Risk Category: Environmental
Risk Type: Disasters & Hazards
Risk Description: The WECHU may be at risk of epidemiological, natural, and anthropogenic disasters or hazards.
Consequences: Service delivery to residents of Windsor-Essex County is negatively impacted. Ability to mount a hazard specific response is negatively affected. Organization's reputation is at risk. Infrastructure, resources, and/or financial loss.
Controls: The WECHU works closely with community partners, the Province, and Federal agencies to monitor for emerging public health issues, emergency notification, and response. Continuity of Operations Plan (COOP). Emergency Response Plan (ERP). Respiratory Protection Policy. RAVE Alert System. Hazard Identification Risk Assessment (HIRA).
Final Ratings: Residual Impact (2) x Residual Likelihood (3) = Total Score (6). Risk Level is: Medium Risk
Risk Category: Equity
Risk Type: Health Disparity
Risk Description: The WECHU may be at risk that its programs and services do not address the health disparity among priority populations.
Consequences: Inability to meet the requirements of the Ontario Public Health Standards (2021). Increased health disparity among priority populations. Organization’s reputation is at risk. Misuse of public resources and funds (out of public health scope).
Controls: Capacity building and training to address health equity. Annual Service Plan completion that includes priority population identification. Quarterly review of Emerging Public Health Issues list and priority population focus in the Strategic Plan Health Equity E-Learning Module for internal staff training.
Final Ratings: Residual Impact (3) x Residual Likelihood (3) = Total Score (9). Risk Level is: Medium Risk
Risk Category: Financial
Risk Type: Funding
Risk Description: The WECHU may be at risk that funding uncertainties will hamper the financial planning, monitoring, and decision-making processes. Specifically, proposed changes to the funding will directly affect programmatic decision making and operations in 2025 and going forward.
Consequences: Inability to satisfy the WECHU's objectives (Refreshed, Strategic and Operational Plans). Inability to meet the requirements of the Ontario Public Health Standards (2021). Cost reduction measures (i.e. headcount reductions; prioritization of expenditures; staff secondments) and resulting impact on staff morale, competency, and productivity. If late approval or approval in excess of budget, lost opportunities if the WECHU is unable to act on plans. Organization’s reputation is at risk.
Controls: Quarterly variance analysis comparing budget to actual financial results reviewed by Leadership Team (LT) on a monthly basis and Board of Health (BoH). Responsible budget process that balances finite resources with program/departmental priorities. Identification of priorities (i.e., contract positions, operating expenditures) to be strategic with budget/planning reallocation when positive budget variances are realized. Forecasting of expenditures on a quarterly basis. Program review, evaluation, and rating.
Final Ratings: Residual Impact (4) x Residual Likelihood (4) = Total Score (16). Risk Level is: High Risk
Risk Category: Financial
Risk Type: Procurement
Risk Description: The WECHU may be at risk that the procurement process is inefficient and ineffective and prone to fraud and errors.
Consequences: Organization’s reputation is at risk. Ineffective use of the WECHU resources. Financial loss.
Controls: The WECHU Procurement Policy and audit procedures. The WECHU planning process including: Budget by program and department. Additional guidance available through use of Broader Public Sector Procurement Directives and other relevant legislation over procurement (e.g., Canadian Free Trade Agreement (CFTA)). Conduct annual needs analysis by department to properly forecast resource needs and consider supply chain risks. Enhance relationships with suppliers with periodic contract reviews.
Final Ratings: Residual Impact (3) x Residual Likelihood (3) = Total Score (9). Risk Level is: Medium Risk
Risk Category: Financial
Risk Type: Fraud
Risk Description: The WECHU may be at risk financial loss or material reputational loss resulting from fraudulent actions
Consequences: Organization’s reputation is at risk. Ineffective use of the WECHU resources.
Controls: The WECHU Board of Health Financial and Asset Management By-law. WECHU Finance Policies including: i) Procurement Policy; ii) Financial Reporting Policy; iii) Travel Expense Policy; iv) Cash Management Policy; v) Asset Management Policy. Quarterly variance analysis comparing budget to actual financial results. Other financial controls including: Review and approval of documentation in support of expense submissions (i.e. permission to attend forms; mileage and overtime submission; expense forms and cheque requisitions). Month-end and year-end financial reporting process including preparation and review of financial information. Additional review requirements are noted in the Financial Reporting Process Document. From a human resources perspective, appropriate practices over hiring including checking credentials and reference checks as well as other policies (i.e., nepotism policy, vacations). Annual sign off of WECHU Code of Conduct. Third party audits.
