning • Cascade & Align • Link Risk Management To Operational Planning

  34. Different levels, different types of risks (diagram): Enterprise Level • Program Level • Project Level • Subproject Level. Risks ultimately should be filtered to the lowest level possible for ownership and mitigation

  35. Different levels of risk (table) • Executive: Strategic Risks; Vision and Mission, Corporate strategy and objectives; Corporate Plan; Measures/Targets; Emerging • Management and staff: Operational Risks; Business and operational objectives; Business Plan; Measures/Targets; Emerging • Project managers: Project Risks; Project objectives; Project Plan; Measures/Targets; Emerging

  36. Differences and similarities between strategic and operational risks? • Both follow principles of AS/NZS ISO 31000:2009 • Differences can include: • Risk context: strategic risks are most likely to impact organisational goals/objectives • Participants (senior executives, audit, some board) • Treatments for high level risks may vary • Methods used for identifying and evaluating risk may vary • Timelines can be different – some goals are longer term • Requires strategic thinking • Ideally strategic risks are identified before operational risks • Both strategic and operational risks should be centrally managed

  37. Strategic Risk Assessment For strategic risk assessment of the whole organisation, ‘goals, objectives & strategies’ are established as part of the organisational context

  38. A strategy focused risk assessment process Example: The Head of the Defence force has a strategy to engage the enemy to regain a key piece of land • The Generals are told the strategy is to capture ‘important assets’ • They think “which assets are important?” (strategic context) • They consider: • do they have enough personnel/skills and support? (organisational context) • how can the strategy fail or be achieved? (risk management context) • To improve success rates they will need to develop a high level plan on the strategy and its key objectives (strategic plan) • They will need to evaluate whether there will be issues that may impede the strategic plan (e.g. ambush, not enough soldiers, wrong information about assets) (strategic risk assessment) • Once you understand the threats you then put in plans to avoid them and fine tune the plan before giving it to the officers to execute • The officers will develop operational orders for the soldiers to follow about how the offensive will take place (timings, supplies required, equipment needed, signals etc) (operational plans) • The officers will determine what risks there would be to the soldiers undertaking the offensive (injury, failed equipment, loss of communication etc) (operational risks)

  39. Example of strategic risks Strategic goal: Ensuring a safe, reliable and sustainable water supply Strategic objectives: (a) Incidents of poor water quality will be reduced by 15% by 2011 (b) Water monitoring activities will increase by 10% within 12 months Strategic risks: (1) Inadequate policies and procedures to improve water, leading to unexpected poor water quality (2) Funding for water monitoring will be diverted to another program, reducing capacity to meet targets (3) Government may change its priorities for resource management, leading to inability to ensure a sustainable safe water supply

  40. Outcome based risk assessment • Used where the objectives have not been defined • Focuses on the outcomes without defining strategic objectives • Identifies outcomes which may be unacceptable, how they may occur, and outcomes that will be of consequence to the organisation’s stakeholders

  41. A practical example of linking strategy with planning

  42. Example of embedding risk management in already established practices (“Lets Improve” flowchart). Starting questions: Is this an interpersonal/HR issue? Is this a service issue? Have you got a great idea or suggestion? Is this a maintenance issue? Is this a public safety issue, near miss or incident? Is this a risk to the organisation? Follow-up questions: Have you followed the conflict resolution process? Have you discussed it with the Service Coordinator? This is wonderful. Have you discussed it with your superior? Have you discussed the risk with your superior? Actions: Complete a Quality Improvement Form • Complete a Confidential Quality Improvement Form • Document in Maintenance Book • Complete Near Miss or Incident Form • Update Risk Register, Develop Risk Treatment Plan. Each branch then asks: Does the situation require further improvement? If so, complete a Quality Improvement Form

  43. Summary comments on risk integration • ‘One size does not fit all’: it depends on the management maturity, industry and commitment • Focus on what makes sense to the board and management – keep it practical and tailored • Risk disciplines can work effectively with the planning, reporting, compliance, board committee and HR culture functions • Governance foundations: cultural tone at the top, role clarity, transparency & communication are key

  44. Risk Framework elements

  45. Risk appetite and risk rating (diagram): four matrices, one each for Board, CEO, Manager and Staff, with axes Increasing Likelihood and Increasing Impact; labels: Plan for All Extreme Risks • Large Appetite for Risk • Standard • Risk Averse

  46. Risk-opportunity matrix (diagram): Rigorously manage these exposures • Actively pursue these opportunities

  47. Example – Consequence (Impact) table