How I learned to stop worrying and love the risk

PPB Survey (2010) of Not for Profit organisations in Australia and New Zealand:
1. Almost half did not have, or did not know if they had, a risk management plan
2. 61% of respondents stated that risk to their organisation had increased over the past five years
3. Over one third of Not-For-Profit boards were not held accountable for managing risk in their respective organisations
4. Almost half of respondents believe that budgetary constraints were the main barrier to adequate risk management support

The Ultimate Risk Management Consultant Con

Managing risk is a good thing...
• Moves us away from avoidance or transference
• It forces creativity
• The only way to achieve innovation and growth

The most important things...
• Risk Management Framework - Fully integrated and informed
• Leadership - Prepared to take calculated risks

The Optimistic Gamblers
The Risk Averse
The Innovators

Where to begin?
• Design a RM framework that fits your organisation
• Identify your strategic risks
• Identify risk owners
• Do something... anything
• Monitor, Rinse and Repeat

“Effect of uncertainty on objectives”
ISO 31000:2009 Risk Management

Objectives can have very different aspects
Major risks can impact on a range of areas including, but not limited to:
• Client Safety
• Staff Safety
• Business continuity
• Organisational Reputation
• Financial Sustainability
• Employee Relations

Strategic Objectives / Risk Category / Identified Strategic Risks

Strategic Objective: Grow more Christian Communities
Risk Category: Growth
Identified Strategic Risks:
• Lack of brand awareness and / or reputational loss
• Increased industry competition
• Poor due diligence and management of merger and acquisitions
• Limited church planting and sustained congregational growth

Strategic Objective: Operate and grow in a financially sustainable way
Risk Category: Financial Sustainability
Identified Strategic Risks:
• Unsuitable or poor performing investments
• Overextending on capital work projects
• Loss of / decreased funding sources
• Poor budgeting (organisational / project) and treasury strategy
• Loss of PBI / DGR status

Consequence Type (rated Insignificant, Minor, Moderate, Major or Catastrophic)

Audit and Compliance
• Insignificant: Compliance with standards or licensing requirements maintained with negligible level of control weakness
• Minor: Compliant with standards or licensing requirements / minimal level of control weakness
• Moderate: Single non compliance with standards or licensing requirements resulting in recommendations for improvement / moderate level of control weakness identified
• Major: Multiple non compliances with standards or licensing requirements resulting in recommendations for improvement / high level of control weakness
• Catastrophic: Fully non compliant with standards or licensing requirements resulting in sanction or penalty / critical failure of key controls

Business Continuity
• Insignificant: Loss / interruption less than 1 hour
• Minor: Loss / interruption <= 8 hours / some disruption manageable by altered operational routine
• Moderate: Loss / interruption <= 1 day / Disruption to a number of areas within a Division or Unit, possible flow on to other locations
• Major: Loss / interruption <= 1 week / all operational areas of a Division or Unit compromised, other locations are affected
• Catastrophic: Total system dysfunction and / or total shut-down of operations

Client Safety and Care
• Insignificant: No injury or harm caused / unsatisfactory client experience not directly related to client care
• Minor: Minimal harm caused / unsatisfactory client experience - readily resolvable
• Moderate: Temporary loss of function or harm caused / mismanagement of client care
• Major: Permanent loss of function or harm caused / serious mismanagement of client care
• Catastrophic: Loss of life / totally unsatisfactory client outcome or experience

Finance
• Insignificant: < $100k
• Minor: $100 – 200k
• Moderate: $200 – 500k
• Major: $500 – 2m
• Catastrophic: Greater than $2m

Fraud
• Insignificant: < $2k
• Minor: $2-10k
• Moderate: $10-25k
• Major: $25-100k
• Catastrophic: Greater than $100k

Health and Safety
• Insignificant: No injury / illness - no time lost, minor adjustment to operational routine
• Minor: Single injury / minor illness – lost time of less than 4 rostered days
• Moderate: Single serious injury >4 rostered days lost.
• Major: Multiple serious injuries or illness (more than 4 rostered days lost, or an event which is notifiable)
• Catastrophic: Fatality

Reputation
• Insignificant: Minimal adverse local publicity
• Minor: Significant adverse local publicity
• Moderate: Significant adverse state-wide publicity
• Major: Significant and sustained state-wide publicity
• Catastrophic: Sustained national adverse publicity

Vision and Values
• Insignificant: Negligible misalignment with strategic objectives or expected behaviours
• Minor: Minor misalignment with strategic objectives or expected behaviours
• Moderate: Moderate misalignment with strategic objectives or expected behaviours
• Major: Significant misalignment with strategic objectives or expected behaviours
• Catastrophic: Major misalignment with strategic objectives or expected behaviours

Workforce
• Insignificant: Short term low staffing level temporarily reduces service quality
• Minor: Ongoing low staffing level reduces service quality
• Moderate: Moderate annualised staff turnover (< 30%) / Late delivery of key objectives / services due to lack of staff
• Major: Uncertain delivery of key objectives / services due to lack of staff
• Catastrophic: Very high annualised staff turnover (> 30%) / Non delivery of key objective / service due to lack of staff

Likelihood Rating / Descriptor / Frequency
• Almost Certain: Is expected to occur frequently (in most circumstances) / Expected to occur at least monthly
• Likely: Is expected to occur occasionally (to be expected) / Expected to occur at least quarterly
• Possible: Could occur at least once (capable of happening / foreseeable) / Expected to occur at least biannually
• Unlikely: Might occur at some time (not to be expected) / Expected to occur at least annually
• Rare: May occur in exceptional circumstances only / Not expected to occur for years

Rank / Colour / Description
• Low / 1 / Action plans, policies or controls are not mitigating the risk and / or deemed to be very weak or ineffective. Risk may be outside control of organisation.
• Medium / 2 / Action plans, policies or controls may be partially mitigating the risk and scope for some improvement.
• High / 3 / Action plans, controls or policies deemed to be satisfactory and tested regularly.

