Download Risk Mngt Reporting Guidelines HSPs 13-14.pdf...
RISK MANAGEMENT REPORTING GUIDELINES AND MANUAL 2013/14 For North Simcoe Muskoka LHIN Health Service Providers
Table of Contents Purpose of this document............................................................................................................................. 2 Introduction .................................................................................................................................................. 3 What is Risk? ................................................................................................................................................. 4 What kinds of risks are there? ...................................................................................................................... 4 Why Manage Risk? ........................................................................................................................................ 5 How Do We Manage Risks? .......................................................................................................................... 5 Roles and Responsibilities for Monitoring Risk............................................................................................. 5 Types of Risks to be reported to the LHIN .................................................................................................... 7 Process of Risk Reporting from HSPs to the LHIN ......................................................................................... 8 APPENDIX #1 - SAMPLE RM POLICY .............................................................................................................. 9 APPENDIX #2 SAMPLE RISK REGISTER FOR SMALL ORGANIZATIONS ......................................................... 10 APPENDIX #3 NEW AND EMERGING RISK REPORTING FORM .................................................................... 11 APPENDIX #4 SAMPLE EVALUATION QUESTIONS FOR BOARDS TO ASSESS RISK OVERSIGHT EFFECTIVENESS ........................................................................................................................................... 13
Purpose of this Document This RISK MANAGEMENT REPORTING GUIDELINES AND MANUAL is intended to set the context for the reporting of risk related issues to the North Simcoe Muskoka LHIN by Health Service Providers as outlined in the respective Service Accountability Agreements. This manual complements the NSM LHIN Enterprise Risk Management Framework (June 2010) and the NSM LHIN Enterprise Risk Management Policy (June 2012) which outline the risk management approach for the NSM LHIN. The manual is primarily targeted to senior managers of Health Service Providers to outline the requirements and provide sample tools where they do not currently exist. The manual is developed to support organizations with varying degrees of risk management maturity, recognizing that risk management is a continuous journey. Although the manual will be particularly helpful to those health service providers that may not have robust risk reporting mechanisms in place, the majority of the content is applicable to all NSM LHIN health service providers. Health service providers will need to exercise discretion and some degree of judgment when choosing the types of risks to be reported to the LHIN. At a minimum, health service providers are expected to: Have an organization-specific policy in place related to the management of risk Ensure that significant and major risks are identified and reported promptly to the LHIN using the form provided in Appendix 3. Identify and implement mitigating actions, where necessary, and provide status updates where risks remain unmitigated.
Page 2
Introduction Risk identification and management is a vital function of health service providers, Local Health Integration Networks (LHINs), and the Ontario Ministry of Health and Long-Term Care (MOHLTC or “the Ministry”). This document: • • •
provides highlights of significant portions of the NSM LHIN’s Enterprise Risk Management Policy clarifies the reporting requirements for Risk Management under the Service Accountability Agreements established with service providers within the NSM LHIN provides sample documents and guidance for HSP use to facilitate the reporting of risk related information to the LHIN
The reporting of risks to the NSM LHIN by Health Service Providers is based upon several principles: 1. Future Planning Requirements: The LHIN requires risk information from Health Service Providers (HSPs) to inform both short and long term planning requirements. This information helps inform the LHIN of risks that may expose the healthcare system to potential liability. 2. Compliance with Reporting Requirements: LHINs report high level risks to the Ministry by completing a Quarterly Risk Summary template with specific reporting requirements. Further, the LHIN Board regularly reviews risks associated with the achievement of organizational objectives and requires information to make informed decisions. 3. Timely Communication of Risks: Communicating risks to the LHIN in a timely manner is an important way of ensuring appropriate management strategies are evaluated and implemented by HSPs and the LHIN. Please contact your designated LHIN Account Manager or email
[email protected] should you require any further information or assistance in implementing risk management within your organization.
