How I learned to stop worrying and love the risk Trent Dean


PPB Survey (2010) of Not for Profit organisations in Australia and New Zealand:

1. Almost half did not have, or did not know if they had, a risk management plan

2. 61% of respondents stated that risk to their organisation had increased over the past five years

3. Over one third of Not-For-Profit boards were not held accountable for managing risk in their respective organisations

4. Almost half of respondents believe that budgetary constraints were the main barrier to adequate risk management support

The Ultimate Risk Management Consultant

Managing risk is a good thing...

• Moves us away from avoidance or transference
• It forces creativity
• The only way to achieve innovation and growth

The most important things...

Risk Management Framework
- Fully integrated and informed

Leadership
- Prepared to take calculated risks


The Risk Averse

The Optimistic Gamblers


The Innovators

Where to begin?

• Design a RM framework that fits your organisation
• Identify your strategic risks
• Identify risk owners
• Do something... anything
• Monitor, Rinse and Repeat

What is Risk?

“Effect of uncertainty on objectives” (ISO 31000:2009 Risk Management)

Objectives can have very different aspects

Major risks can impact on a range of areas including, but not limited to:

• Client Safety
• Staff Safety
• Business continuity
• Organisational Reputation
• Financial Sustainability
• Employee Relations

Strategic Objectives, Risk Category and Identified Strategic Risks

Strategic Objective: Grow more Christian Communities
Risk Category: Growth
Identified Strategic Risks:
• Lack of brand awareness and / or reputational loss
• Increased industry competition
• Poor due diligence and management of merger and acquisitions
• Limited church planting and sustained congregational growth

Strategic Objective: Operate and grow in a financially sustainable way
Risk Category: Financial Sustainability
Identified Strategic Risks:
• Unsuitable or poor performing investments
• Overextending on capital work projects
• Loss of / decreased funding sources
• Poor budgeting (organisational / project) and treasury strategy
• Loss of PBI / DGR status

Consequence Type: Insignificant | Minor | Moderate | Major | Catastrophic

Audit and Compliance
• Insignificant: Compliance with standards or licensing requirements maintained with negligible level of control weakness
• Minor: Compliant with standards or licensing requirements / minimal level of control weakness
• Moderate: Single non compliance with standards or licensing requirements resulting in recommendations for improvement / moderate level of control weakness identified
• Major: Multiple non compliances with standards or licensing requirements resulting in recommendations for improvement / high level of control weakness
• Catastrophic: Fully non compliant with standards or licensing requirements resulting in sanction or penalty / critical failure of key controls

Business Continuity
• Insignificant: Loss / interruption less than 1 hour
• Minor: Loss / interruption <= 8 hours / some disruption manageable by altered operational routine
• Moderate: Loss / interruption <= 1 day / Disruption to a number of areas within a Division or Unit, possible flow on to other locations
• Major: Loss / interruption <= 1 week / all operational areas of a Division or Unit compromised, other locations are affected
• Catastrophic: Total system dysfunction and / or total shut-down of operations

Client Safety and Care
• Insignificant: No injury or harm caused unsatisfactory client experience not directly related to client care
• Minor: Minimal harm caused / unsatisfactory client experience - readily resolvable
• Moderate: Temporary loss of function or harm caused / mismanagement of client care
• Major: Permanent loss of function or harm caused / serious mismanagement of client care
• Catastrophic: Loss of life / totally unsatisfactory client outcome or experience

Finance
• Insignificant: < $100k
• Minor: $100 – 200k
• Moderate: $200 – 500k
• Major: $500 – 2m
• Catastrophic: Greater than $2m

Fraud
• Insignificant: <$2k
• Minor: $2-10k
• Moderate: $10-25k
• Major: $25-100k
• Catastrophic: Greater than $100k

Health and Safety
• Insignificant: No injury / illness - no time lost, minor adjustment to operational routine
• Minor: Single injury / minor illness – lost time of less than 4 rostered days
• Moderate: Single serious injury >4 rostered days lost.
• Major: Multiple serious injuries or illness (more than 4 rostered days lost, or an event which is notifiable)
• Catastrophic: Fatality

Reputation
• Insignificant: Minimal adverse local publicity
• Minor: Significant adverse local publicity
• Moderate: Significant adverse state-wide publicity
• Major: Significant and sustained state-wide publicity
• Catastrophic: Sustained national adverse publicity

Vision and Values
• Insignificant: Negligible misalignment with strategic objectives or expected behaviours
• Minor: Minor misalignment with strategic objectives or expected behaviours
• Moderate: Moderate misalignment with strategic objectives or expected behaviours
• Major: Major misalignment with strategic objectives or expected behaviours
• Catastrophic: Significant misalignment with strategic objectives or expected behaviours

Workforce
• Insignificant: Short term low staffing level temporarily reduces service quality
• Minor: Ongoing low staffing level reduces service quality
• Moderate: Moderate annualised staff turnover (< 30%) Late delivery of key objectives / services due to lack of staff
• Major: Very high annualised staff turnover (> 30%) / Uncertain delivery of key objective / service due to lack of staff
• Catastrophic: Non delivery of key objectives / services due to lack of staff

| Likelihood Rating | Descriptor | Frequency |
|---|---|---|
| Almost Certain | Is expected to occur frequently (in most circumstances) | Expected to occur at least monthly |
| Likely | Is expected to occur occasionally (to be expected) | Expected to occur at least quarterly |
| Possible | Could occur at least once (capable of happening / foreseeable) | Expected to occur at least biannually |
| Unlikely | Might occur at some time (not to be expected) | Expected to occur at least annually |
| Rare | May occur in exceptional circumstances only | Not expected to occur for years |