Final Ratings: Residual Impact (3) x Residual Likelihood (4) = Total Score (12). Risk Level is: High Risk
Risk Category: Governance/Organizational
Risk Type: Board of Health Competence
Risk Description: The WECHU may be at risk as the BoH members, individually or collectively, may not have the required competencies for effective Board Governance.
Consequences: Governance may be ineffective if BoH members do not have the knowledge, skills, and/or ability to govern well. Disunity of vision, mission, and/or values. Decisions could be made that are not in line with the evidence informed decision making process. Organization’s reputation is at risk.
Controls: The WECHU and BoH Chair only supports competent, representative of the community, and known BoH provincial candidates for Secretariat consideration by the Ministry of Health. The WECHU BoH Annual Competency Based Self-Assessment and New member orientation. The WECHU BoH Education Sessions and Professional Development opportunities to improve Board Competencies (i.e. alPHa meetings/training).
Final Ratings: Residual Impact (2) x Residual Likelihood (3) = Total Score (6). Risk Level is: Medium Risk
Risk Category: Legal/Compliance
Risk Type: Compliance
Risk Description: The WECHU may be at risk of not achieving full compliance with the many and varied obligations imposed by statues and regulations.
Consequences: Organization's reputation is at risk. Financial loss, including penalties or fines levied under Provincial Regulations.
Controls: Regular review of statutes & regulations that affect compliance. Policies and procedures. Access to legal consultation. Privacy Impact Assessments & Audit.
Final Ratings: Residual Impact (2) x Residual Likelihood (2) = Total Score (4). Risk Level is: Low Risk
Risk Category: Legal/Compliance
Risk Type: Litigation
Risk Description: The WECHU may be at risk of litigation (e.g., because of privacy breach, TVEO or Health Inspection activities, Provincial Offence Enforcement, and labour related matters).
Consequences: Organization's reputation is at risk. Financial Loss.
Controls: Regular review of statutes & regulations that affect compliance. Develop and implement a matrix that governs all channels of legal communications within the organization. Policies and procedures. Access to legal consultation. Privacy Impact Assessments & Auditing Policy & Procedure.
Final Ratings: Residual Impact (3) x Residual Likelihood (3) = Total Score (9). Risk Level is: Medium Risk
Risk Category: People/Human Resources
Risk Type: Work Disruption
Risk Description: The WECHU’s operations may be at risk during an extended work stoppage or absenteeism involving either internal labour groups or by external labour groups from organizations co-located with the WECHU. Inadequate staffing levels due to illness or isolation requirements. Impacts of a disease outbreak in areas such as absenteeism, return-to-work issues, employee communications, and employee benefits.
Consequences: Public Health Service delivery to residents of Windsor and Essex County is negatively impacted. Inward delivery of goods and services may be impeded.
Controls: Canadian Union of Public Employees (CUPE) and Ontario Nurses Association (ONA) Contingency Plans. Management Policy and Procedure. Maintain good communication for labour relations (monthly meetings). Contingency Plans.
Final Ratings: Residual Impact (4) x Residual Likelihood (2) = Total Score (8). Risk Level is: Medium Risk
Risk Category: People/Human Resources
Risk Type: Talent Management
Risk Description: The WECHU may be at risk that the organization is unable to attract, retain, and/or develop the appropriate human resources. Changes in provincial direction may place the WECHU at risk of having difficulty filling with competent and qualified staff long-term.
Consequences: Inability to satisfy the WECHU's own objectives and/or emerging public health needs. The WECHU staff may be unable to fulfill role responsibilities. Inability to meet the requirements of the Ontario Public Health Standards (2021). Service delivery to residents of Windsor and Essex County is negatively impacted. Overreliance on other WECHU staff that have necessary competencies to satisfy requirements. Organization’s reputation is at risk.
Controls: Probationary performance appraisal process (30/60/90) and Annual Performance Appraisals. Hiring practices including: 1. Review of resumes 2. Reference checks 3. Credential review 4. Hiring matrices (to promote consistent hiring practices) Professional development policies, or more specifically, the Leadership Professional Development Policy. Leadership Development series for current and key identified individuals with future capacity for management and senior management roles. Incorporated into WECHU’s Strategic Plan as organization development priority. Promotion of compensation packages and work-life balance to potential candidates. Incorporated into the WECHU’s Strategic Plan as Organizational Development priority.