Page 3
What is Risk? We come across risk in all sorts of ways and everything we do carries some sort of risk. However careful we are to plan things well, there are always things that can go wrong or not turn out just as we hoped. Sometimes, depending on what we are doing, we may be prepared to take some risks to achieve our goals. Other times we may need to minimize the risks as much as possible. If we don’t take some risks as an organization we will probably never achieve anything great. We still need to be careful not to rush into things without considering the risks or much could go wrong costing money and reputation. Risk management is not about eliminating all risk. It is about understanding what the risks are, what the likely consequences would be if they come about and how we would deal with them. Only by understanding the risks can we make well-informed decisions. A risk can be defined as any internal or external situation or event that has the potential to impact upon an organization, preventing the organization from successfully achieving its objectives, delivering its services, capitalizing on its opportunities or carrying out its projects or events. 1
What Kinds of Risks are There? An identified risk may fall into multiple categories. The categories of risks currently identified under NSM LHIN’s Enterprise Risk Management framework include: •
•
• • •
•
Operational Risks – The risk of direct or indirect loss or inability to provide LHIN core services, especially to stakeholders, resulting from inadequate or failed internal processes, resources (including human resources, equipment malfunction), and systems; Financial Risks – The risk of financial loss. This may include effectiveness of internal controls, financial processes for reporting, budgeting, and fiscal stewardship as well as the monitoring of full financial and performance reporting. These risks may also affect the ability to acquire assets, technology, etc.; Reputational Risks – The risk of significant negative public or HSP opinion that results in a critical loss of confidence (public, families, HSPs). Strategic Risks – These are risks that affect the ability to carry out the goals and objectives as articulated in the NSM LHIN Integrated Health Services Plan; Compliance Risks – Affect compliance with laws and regulations, Ministry-LHIN performance agreements, workplace health and safety requirements, environmental issues, litigation, conflicts of interest, etc.; Patient Safety Risks – These are risks that compromise the provision of safe care to patients, clients, residents and others. These could include infection control issues, medical errors, and unsafe equipment.
1
Do not mistake risks with consequences. “Injuries”’, “Financial Loss” and “Reputation Damage” are not risks but impacts/consequences of a risk - i.e. if your risk was to occur, it could result in injuries, financial loss and/or reputation damage.
Page 4
•
Systemic Risks – Systemic risk refers to the probability of breakdowns in an entire system, as opposed to breakdowns in individual parts or components.
Why Manage Risk? The primary reason for managing risk is to enable health service providers to successfully achieve their goals. With the growing need for transparent decision-making, a structured, systematic risk management process demonstrates the due diligence that is required and provides an audit trail for decision making. The risk management process is designed to help you: • • • •
Understand the factors that might prevent you from achieving your objectives. Quantify the likely impact of these factors. Make informed decisions about whether to go ahead with a project or how an activity should be managed. Identify the steps that can be taken to reduce the likelihood of these factors occurring or successfully manage the impact if they do.
A comprehensive understanding of the risk exposures facing health providers within NSM LHIN also facilitates effective planning and resource allocation, and encourages a proactive management culture, with flow-on benefits for every aspect of an HSP’s operation. Remember that it is not always possible or desirable to eliminate risk. We must understand what threat or opportunity the risk poses and manage it.
How Do We Manage Risks? Risk management is most successful when it becomes fully integrated into normal operating procedures, processes and systems. Like all good management practices, it should be driven from the top down and be recognized as the responsibility of everyone. Executives and Senior Managers have a particular responsibility in demonstrating commitment to the implementation and use of the risk management process and the information it generates.
Roles and Responsibilities for Monitoring Risk All government agencies face increasing requirements for sound and transparent decision making and prudent allocation of resources. The monitoring and review process is pivotal in fulfilling these requirements. HSPs should treat the monitoring and review of the risks that their organization faces as an integral part of all their core business functions.