Rank, Colour, Description

• Low 1: Action plans, policies or controls are not mitigating the risk and / or deemed to be very weak or ineffective. Risk may be outside control of organisation.
• Medium 2: Action plans, policies or controls may be partially mitigating the risk and scope for some improvement.
• High 3: Action plans, controls or policies deemed to be satisfactory and tested regularly.

| | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Almost Certain | Medium | High | High | Extreme | Extreme |
| Likely | Medium | Medium | High | Extreme | Extreme |
| Possible | Low | Medium | High | High | High |
| Unlikely | Low | Medium | Medium | Medium | High |
| Rare | Low | Low | Low | Medium | Medium |

Risk Rating and Action Required

Low
• Manage by routine controls and processes
• Ongoing monitoring of control effectiveness by local management

Medium
• Manage by routine controls and processes
• May require a detailed risk action plan
• Ongoing monitoring of control effectiveness by local management

High
• Immediate notification of relevant Senior Management
• Should have a detailed risk action plan
• Risk action plan to be monitored by relevant Senior Management and progress reported to relevant Divisional Director
• Updates to be provided to Executive Committee members, as required
• Ongoing monitoring of control effectiveness by Senior management

Extreme
• Immediate notification of relevant Divisional Director
• Must have specific risk mitigation plan
• Risk action plan to be monitored by Divisional Director and progress reported to Executive Committee members
• Updates to be provided to Board Risk, Audit and Compliance Committee members, as required
• Ongoing monitoring of control effectiveness by Divisional Director

Risk Assessments

• Risk Statement
• Contributing Factors
• Consequences
• Controls
• Control effectiveness
• Risk Analysis
• Action Required
• Risk Ownership

What should the Board know about?

• Key strategic / operational risks
• Presentations by individual risk owners
• Key issues / incidents / compliance breaches
• Crisis / Disaster Management
• OH&S
• Fraud and Corruption
• Internal Audit reports
• External Audit reports

Say what?

• What are the risks, both strategic and operational?
• How effective are the controls, and how do you know they are working?
• What are you doing about the risks?
• How are the risks trending?
• What are the known or possible risks ahead of us?


Board Report – Risk Heat Map

Risk 2 (SR-AC): Poor integration and support of client focused care

Risk Owner: A. Staff
Accountable Executive: B. Cool

Definition of Risk: Poor integration and support of client focused care

Risk Category: Client Focus

Existing Controls
• Training on customer focused awareness
• CMS focused on client outcomes
• Appointed project manager for the client focused care project
• Appointed GM for shared services and integration
• Appointed regional volunteer coordinators

Gaps and planned response
• Client focused education at every level of organisation
• Review of all functions that interface / input into client outcomes
• Churches of Christ Care Strategic Plan / actions from the Strategic Plan
• Gap assessment of CMS / Care Governance
• Action learning approach to learning
• Client satisfaction survey

Key Risk Indicators
• Number of volunteers
• Compliance with standards and licensing
• Client satisfaction surveys
• Predetermined and measured outcomes of care
• Culture survey results

Current Risk Rating
Control effectiveness / scope for control improvement

Contributing Factors / Issues
• Poor awareness of integration of services (both care and support)
• Constraints by regulatory and compliance obligations
• Limited creativity with application of compliance and regulatory obligations
• Lack of support or resistance for client focused care
• Client not viewed as central to all tasks and functions
• Lack of awareness of services and functions that input or interface with client care delivery
• Poor history and culture – task focused and output driven at both industry and occupational level

| Likelihood | Consequence | Rating |
|---|---|---|
| 4 | 3 | 12 |

Comments / Updates
• Gap assessment of CMS / Care Governance is almost complete
• Actively recruiting 5 regional volunteer coordinators


Key Risk Indicators

An integrated approach

• Quality Improvement
• Internal Audit
• Risk Management

Identify and Assess Risk

Design and Implement Controls

Monitor and Review Controls


Churches of Christ in Queensland

• A group of mainstream Christian churches which has been an active part of the Queensland community for over 100 years.

• We are a significant presence within Queensland with over 200 services in more than 100 communities, touching tens of thousands of lives each year.


Churches of Christ Care

• Established in 1930; operates 137 services with the support of more than 2,800 staff and over 700 volunteers.

• The care services are active in the areas of early childhood services, child protection, social and affordable housing, retirement living, community aged care, and residential aged care.

Assurance Services (organisation chart; roles shown)

• Director
• Group Manager - Quality
• Quality Advisor
• Health, Safety and Rehabilitation Consultant
• Health, Safety and Rehabilitation Specialist
• Health, Safety and Rehabilitation Consultant
• Internal Audit Coordinator
• Health, Safety and Rehabilitation Consultant
• Quality Officer
• Internal Auditor
• Internal Auditor
• Risk and Compliance Advisor
• Health, Safety and Rehabilitation Consultant

What we do...

• Risk Management Framework
• Fraud Risk Management
• Sentinel Event Management
• Root Cause Analysis
• Crisis / Disaster Management
• ChildSafe Program
• Legislative Compliance
• Quality Management (Continuous Improvement) Framework
• Controlled Documents
• Archiving / Records Management
• Internal Audit
• Self Audits
• Compliance Reviews
• Due Diligence
• Forensic Investigations
• Workplace Health and Safety
• Worker Rehabilitation

A Call to Action

Ask yourself...

• Do I know my organisation’s strategic risks, and are they meaningful to me?
• Is ‘risk management’ only raised as part of a dedicated risk meeting, or is it part of every Board conversation?
• What is the risk appetite and tolerance of the Board, the organisation, and me?