Taming Uncertainty: Risk Management in the 21st Century

David T. Wilber
Chief Operating Officer / CARF Surveyor

Post on 22-Dec-2015

What is RISK?

Definition of Risk Management

The act of controlling any threats to the organization’s:

Goodwill

People

Property

Income

Ability to accomplish goals

The Difference Between Incident Analysis and Risk Assessment

Incident Analysis:

Establishes a cause for an incident that has already happened.

Focuses on analyzing the reasons for the incident and development of strategies to prevent future incidents.

Risk Assessment:

Focuses on identification of potential exposures to prevent incidents from happening.

Breaks business decisions down into bite-sized pieces to enable pre-planning for loss control and mitigation strategies.

The only alternative to risk management is crisis management --- and crisis management is much more expensive, time consuming and embarrassing.

JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003

Goals of Risk Management

For the organization to:

Protect physical and financial assets

Protect intangible assets (e.g., goodwill and reputation)

Prepare for operational crisis (Tolerate Uncertainty)

Provide a safe environment for all employees, persons receiving services and visitors

Promote a “healthy” risk culture – It’s safe to talk about risk. Open and transparent.

Develop a common and consistent approach to risk across the organization. Not intuition-based.

Goals of Risk Management

Things will happen…they always do…!

Survival: Not going under due to unforeseen circumstances.

Continuity of operations: Avoiding Business interruption-shutdowns

Sustainability and profitability: Maintaining your mission

Low Risk Organizations will have these factors in place.

Risk management plan

Continuity of Operations plan

Technology Plan

Risk Management Team

Staff Training and competency testing

Corporate Compliance program

Ethical Code of Conduct that includes witnessing of documents etc.

Social Media Policies

Accreditation: CARF-The Rehabilitation Accreditation Commission

A Simple Framework

[Figure: five-step framework diagram, Step 1 through Step 5. Labels: Establish Objectives; Identify Risks & Controls; Assess Risks & Controls; Evaluate & Take Action; Monitor & Report. Caption: Communicate, learn, improve]

Process of Risk Management

Categorizing Risk – Comprehensive

1. Political Risk

2. Financial Risk

3. Service Delivery or Operational Risk

4. People / HR Risk

5. Information/Knowledge Risk

6. Strategic / Policy Risk

7. Stakeholder Satisfaction / Public Perception Risk

8. Legal / Compliance Risk

9. Technology Risk

10. Governance / Organizational Risk

11. Privacy Risk

12. Security Risk

13. Equity Risk

14. Safety (NEW)

Perils Causing Loss

Natural Perils:

Human Perils:

Economic Perils:

Social Media Risk

From Philadelphia Insurance:

You still have to assess those “other risks”

VULNERABILITY ANALYSIS CHART

Department:

Date:

Site:

Person Completing Form:

Columns: TYPE OF RISK | Probability | Human Impact | Property Impact | Business Impact | Internal Resources | External Resources | Total

Probability scale: High 5 ←→ 1 Low

Impact scale (Human, Property, Business): High Impact 5 ←→ 1 Low Impact

Resources scale (Internal, External): Weak Resources 5 ←→ 1 Strong Resources

FIRE

MEDICAL EMERGENCY

ELECTRIC SHOCK

SPILLS/ HAZARDOUS EXPOSURE

ADVERSE WEATHER “TORNADOS”

BOMBS / TERRORISM

MISSING PERSONS

POISONING

PSYCHIATRIC EMERGENCY

VEHICLE EMERGENCY

SUSPICIOUS MAIL

Risk rating … Combining impact and likelihood

[Figure: matrix with axes LIKELIHOOD and IMPACT, each scaled 1 to 5. Label: RISK: I x L]

RISK PRIORITIZATION MATRIX

A Risk Prioritization Matrix can be helpful in prioritizing risks

Plot of event probability versus impact

Note that the zones are not symmetrical across the matrix

High impact low probability events much more important than likely low impact events

Pick the High value Targets!

Polling Question

What is the average # of accidents that go unreported for every one reported accident?

1.29

2.48

4.71

6.26

Accident under-reporting among employees: Testing the moderating influence of psychological safety climate and supervisor enforcement of safety practices. Tahira M. Probst & Armando X. Estrada, Department of Psychology, Washington State University, June 2009

The Approach: Your toolkit – education, job aids, templates

Incorporates risk information into the strategic direction-setting, making decisions that consider established risk tolerance levels.

Takes a systems approach to managing risk at the strategic, operational and project levels which is continuous, proactive and systematic.

Fosters a working culture that values learning, innovation, responsible risk-taking and continuous improvement.

Add value not work. We developed forms and templates.

Develop and deliver educational sessions – usually attended by all leadership members at a minimum. Include risk 101 and time for them to discuss how to apply concepts to their specific worksite.

Develop teams in actual risk assessments.

Process of Risk Management

Identify available techniques for reducing or eliminating loss exposures

What are Loss Prevention/Risk Control Methods?

Avoidance – There’s a great deal of risk. You don’t want to assume the risk and it can’t be transferred, so you avoid the risk altogether.