Page 5
A structured risk management process provides a means for Senior Executives and Boards to stay informed about the risks associated with their HSP’s activities and to ensure appropriate measures are in place to address those risks. It contributes transparency and objectivity to decision making and it provides an audit trail to demonstrate how those accountable officers have fulfilled their obligations to provide good governance. All NSM LHIN funded Health Service Providers are encouraged to practice risk management, regularly undertake a structured risk assessment process to identify the risks facing their organization, demonstrate the management of risks, and where appropriate, have continuity plans to ensure they can respond to and recover from any business disruption. It is expected that risk management processes will be embedded into the Health Service Provider’s management systems and processes. The Health Service Provider should make additional efforts to ensure that their risk management efforts are focused on their organizational objectives while aligning to NSM LHIN system-wide strategies and complying with accountability agreements. Therefore, each funded Health Service Provider is recommended to develop a risk management framework and associated procedures that include: • • •
A Risk Management Policy (a sample template is provided in Appendix 1) Formal and ongoing identification of risks that impact the Health Service Provider’s goals (a sample risk register for small organizations is provided in Appendix 2); and Reporting of risks so that Significant Risks can be rolled up to the System level (the New and Emerging Risk Reporting Form for reporting of risks to the NSM LHIN is provided in Appendix 3).
It is also suggested that Health Service Provider boards conduct a review of the effectiveness of their Risk Management Oversight on an annual basis. (A template providing questions regarding effectiveness has been provided in Appendix 4).
Page 6
Types of Risks to be Reported to the LHIN While HSPs will be monitoring, reporting and responding to risks within the context of their own organization, not every type of risk needs to be reported to the LHIN. In most instances, only significant risks (or those that could become significant) need to be reported to the LHIN. Significant Risks include those risks that have a high likelihood and significant impact and where there is limited ability for mitigation by the HSP. These risks are identified and assessed based on the HSP’s expertise, judgment and knowledge of their role within the local system. Types of Significant Risks to be reported include: Risk to achieving Key Government Priorities Risk to achieving key local Priorities including o Risk of not achieving a LHIN objective /commitment in the Integrated Health Service Plan) o Risk of not achieving an objective in the Annual Business Plan o Risk of not achieving a commitment identified by the Care Connections Leadership Council Risk to achieving a commitment identified in the Service Accountability Agreement Risk to achieving a balanced budget for a Health Service Provider including: o Risks and occurrences that result in substantial financial costs either in excess of the impacted Health Service Provider’s ability to pay or in an amount that may jeopardize the Health Service Provider’s core mission Risk to meeting the target for a Ministry-LHIN Performance Agreement (MLPA) Indicator Risk of significant damage to a Health Service Provider’s reputation or damage to the NSM LHIN’s reputation Depending upon an assessment by the LHIN, these risks may also be rolled up at the LHIN level and incorporated into LHIN reporting to the Ministry of Health and Long-Term Care. Risks to Key Government Priorities: The HSP should report to the LHIN, risks that may impair the achievement of key government priorities. The ER Strategy is an example of a key government strategy. Both the LHIN and the ministry would need to be aware of top/significant risks to elements of this strategy. The ER Strategy includes: • • • • •
Reducing the number of ER visits More home care The Seniors Strategy to support seniors in the community Improved community-based mental health and addiction treatment Better chronic disease management
Risks to Key Local Priorities: NSM LHIN’s key priorities are identified in the 3-year Integrated Health Service Plan (IHSP) and Annual Business Plan (ABP). If significant risks emerge that could jeopardize the achievement of these priorities, that information should be communicated to the LHIN.
Page 7
Risk to Obligations identified in the Service Accountability Agreement: If there is a risk to achieving the obligations identified in a HSP’s service accountability agreement, the HSP is required to communicate this information to the LHIN. Risks associated with not achieving Balanced Budget: Each HSP has balanced budget requirements and should identify to the LHIN if there is a risk that this objective will not be achieved. Further, if achievement of this objective will impact the provision of health care services (i.e. the risk management plan includes a reduction or significant delay in the provision of a health care service), the LHIN will be required to communicate the information to the Ministry as well. When communicating, these types of risks, the HSP would also need to provide details on quantifying the dollar amounts involved, the actions being taken to address the issue and relevant time frames. Risks associated with damage to Reputation: Risks associated with of Risk of significant damage to a Health Service Provider’s reputation or damage to the NSM LHIN’s reputation. These risks could also be related to negative media attention and/or public reaction to an initiative.
