Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
Regulators Managing Risk – Why, What, andHow?
Council on Licensure, Enforcementand Regulation 2016 Annual Educational Conference 1
Portland, OregonSeptember 15, 2016
Risk Management forRegulators
Rebecca Durcan and Deanna Williams
Agenda
1. Explaining Risk Management concepts
2. Applying Risk Management as a Regulator
Part 1 - Overview
What is risk management?
Key concepts
Regulators Managing Risk – Why, What, andHow?
Council on Licensure, Enforcementand Regulation 2016 Annual Educational Conference 2
Portland, OregonSeptember 15, 2016
Application of Risk Management
Two Main Areas:
1. Organizational Level
2. Individual Decisions / Policies / Processes(E.g., how should we process complaints?)
Enterprise Risk Management (ERM)
Three Main Features:
1. Look at risk throughout the entire organization(E.g., not just risks that can be insured)
2. Look at inter-relationship of risk(E.g., implications on complaints if languagefluency requirements are changed)
3. Look at (pure) negative & (speculative) positive risk(E.g., opportunities that can arise with a decision)
Fad or Trend?
• New emphasis, but have always done it, in part– E.g., insurance– E.g., IT measures– E.g., audit requirements– E.g., occupational health and safety requirements– E.g., human resources– E.g., getting a legal opinion
• But now is intentional and systematic• Likely here to stay
Regulators Managing Risk – Why, What, andHow?
Council on Licensure, Enforcementand Regulation 2016 Annual Educational Conference 3
Portland, OregonSeptember 15, 2016
Consider…
Consider applying the following concepts to:
• Your entire organization– Communicate existence in easy to understand
language
• Your complaints process– Diversion?
• Your CE Program– Re-evaluate criteria and eligibility?
Risk to What? – Regulator’s Goals
Need to identify goals of the regulator:• Protect the public / serve the public• Reputation
Risk Management Cycle
IdentifyRisk
AssessRisk
TreatRisk
Monitor& Review
Regulators Managing Risk – Why, What, andHow?
Council on Licensure, Enforcementand Regulation 2016 Annual Educational Conference 4
Portland, OregonSeptember 15, 2016
Risk Sources / Categories
Hazard Operational
Financial Strategic
Identifying Risks - Techniques
• Begin with a scan
• Already doing this to some degree– Media reports– Umbrella organizations– Newsletters / court cases– What is happening to other regulators– Conferences like CLEAR– The lunch circuit
Identifying Risks - Techniques
• Checklists• Interviews and workshops• Process flow analysis• Team approaches
– SWOT
• Document analysis• Inspections• Expertise within and external to organization
– Delphi Technique
Regulators Managing Risk – Why, What, andHow?
Council on Licensure, Enforcementand Regulation 2016 Annual Educational Conference 5
Portland, OregonSeptember 15, 2016
Identifying Risks - Hazard
• Fire and property damage• Storms and other natural perils• Theft / Crime• Personal injury• Business interruption• Disease and disability• Liability claims
Identifying Risks - Operational• People
– E.g., errors and dishonesty– E.g., succession issues– E.g., rogue Board, committee or staff person
• Processes, procedures and practices– E.g., departing from registration or complaints
policies
• Systems– E.g., technology and equipment
• External events affecting operations– E.g., utility failure, software changes, loss of supplier
Identifying Risks - Financial
• Liquidity risks
• Market risk on investments
• Price risk for products and services you buy or sell(E.g., economy / Statutory authority says youcannot raise your registration fees)
Regulators Managing Risk – Why, What, andHow?
Council on Licensure, Enforcementand Regulation 2016 Annual Educational Conference 6
Portland, OregonSeptember 15, 2016
Identifying Risks - Strategic
• Economic environment (e.g., recession)• Demographics (e.g., aging profession &
population)• Regulatory environment
– Human rights, workplace violence, accessibility,anti-spam
• Political / media / reputation– “Secrecy” or “Failure to act” stories in the media– Prominent regulatory failure
Assess Risk
Assess Risk
Quantitative and Qualitative
• Quantitative– E.g., calls for clarification for registration process– E.g., recidivism rates based on various criteria
• Qualitative– Informed opinion as to where it fits– Beware of risk misperception issues
Regulators Managing Risk – Why, What, andHow?