Loss Prevention – Reduces the frequency or likelihood of a “particular” loss. Examples include:

Improve security measures to reduce the possibility of arson or theft.

Improve maintenance of facilities to reduce the possibility of a tripping hazard.

Loss Reduction – Reduces the severity or cost of a “particular” loss. Examples include:

Require the use of hearing protection to reduce the chance of a hearing loss.

Reduce the cost of workers’ compensation claims through the use of return to work programs.

Segregate Losses – Arrange your agency’s activities and assets to prevent one event from causing loss to the whole.

Contractually transfer the risk.

Process of Risk Management

Select and implement desired loss reduction techniques

Personal protective equipment.

Housekeeping, repair, and maintenance.

Inspections.

Tools and equipment.

Supervision.

Policies, procedures, and process.

Contract management and administration.

Effective Risk Management

Monitoring and Control

Continually monitor risks to identify any change in the status, or if they turn into an issue.

Hold regular risk reviews

To identify actions outstanding, risk probability and impact

Remove risks that have passed

Identify new risks

The Risk Management Plan

Risk Management Plan should specify the risks, risk responses, and mechanisms used to control the process

Need to continuously monitor for risk triggers

Potential risk events should be identified early in a project and monitoring for such events immediately commence

Each risk is assigned to a specific position

Has the expertise & authority to identify & respond to an event

Need environment where problems are readily reported, embraced & solved

The following table describes the risks and mitigating controls and related information. As controls are implemented or changed, their status will be updated.

Risk Rating: Impact = significant, moderate or minor (S, M, m) and Likelihood = high, medium or low (H, M, or L)

IRM RISKS AND CONTROLS

Columns: ID Number | Responsible Org & Name (Implement / Operate) | Risk | Control | Risk Rating (Impact) | Risk Rating (Likelihood) | Date Required | Status

Category: Financial

None in this category

Category: Equity

None in this category

Category: Service Delivery or Operational

ID Number: 064
Responsible Org & Name (Implement / Operate): Person A
Risk: 055 – Insufficient knowledge transfer; 102 – Conflicting management instructions
Control: Update impacted policies and procedures for integration into knowledge support tools. Harmonizing policies and procedures (e.g., access procedures – X has one and Y has one – there needs to be one process/policy/procedure).
Risk Rating (Impact): M
Risk Rating (Likelihood): M
Date Required: 31-Mar-09
Status: Refer to Privacy Action Plan Work on Ongoing Operations Commitments Report

ID Number: 065
Responsible Org & Name (Implement / Operate): Person B
Risk: 056 – Lack of communication (Serious service delivery issues); 352 – Different business and IT processes (incident management)
Control: (a) IT incident and Triage (harmonization between IT and Business). (b) X and Y need to develop an incident management process/service to deal with issues that arise during service delivery. Roles and responsibilities need to be defined in both organizations: from a stewardship perspective on the ministry side, and from a service delivery/reporting perspective on the agency side. The process/service ensures that incident/issues are communicated as per agreement requirements; well tracked and reported.
Risk Rating (Impact): M
Risk Rating (Likelihood): M
Date Required: 31-Mar-09
Status: (a, b) Refer to ongoing Operations IRM document

Process of Risk Management

Annual Report results of loss reduction techniques

Include results in performance improvement activities

Columns: Exposure | Risk | Control Mechanism | Responsibility | Review Date

Exposure: Maltreatment of Individuals
Risk: Fines, loss of licenses, loss of Individuals
Control Mechanism: Maintain current knowledge of Human Rights (DBHDS); Annual training of all direct support staff in Human Rights (DBHDS); Incident Report Process; Internal Investigation process
Responsibility: Director of Program and Quality Services, Senior Leadership Team, Management Team
Review Date: Annually

Exposure: Change in population - Diversity
Risk: Loss of Individuals
Control Mechanism: Develop new and innovative programs to meet the changing needs; Program evaluation and satisfaction surveys; Follow trends
Responsibility: Senior Leadership Team, Management Team
Review Date: Annually

Exposure: Legislative/ Rule Changes
Risk: Increased costs without increased funding; Not implementing rule changes correctly; Loss of funding
Control Mechanism: Actively monitor legislative activities through trade associations – vaACCSES, VNPP, VAAPSE, ArcVA
Responsibility: Management Team
Review Date: Annually

Exposure: Wage and Hour Issues
Risk: Wage and Hour Audit
Control Mechanism: Maintain current knowledge of wage and hour rules and regulations; Provide staff with wage and hour training
Responsibility: Management Team, Accounting staff
Review Date: Annually

Exposure: Loss of work
Risk: Loss of income; Loss of Individuals
Control Mechanism: Monitor marketing capabilities; Develop aggressive marketing plan; Plan for alternative activities
Responsibility: Management Team, Director of Business Development
Review Date: Annually

Exposure: Downturn in economy
Risk: Loss of community jobs; Loss of facility based jobs; Loss of income
Control Mechanism: Implement volunteer opportunities and alternative activities; Diversify program options throughout agency
Responsibility: Management Team
Review Date: Annually

Questions?

Thank you

You don’t know what you don’t know…

Better to know….

[email protected]

David T. Wilber
Chief Operating Officer / CARF Surveyor