POLICY. Number: Title: Enterprise Risk Management. Authorization

Transcription

1 POLICY Number: Title: Enterprise Risk Management Authorization [ ] President and CEO [ X] Vice President, Finance and Corporate Services Source: Director, Enterprise Risk Management Cross Index: Date Approved: January 24, 2014 Date Revised: Date Effective: April 16, 2014 Date Reaffirmed: Scope: SHR Any PRINTED version of this document is only accurate up to the date of printing. Saskatoon Health Region (SHR) cannot guarantee the currency or accuracy of any printed policy. Always refer to the Policies and Procedures site for the most current versions of documents in effect. SHR accepts no responsibility for use of this material by any person or organization not associated with SHR. No part of this document may be reproduced in any form for publication without permission of SHR. Overview: All activities of an organization involve risk. Organizations manage risk by identifying it, analyzing it and then evaluating whether the risk should be modified by risk treatment in order to satisfy their risk criteria 1. Saskatoon Health Region (SHR) has developed an approach to Enterprise Risk Management (based on the International Standard (2009)) and an organizational process to support the integration of Risk Management into SHR s strategic and operational planning. Saskatoon Regional Health Authority (SRHA) recognizes that the proper management of risk is an essential capability that must be developed and practiced throughout the region at all levels. SRHA is committed to building increased awareness and a shared responsibility for Risk Management with employees, at all levels of the organization, and across all sectors of the organization. SRHA has governance responsibility for risk in the organization. The SRHA s Governance Charter formally establishes SRHA s commitment and support for an effective Risk Management strategy within SHR. SHRA Audit, Finance & Risk Committee is accountable to the SRHA as defined in its terms of reference. The Audit, Finance & Risk Committee reports to the SRHA on an annual basis, or more frequently as may be required. The SRHA Audit, Finance & Risk Committee, a joint committee of the RHA and St. Paul s Hospital Board of Directors that: formally expresses SHR s risk tolerance through a SRHA-approved Risk Tolerance Statement, reviews, at least annually, the Risk Tolerance Statement, participates in identifying and assessing SHR s Risk Register, a summarized list of significant risks reviews and receives regular reports on the status of the risks identified in the Risk Register. 1 International Standard ISO 31000: 2009 Risk management Principles and guidelines Page 1 of 10

2 DEFINITIONS All staff means SHR employees, professional staff, practitioner staff and students. Enterprise Risk Management (ERM) means is a continuous, proactive and systemic process applied across the Region for assessing and addressing risks from all sources that threaten the achievement of the objectives of SHR. ERM is about making strategic decisions that contribute to the achievement of the Region s overall corporate objectives. Monitoring means continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected. Risk means the effect of uncertainty on SHR objectives. Risk Appetite means the amount of risk SHR is prepared to accept, tolerate or be exposed to at any point in time. Risk Assessment means the overall process of risk identification, analysis and evaluation. Risk Management means the a systemic process of identifying, measuring/assessing, analyzing, mitigating, evaluating and reporting actual or potential risks to prevent, control and minimize risk exposure. Risk Management provides the methodology for integrating risk into decision making. Risk Owner means the person or entity with the accountability and authority to manage a risk. Risk Profile means the description of any set of risks. Risk Register means a summarized list of significant risks known to SHR. Risk Response means the process of selecting and implementing risk reduction strategies within SHR s risk tolerance (accept, mitigate, avoid or transfer). 1. PURPOSE The purpose of this policy is to establish SHR s approach to Enterprise Risk Management, to: 1.1 Ensure efficient and effective processes and systems are in place to manage all aspects of risk within SHR and to provide reasonable assurances that SHR is meeting its objectives while maintaining a safe environment for its patients, staff and public. 1.2 Ensure there are mechanisms in place to control risk in a systemic way utilizing a quality improvement approach that encompasses the full continuum of care. 1.3 Ensure necessary linkages to existing (and potentially new) working groups and committee structures to ensure continuous, proactive and a systemic process is undertaken to manage risk. 2. PRINCIPLES SHR recognizes that Risk Management is an integral part of good governance and management practice and is committed to its application at all management levels within the organization. For Risk Management to be effective, the following principles apply at all levels throughout SHR. 2 2 International Standard ISO 31000:2009 Risk management Principles and guidelines Page 2 of 10