Process of Risk Reporting from HSPs to the LHIN The New and Emerging Risks (NER) Reporting Form provides an opportunity to highlight emerging risks or add new risks to the risk register throughout the year. On an ongoing basis, when a new or emerging risk is identified, a designated individual from the Health Service Provider will notify the LHIN by completing the NER Form and submitting it to the LHIN’s designated email address for inclusion in the LHIN’s ongoing risk register (
[email protected] ). This form helps to develop awareness and understanding of the importance of managing new and emerging risks and provides a formalized structure for the reporting of these risks. The form requires the following information to be completed: Legal/Regulatory/Accountability • Short Descriptive Title of the Risk Compliance, Patient Safety) • Risk description; • Current controls in place and/or • Impact Description; mitigating actions • Likelihood of Occurrence; • Contact Name for further • Significance of Impact on various information/clarification risk categories (Operations, • Contact Name for status updates (if Finances, Reputation, Strategy, different than above) After submission of the NER, the form (and its accompanying risk) will be assigned an identification number which will be communicated back to the HSP via an acknowledgement of receipt. After a review of the NER and any further clarifications from the HSP, NSM LHIN’s Designated Risk Officer (or delegate) will determine whether the risk contained in this report warrants inclusion in the risk register. 2 Where risks are included in the risk register, the NSM LHIN Board and/or relevant Board committees would have visibility of the new risk information in the Quarterly Risk Register Report. 2
It is important to recognize that confidentiality of the communication will be maintained, however, the LHIN is subject to access to information requests under Ontario’s Freedom of Information and Protection of Privacy Act. Unless exceptions from the act apply, the information may be subject to disclosure. See: http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90f31_e.htm#BK15
Page 8
APPENDIX #1 - SAMPLE RM POLICY This sample risk management policy is from the Insurance Bureau of Canada. It may need to be adapted based upon the size, complexity or the objectives of different health service providers. See: http://www.ibc.ca/en/Business_Insurance/documents/Policies-Procedure-Sample-Risk-Management-Policy.pdf
Risk Management Policy HSP NAME Policy Statement Risk management is the process of making and carrying out decisions that will minimize the adverse effect of accidental losses upon our organization. The risk management process is vital to the personal health and safety of each employee and the safety of our members/clients/customers. In financial terms, it is vital to our ability to pursue our goals, commence and operate programs, and to perform duties in an efficient and professional manner. The organization has formed a risk management program to pursue our risk management goals and objectives. These goals and objectives include: 1. To avoid exposure to accidental loss by not undertaking functions, contracts, programs or activities where the potential loss is greater than the potential benefit to be derived from these undertakings; 2. To prevent loss by identifying loss exposures and implementing policies and procedures to reduce the risk of these losses occurring; 3. To control losses that do occur by: a. assisting and supporting injured parties; b. developing contingency plans for possible loss scenarios; and c. properly documenting and investigating losses. 4. To determine the most cost-effective balance of different risk financing tools. 5. To raise the awareness of all management, employees, volunteers and members/clients/customers concerning risk management within our organization. These goals and objectives will be accomplished by: 1. Establishing a Risk Management Committee with representatives from each department, whose responsibilities will be to implement, monitor, evaluate and revise plans to achieve our goals and objectives; 2. Electing a Risk Management Coordinator to serve as the head of the Risk Management Committee and report to senior management; 3. Including risk management as an item for discussion at every meeting. Cooperation is expected from management, employees and volunteers. Everyone must work as a team with common goals and objectives to ensure the success of this risk management program and in turn, the organization.
Page 9
APPENDIX #2 SAMPLE RISK REGISTER FOR SMALL ORGANIZATIONS Step 1: Risk Identification List of Possible Risks
Step 2: Risk Assessment Likelihood
Impact
H/M/L
H/M/L
Step 3: Risk Management What are we already doing about it? (mitigating factors)
Date to be reviewed
Person/Group responsible for review
Page 10
What more can we do about it?
