corporate finance and internal audit

8/11/2019 Corporate Finance and Internal Audit

1/53

1

A Practical Approach to

Risk ManagementFinancial Management Institute,

Toronto ChapterFebruary 17 2010

Corinne Berinstein, BPT, MBA, MHSC, CA, CFIHealth Audit Services Team

Ontario Internal Audit Division


2/53

2

Contact Info:

Corinne Berinstein, BPT, MBA, MHSC, CA, CFI, Certificate in RiskManagement (Canadian Health Care Association

Senior Audit Manager

Health Audit Services Team

Ontario Internal Audit DivisionProvince of Ontario

Office: 416-327-7798

eMail: [email protected]


3/53

3

Basic Concepts


4/53

4

Objectives of todays session

Basic principles, concepts, definitions

A simple framework

Stocking your toolkiteducation, job aids, templates

What are you going to do back in the office?

Q &As

A caseLets practice!

Outline


5/53

5

Objectives

Give you a practical approach, framework and tools so

you can start implementing ERM when you get back to

the office.

Share some lessons learned. Share some tips and tricks.

Practice concepts and tools with a case study so that you

practice


6/53

6

The only alternative to risk management is crisis management --- andcrisis management is much more expensive, time consuming andembarrassing.

JAMES LAM, Enterprise Risk Management, Wiley Finance 2003

Without good risk management practices, government cannot manage its

resources effectively. Risk management means more than preparing for

the worst; it also means taking advantage of opportunities to improveservices or lower costs.

Sheila Fraser, Auditor General of Canada

Why do we need Risk Management?


7/53

7

Why bother with RM?

Increase risk awarenessWhat could affect theachievement of objectives? What could change? What

could go wrong? What could go right?

Increase understanding of risksensitivities. What

makes my risks increase/decrease/disappear?

Promote a healthy risk culture Its safe to talk about

risk. Open and transparent.

Develop a common and consistent approach to risk across

the organization. Not intuition-based.


8/53

8

Why bother with RM? Allows intelligent informed risk-taking.

Focuses effortshelps prioritize. Top 10 list. Or top 3.Or

Is proactive. not reactive Prepare for risks before theyhappen. Identify risks and develop appropriate risk

mitigating strategies.

Improve outcomesachievement of objectives(corporate, clinical, etc)

Really comes to down to simple good management

Enables accountability, transparency and responsibility

And maybe even mean survival


9/53


10/53

10

Threats and opportunities

Threata risk that may HINDER the achievement of objectives

Opportunities- a risk that may HELP in the achievement of objectives

Interest rates

Foreign exchange rates

Supply of service/product/resources

Demand/uptake for service/product/resources

The economy

The weather

The stock market


11/53

11

Interactive Session #110 minutes

Introduce yourselves to others at your table

Pick 1riskdiscuss it as both a threat and

an opportunity

Report to the large group. Pick a

spokesperson.


12/53

12

Definition of ERM

aprocess, effected by an entity's board ofdirectors, management and other personnel, applied

in strategy setting and across the enterprise,

designed to identify potential events that may affect

the entity, and manage risks to be within its riskappetite, to provide reasonable assurance regarding

the achievement of entity objectives.

Source: COSO Enterprise Risk ManagementIntegrated Framework. 2004.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO)


13/53

13

Enterprise vs Integrated Risk Management

Similarities: Formal process

Consistent and systematic

Includes projects, programs,

operations

Is embedded in key processessuch as strategic planning,

budgeting, project planning,evaluation, etc

Must be driven and supported byLeadership

Adds value to decision-making

Differences:Enterprise-wide:

Is organizational-centric

Success is defined as

implementation over the entireorganization

Integrated:

Take a systems-focus

May actually create risks for

individual organizations


14/53


15/53


16/53

16Slide 16

Risk Management Basics Risk (uncertainty) may affect the achievement of

objectives.

Effective mitigation strategies/controls can reducenegative risks or increase opportunities.

Residual risk is the level of risk after evaluating the

effectiveness of controls.

Acceptance and action should be based on residual risklevels.

INHERENT


17/53

17

A Simple Framework

Evaluate

& TakeAction

EstablishObjectives

Identify

Risks &Controls

Assess

Risks &Controls

Monitor

&Report

Step 1 Step 2 Step 3 Step 4 Step 5

Communicate, learn, improve


18/53

18

Risk Management is critical to ALL levels of decisions

Decisions can be categorized into three types. The amount of risk uncertainty) varies

with the type of decisions. Most decisions are concerned with implementation.