3 2.1 Risk Management creates and protects value Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, project quality, project management, efficiency in operations, governance and reputation. 2.2 Risk Management is an integral part of all organizational processes Risk Management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk Management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes. 2.3 Risk Management is part of decision making Risk Management helps decision makers make informed choices, prioritize actions and distinguish alternative courses of action. 2.4 Risk Management explicitly addresses uncertainty Risk Management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed. 2.5 Risk Management is systematic, structured and timely A systematic, timely and structured approach to Risk Management contributes to efficiency and to consistent, comparable and reliable results. 2.6 Risk Management is based on the best available information The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgment. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modeling used or the possibility of divergence among experts. 2.7 Risk Management is tailored Risk management is aligned with the organization s external and internal context and Risk Profile. 2.8 Risk Management takes human and cultural factors into account Risk Management recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organization s objectives. 2.9 Risk Management is transparent and inclusive Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organization, ensures that risk management remains relevant and up to date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria Risk Management is dynamic, iterative and responsive to change Risk Management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change and others disappear. Page 3 of 10

4 2.11 Risk Management facilitates continual improvement of the organization Organizations should develop and implement strategies to improve their Risk Management maturity alongside all other aspects of their organization. 3. POLICY 3.1 SHR shall implement Enterprise Risk Management that will involve all aspects of the organization. 3.2 SHR will ensure that existing and emerging risks are identified and managed within an established Risk Appetite. 3.3 Risk Management shall be considered in all organizational approvals in a manner appropriate to the nature and scope of the initiative. Risk Management will be considered early in any planning process. 3.4 Directors, Program and Dyad Leaders and the SRHA s Audit, Finance and Risk Committee shall identify and assess all significant risks at least annually. 4. ROLES AND RESPONSIBILITIES 4.1 Vice Presidents Accountable for Risk Management within their areas of responsibility, including the delegation of Risk Management to Directors, Program and Dyad Leaders Collectively, the Senior Leadership Team is responsible for: The formal identification and assessment of risks that impact the SHR s goals, Determination of priorities, Development of strategic Risk Management plans, Monitoring progress in Risk Management, Progress review of Risk Management plans. 4.2 Directors, Program and Dyad Leaders as Risk Owners Implementation of this policy within their respective areas of responsibility Assess identified risk using the SHR Risk Matrix/Grading Tool Risk (see Appendix A) The development and implementation of effective Risk Management strategies Actively participating with the Risk Assessment process Report on the status of items in the Risk Register as required when it impacts their respective responsibilities as part of either the annual planning or review cycle. 4.3 Director, Enterprise Risk Management Maintain and implement ERM: Provide on-going guidance to all levels of management on Risk Management processes, Support the Region in carrying out the Risk Management role by providing education related to Risk Management methodologies and facilitating Risk Assessment on a region-wide basis, Facilitate development of the Risk Register for SHR which includes prioritized Risk Response, defined risk mitigation processes and measures Page 4 of 10