                 Insignificant   Minor    Moderate   Major     Catastrophic
Almost Certain   Medium          High     High       Extreme   Extreme
Likely           Medium          Medium   High       Extreme   Extreme
Possible         Low             Medium   High       High      High
Unlikely         Low             Medium   Medium     Medium    High
Rare             Low             Low      Low        Medium    Medium

Risk Rating / Action Required

Low
• Manage by routine controls and processes
• Ongoing monitoring of control effectiveness by local management

Medium
• Manage by routine controls and processes
• May require a detailed risk action plan
• Ongoing monitoring of control effectiveness by local management

High
• Immediate notification of relevant Senior Management
• Should have a detailed risk action plan
• Risk action plan to be monitored by relevant Senior Management and progress reported to relevant Divisional Director
• Updates to be provided to Executive Committee members, as required
• Ongoing monitoring of control effectiveness by Senior management

Extreme
• Immediate notification of relevant Divisional Director
• Must have specific risk mitigation plan
• Risk action plan to be monitored by Divisional Director and progress reported to Executive Committee members
• Updates to be provided to Board Risk, Audit and Compliance Committee members, as required
• Ongoing monitoring of control effectiveness by Divisional Director

Risk Assessments
• Risk Statement
• Contributing Factors
• Consequences
• Controls
• Control effectiveness
• Risk Analysis
• Action Required
• Risk Ownership

What should the Board know about?
• Key strategic / operational risks
• Presentations by individual risk owners
• Key issues / incidents / compliance breaches
• Crisis / Disaster Management
• OH&S
• Fraud and Corruption
• Internal Audit reports
• External Audit reports

Say what?
• What are the risks, both strategic and operational?
• How effective are the controls, and how do you know they are working?
• What are you doing about the risks?
• How are the risks trending?
• What are the known or possible risks ahead of us?

Board Report – Risk Heat Map

Risk 2 (SR-AC): Poor integration and support of client focused care
Risk Owner: A. Staff
Accountable Executive: B. Cool

Definition of Risk
Poor integration and support of client focused care

Risk Category
Client Focus

Contributing Factors / Issues
• Poor awareness of integration of services (both care and support)
• Constraints by regulatory and compliance obligations
• Limited creativity with application of compliance and regulatory obligations
• Lack of support or resistance for client focused care
• Client not viewed as central to all tasks and functions
• Lack of awareness of services and functions that input or interface with client care delivery
• Poor history and culture – task focused and output driven at both industry and occupational level

Existing Controls
• Training on customer focused awareness
• CMS focused on client outcomes
• Appointed project manager for the client focused care project
• Appointed GM for shared services and integration
• Appointed regional volunteer coordinators

Gaps and planned response
• Client focused education at every level of organisation
• Review of all functions that interface / input into client outcomes
• Churches of Christ Care Strategic Plan / actions from the Strategic Plan
• Gap assessment of CMS / Care Governance
• Action learning approach to learning
• Client satisfaction survey

Comments / Updates
• Gap assessment of CMS / Care Governance is almost complete
• Actively recruiting 5 regional volunteer coordinators

Current Risk Rating
Likelihood: 4
Consequence: 3
Rating: 12

Control effectiveness / scope for control improvement

Key Risk Indicators
• Number of volunteers
• Compliance with standards and licensing
• Client satisfaction surveys
• Predetermined and measured outcomes of care
• Culture survey results

Key Risk Indicators
Identify and Assess Risk
Risk Management
Design and Implement Controls
Internal Audit
Quality Improvement
Monitor and Review Controls

• A group of mainstream Christian churches which has been an active part of the Queensland community for over 100 years. We are a significant presence within Queensland with over 200 services in more than 100 communities, touching tens of thousands of lives each year.
• Established in 1930; operates 137 services with the support of more than 2,800 staff and over 700 volunteers. The care services are active in the areas of early childhood services, child protection, social and affordable housing, retirement living, community aged care, and residential aged care.

Assurance Services Group Manager Quality Quality Officer Quality Advisor Internal Auditor Internal Auditor Health, Safety and Rehabilitation Consultant Health, Safety and Rehabilitation Consultant Risk and Compliance Advisor Internal Audit Coordinator Director Health, Safety and Rehabilitation Specialist Health, Safety and Rehabilitation Consultant Health, Safety and Rehabilitation Consultant

What we do...
• Risk Management Framework
• Fraud Risk Management
• Sentinel Event Management
• Root Cause Analysis
• Crisis / Disaster Management
• ChildSafe Program
• Legislative Compliance
• Quality Management (Continuous Improvement) Framework
• Controlled Documents
• Archiving / Records Management
• Internal Audit
• Self Audits
• Compliance Reviews
• Due Diligence
• Forensic Investigations
• Workplace Health and Safety
• Worker Rehabilitation

A Call to Action
Ask yourself...
• Do I know my organisation’s strategic risks, and are they meaningful to me?
• Is ‘risk management’ only raised as part of a dedicated risk meeting, or is it part of every Board conversation?
• What is the risk appetite and tolerance of the Board, the organisation, and me?