09152016 - Regulators Managing Risk...Regulators Managing Risk – Why, What, and How? Council on Licensure, Enforcement and Regulation 2016Annual Educational Conference 2 Portland,

Regulators Managing Risk – Why, What, andHow?

Council on Licensure, Enforcementand Regulation 2016 Annual Educational Conference 1

Portland, OregonSeptember 15, 2016

Risk Management forRegulators

Rebecca Durcan and Deanna Williams

Agenda

1. Explaining Risk Management concepts

2. Applying Risk Management as a Regulator

Part 1 - Overview

What is risk management?

Key concepts




Application of Risk Management

Two Main Areas:

1. Organizational Level

2. Individual Decisions / Policies / Processes(E.g., how should we process complaints?)

Enterprise Risk Management (ERM)

Three Main Features:

1. Look at risk throughout the entire organization(E.g., not just risks that can be insured)

2. Look at inter-relationship of risk(E.g., implications on complaints if languagefluency requirements are changed)

3. Look at (pure) negative & (speculative) positive risk(E.g., opportunities that can arise with a decision)

Fad or Trend?

• New emphasis, but have always done it, in part– E.g., insurance– E.g., IT measures– E.g., audit requirements– E.g., occupational health and safety requirements– E.g., human resources– E.g., getting a legal opinion

• But now is intentional and systematic• Likely here to stay




Consider…

Consider applying the following concepts to:

• Your entire organization– Communicate existence in easy to understand

language

• Your complaints process– Diversion?

• Your CE Program– Re-evaluate criteria and eligibility?

Risk to What? – Regulator’s Goals

Need to identify goals of the regulator:• Protect the public / serve the public• Reputation

Risk Management Cycle

IdentifyRisk

AssessRisk

TreatRisk

Monitor& Review




Risk Sources / Categories

Hazard Operational

Financial Strategic

Identifying Risks - Techniques

• Begin with a scan

• Already doing this to some degree– Media reports– Umbrella organizations– Newsletters / court cases– What is happening to other regulators– Conferences like CLEAR– The lunch circuit

Identifying Risks - Techniques

• Checklists• Interviews and workshops• Process flow analysis• Team approaches

– SWOT

• Document analysis• Inspections• Expertise within and external to organization

– Delphi Technique




Identifying Risks - Hazard

• Fire and property damage• Storms and other natural perils• Theft / Crime• Personal injury• Business interruption• Disease and disability• Liability claims

Identifying Risks - Operational• People

– E.g., errors and dishonesty– E.g., succession issues– E.g., rogue Board, committee or staff person

• Processes, procedures and practices– E.g., departing from registration or complaints

policies

• Systems– E.g., technology and equipment

• External events affecting operations– E.g., utility failure, software changes, loss of supplier

Identifying Risks - Financial

• Liquidity risks

• Market risk on investments

• Price risk for products and services you buy or sell(E.g., economy / Statutory authority says youcannot raise your registration fees)




Identifying Risks - Strategic

• Economic environment (e.g., recession)• Demographics (e.g., aging profession &

population)• Regulatory environment

– Human rights, workplace violence, accessibility,anti-spam

• Political / media / reputation– “Secrecy” or “Failure to act” stories in the media– Prominent regulatory failure

Assess Risk

Assess Risk

Quantitative and Qualitative

• Quantitative– E.g., calls for clarification for registration process– E.g., recidivism rates based on various criteria

• Qualitative– Informed opinion as to where it fits– Beware of risk misperception issues




Risk Treatment

Avoid

Modify

Transfer

Retain

Exploit

Risk Treatment

• Why?– To assist organization in meeting objectives

• May not necessarily eliminate risk – but if risk istolerable?

• May involve combination of avoidance,modification, transfer, retaining and/or exploiting

Implementation, Monitoring and Revision

• Written plan– Comprehensiveness is the key (i.e., covering all types

of risks)

• Communications strategy• Internal controls, internal monitoring, risk

assurance, management monitoring and reporting• Consider new information• Look for emerging risks• Repeat assessment and treatment stages as well




Who Does It?

Everyone, but with different roles• Board: policy decision, support and oversight• CEO / ED / Registrar: directs and supports it• Champion: does most of work

– In smaller organizations may be CEO / ED / Registrar

• Managers: provide data, participate, supervises• Staff: provide data, participate, implement

Project Risk Management• Risk management principles can be applied to

individual decisions / projects– E.g., significant regulations, policies, standards,

guidelines– E.g., operational initiatives, such as going paperless– E.g., review of an activity (e.g., complaints,

inspections)

• Same general process– Identification Assessment Treatment

Monitoring / Revising

Conclusion• Risk management is an important tool for

regulators• Risks of risk management

– Risk aversion– Excuse for Board to interfere in operations

• It must be integrated into the entire organizationincluding strategic planning, governance,management, legal, compliance, humanresources, information technology and operations

• Do not overlook positive risk (opportunities)




Regulatory Risk- The PublicPerspective

In the world of professional and occupationalregulation…

Public perspective drives (or should drive):•what we do•how we do it•a new way of approaching the notion of RISK

Not Paying Proper Attention

Puts both regulators andthe public we protectat risk.