5 monitoring effectiveness; and facilitating action in those areas where improvements are required, Perform a periodic review of the Risk Management process, Report regularly on the status and adequacy of ERM to the Audit, Finance & Risk Committee. 4.4 Managers/Supervisors Development of Risk Management processes and the implementation of risk reduction strategies Integrate Risk Management processes into existing planning processes and management activities. 4.5 All staff Effective management of risk including the identification of potential risks. 5. POLICY MANAGEMENT The management of this policy including policy education, monitoring, implementation and amendment is the responsibility of the Director, Enterprise Risk Management. 6. NON-COMPLIANCE/BREACH Any instance of non-compliance is to be promptly communicated to and reviewed by Director, Enterprise Risk Management. The Director, Enterprise Risk Management will follow up with the appropriate business owner to document the nature of the non-compliance and the proposed remedy and timing to bring the issue to compliance. The Director, Enterprise Risk Management will report findings to the Vice President, People and Partnerships and the Senior Leadership Team as appropriate. 7. REFERENCES International Standard ISO 31000: 2009 Risk management Principles and guidelines Page 5 of 10

6 PROCEDURE Number: Title: Enterprise Risk Management Authorization [ ] President and CEO [ X] Vice President, Finance and Corporate Service Source: Director, Enterprise Risk Management Cross Index: Date Approved: January 24, 2014 Date Revised: Date Effective: April 16, 2014 Date Reaffirmed: Cross Index: Scope: SHR 1. PURPOSE The purpose of this procedure is to establish SHR s organizational process for Enterprise Risk Management. 2. PRINCIPLES 2.1 Mechanisms and methodologies are in place to identify, assess, mitigate and report risk in a systemic way. 2.2 Linkages to existing (and potentially new) working groups and committee structures ensure continuous, proactive and systemic processes to manage and integrate risk. 3. PROCEDURE 3.1 The SRHA Audit, Finance & Risk Committee establishes the organization s risk tolerance and assesses corporate risk on an annual basis. 3.2 Directors, Program and Dyad Leaders Assess and monitor SHR s risks outlined in the annual Risk Register Endorse the ERM implementation plan on an annual basis or as needed Monitor the preparedness and business continuity planning of SHR to cope with major disruption Receive regular risk reporting from Directors, Program and Dyad Leaders (Risk Owners) as appropriate or upon request. 3.3 Directors, Program and Dyad Leaders as Risk Owners Identify, assess risk (see Appendix A), mitigate and report to their respective Vice Presidents and to the Director, Enterprise Risk Management regarding risks identified in SHR s Risk Register. Page 6 of 10

7 3.3.2 Utilize risk methodologies for risk identification, assessment (see Appendix A), mitigation and reporting as required for operational planning. 3.4 Director, Enterprise Risk Management Reports to the SRHA Audit, Finance and Risk Committee on risks identified in the Risk Register on a regular basis Reviews and reports on Enterprise Risk Management and implementation plan(s) as necessary Shares/further distributes risk reporting broadly as appropriate throughout the organization Facilitates learning opportunities for staff and management to further risk awareness. 3.5 Management and Staff Embed Risk Management into all business processes and decisions and promote a culture of risk awareness when possible. 4. PROCEDURE MANAGEMENT The management of this procedure including procedures for education, monitoring, implementation and amendment is the responsibility of the Director, Enterprise Risk Management. 4. NON-COMPLIANCE/BREACH Non-compliance with this procedure may result in additional reporting to the Senior Leadership Team as appropriate. 5. REFERENCES SHR Enterprise Risk Management Policy SHR Business Continuity Policy SRHA Audit, Finance & Risk Committee Terms of Reference SRHA Governance Charter Page 7 of 10

8 Appendix A SASKATOON HEALTH REGION Risk Matrix/Grading Tool LIKELIHOOD (How likely is the risk going to occur given what we currently do?) IMPACT (How much of an impact will the risk have if it does occur?) Insignificant Minor Moderate Major Extreme Almost certain Moderate Risk Moderate Risk High Risk Critical Risk Critical Risk Likely Low Risk Moderate Risk High Risk Critical Risk Critical Risk Possible Low Risk Moderate Risk Moderate Risk High Risk High Risk Unlikely Low Risk Low Risk Moderate Risk Moderate Risk High Risk Rare Low Risk Low Risk Low Risk Moderate Risk Moderate Risk Adapted from Winnipeg Regional Health Authority

