ENTERPRISE RISK MANAGEMENT FRAMEWORK

Transcription

1 ENTERPRISE RISK MANAGEMENT FRAMEWORK COVENANT HEALTH LEGAL & RISK MANAGEMENT

2 CONTENTS 1.0 PURPOSE OF THE DOCUMENT INTRODUCTION AND OVERVIEW GOVERNANCE STRUCTURE AND ACCOUNTABILITY ERM PRINCIPLES AND FRAMEWORK COV ERM PRINCIPLES MANDATE AND COMMITMENT FRAMEWORK DESIGN IMPLEMENTATION MONITOR AND REVIEW CONTINUOUS IMPROVEMENT CONCLUSION LEGAL & RISK MANAGEMENT PAGE 2 OF 15

3 1.0 PURPOSE OF THE DOCUMENT Enterprise Risk Management (ERM) brings together policies, methods and tools for managing risk at Covenant Health (COV) and within our healthcare structure. Risk is defined in the ISO 31000:2009 standard for ERM as the effect of uncertainty on objectives. This document will help to outline: What is ERM How everyone is a risk manager and the role they play; The Guiding principles of ERM; That ERM is part of a decision making lifecycle; How to ensure successful integration within existing business processes with effective monitoring, review and continuous improvement; and How ERM can assist COV to achieve its strategic objectives COV s policies, glossary of terms and risk assessment guide with accompanying tools will be stand alone documents as they will evolve over time and with use. LEGAL & RISK MANAGEMENT PAGE 3 OF 15

4 2.0 INTRODUCTION AND OVERVIEW COV recognizes risk management as an integral part of good governance and management practice. The Board is responsible for setting risk tolerance and overseeing risk management activities. The President and Chief Executive Officer (CEO) has overall responsibility for the implementation of a strategic, comprehensive and systematic ERM process. In particular, to ensure that there is a process to identify, analyze, evaluate, treat and monitor risks as part of the annual business cycle and to assess strategic initiatives for risk. There are hundreds of operational risks within the organization that are being managed on a day to day basis. ERM will allow SLT and Risk Owners to manage operational risks consistently across our organization. It will also provide SLT and the Board with business intelligence to allocate resources and prioritize initiatives more effectively. COV s ERM framework is designed to incorporate strong corporate oversight with a series of well-defined risk management systems with integration into business and decision-making processes. The ERM process involves participation of the CEO, SLT, Strategic Risk Committee, Risk Owners, and the ERM Operations Committee. The Board, primarily through the CEO, oversees the organization s risk management practices. The COV ERM program will provide a continuous, proactive and systematic process to understand, manage and communicate risk from a strategic and enterprise-wide perspective. ERM for SLT and the Board is about making decisions that contribute to achieving COV s strategic objective by identifying the top enterprise-wide threats or opportunities and processes to manage their uncertainty. ERM does not replace any traditional risk management process currently in place or require additional support from frontline staff. It will enhance decision making processes already in place. Moreover it will demonstrate sound management and is increasingly an expectation of our leaders. Within COV, ERM is envisioned to be: Everyone s responsibility without boundary of business unit or level of the organization; A holistic, co-ordinated and collaborative approach to managing risk; Designed to encourage timely identification, mitigation and administration of risks to COV s mission; An interactive process which enables continual improvement in decision making A process for communicating and facilitating discussion on risk throughout the organization; Aligned with achievement of our strategic goals and objectives; and A source for reasonable assurance to our Senior Leadership Team (SLT) and the Board of Directors (Board) on process controls. LEGAL & RISK MANAGEMENT PAGE 4 OF 15

5 3.0 GOVERNANCE STRUCTURE AND ACCOUNTABILITY Everyone is a Risk Manager and plays a role in ensuring risks are indentified, analysed, evaluated, treated and monitored. Although ERM is successful with a tone from the top approach; it is reliant on the feedback loop from the ground up. The CEO will establish a strong relationship with and is accountable to the Board for ERM. The CEO will oversee SLT and other functional areas across the organization to direct ERM issues to appropriate existing channels for investigation and resolution. Frontline staff will not have any new roles or accountability for ERM functions within COV. Frontline staff are still required to fulfill their job related risk and hazard assessments, management and reporting. Frontline staff must make supervisors and managers aware of risks that they cannot manage on their own. These supervisors and managers are Risk Owners; who have a responsibility to assist with a risk management or escalate the risk to ensure they are dealt with at the appropriate level within the organization. FIGURE 1- GOVERNANCE STRUCTURE LEGAL & RISK MANAGEMENT PAGE 5 OF 15