What Constitutes Risk?

• Every action, decision and direction wetake that affect our ability to:

– Do the ‘right’ things and

– Do them ‘right’




Where Are the Risks?

• Risk exists in 3 primary areas:

– Operational

– Regulatory

– Reputational

Operational Risk

• Your place

• Your capacity

• Your governance

• Your controls

• Your ability to react

Regulatory Risk

• How effective are we at protecting thepublic our registrants serve through whatwe do?




Reputational Risk

• We each have the reputation we deserve

• It takes continuous ‘good’ decisions andactions to build a reputation

• It takes one very bad one to destroy it

Mitigate Reputational Risk by:

• Aligning all actions and decisions withpublic interest mandate

• Taking consistent and appropriate actions

• Embracing transparency

Considerations

• We regulate to reduce potential for risk

• How are risks to ‘your’ public identified?

• Are our requirements ‘right’ and arethey effective in protecting the public?

• What do we do to make sure?




• Several examples serve as cautionarytales…

– Nursing home fire, L’Isle Verte, Quebec inJanuary 2014 (32 dead) The Gazette

– Sea World Entertainment, 2011 “A Whale ofA Problem” The WSJ

“28 dead, 4 missing in nursing home fire”The Gazette, January 23, 2014

• But…

– Night staff requirements unrealistic

– Approved Fire Plan did not address ability forfull evacuation

– Firefighters could not evacuate in time

– Sprinklers in place were no match for old,wooden structure

Requirements Were in Place




• Fire, other emergencies

• Physical harm/abuse and falls

• Confidentiality breaches; financial abuse

• Medication errors

• Ongoing maintenance issues

• Poor inter-professionalcollaboration/care

Potential Areas of Risk?

• Are residents or their families involved inidentifying or validating identified areasof risk?

• In most instances, it is the regulator andthe regulated industry itself whoidentifies areas of potential risk ( ie. SeaWorld)

In this example• Fire drills were only held during day when

full staff in place, residents were up

• Sprinklers only required in every room forbuildings more than 3 stories high

• Maintenance issues often overseen byother regulatory agencies or ‘delegatedauthorities” with no obligation to report




What about Delegated Authority andRisk?

• A Regulator must be able to be accountfor all it is held accountable for

• But, in retirement home industry:

– Elevators (TSSA)

– Boilers, Furnaces (ESA)

– Food Services, Infection control (PublicHealth)

– Fire and Evacuation Plans (Fire Marshall)

– Medication Provision/Admin (Phms, RNs)

– Non-accountable Personnel? (PSWs, others?)

– When does a regulator know or need to knowidentified issues of concern exist about oneof their licencees/registrants?

Sea World

• Standards were set by the industry thatthen regulated itself against same

• Staff posed as animal-rights activists

• Trainers were exposed to recognizedhazards

• Failure to comply with s 5(a)(i) of OHSA




• Standards and requirements must bealigned with areas of identified risks tothe public, and not the industry’sidentified best interests

As Regulators

• We cannot guarantee nothing bad willever happen

• We can assure that we have the rightprocesses in place to identify andmitigate risks, and to take swift andappropriate actions when necessary

Asking the Right Questions• Why are we here?

• What are potential risks to the publicserved by our registrants?

• How do we use our regulatory powers toeffectively mitigate these? (facilityinspections, quality assurance measures)

• How do we ensure we ‘hit the rightmark’?




• What role should registrants and thepublic have in identifying risk?

• Do we collect and use current andemerging data/stats to inform standardsand changes?

• Are we collecting the right informationand from the right sources?

Mitigating Potential for Risk• Ask for/ collect the right information

• Verify self-reported or incomplete info

• Place emphasis on areas of greatest risk tothe public

• Ensure proper lines of accountability

• Align inspection/assessment criteria withareas of identified risk

• Make revisions as new evidence emerges

Summary• Regulation is a privilege that can and has

been lost

• Have risk on your radar; avoid gettingbogged down in it

• Regulatory Risk is mitigated when we areeffective at protecting the public throughour regulatory processes, decisions andactions.




Questions

Speaker Contact InformationRebecca Durcan, Partner, Certified Risk ManagerSteinecke Maciura [email protected]

@SMLLawTorontoBlog: sml-law.com/blog-regulation-pro/

Deanna L. Williams, PresidentDundee Consulting Group [email protected]

Documents

09152016 - Regulators Managing Risk...Regulators Managing Risk – Why, What, and How? Council on Licensure, Enforcement and Regulation 2016Annual Educational Conference 2 Portland,