9 Risk Impact Risk Assessment Tool Impact: EXTREME Impact: MAJOR Impact: MODERATE Impact: MINOR Impact: INSIGNIFICANT STRATEGIC RISK Brand, reputation and advertising risks and risks associated with business strategy. Failure to adapt to changing environment, changing priorities, competitive risk and clinical research. Extensive adverse publicity resulting in decreased reputation Gross failure to meet strategic directions Full public inquiry (eg. Coroner s Inquest) Major scrutiny resulting in adverse publicity and impact on reputation A number of strategic objectives are not met Independent external reviews (eg. Privacy Commissioner) Moderate adverse publicity and impact on reputation Moderate number of strategic objectives are not met Minimal scrutiny resulting in some adverse publicity Minimal strategic objectives are not met No public scrutiny expected No impact to achievement of strategic objectives RESOURCE RISK An explosive area of exposure in today s labour market including employee selection, retention and turnover, absenteeism and compensation. Risks such as capital structure, credit and interest rate fluctuations, foreign exchange and accounts receivables. Death or significant harm to staff Financial loss of greater than $1M Financial impact to budget of.5% Significant mechanical, structural or information technology breakdown Permanent physical and/or emotional harm to staff lasting greater than 1 year Financial loss of $250K-$1M Financial impact to budget of.4% Significant impact to mechanical, structural or information technology systems Short term injury/harm to staff with recovery expected within 1 month Financial loss of $50K-$250K Financial impact to budget of.3% Short term impact to mechanical, structural or information technology systems Non-permanent or minor harm to staff lasting less than 1 week Financial loss of less than $50K Financial impact to budget of.2% Minimal impact to mechanical, structural or information technology systems No injury/harm to staff or no intervention required Minimal financial loss Financial impact to budget of.1% Insignificant impact to mechanical, structural or information technology systems COMPLIANCE RISK Incorporates risk arising out of product liability, management liability, failure to comply with statutes, standards, rules and regulations, and issues related to intellectual property. Gross failure to meet professional standards or comply with corporate policies and procedures Repeated failure to meet regional and/or national standards Repeated failure to meet professional standards or comply with corporate policies and procedures Failure to meet regional and/or national standards Single failure to meet professional standards or comply with corporate policies and procedures Single failure to meet regional and/or national standards Failure to meet standard with no significant consequence Minor noncompliance with regional standards, policy, protocols or guidelines Failure to meet OPERATIONAL RISK Risks related to the conduct of the business operation that results from inadequate or failed internal processes, people or systems (medical malpractice) that affect patient safety. Critical Incident as per provincial legislation Total shut down of operations Incident Command and region-wide emergency response required Injury or harm lasting greater than 1 year Adverse event resulting in increased length of stay of greater than 2 weeks All operational areas or majority of areas compromised or affected More than one site or area requiring an emergency response Short term hospital stay due to injury/harm Some disruption to services within an operational area or location One area or site emergency response required Some service disruption manageable by altered routine Incident requiring internal reporting and minor damage Minimal service disruption manageable by altered routine service objectives Adapted from Winnipeg Regional Health Authority

10 Likelihood of Occurrence DESCRIPTOR SELECT THE DESCRIPTION & FREQUENCY THAT BEST REFLECTS THE PROBABILITY THAT A RISK WILL OCCUR IN THE ABSENCE OF ANY CONSTROLS TO PREVENT THE RISK Description Frequency Almost Certain Expected to occur in most circumstances Multiple times per year Likely Will probably occur in most circumstances Has occurred several times or more, expected to occur in the next two years Possible Might occur at some time Could occur a couple of times or is expected to occur once every ten years Unlikely Could occur at some time Has not yet occurred but could occur at some time, or is expected to occur once every 30 years Rare May occur only in exceptional circumstances Have not heard of this occurring Adapted from Winnipeg Regional Health Authority