Council on Licensure, Enforcementand Regulation 2016 Annual Educational Conference 7
Portland, OregonSeptember 15, 2016
Risk Treatment
Avoid
Modify
Transfer
Retain
Exploit
Risk Treatment
• Why?– To assist organization in meeting objectives
• May not necessarily eliminate risk – but if risk istolerable?
• May involve combination of avoidance,modification, transfer, retaining and/or exploiting
Implementation, Monitoring and Revision
• Written plan– Comprehensiveness is the key (i.e., covering all types
of risks)
• Communications strategy• Internal controls, internal monitoring, risk
assurance, management monitoring and reporting• Consider new information• Look for emerging risks• Repeat assessment and treatment stages as well
Regulators Managing Risk – Why, What, andHow?
Council on Licensure, Enforcementand Regulation 2016 Annual Educational Conference 8
Portland, OregonSeptember 15, 2016
Who Does It?
Everyone, but with different roles• Board: policy decision, support and oversight• CEO / ED / Registrar: directs and supports it• Champion: does most of work
– In smaller organizations may be CEO / ED / Registrar
• Managers: provide data, participate, supervises• Staff: provide data, participate, implement
Project Risk Management• Risk management principles can be applied to
individual decisions / projects– E.g., significant regulations, policies, standards,
guidelines– E.g., operational initiatives, such as going paperless– E.g., review of an activity (e.g., complaints,
inspections)
• Same general process– Identification Assessment Treatment
Monitoring / Revising
Conclusion• Risk management is an important tool for
regulators• Risks of risk management
– Risk aversion– Excuse for Board to interfere in operations
• It must be integrated into the entire organizationincluding strategic planning, governance,management, legal, compliance, humanresources, information technology and operations
• Do not overlook positive risk (opportunities)
Regulators Managing Risk – Why, What, andHow?
Council on Licensure, Enforcementand Regulation 2016 Annual Educational Conference 9
Portland, OregonSeptember 15, 2016
Regulatory Risk- The PublicPerspective
In the world of professional and occupationalregulation…
Public perspective drives (or should drive):•what we do•how we do it•a new way of approaching the notion of RISK
Not Paying Proper Attention
Puts both regulators andthe public we protectat risk.
What Constitutes Risk?
• Every action, decision and direction wetake that affect our ability to:
– Do the ‘right’ things and
– Do them ‘right’
Regulators Managing Risk – Why, What, andHow?
Council on Licensure, Enforcementand Regulation 2016 Annual Educational Conference 10
Portland, OregonSeptember 15, 2016
Where Are the Risks?
• Risk exists in 3 primary areas:
– Operational
– Regulatory
– Reputational
Operational Risk
• Your place
• Your capacity
• Your governance
• Your controls
• Your ability to react
Regulatory Risk
• How effective are we at protecting thepublic our registrants serve through whatwe do?
Regulators Managing Risk – Why, What, andHow?
Council on Licensure, Enforcementand Regulation 2016 Annual Educational Conference 11
Portland, OregonSeptember 15, 2016
Reputational Risk
• We each have the reputation we deserve
• It takes continuous ‘good’ decisions andactions to build a reputation
• It takes one very bad one to destroy it
Mitigate Reputational Risk by:
• Aligning all actions and decisions withpublic interest mandate
• Taking consistent and appropriate actions
• Embracing transparency
Considerations
• We regulate to reduce potential for risk
• How are risks to ‘your’ public identified?
• Are our requirements ‘right’ and arethey effective in protecting the public?
• What do we do to make sure?
Regulators Managing Risk – Why, What, andHow?