UNCERTAINTY

Strategic Strategic

Programme Prog

ramme

Project&Operational Project

&Opera

tional

Strategic Decisions

Decisions transferring

strategy into action

Decisions required for

implementation

The HM Treasurys The Orange Book


19/53

19

The relationship between IRM & MOHLTCs Complex Risk

Environment

MOHLTC Extended

Enterprise

External Risk Environment

MOHLTC

Risk Environment

Laws&

regulatio

ns

Capacity

TheEconom

y

Corporate Governance

Requirements

Stak

eholde

r

expe

ctatio

ns

Political

Outcomes

Public

Perception

Oth

er

Minis

trie

s

Partner-

Organizations

LHINs

Financial

Organizational

Governance

HumanResources

Information

Inform

atio

n

Techn

ology

L

egal/

Com

plia

nce

Operati

onal

Strate

gic/

Polic

y

TransferP

ayment

Accountability&

Governance

Communication

& Learning

Monito

r

Evaluate

Assess

Identify

Estab

lish

Communication

& Learning

Communication

& Learning


20/53

20Slide 20

Categorizing RiskComprehensive1. Political or Reputational Risk

2. Financial Risk3. Service Delivery or Operational Risk

4. People / HR Risk

5. Information/Knowledge Risk

6. Strategic / Policy Risk

7. Stakeholder Satisfaction / Public Perception Risk

8. Legal / Compliance Risk

9. Technology Risk

10. Governance / Organizational Risk

11. Privacy Risk

12. Security Risk

13. Equity Risk

14. Patient SafetyNEW


21/53

21Slide 21

Risk Prioritizationlikelihood and impact

Likelihood of a risk event occurring

Very High: Is almost certain to occur

High: Is likely to occur

Medium:Is as likely as not to occur

Low:May occur occasionally

Very Low:Unlikely to occur

Risk Impact: Level of damage thatcan occur when a risk eventoccurs

Very High: Threatens the success ofthe project

High:Substantial impact on time, costor quality

Medium:Notable impact on time,cost or quality

Low:Minor impact on time, cost orquality

Very Low: Negligible impact


22/53

22

Third dimension for rating risks - proximity

Immediatenow

Less than 6 months

Between 6-12 months

Between 1224 months

Between 2436 months

More than 36 months


23/53

23Slide 23

Risk rating

Combining impact and likelihood

LIKELIHOOD

IMPACT

1

1

2

2

3

3

4

4

5

5

RISKI x L

RISK

I x L

RISK

I x L

RISK PRIORITIZATION MATRIX


24/53

24

Risk Level Action and Level of Involvement Required

Critical RiskInform Chief Executive Officer and Board of Directors

Immediate action required

High Risk

Inform Chief Executive OfficerStrategy Team involvement/attention is essential to manage risksprovide report to Board as appropriate

Moderate RiskManagement mitigation and ongoing monitoring required

Inform relevant Strategy Team members

Low Risk Accept, but monitor risksManage by routine procedures within the program and site

Risk reporting and communications


25/53

25

Ke Risk Indicators (KRIs) are linked to


26/53

26

Key Risk Indicators (KRIs) are linked to

strategy, performance and risk

Risk

Consequence

Strategy & objectives

Cause

KRI

KRIs need to be linked to strategy, objectives and target performancelevels, with a good understanding of the drivers to risk.

Performance


27/53

27

EXAMPLES OF KRIs

Human resource

Average time to fill vacant

positions

Staff absenteeism /sickness

rates

Percentage of staff appraisals

below satisfactory

Age demographics of key

managers

Information Technology

Systems usage versus

capacity

Number of system upgrades/

version releases

Number of help desk calls

Finance

Daily P&L adjustments (#,

amt)

Reporting deadlines missed

(#)

Incomplete P&L sign-offs (#,

aged)

Legal/compliance

Outstanding litigation cases

(#, amt)

Compliance investigations (#)

Customer complaints (#)

Audit

Outstanding high risk issues

(#, aged)

Audit findings (#, severity)

Revised management actiontarget dates (#)

Risk management

Management overrides

Limit breaches (#, amt)


28/53

28

Measure and report RM implementation progress

Excellent

Advanced capabilities to identify, measure, manage all risk exposures withintolerances