6 The COV ERM Governance Structure is designed for a top-down direction with bottom-up feedback loop; this is how everyone plays a role in managing risk. The Board provides policy and sets the tolerance for risk; which provides consistency on how much risk to take as it relates to COV s Strategic Objectives. Each subcommittee of the Board will receive risk reporting relevant to their mandate; providing guidance and feedback on the organization s risk management efforts. The Board monitors risk through reporting processes to adapt strategy and prioritize resources. The Board delegates the oversight of risk to the CEO. SLT identifies risk to the organization s Strategic Direction. SLT are responsible for identifying, assessing, treating and monitoring Strategic Risks via the Strategic Risk Committee. SLT is also responsible for overseeing Operational Risks and ensuring appropriate risk management activities are being used within their business units and reporting to the CEO. CEO has a responsibility to the Board to ensure risks are being managed and provide supporting information. The Enterprise Risk Business Unit is responsible for the risk management guidance, education and advice for the Board, SLT, Risk Owners and Frontline Staff. The Enterprise Risk Business Unit is the risk reporting function for the organization and responsible for the administering the risk registers with information provided by Risk Owners. Operational Directors/Managers are Risk Owners and have a responsibility to identify, assess, treat and monitor risks that affect their day to day and project based business or clinical activities. Risk Owners have a responsibility to the organization to ensure compliance with law, regulation, best practice and policy within their operations. Risk Owners will form a peer-based Enterprise Risk Committee and assist with collating information on risks associated with their operations for reporting to SLT and the Board. Frontline staff has a responsibility to manage day to day hazard based risks. Frontline staff have a responsibility to perform hazard assessments prior to commencing work and ensuring the safety of themselves, patients, staff and guests. Frontline staff provide information on risks to Risk Owners to commence a feedback loop Risk Assessment in the context of ERM is the responsibility of Risk Owners and SLT with support by the Enterprise Risk Business Unit. These risks have a potential to impact overall operations and our strategic objectives. Traditional hazard-based risks differ as they are task specific and more so a function for Frontline Staff. When traditional risks can no longer be managed by frontline processes and procedures; they are to be escalated as an ERM risk. Risks can be complex and may not have a linear solution. ERM can require the participation and support at multiple levels within our organization. However, solutions can be found and risks can be managed at any level. LEGAL & RISK MANAGEMENT PAGE 6 OF 15

7 4.0 ERM PRINCIPLES AND FRAMEWORK COV has adopted the ISO/CSA 31000:2009 Risk Management Standard for our ERM Framework which will ensure we be able to: increase the likelihood of achieving objectives; encourage proactive management; be aware of the need to identify and treat risk throughout the organization; improve the identification of opportunities and threats; comply with relevant legal and regulatory requirements and international norms; improve mandatory and voluntary reporting; improve governance; improve stakeholder confidence and trust; establish a reliable basis for decision making and planning; improve controls; effectively allocate and use resources for risk treatment; improve operational effectiveness and efficiency; enhance health and safety performance, as well as environmental protection; improve loss prevention and incident management; minimize losses; improve organizational learning; and improve organizational resilience. The ISO/CSA 31000:2009 standard is intended to meet the needs of a wide range of stakeholders, including: a) those responsible for developing risk management policy within their organization; b) those accountable for ensuring that risk is effectively managed within the organization as a whole or within a specific area, project or activity; c) those who need to evaluate an organization s effectiveness in managing risk; and d) developers of standards, guides, procedures and codes of practice that, in whole or in part, set out how risk is to be managed within the specific context of these documents. LEGAL & RISK MANAGEMENT PAGE 7 OF 15

8 The function of ERM will be guided by an adaptation from the ERM Process Model as shown at FIGURE 2. The ERM Process Model is consistent with the standards laid out in the International Organization for Standardization (ISO) Implementation Guide and Guide 73 will provide vocabulary support. Further description of each element of the ERM Process Model is described at sections 4.1 to 4.6 below. FIGURE 2- ERM PROCESS MODEL (ADAPTED FROM THE ERM PROCESS MODEL FROM ISO/CSA 31000:2009) LEGAL & RISK MANAGEMENT PAGE 8 OF 15

9 4.1 COV ERM PRINCIPLES COV has adopted the ISO/CSA principles (Clause 3) for managing risk to ensure a proactive and systematic approach to risk. Risk Management is everyone s responsibility from the Board of Directors to individual employees. a) Risk management creates and protects value. Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation. b) Risk management is an integral part of all organizational processes. Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes. c) Risk management is part of decision making. Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action. d) Risk management explicitly addresses uncertainty. Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed. e) Risk management is systematic, structured and timely. A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results. f) Risk management is based on the best available information. The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgment. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modeling used or the possibility of divergence among experts. g) Risk management is tailored. Risk management is aligned with the organization s external and internal context and risk profile. h) Risk management takes human and cultural factors into account. Risk management recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organization s objectives. i) Risk management is transparent and inclusive. Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organization, ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria. j) Risk management is dynamic, iterative and responsive to change. Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear. k) Risk management facilitates continual improvement of the organization. Organizations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organization. LEGAL & RISK MANAGEMENT PAGE 9 OF 15

10 4.2 MANDATE AND COMMITMENT The introduction of risk management and ensuring its ongoing effectiveness requires strong and sustained commitment by the Organization, as well as strategic and rigorous planning to achieve commitment at all levels. The governance structure as set in Section 3.0 for the organization will: define and endorse the risk management policy; ensure that the organization s culture and risk management policy are aligned; determine risk management performance indicators that align with performance indicators of the organization; align risk management objectives with the objectives and strategies of the organization; ensure legal and regulatory compliance; assign accountabilities and responsibilities at appropriate levels within the organization; ensure that the necessary resources are allocated to risk management; communicate the benefits of risk management to all stakeholders; and ensure that the framework for managing risk continues to remain appropriate. LEGAL & RISK MANAGEMENT PAGE 10 OF 15

