How I learned to stop worrying and love the risk
Trent Dean
Jan 09, 2016
PPB Survey (2010) of Not for Profit organisations in Australia and New Zealand:
1. Almost half did not have, or did not know if they had, a risk management plan
2. 61% of respondents stated that risk to their organisation had increased over the past five years
3. Over one third of Not-For-Profit boards were not held accountable for managing risk in their respective organisations
4. Almost half of respondents believe that budgetary constraints were the main barrier to adequate risk management support
The Ultimate Risk Management Consultant Con
Managing risk is a good thing...
• Moves us away from avoidance or transference
• It forces creativity
• The only way to achieve innovation and growth
Risk Management Framework
- Fully integrated and informed
Leadership
- Prepared to take calculated risks
The most important things...
The Risk Averse
The Optimistic Gamblers
The Innovators
Where to begin?
• Design a RM framework that fits your organisation
• Identify your strategic risks
• Identify risk owners
• Do something... anything
• Monitor, Rinse and Repeat
“Effect of uncertainty on objectives”
ISO 31000:2009 Risk Management
Objectives can have very different aspects
What is Risk?
Major risks can impact on a range of areas including, but not limited to:
• Client Safety
• Staff Safety
• Business continuity
• Organisational Reputation
• Financial Sustainability
• Employee Relations
Strategic Objectives, Risk Categories and Identified Strategic Risks
Strategic Objective: Grow more Christian Communities
Risk Category: Growth
Identified Strategic Risks:
• Lack of brand awareness and / or reputational loss
• Increased industry competition
• Poor due diligence and management of merger and acquisitions
• Limited church planting and sustained congregational growth
Strategic Objective: Operate and grow in a financially sustainable way
Risk Category: Financial Sustainability
Identified Strategic Risks:
• Unsuitable or poor performing investments
• Overextending on capital work projects
• Loss of / decreased funding sources
• Poor budgeting (organisational / project) and treasury strategy
• Loss of PBI / DGR status
Consequence ratings by Consequence Type (Insignificant, Minor, Moderate, Major, Catastrophic):
Audit and Compliance
- Insignificant: Compliance with standards or licensing requirements maintained with negligible level of control weakness
- Minor: Compliant with standards or licensing requirements / minimal level of control weakness
- Moderate: Single non compliance with standards or licensing requirements resulting in recommendations for improvement / moderate level of control weakness identified
- Major: Multiple non compliances with standards or licensing requirements resulting in recommendations for improvement / high level of control weakness
- Catastrophic: Fully non compliant with standards or licensing requirements resulting in sanction or penalty / critical failure of key controls
Business Continuity
- Insignificant: Loss / interruption less than 1 hour
- Minor: Loss / interruption <= 8 hours / some disruption manageable by altered operational routine
- Moderate: Loss / interruption <= 1 day / Disruption to a number of areas within a Division or Unit, possible flow on to other locations
- Major: Loss / interruption <= 1 week / all operational areas of a Division or Unit compromised, other locations are affected
- Catastrophic: Total system dysfunction and / or total shut-down of operations
Client Safety and Care
- Insignificant: No injury or harm caused / unsatisfactory client experience not directly related to client care
- Minor: Minimal harm caused / unsatisfactory client experience - readily resolvable
- Moderate: Temporary loss of function or harm caused / mismanagement of client care
- Major: Permanent loss of function or harm caused / serious mismanagement of client care
- Catastrophic: Loss of life / totally unsatisfactory client outcome or experience
Finance
- Insignificant: < $100k
- Minor: $100 – 200k
- Moderate: $200 – 500k
- Major: $500 – 2m
- Catastrophic: Greater than $2m
Fraud
- Insignificant: < $2k
- Minor: $2-10k
- Moderate: $10-25k
- Major: $25-100k
- Catastrophic: Greater than $100k
Health and Safety
- Insignificant: No injury / illness - no time lost, minor adjustment to operational routine
- Minor: Single injury / minor illness – lost time of less than 4 rostered days
- Moderate: Single serious injury > 4 rostered days lost.
- Major: Multiple serious injuries or illness (more than 4 rostered days lost, or an event which is notifiable)
- Catastrophic: Fatality
Reputation
- Insignificant: Minimal adverse local publicity
- Minor: Significant adverse local publicity
- Moderate: Significant adverse state-wide publicity
- Major: Significant and sustained state-wide publicity
- Catastrophic: Sustained national adverse publicity
Vision and Values
- Insignificant: Negligible misalignment with strategic objectives or expected behaviours
- Minor: Minor misalignment with strategic objectives or expected behaviours
- Moderate: Moderate misalignment with strategic objectives or expected behaviours
- Major: Major misalignment with strategic objectives or expected behaviours
- Catastrophic: Significant misalignment with strategic objectives or expected behaviours
Workforce
- Insignificant: Short term low staffing level temporarily reduces service quality
- Minor: Ongoing low staffing level reduces service quality
- Moderate: Moderate annualised staff turnover (< 30%) / Late delivery of key objectives / services due to lack of staff
- Major: Very high annualised staff turnover (> 30%) / Uncertain delivery of key objective / service due to lack of staff
- Catastrophic: Non delivery of key objectives / services due to lack of staff

| Likelihood Rating | Descriptor | Frequency |
|---|---|---|
| Almost Certain | Is expected to occur frequently (in most circumstances) | Expected to occur at least monthly |
| Likely | Is expected to occur occasionally (to be expected) | Expected to occur at least quarterly |
| Possible | Could occur at least once (capable of happening / foreseeable) | Expected to occur at least biannually |
| Unlikely | Might occur at some time (not to be expected) | Expected to occur at least annually |
| Rare | May occur in exceptional circumstances only | Not expected to occur for years |


| Rank | Colour | Description |
|---|---|---|
| Low | 1 | Action plans, policies or controls are not mitigating the risk and / or deemed to be very weak or ineffective. Risk may be outside control of organisation. |
| Medium | 2 | Action plans, policies or controls may be partially mitigating the risk and scope for some improvement. |
| High | 3 | Action plans, controls or policies deemed to be satisfactory and tested regularly. |

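
| Likelihood | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Almost Certain | Medium | High | High | Extreme | Extreme |
| Likely | Medium | Medium | High | Extreme | Extreme |
| Possible | Low | Medium | High | High | High |
| Unlikely | Low | Medium | Medium | Medium | High |
| Rare | Low | Low | Low | Medium | Medium |
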
Risk Rating and Action Required
Low
• Manage by routine controls and processes
• Ongoing monitoring of control effectiveness by local management
Medium
• Manage by routine controls and processes
• May require a detailed risk action plan
• Ongoing monitoring of control effectiveness by local management
High
• Immediate notification of relevant Senior Management
• Should have a detailed risk action plan
• Risk action plan to be monitored by relevant Senior Management and progress reported to relevant Divisional Director
• Updates to be provided to Executive Committee members, as required
• Ongoing monitoring of control effectiveness by Senior Management
Extreme
• Immediate notification of relevant Divisional Director
• Must have specific risk mitigation plan
• Risk action plan to be monitored by Divisional Director and progress reported to Executive Committee members
• Updates to be provided to Board Risk, Audit and Compliance Committee members, as required
• Ongoing monitoring of control effectiveness by Divisional Director
Risk Assessments
• Risk Statement
• Contributing Factors
• Consequences
• Controls
• Control effectiveness
• Risk Analysis
• Action Required
• Risk Ownership
What should the Board know about?
• Key strategic / operational risks
• Presentations by individual risk owners
• Key issues / incidents / compliance breaches
• Crisis / Disaster Management
• OH&S
• Fraud and Corruption
• Internal Audit reports
• External Audit reports
Say what?
• What are the risks, both strategic and operational?
• How effective are the controls, and how do you know they are working?
• What are you doing about the risks?
• How are the risks trending?
• What are the known or possible risks ahead of us?
Board Report – Risk Heat Map
Risk 2 (SR-AC): Poor integration and support of client focused care
Risk Owner: A. Staff
Accountable Executive: B. Cool
Existing Controls
• Training on customer focused awareness
• CMS focused on client outcomes
• Appointed project manager for the client focused care project
• Appointed GM for shared services and integration
• Appointed regional volunteer coordinators
Gaps and planned response
• Client focused education at every level of organisation
• Review of all functions that interface / input into client outcomes
• Churches of Christ Care Strategic Plan / actions from the Strategic Plan
• Gap assessment of CMS / Care Governance
• Action learning approach to learning
• Client satisfaction survey
Key Risk Indicators
• Number of volunteers
• Compliance with standards and licensing
• Client satisfaction surveys
• Predetermined and measured outcomes of care
• Culture survey results
Current Risk Rating
Control effectiveness / scope for control improvement
Contributing Factors / Issues
• Poor awareness of integration of services (both care and support)
• Constraints by regulatory and compliance obligations
• Limited creativity with application of compliance and regulatory obligations
• Lack of support or resistance for client focused care
• Client not viewed as central to all tasks and functions
• Lack of awareness of services and functions that input or interface with client care delivery
• Poor history and culture – task focused and output driven at both industry and occupational level
Definition of Risk: Poor integration and support of client focused care
Risk Category: Client Focus

| Likelihood | Consequence | Rating |
|---|---|---|
| 4 | 3 | 12 |

Comments / Updates
• Gap assessment of CMS / Care Governance is almost complete
• Actively recruiting 5 regional volunteer coordinators
Key Risk Indicators
Quality Improvement
Internal Audit
An integrated approach
Risk Management
Identify and Assess Risk
Design and Implement Controls
Monitor and Review Controls
Churches of Christ in Queensland
• A group of mainstream Christian churches which has been an active part of the Queensland community for over 100 years.
• We are a significant presence within Queensland with over 200 services in more than 100 communities, touching tens of thousands of lives each year.
Churches of Christ Care
• Established in 1930; operates 137 services with the support of more than 2,800 staff and over 700 volunteers.
• The care services are active in the areas of early childhood services, child protection, social and affordable housing, retirement living, community aged care, and residential aged care.
Assurance Services (organisation chart)
• Director
• Group Manager - Quality
• Quality Advisor
• Health, Safety and Rehabilitation Consultant
• Health, Safety and Rehabilitation Specialist
• Health, Safety and Rehabilitation Consultant
• Internal Audit Coordinator
• Health, Safety and Rehabilitation Consultant
• Quality Officer
• Internal Auditor
• Internal Auditor
• Risk and Compliance Advisor
• Health, Safety and Rehabilitation Consultant
What we do...
• Risk Management Framework
• Fraud Risk Management
• Sentinel Event Management
• Root Cause Analysis
• Crisis / Disaster Management
• ChildSafe Program
• Legislative Compliance
• Quality Management (Continuous Improvement) Framework
• Controlled Documents
• Archiving / Records Management
• Internal Audit
• Self Audits
• Compliance Reviews
• Due Diligence
• Forensic Investigations
• Workplace Health and Safety
• Worker Rehabilitation
A Call to Action
Ask yourself...
• Do I know my organisation’s strategic risks, and are they meaningful to me?
• Is ‘risk management’ only raised as part of a dedicated risk meeting, or is it part of every Board conversation?
• What is the risk appetite and tolerance of the Board, the organisation, and me?