Advanced implementation, development and execution of ERM parameters

Consistently optimizes risk adjusted returns throughout the organization

Strong

Clear vision of risk tolerance and overall risk profile

Risk control exceeds adequate for most major risks

Has robust processes to identify and prepare for emerging risks Incorporates risk management and decision making to optimize risk adjusted

returns

Adequate

Has fully functioning control systems in place for all of their major risks

May lack a robust process for identifying and preparing for emerging risks

Performing good classical silo based risk management Not fully developed process to optimize risk adjusted returns

Weak Incomplete control process for one or more major risks

Inconsistent or limited capabilities to identify, measure or manage major riskexposures

Source: Standard & Poor


29/53

29

Progress to DateERM Report Card

Quality of Care and Patient SafetyCorporate Governance

Operation & Business Support

Reputation and Public Image

Human Resources and Staff RelationsFinancial Resources

Information Systems and Technology

Physical Assets

Legal and RegulatoryEnvironmental Health and Safety

Policies

Standards


30/53


31/53

31

The Approach

Incorporates risk information into the strategic direction-

setting, making decisions that consider established risk

tolerance levels.

Takes a systems approach to managing risk at thestrategic, operational and project levels which is

continuous, proactive and systematic.

Fosters a working culture that values learning, innovation,responsible risk-taking and continuous improvement.


32/53

32

We wanted to add value not work. We developed formsand templates.

So we developed and delivered educational sessions

usually attended by all team members. Included risk 101and then time for the team members to discuss how to

apply concepts to their work.

We assisted teams in actual risk assessments. Sometimes

we used voting software.

We trained the trainer.

Your toolkiteducation, job aids, templates

f


33/53

33

A Process for Embedding IRMHAST Sessions Components Participant Outcomes

Risk 101Presentation

IntroductionIntegrated Risk Management

Introduction to basic risk concepts and terminologies

Introduction to the MOHLTCs Integrated Risk

Framework

Status of IRM in MOHLTC

(Most effective when followed-up with facilitated riskassessment workshop or application to actual project)

Understanding of risk management process

Understanding of how risk management is relevant to their day-to-daywork

Knowledge of IRM in MOHLTC

Management IRM

Planning Meeting

Planning

Discuss best way to implementation IRM in area

Proposed IRM implementation plan presented for area

Clarify roles & responsibilities for risk management

Commitment to IRM implementation in area or stream of work

Risk management roles and responsibilities clearly defined

Review of IRM roll-out; timelines , deliverables, related forums

Commitment to continuous risk communication & learning

Risk AssessmentWorkshop

Facilitated Training

Identification of risks &mitigation strategies

Identification of objectives

Brainstorming and identification of risks to meetingobjectives (for project, branch, initiative, etc. )

Identification of source, mitigation strategies, ownershipand residual risk for each risk category

Hands-on experience allowing assimilation of consistent riskmanagement techniques

Hands-on practice of IRM process, enabling application of riskmanagement principles and tools to work

Greater understanding of work and inter-dependencies

Risk Prioritization

& Voting

Workshop

Facilitated TrainingAssessment of mitigationstrategies & prioritization

Review of risks, mitigation strategies and ownership

Anonymous voting on the impact and probability of eachrisk

Prioritization of risks on heat map

Discussion of mitigation strategies for high priority risks

Review of risks, mitigation strategies, ownership, residual risk to theirwork in a seamless manner

Unbiased risk prioritization and identification of high risks

Enables application of complete risk management process to everyday work

Risk follow-up

Session

Monitoring & Review

Review of risks six months after initial assessment

Review mitigation strategies and residual risks

Review of risks and status

Continuous improvement

Communication& Learning

Monit

or

Evaluat

e

Assess

Id

entify

Esta

blish


Monito

r

Evaluate

Assess

Identify

Estab

lish


Monit

or

Evaluate

Assess

Identify

Estab

lish


Monit

or

Evaluate

Assess

Identify

Es

tablish

IRM RISKS AND CONTROLS


34/53

34

The following table describes the risks and mitigating controls and related information. As controls are implemented or changed, their status will be updated.

Risk Rating Impact = significant, moderate or minor (S, M, m) and Likelihood = high, medium or low (H, M, or L)

ID Number

Responsible Org &

Name (Implement /Operate) Risk Control

Risk

Rating(Impact)

Risk

Rating(likelihood) Date Required Status

Category: Financial

Category: Equity

Category: Service Delivery or Operational

064 Person A 055 Insufficient knowledge transfer

102 Conflicting managementinstructions

Update impacted policies and procedures

for integration into knowledge support tools.Harmonizing policies and procedures (e.g.,

access procedures X has one and Y has

one there needs to be one

process/policy/procedure).

