April 2018 Board Meeting - Risk Management Information Report

Meeting Document Type
Information Report
Risk Management

Prepared By:

Dave Jansen, Performance Improvement & Accountability Coordinator (PIAC), Planning & Strategic Initiatives Department

Date:

March 19, 2018

Subject:

Risk Management

Background

In September 2017, a Risk Management Framework was presented to the Windsor-Essex County Board of Health along with a draft risk registry. In this framework, the Planning and Strategic Initiatives (PSI) Department was tasked to maintain the corporate risk registry and construct a plan for corporate risk reporting.

Current Initiatives

To begin the transition of risk management to PSI, the WECHU’s risk management framework was compared to the Association of Local Public Health Agencies’ (alPHa) three-phase implementation approach. This comparison highlighted the progress made to date and the actions necessary to develop risk preparedness. The alPHa documentation suggests that their approach should take approximately three years, with one year assigned to each phase. To summarize this comparison, the WECHU has completed most of the first phase actions, with some updates currently underway. The WECHU is now pursuing a number of items in the second phase, including the creation of a risk management review cycle, complete with key risk indicators, reporting mechanisms, and reporting timelines.       

The second phase of the implementation approach includes a structured and comprehensive risk registry. As such, the draft risk registry approved in September 2017 has been updated to allow for a more robust assessment of risk. Based on resources provided through alPHa, and using the Ontario Public Service Risk Framework, the risk registry was updated as follows:

Risk Identification

Many risks and their consequences were reshaped to better express the uncertainties each risk category brings. With these updates, the corporate risk registry was reduced to 29 risks.

Inherent Risk Assessment

This section still assesses the gross risk, or risk before controls. Each risk’s likelihood and impact are assessed on a scale of one to three, and the inherent risk score is a product of the two.

Controls

This section indicates the efforts we currently have in place to prevent, detect, or correct the risk.

Residual Risk Assessment

This new section measures exposure, that being the level of risk after evaluating the effectiveness of controls. If the control was preventative, the likelihood was reduced. If the controls are detective or corrective, the impact was reduced. The residual risk score is then the product of the two.

If that new score exceeds our risk tolerance or risk appetite, further mitigation actions were identified.

Risk Ownership

Each risk now identifies three separate ownership roles. First is the accountable person, who may approve or veto decisions regarding each risk. Second is the risk owner, who is responsible for the management of that risk. Third is the control owner, who ensures that the control strategies are appropriate and effective.

Risk Monitoring

This section will help monitor the status of risks and action plans, and measure the effectiveness of controls. Key Risk Indicators (KRI’s) will be developed in the near future along with specific timelines for each. Updates to the registry will be made using this data.

The following table provides two separate examples pulled from the updated risk registry.

Section

Subsection

Example A

Example B

Risk Identification

Risk ID

SDO1

F1

Risk

Program Planning. WECHU may be at risk of programs and services not being planned to address the needs of our community or public health requirements.

Funding. WECHU may be at risk that funding uncertainties will hamper the financial planning, monitoring, and decision making processes.

Consequences
  • Inability to meet the requirements of the Ontario Public Health Standards (2018).
  • Staff time and resources gathered through data collection and knowledge exchange wasted or not being used effectively.
  • Increased health disparity/inequity in Windsor-Essex.
  • Inability to satisfy the WECHU's objectives (Strategic and Operational).
  • Inability to meet the requirements of the OPHS.
  • Cost reduction measures (i.e. headcount reductions; prioritization of expenditures) and resulting impact on staff morale.
  • If late approval or approval in excess of budget, lost opportunities if the WECHU is unable to act on plans.
  • Organization’s reputation is at risk.

Inherent Risk Assessment

Likelihood (L)

2

3

Impact (I)

3

3

Score (L x I)

6

9

Controls

Control Type

Preventative & Corrective

Detective

Control Strategy
  • Annual Service Plan submitted to MOHLTC
  • WECHU Operational and Departmental Plans. 
  • Departmental and corporate planning support from Planning and Strategic Initiatives Department (PSI).
  • Monthly variance analysis comparing budget to actual financial results reviewed by Leadership Team (LT) and Board of Health (BoH).
  • Responsible budget process that balances finite resources with program/departmental priorities.
  • Identification of priorities (i.e. contract positions, operating expenditures) to be strategic with budget/planning reallocation when positive budget variances are realized.
  • Forecasting of expenditures on a quarterly basis (internal).

Residual Risk Assessment

Likelihood (L)

1

3

Impact (I)

2

2

Score (L x I)

2

6

Action Required
  • Continually review and update planning processes and procedures to meet changing public health requirements and organizational needs.
  • Expanded variance analysis to provide budget to actual, budget to forecast, and year-over-year variance analysis.
  • Evaluation of budget (process and quality).

 

Ownership

Accountable

CEO

CEO

 

Risk Owner

Director,

Knowledge Management

 

Director,

Corporate Services

Control Owner

Director,

Knowledge Management

Manager,

Accounting & Financial Reporting

Risk Monitoring

KRI’s

TBD

TBD

Reporting Period

TBD

TBD

The WECHU expects to begin the third phase of the risk management implementation approach by the end of the 2018, which will involve rolling out risk management to all operational levels.

Consultation:

The following individuals contributed to this report:

  • Lorie Gregg, Director, Corporate Services
  • Kristy McBeth, Director, Knowledge Management
  • Marc Frey, Manager, Planning & Strategic Initiatives

Approved by:

Theresa Marentette