Council on Licensure, Enforcementand Regulation 2016 Annual Educational Conference 12
Portland, OregonSeptember 15, 2016
• Several examples serve as cautionarytales…
– Nursing home fire, L’Isle Verte, Quebec inJanuary 2014 (32 dead) The Gazette
– Sea World Entertainment, 2011 “A Whale ofA Problem” The WSJ
“28 dead, 4 missing in nursing home fire”The Gazette, January 23, 2014
• But…
– Night staff requirements unrealistic
– Approved Fire Plan did not address ability forfull evacuation
– Firefighters could not evacuate in time
– Sprinklers in place were no match for old,wooden structure
Requirements Were in Place
Regulators Managing Risk – Why, What, andHow?
Council on Licensure, Enforcementand Regulation 2016 Annual Educational Conference 13
Portland, OregonSeptember 15, 2016
• Fire, other emergencies
• Physical harm/abuse and falls
• Confidentiality breaches; financial abuse
• Medication errors
• Ongoing maintenance issues
• Poor inter-professionalcollaboration/care
Potential Areas of Risk?
• Are residents or their families involved inidentifying or validating identified areasof risk?
• In most instances, it is the regulator andthe regulated industry itself whoidentifies areas of potential risk ( ie. SeaWorld)
In this example• Fire drills were only held during day when
full staff in place, residents were up
• Sprinklers only required in every room forbuildings more than 3 stories high
• Maintenance issues often overseen byother regulatory agencies or ‘delegatedauthorities” with no obligation to report
Regulators Managing Risk – Why, What, andHow?
Council on Licensure, Enforcementand Regulation 2016 Annual Educational Conference 14
Portland, OregonSeptember 15, 2016
What about Delegated Authority andRisk?
• A Regulator must be able to be accountfor all it is held accountable for
• But, in retirement home industry:
– Elevators (TSSA)
– Boilers, Furnaces (ESA)
– Food Services, Infection control (PublicHealth)
– Fire and Evacuation Plans (Fire Marshall)
– Medication Provision/Admin (Phms, RNs)
– Non-accountable Personnel? (PSWs, others?)
– When does a regulator know or need to knowidentified issues of concern exist about oneof their licencees/registrants?
Sea World
• Standards were set by the industry thatthen regulated itself against same
• Staff posed as animal-rights activists
• Trainers were exposed to recognizedhazards
• Failure to comply with s 5(a)(i) of OHSA
Regulators Managing Risk – Why, What, andHow?
Council on Licensure, Enforcementand Regulation 2016 Annual Educational Conference 15
Portland, OregonSeptember 15, 2016
• Standards and requirements must bealigned with areas of identified risks tothe public, and not the industry’sidentified best interests
As Regulators
• We cannot guarantee nothing bad willever happen
• We can assure that we have the rightprocesses in place to identify andmitigate risks, and to take swift andappropriate actions when necessary
Asking the Right Questions• Why are we here?
• What are potential risks to the publicserved by our registrants?
• How do we use our regulatory powers toeffectively mitigate these? (facilityinspections, quality assurance measures)
• How do we ensure we ‘hit the rightmark’?
Regulators Managing Risk – Why, What, andHow?
Council on Licensure, Enforcementand Regulation 2016 Annual Educational Conference 16
Portland, OregonSeptember 15, 2016
• What role should registrants and thepublic have in identifying risk?
• Do we collect and use current andemerging data/stats to inform standardsand changes?
• Are we collecting the right informationand from the right sources?
Mitigating Potential for Risk• Ask for/ collect the right information
• Verify self-reported or incomplete info
• Place emphasis on areas of greatest risk tothe public
• Ensure proper lines of accountability
• Align inspection/assessment criteria withareas of identified risk
• Make revisions as new evidence emerges
Summary• Regulation is a privilege that can and has
been lost
• Have risk on your radar; avoid gettingbogged down in it
• Regulatory Risk is mitigated when we areeffective at protecting the public throughour regulatory processes, decisions andactions.
Regulators Managing Risk – Why, What, andHow?
Council on Licensure, Enforcementand Regulation 2016 Annual Educational Conference 17
Portland, OregonSeptember 15, 2016
Questions
Speaker Contact InformationRebecca Durcan, Partner, Certified Risk ManagerSteinecke Maciura [email protected]
@SMLLawTorontoBlog: sml-law.com/blog-regulation-pro/
Deanna L. Williams, PresidentDundee Consulting Group [email protected]