M M 31-Mar-09 Refer to Privacy

Action Plan Work onOngoing Operations

Commitments

Report

065 Person B 056 Lack of communication (Serious

service delivery issues)

352 Different business and IT

processes (incident management)

(a) IT incident and Triage (harmonization

between IT and Business).

(b) X and Y need to develop an incident

management process/service to deal withissues that arise during service delivery.

Roles and responsibilities need to be

defined in both organizations: from a

stewardship perspective on the ministry

side, and from a service delivery/reporting

perspective on the agency side. The

process/service ensures that incident/issues

are communicated as per agreement

requirements; well tracked and reported.

M M 31-Mar-09 (a, b) Refer to

ongoing Operations

IRM document

IRM RISKS AND CONTROLS

None in this category

None in this category


35/53

35


36/53

36


37/53

37


38/53

38

The Cyclist and the Risk Manager


39/53

39

Interactive Session #215 minutes

Identify risks that the cyclists faces in

cycling to work.

Report back.


40/53

40

Risk Factorsthe cyclist

.
http://tm.wc.ask.com/r?t=an&s=p&uid=098E1493A9EC1C514&sid=11DA886A45F270C14&qid=829E8A0EADF4CE4EBCA964773D7792AD&io=14&sv=za5cb0de8&o=8187&ask=traffic+ticket&uip=8e148eb7&en=is&eo=0&pt=&ac=24&qs=32&pg=3&u=http://pictures.ask.com/redir?bpg=http%3a%2f%2fpictures.ask.com%2fpictures%3fq%3dtraffic%2bticket%26o%3d8187%26page%3d3&q=traffic+ticket&u=http%3a%2f%2fwww.speedsk8in.com%2farticles%2ffeb2000%2fdefense.htm&s=p&bu=http%3a%2f%2fwww.speedsk8in.com%2farticles%2ffeb2000%2fdefense.htm&qte=0&o=8187&isimageSearch=true&fromImagePage=False&iskey=&thumbsrc=http%3a%2f%2fimages.picsearch.com%2fis%3f37655786706&imagesrc=http%3a%2f%2fwww.speedsk8in.com%2farticles%2ffeb2000%2ftraffic2.jpg&thumbwidth=128&thumbheight=96http://tm.wc.ask.com/r?t=an&s=p&uid=098E1493A9EC1C514&sid=11DA886A45F270C14&qid=2CF4A17580AA02488EDF37EFE872C174&io=6&sv=za5cb0de9&o=8187&ask=alice+in+wonderland+&uip=8e148eb7&en=is&eo=1&pt=&ac=11&qs=32&pg=1&u=http://pictures.ask.com/redir?bpg=http%3a%2f%2fpictures.ask.com%2fpictures%3fq%3dalice%2bin%2bwonderland%2b%26o%3d8187%26page%3d1&q=alice+in+wonderland+&u=http%3a%2f%2fwww1.thny.bbc.co.uk%2foxford%2fgoing_out%2f2003%2f03%2foxford_story.shtml&s=p&bu=http%3a%2f%2fwww1.thny.bbc.co.uk%2foxford%2fgoing_out%2f2003%2f03%2foxford_story.shtml&qte=0&o=8187&isimageSearch=true&fromImagePage=False&iskey=&thumbsrc=http%3a%2f%2fimages.picsearch.com%2fis%3f654728293862&imagesrc=http%3a%2f%2fwww1.thny.bbc.co.uk%2foxford%2fgoing_out%2f2003%2f03%2fimages%2foxford_story_270.jpg&thumbwidth=128&thumbheight=78http://tm.wc.ask.com/r?t=c&s=p&id=30751&sv=z6f5372c5&uid=098E1493A9EC1C514&sid=157E092258E460C14&p=%2fimagetop&o=8187&u=http://www.kenpapai.com/racing/sf2002/lance0451z.jpg