Final Ratings: Residual Impact (4) x Residual Likelihood (5) = Total Score (20). Risk Level is: High Risk
Risk Category: People/Human Resources
Risk Type: Staff Engagement
Risk Description: The WECHU may be at risk related to varying levels of staff engagement in the work of the organization. The WECHU is at risk of staff disengagement in work functions.
Consequences: Negative impact on employee morale, innovation, and productivity. Overreliance on highly engaged staff. Increase in absenteeism and or turnover.
Controls: Hybrid work policy. Employee Assistance programs to support a healthy work-life balance (FSEAP). Other internal communication mechanisms (i.e. emails to all staff; all-staff meetings, Intranet postings including new hire introduction). Periodic employee acknowledgement and appreciation efforts (i.e., Annual Service Awards). Mental health training for all staff. Space assessment plan. ED&I Committee. Performance management. Labour Management Committee. Nursing Practice Council.
Final Ratings: Residual Impact (3) x Residual Likelihood (4) = Total Score (12). Risk Level is: High Risk
Risk Category: Political
Risk Type: External Influence and Expectations
Risk Description: The WECHU may be at risk of uncertainty around managing the expectations and obligations of the public, ministries, stakeholders, municipalities and/or the media to prevent disruption of service or criticism of Public Health and a negative public image. The WECHU may be at risk because municipal policy decisions affect our ability to carry out our work effectively.
Consequences: Lack of community and /or partner awareness and decreased willingness to collaborate. Inability to meet the requirements of the Ontario Public Health Standards (2021).
Controls: The WECHU works closely with partners, including Ontario Health Team Steering Committee and Locally Driven Priority Health Funding Committee, to manage obligations & expectations. Implementation of the strategic plan and Annual Service Plan, and its associated objectives. Media training for Management. Generating a partnership/collaboration profile for each Program and monitoring the strategy.
Final Ratings: Residual Impact (3) x Residual Likelihood (3) = Total Score (9). Risk Level is: Medium Risk
Risk Category: Privacy
Risk Type: Privacy Requirements
Risk Description: The WECHU may be at risk for non-compliance with its privacy requirements, including legislation and data sharing agreements.
Consequences: Litigation risk. Organization’s reputation is at risk. Financial loss.
Controls: Staying abreast of privacy legislation and legal precedent. Privacy policies and procedures (e.g., client consent, MFIPPA and PHIPPA request procedure). Corporate privacy training modules. Privacy impact assessments (PIA). Annual report to Information Privacy Commission.
Final Ratings: Residual Impact (4) x Residual Likelihood (3) = Total Score (12). Risk Level is: High Risk
Risk Category: Privacy
Risk Type: Privacy Breach
Risk Description: The WECHU may be at risk of inappropriate collection, use, or disclosure of personal health information
Consequences: Litigation risk. Organization's reputation is at risk. Non-compliance with data sharing agreements (reduced access to required information). Clients’ personal health information is inappropriately shared.
Controls: Auditing the WECHU databases that hold personal health information (currently limited). Privacy policies and procedures (e.g., privacy breach incident report) Corporate privacy training modules. Reviewing and conducting Privacy Impact Assessments for processes/systems that hold PI/PHI. Technical automation (print restrictions, segmenting M-Files access by department, VPN).
Final Ratings: Residual Impact (4) x Residual Likelihood (3) = Total Score (12). Risk Level is: High Risk
Risk Category: Privacy
Risk Type: Records Management
Risk Description: The WECHU may be at risk for non-compliance with retention and destruction schedules for all the WECHU documentation.
Consequences: Litigation risk. Organization’s reputation is at risk. Financial loss.
Controls: Document retention policies and destruction schedule. Records Management policies and procedures. Secure offsite document storage. Quarterly reporting.
Final Ratings: Residual Impact (3) x Residual Likelihood (5) = Total Score (15). Risk Level is: High Risk
Risk Category: Security
Risk Type: Workplace
Risk Description: The WECHU staff may be at risk as their health and safety (physical and mental) may be compromised through workplace violence.
Consequences: Injury or illness (physical/mental) to the WECHU staff and/or clients. Organization’s reputation is at risk. Service delivery to residents of Windsor and Essex County is negatively impacted. Financial loss including lost time within the organization.
Controls: Incident reporting policy and procedure, including following up on next steps. Health and safety policies and procedures (including hazard assessment) in adherence to Occupational Health Safety Act.. Ergonomic Assessments. Workplace Hazard Assessment. The WECHU Code of Conduct. Employee Assistance Program (FSEAP). Workplace Hazardous Materials Information System Training.