11 4.3 FRAMEWORK DESIGN The success of risk management will depend on the effectiveness of the management framework providing the foundations and arrangements that will embed it throughout the organization at all levels. The framework assists in managing risks effectively through the application of the risk management process (see ISO Clause 5) at varying levels and within specific contexts of the organization. The framework ensures that information about risk derived from the risk management process is adequately reported and used as a basis for decision making and accountability at all relevant organizational levels. This clause describes the necessary components of the framework for managing risk and the way in which they interrelate in an iterative manner, as shown in Figure 2. FIGURE 3- RELATIONSHIP BETWEEN THE COMPONENTS OF THE FRAMEWORK FOR MANAGING RISK (ISO/CSA 31000:2009) The framework is designed to create and protect the value of healthcare delivery by working in a proactive versus reactive model for managing risk. Each risk will be assessed down to its root cause, how it impacts healthcare delivery and subsequently tied into COV s strategic objectives. These risks will be indentified and measured using a risk impact model that is tailored to COV and reviewed regularly to make ensure efficacy. The risk impact model, accompanying policies and our risk tolerance will be set at the Board level. LEGAL & RISK MANAGEMENT PAGE 11 OF 15

12 4.4 IMPLEMENTATION ERM is a business process that helps managers, SLT and the Board communicate and collaborate on providing safe, quality care to fulfill our Mission. As risk (in the context of ERM) is defined as the uncertainty to our objectives, ERM is best integrated into organizational processes to ensure risks are managed within our day to day decision making to prevent or be prepared for an adverse outcome or leverage an opportunity. An ERM Risk Assessment Guide and tools will be created that will pair decision processes with risk assessment tools to make proactively managing risk a part of everyday business. Decision making processes will vary depending on how it is framed. The risk assessment process will remain consistent using the following steps: FIGURE 4- PROCESS FOR MANAGING RISK (ISO/CSA 31000:2009) This cycle for risk management has a built in feedback loop that is not only part of each Risk Owner s processes, but built into our governance structure. Each risk will be tied back to one or more of COV s strategic objectives to identify any impact to our Mission. LEGAL & RISK MANAGEMENT PAGE 12 OF 15

13 4.5 MONITOR AND REVIEW Monitoring and review is concerned with: Creating a base register of strategic and operational risks that will be updated as risk information become available or as risks change; Creating business intelligence for SLT and the Board to ensure appropriate governance; Analyzing and learning lessons from events, changes and trends; Detecting changes in the external and internal context including changes to the risk itself which may require revision of risk treatments and priorities; and Ensuring that the risk control and treatment measures are effective in both design and operation. Actual progress in implementing risk treatment plans provides a performance measure and will be incorporated into COV performance management and internal and external audit reporting activities. Monitoring and review can involve regular checking or surveillance of what is already present or can be periodic or ad hoc. Both aspects will be planned. The results of monitoring and review will be recorded and internally and/or externally reported as appropriate and may also be used as an input to the review of the risk management framework. The management of risk has to be reviewed and reported on for the following reasons: To identify trends in risk within our organization; To monitor if the risk profile is changing; To gain assurance that risk management is effective; To identify when further action is necessary; To ensure effective application of risk management processes. LEGAL & RISK MANAGEMENT PAGE 13 OF 15

14 4.6 CONTINUOUS IMPROVEMENT The overall risk management process will be subject to regular review to deliver assurance that it remains appropriate and effective. Review of risks and review of the risk management process are distinct from each other and neither is a substitute for the other. The review processes should: Ensure that all aspects of the risk management process are reviewed at least once a year. Ensure that risks are subject to review with appropriate frequency (with appropriate provision for COV s own review of risks and for independent review/audit). Make provision for alerting the appropriate level of management to new risks or to changes in already identified risks so that the change can be appropriately addressed. The ERM Policy and Framework will be reviewed no later than 1 April 2017 This is a commitment from Legal & Risk Management to review and improve COV s approach to ERM after its second year of operation. At the end of year two, an assessment will be undertaken to determine the effectiveness and added value of the ERM and determine next steps. ERM must become an integral part of effective management practice and add value to the whole organization. Critical success metrics will be developed; aiming to demonstrate the success of ERM. LEGAL & RISK MANAGEMENT PAGE 14 OF 15

15 5.0 CONCLUSION This document presents a summary of COV philosophy on the management of risk, governance structure and accountability and provides a brief overview of risk management processes. COV will take an integrative point of view on the management of risk, and use tools and processes available to it in various situations including quantitative tools and qualitative assessments. Risk Management is designed in a continuous feedback and improvement loop.. The undertaking of risk management procedures often leads to the identification of previously unidentified sources of risk. For this reason, this document is expected to be a living document, and will be continually updated as COV updates its risk management systems, processes and objectives. LEGAL & RISK MANAGEMENT PAGE 15 OF 15