41/53


42/53

42

Risk Factorsthe driver

.
http://images.google.ca/imgres?imgurl=http://www.connectingstanislaus.com/files/u46/ID_0.jpg&imgrefurl=http://www.connectingstanislaus.com/Youth/Get_Drivers_License_State%2BID_Card&usg=__oZNiU6g0bwPY_hAQhaoPkNxR67U=&h=282&w=424&sz=85&hl=en&start=7&itbs=1&tbnid=5zLQKXfj3xye5M:&tbnh=84&tbnw=126&prev=/images%3Fq%3Dyoung%2Bdriver%26gbv%3D2%26hl%3Denhttp://images.google.ca/imgres?imgurl=http://www.connectingstanislaus.com/files/u46/ID_0.jpg&imgrefurl=http://www.connectingstanislaus.com/Youth/Get_Drivers_License_State%2BID_Card&usg=__oZNiU6g0bwPY_hAQhaoPkNxR67U=&h=282&w=424&sz=85&hl=en&start=7&itbs=1&tbnid=5zLQKXfj3xye5M:&tbnh=84&tbnw=126&prev=/images%3Fq%3Dyoung%2Bdriver%26gbv%3D2%26hl%3Denhttp://images.google.ca/imgres?imgurl=http://www.grandprix.com/jpeg/phc/pmon05/fri/schumacher1-rg.jpg&imgrefurl=http://current.com/items/88709101_race-car-driver-takes-over-taxi-to-catch-flight.htm&usg=__4zWF4xQraHBB-5XUQlWkx1rmR9E=&h=450&w=300&sz=24&hl=en&start=14&itbs=1&tbnid=c7OdL3Gia1z1YM:&tbnh=127&tbnw=85&prev=/images%3Fq%3Drace%2Bcar%2Bdriver%26gbv%3D2%26hl%3Den


43/53

43

Risks

Threats:

Death

Head Injury

Injury

Reputation

Financial

Damage to the bike

Sunburn/frost bite

Opportunities:

Exercise

Sunlight

Reputation

Financial

Role model

Environment


44/53

44

Mitigation Strategies for threats

Death, head injury, other injuryhelmet, bright clothes, lights, bell,

CANbike course, obeying traffic laws, positive attitude, anger

management course

Reputationgreat outfit, change of wrinkle-free clothes, shower,

time management

Financialhigh quality locks, beater, stopping at stop signs

Damage to the bikeregular maintenance, avoiding pot holes

Sunburn/frost bitesunscreen, mittens, hats, token/change

Dehydration- filled water bottle


45/53


46/53

46

Keep it simple


47/53

47

Back at the office

Why is the organization interested in RM?What are they hopingwill be achieved with its implementation?

Who is doing what? Roles & responsibilities must be clearlydefined. Make sure Leadership supports RM and uses RM results tomake decisions. Everyone is a risk manager. Make sure that all risks

have owners and the responsibilities for mitigation are assigned

How will it be implemented?What is your framework? What is thecommon language? How will risks be measured and reported?

Where will you start?Choices could be where you can most easily

succeed or where it is needed the most or where interest is high.

When will it be implemented? It is a journey not a destination; 3-5years for complete roll-out; how often will risks be assessed; whenwill mitigation plans be implemented and monitored; when will risks

be reported.


48/53

48

Ask questions and develop your approach

Do we understand our major risks? Do we know what is causing ourrisks to increase, decrease or stay the same?

Have we assessed the likelihood and impact of our risks?

Have we identified the sources and causes of our risks?

How well are we managing our risks?

Are we trying to prevent the downside risks from happening? Or arewe trying to simply recover from them?

Who is accountable for these risks?

How do we talk about risk? Do we have a common language acrossbranches, across divisions, across the ministry, across the OPS, across

the health care system?

Are we taking too much risk? Or not enough risk?

Are the right people taking the right risks at the right time?

Whats our culture? Are we risk adverse or are we risk-takers? Or arewe somewhere in between?

TAKE SMALL BITES IRM IMPLEMENTATION


49/53

49

TAKE SMALL BITES. IRM IMPLEMENTATION


50/53

50

Questions?


51/53

51

Case 1The Pan Am Games 2015

Case 2The provincial response to the next Pandemic

Case 3The extension of Hwy 404

Case 4The rescue efforts in Haiti

Case 5Human Resources in the Ontario Public Services

Case 6A big teaching hospital in Toronto

The case - You are responsible for Risk Management

for:


52/53

52

Consider the 13 categories of risk

Identify top 5 threats (downside) and top 5opportunities (upside)

Propose mitigation strategies

Discuss how the following risk factors would affect your assessment:

Economy

Demographics

Weather

Technology

Timing of events such an election

Others

The case


53/53

53

Questions?

corporate finance and internal audit

Documents