Final Ratings: Residual Impact (3) x Residual Likelihood (2) = Total Score (6). Risk Level is: Medium Risk
Risk Category: Security
Risk Type: Facilities
Risk Description: The WECHU properties may be at risk that the security or physical structure of its offices are damaged or compromised by theft or public demonstrations relating to public health programming and guidance.
Consequences: Negative impact on staff productivity. Service delivery to residents of Windsor and Essex County is negatively impacted. Injury (physical/mental) to the WECHU staff and/or visitors Financial loss.
Controls: Develop facility safety plan with Windsor Police Association. Health and safety inspections (all sites) and training. Incident reporting policy and procedure and service request ticketing. Maintenance agreements for preventative, detective and corrective maintenance of building systems Building systems including surveillance cameras, intrusion and fire detection alarms; secure access (cards), etc. Property Insurance. On-site security during hours of operations as appropriate. Actively communicate with Emergency Services when there is a risk of protest or incident. Internal communication systems including facility paging system, panic buttons, overhead speaker announcements, Facilities Notices and RAVE emergency management system. Card access security systems updated regularly.
Final Ratings: Residual Impact (3) x Residual Likelihood (4) = Total Score (12). Risk Level is: High Risk
Risk Category: Service Delivery/Operational
Risk Type: Planning Information and Evaluation
Risk Description: Human Health Resources (HHR) and capacity constraints and/or inability to access/collect information/data resources to inform program planning/operations.
Consequences: Programs and services that do not align with the highest needs of the community Inability to meet the requirements of the Ontario Public Health Standards Inability to address local emerging public health concerns (e.g., secondary impacts of COVID-19 on local health outcomes) Increased health disparity/inequity in Windsor and Essex health outcomes The organization’s reputation is at risk
Controls: The development of annual WECHU Operational and Departmental Plans supported by Planning and Strategic Initiatives Department. Objectives and indicators of programs and interventions listed in Annual Service Plan submitted to Ministry of Health. Agency reorganization to manage 2025 OPHS changes.
Final Ratings: Residual Impact (3) x Residual Likelihood (4) = Total Score (12). Risk Level is: High Risk
Risk Category: Strategic/Policy
Risk Type: Strategic Priorities
Risk Description: The WECHU may be at risk of not accomplishing its refreshed strategic priorities.
Consequences: Organization’s reputation is at risk. Service delivery to residents of Windsor - Essex County is negatively impacted. Inability to meet the requirements of the Ontario Public Health Standards (2021).
Controls: Implementation of 2022-2025 Strategic Plan and quarterly progress reporting. Completion and reporting on the Annual Service Plan. Monitoring and review of changes to legislation, protocols, guidelines. Annual review and update of key policies and procedures. Steering committee is being formed for development of next Strategic Priority Plan to be implemented on Jan 1, 2026.
Final Ratings: Residual Impact (1) x Residual Likelihood (2) = Total Score (2). Risk Level is: Low Risk
Risk Category: Technology
Risk Type: Cyber-Security
Risk Description: The WECHU may be at risk of exposure or loss resulting from a cyberattack or data breach.
Consequences: Service delivery to residents of Windsor and Essex County is negatively impacted. Data, Information Technology Systems, and applications are compromised resulting in loss of data and misuse of PHI. Organization’s reputation is at risk. Financial loss.
Controls: Cyber Security Awareness Program and Annual Training Updating Information Technology Policies and Procedures including: i) Electronic Equipment use; ii) Internet and E-mail Use; Layered Security approach (i.e., intrusion detection system; firewall; antimalware; antivirus; two-factor authentication; operating system). Phishing campaigns and monthly training. Penetration testing (November) Cyber Insurance Coverage
Final Ratings: Residual Impact (4) x Residual Likelihood (4) = Total Score (16). Risk Level is: High Risk
Risk Category: Technology
Risk Type: System Outages
Risk Description: The WECHU may be at risk of system(s) outages without the presence of a formal disaster recovery plan. The WECHU may be at risk of information technology related disaster and/or ineffectual disaster response processes.
Consequences: Loss of productivity, communication channels, and business continuity. Loss of client information or operational data. Organization’s reputation is at risk. Financial loss.
Controls: System redundancies are in place for critical servers. Power redundancies are also in place in each facility. All WECHU staff are assigned information technology hardware with battery back-up. Technical recovery plans are in place, including redundant storage and cloud back up. Server/Network/Data redundancies are in place.
Final Ratings: Residual Impact (4) x Residual Likelihood (4) = Total Score (16). Risk Level is: High Risk