
Enterprise Risk Management - A Journey

January 2014

Contents

• Risk Management Concepts

• Risk Organization, Process and Terminology

• Function-wise Risk Summary

• MHC Risk Library

• Review frequency

• Way Forward

Ask most people why cars have brakes and they’ll say, “So you can slow down.”

But the real reason is so you can go faster and still be in control.

Organizations that are most effective and efficient in managing risks to both existing assets and to future growth will, in the long run, outperform those that are less so.

Why do we need risk management?

“Risk is the effect of uncertainty on objectives.” (ISO 31000:2009)

What is Risk?

The threat of bad things (risk as hazard), e.g. flood or fire, major accidents, natural disasters

The possibility of good things not happening (risk as opportunity), e.g. new technologies, new markets, new products

The potential that actual events will not equal anticipated outcomes (risk as uncertainty), e.g. changes in laws and regulations, government interventions

Case Studies: Snowball effect of risk not assessed and managed effectively

• Company in Eastern India: Fire incident – Regulatory and operational risk can have a significant financial, strategic (and reputational) impact

Lack of internal controls: the fire system was not operational

Company received a memo from the Fire Department: the fire system was still not operational

Fire broke out: 88 lives lost, company sealed, directors arrested

Financial/Operational impact: revenue loss due to closure of operations

Strategic impact: expansion plans? reputation?

• Hospital in Noida – a kidney scam occurred, after which the hospital lost its reputation and has still not been able to compete with current players in the market.

• Hospital in Bangalore – lost its licences to carry out transplants due to non-transfer of the licence to the operator's name.

What is management asking?

· What are our principal business risks?
· Are we taking the right amount of risk?
· How effective are our processes for identifying, assessing and managing business risks?
· How is risk management coordinated across the organisation?
· How do we integrate risk management with the organization's strategic direction and plan?
· How do we ensure that the organisation is performing according to the business plan and within appropriate risk criteria?
· What information about the risks facing the organisation does the Management & Board get to help it fulfil its stewardship and governance responsibilities?
· How do we help establish the "tone at the top" that reinforces the organisation's values and promotes a "risk aware culture"?

What is Enterprise Risk Management(ERM)?

A continuous cycle of four stages:

• Prevent – Risk Analysis
• Prepare – Practice
• Respond – Organize
• Recuperate – Settle

“COSO* recognizes that many organizations are engaged in some aspects of ERM”

* Committee of Sponsoring Organizations (COSO) of the Treadway Commission, US

Benefits from ERM

· Avoid surprises: a strengthened framework to identify and manage potential issues before they become serious business problems

· Better governance through clarity on risk roles and responsibilities, risk communication and risk reporting

· Timely achievement of business objectives, without setbacks caused by a lack of effective risk management

· Enhanced confidence in internal controls for management declarations/assurance

· Helps prevent potential revenue leakage and supports effective cost management

ERM Standards & Frameworks

• UK – The Institute of Risk Management – A Risk Management Standard

• ISO 31000:2009

• Committee of Sponsoring Organizations (COSO) of the Treadway Commission – 'Enterprise Risk Management – Integrated Framework'

The frameworks provide broadly similar guidance on risk management principles and processes. The COSO framework is used across the globe as a common framework.

COSO Framework – Approach and Methodology

People & Technology risk may have to be separately managed.

Why ERM is vital in Healthcare

Key Risks faced by Healthcare Providers

The journey to implement an ERM framework

· ERM Champion designated and Functional Risk Owners identified

· Risk identification exercise to identify risks across all the functions and at an enterprise level. Draft Risk registers created.

· Risks identified to be assessed/rated by the functional heads on the basis of their impact, likelihood of occurrence and mitigation plan effectiveness, prioritised and mitigation/action plans implemented.

· Key enterprise level risks to be reviewed by the senior leadership team on a periodic basis.

· Risk Organisation Structure at implementation and governance levels set up.

· On-going monitoring and inculcating ERM culture in day to day operations.

A sample Risk Organization Structure

Audit Committee
  Risk and Controls Steering Committee (to include EC members, Head – Legal and Head – Internal Audit)
    Chief Risk Officer : Non-Medical (the CFO will be CRO Non-Medical)
      Risk Champions / Risk Owners (one set per function)
    Chief Risk Officer : Medical (the Clinical Director will be CRO Medical)
      Risk Champions / Risk Owners (one set per function)

Also shown: Medical Excellence Committee, Service Excellence Committee

Sample Risk Ranking Mechanism

• Risk Rating = I * P * E
• Impact (I), Probability (P) & Mitigation Plan Effectiveness (E) are each measured on a scale of 1-4

Columns of the ranking sheet: Function/Business Process/Event | Risk | Cause | Effect | Control | Impact | Probability | Mitigation Plan Effectiveness | Risk Rating | Risk Priority | Action Plan

Risk Terminology

Term: Explanation

Risk owner: Person with the accountability and authority to manage a risk

Risk Category: Strategic, People, Technology, Compliance, Operations, Financial & Reporting

Probability: Likely - risks which are almost certain to occur; Possible - risks whose likelihood of occurrence is high; Unlikely - risks with a moderate likelihood of occurrence; Remote - risks with an extremely low probability of occurrence

Impact Category: Occurrence of the risk could have an impact in the following areas - Financial, Brand, Legal & Regulatory and People

Severity of Impact: Extreme - loss of ability to sustain ongoing operations; Major - significant impact on the achievement of objectives; Material - limited effect on achievement of objectives; Minor - minimal impact on achievement of objectives

Risk Rating: Very High, High, Medium & Low

Risk Register Template

Function | Risk Description | Risk Owner | Risk Category | Probability | Impact Category | Severity of Impact | Risk Rating

Mitigation Plan: S.No. | Activity | Closure Date (one row per activity: 1, 2, ...)

Risk Responses

Once risks have been identified & assessed, the next step is to manage the risk based on the risk criteria of the organization. The four responses are laid out on an impact vs. probability grid: Treat, Terminate, Transfer, Take.


Frequency of review

Risks are placed on a 3 x 3 Impact x Probability grid (Grid I to Grid IX); each cell is characterised by its impact, probability and mitigation plan effectiveness:

• High impact, Low probability & Medium effectiveness
• Low impact, Low probability & High effectiveness
• Medium impact, Low probability & Medium effectiveness
• High impact, High probability & Low effectiveness
• High impact, Medium probability & Low effectiveness
• Medium impact, Medium probability & Medium effectiveness
• Medium impact, High probability & Medium effectiveness
• Low impact, Medium probability & High effectiveness
• Low impact, High probability & Medium effectiveness

Each cell is assigned one of four review frequencies: may be reviewed annually; may be reviewed every six months; may be reviewed every quarter; needs quarterly review with real-time (on-line) monitoring. The High impact, High probability & Low effectiveness cell needs quarterly review with real-time monitoring; the remaining cells fall back to quarterly, six-monthly or annual review as impact and probability decrease and mitigation effectiveness increases.
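As an added example (not part of the original deck), the following Python helper scores a risk register with the ranking mechanism above and assigns the review frequency from the grid. The deck supplies Risk Rating = I * P * E on a 1-4 scale, the four band names, and one explicit grid cell (High impact, high probability & Low effectiveness needs quarterly review with real-time monitoring). Everything else is an assumption made here: E is scored as the gap the mitigation plan leaves (so a stronger control lowers the rating rather than raising it), the band floors 32/16/8, the collapse of the 1-4 scale to the grid's Low/Medium/High tiers, the cadences for the other cells, and the sample register entries, which are constructed.

```python
"""Risk-register scoring helper. Added illustration, not the deck's own tool.

Deck's rule: Risk Rating = I * P * E, each on a 1-4 scale, banded as
Very High / High / Medium / Low. Band floors, tiering, sample data and all
review cadences except the deck's explicit "High impact, high probability &
Low effectiveness -> quarterly review with real-time monitoring" cell are
assumptions made in this example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

SCALE = range(1, 5)  # 1..4, as on the slide

# E is scored as the *gap* left by the mitigation plan: 1 = strong, evidenced
# controls ... 4 = no effective mitigation. If E were scored with 4 meaning
# "very effective", a well-controlled risk would out-score an uncontrolled one,
# so the scale direction must be fixed before anyone fills in a register.

# Assumed band floors for the 1..64 product; the deck names the bands only.
BANDS = ((32, "Very High"), (16, "High"), (8, "Medium"), (1, "Low"))

# Assumed cadences keyed by the sum of the three Low(1)/Medium(2)/High(3) tiers.
CADENCE = {
    9: "quarterly review with real-time monitoring",  # the deck's explicit cell
    8: "quarterly review", 7: "quarterly review",
    6: "six-monthly review", 5: "six-monthly review",
    4: "annual review", 3: "annual review",
}


@dataclass(frozen=True)
class Risk:
    function: str
    description: str
    owner: str
    category: str        # one of the deck's categories, e.g. Operations, Compliance
    impact: int
    probability: int
    mitigation_gap: int  # the deck's E, scored as a gap (see above)

    def __post_init__(self) -> None:
        for name in ("impact", "probability", "mitigation_gap"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be on the 1-4 scale")

    @property
    def rating(self) -> int:
        return self.impact * self.probability * self.mitigation_gap

    @property
    def band(self) -> str:
        return next(label for floor, label in BANDS if self.rating >= floor)


def tier(score: int) -> int:
    """Collapse the 1-4 scale to the grid's Low/Medium/High tiers (assumed split)."""
    return 1 if score == 1 else 2 if score in (2, 3) else 3


def review_cadence(risk: Risk) -> str:
    return CADENCE[tier(risk.impact) + tier(risk.probability) + tier(risk.mitigation_gap)]


def prioritise(register: Iterable[Risk]) -> List[Risk]:
    """Highest rating first; ties broken by impact so a rare catastrophe outranks a frequent nuisance."""
    return sorted(register, key=lambda r: (r.rating, r.impact), reverse=True)


def summarise(register: Iterable[Risk]) -> List[Tuple[str, int, str, str]]:
    """(description, rating, band, cadence) rows in priority order: the report a steering committee reads."""
    return [(r.description, r.rating, r.band, review_cadence(r)) for r in prioritise(register)]


# Constructed sample register, loosely following the deck's case studies.
SAMPLE_REGISTER = [
    Risk("Facilities", "Fire suppression system not operational after Fire Department memo",
         "Head - Facilities", "Operations", impact=4, probability=4, mitigation_gap=4),
    Risk("Medical", "Transplant licence not transferred to the operator's name",
         "Clinical Director", "Compliance", impact=4, probability=2, mitigation_gap=2),
    Risk("Finance", "Revenue leakage from unbilled consumables",
         "CFO", "Financial & Reporting", impact=2, probability=4, mitigation_gap=3),
    Risk("IT", "Unpatched patient-records server",
         "Head - IT", "Technology", impact=3, probability=2, mitigation_gap=1),
]

if __name__ == "__main__":
    for row in summarise(SAMPLE_REGISTER):
        print("%-70s %3d  %-9s %s" % row)
```

The point worth carrying back to the register template: the product only ranks sensibly if every rater uses the same direction for E. Writing the scale definitions into the template (as the terminology slide does for Probability and Severity) is what stops one function scoring "4 = excellent control" while another scores "4 = no control".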

Possible Roadblocks

· Sub-committee oversight of specific risk areas such as credit risk, market risk, operational risk, and compliance risk.
· Clear expression of risk criteria.
· Loose linkage between business strategy and risk criteria.
· Lack of documentation on Policies and Procedures, and Roles and Responsibilities.
· Lack of a consistent approach to identifying and managing risks across the organization.
· Inadequate communication between Risk Takers and Risk Managers/facilitators.
· Inefficient support to the needs of robust Risk Management.

Way forward

• Final risk registers to be validated by the leadership team for probability of occurrence of risks, their impact, adequacy of mitigation plans & timelines and residual risk ratings

• 15 key risks to be identified by the leadership team and taken up for rigorous risk management. The owners of these risks to co-opt people from other departments and develop elaborate Risk Mitigation Strategy and Plans

• Mitigation progress of the 15 key risks to be reviewed in monthly leadership team meetings. CEO to chair these meetings

• Risk Polarization Survey to be conducted on a half-yearly basis

Thank You