PREPARED BY: Planning and Strategic Initiatives
DATE: December 5, 2024
SUBJECT: 2025 Organizational Risk Management Report
BACKGROUND/PURPOSE
The Ontario Public Standards requires the Board of Health to have a risk management framework in place that identifies, assesses, and addresses risks. The WECHU risk registry currently tracks 21 risks across 12 categories. Risk categories cover a diverse array of topics such as finances, security, service delivery, equity, technology, and privacy, for example.
Local Health Units are also expected to submit a list of corporate risks and mitigation strategies to the Ministry of Health (MOH) during Q3 Standards Activity Reporting.
DISCUSSION
For 2025, a comprehensive review of the WECHU organizational risk registry was conducted, engaging Control Owners who work in the areas of each risk daily over the course of two rounds of feedback. Their expert insights were instrumental in refining and updating the registry for the current year.
The Risk Registry review identified 17 risks scoring “high” before consideration of control and mitigation strategies, with 11 remaining “high” after mitigation measures were implemented.
The MOH requires reporting of highly ranked risks. The WECHU’s submission will include the following high-risk categories and types for 2025:
- Financial – Funding
- Financial – Fraud
- People/Human Resources - Talent Management
- People/Human Resources - Staff Engagement
- Privacy - Privacy Requirements
- Privacy - Privacy Breach
- Privacy - Records Management
- Security - Facilities
- Service Delivery/Operational - Planning Information and Evaluation
- Technology - Cyber-Security
- Technology - System Outages
Figure 1 lists all the risks and their residual risk levels for 2025.
Figure 1. Risks by risk levels for 2025