Timescale
Person Responsible
Reviewed Level of Risk
APPENDIX #3 NEW AND EMERGING RISK REPORTING FORM Please use this form to highlight emerging risks or add new risks to the NSM LHIN risk register. This form may be completed electronically and submitted to
[email protected] or, alternatively in writing and submitted by mail or fax to: Designated Risk Officer, NSM LHIN, Suites 127-130, 210 Memorial Avenue, Orillia, ON L3V 7V1 PHONE: (705) 326-7750 or 1-866-903-5446 FAX (705) 326-1392
1. REPORTING INFORMATION Name of person making report
Organization Name
Date of Reporting
Contact Phone # (incl. extension)
Contact Email
RISK REGISTER ID (Assigned by NSM LHIN Designated Risk Officer)
2. DESCRIPTION OF NEW OR EMERGING RISK DESCRIPTIVE TITLE Provide a short descriptive Title for the Risk that provides a way to reference the information in the Risk Register.
TYPE OF RISK BEING REPORTED (Check a box below) Risk to Achieving a Balanced Budget for a Health Service Provider Risks that may impair the achievement of key government priorities Risks jeopardizing the achievement of a key local priority Risks jeopardizing the achievement of a commitment made in the Service Accountability agreement (SAA) Risks jeopardizing the achievement of a commitment made in the Ministry-LHIN Performance Agreement Risk of significant damage to a Health Service Provider’s reputation or damage to the NSM LHIN’s reputation Other risk not categorized above
Description of the Risk
High Risk Immediate action required
Risk Rating for this risk – tick one as appropriate: Significant Risk Moderate Risk Action required as soon as possible
Action required within 1-3 months
Describe what the impact if this risk is not mitigated?
Low Risk Further Monitoring required
Minimal immediate action How serious would the impact be in each of the categories if this risk was not mitigated? Choose a number below. Refer to Page 2 for guidance
(Include dollar impact where possible)
Low Impact High Impact
What actions have already been taken after identifying this risk?
Operational
1
2
3
4
5
Financial
1
2
3
4
5
Reputational
1
2
3
4
5
Strategic
1
2
3
4
5
Compliance
1
2
3
4
5
Safety
1
2
3
4
5
Target Date(s) for Completion of proposed actions
What actions are planned in response to this risk?
3. PROVIDE THE NAME AND CONTACT INFORMATION FOR THE INDIVIDUAL(S) THAT WILL PROVIDE STATUS UPDATES ON THIS RISK? Name:
Contact email:
Contact Phone number:
Name:
Contact email:
Contact Phone number:
Page 11
RISK IMPACT TABLE: The following table provides guidance on choosing the severity of the impact if a risk remains unmitigated. This table is a guideline only. IMPACT
IMPACT
LEVEL
DESCRIPTION / EXAMPLE Operational
Financial
Reputational
Strategic
Compliance
Safety No impact on Patient Safety Event caused inconvenience but no apparent injury First aid treatment.
0
No Impact
No impact on Operations
No financial impact
No Reputational Impact
No Strategic Impact
No impact on Compliance
1
Insignificant
Impact absorbed through routine operations
Revenue/cost impact 02% of operational budget
Unsubstantiated, low impact or no news item.
N/A
No noticeable regulatory or statutory impact
2
Minor
Minor delays in achieving objectives. Majority of objectives remain on track.
Revenue/cost impact 25% of operational budget
Substantiated, low impact, low news profile.
N/A
Some temporary non compliances
3
Moderate
Management effort required to redirect resources to avoid delays in achieving strategic intents. Administration of the program/ project/ activity could be subject to significant review or change
Revenue/cost impact 510% of operational budget
Substantiated, public embarrassment, moderate impact, moderate news profile, Ministerial involvement.
Setback in achieving strategic direction/goals or objectives. Failure to meet objectives by year 1
Short term non compliance but with significant regulatory requirements imposed
Event caused minimal loss of time or minimal restrictions May be threat of potential legal actions
4
Significant
Revenue/cost impact of 10-20% of operational budget
Substantiated, public embarrassment, high impact, high news profile, Third Party actions, public Ministerial involvement.
Performance reporting and measurement indicate variance from expectations. Failure to meet objectives by year 2
Non compliance results in termination of service or imposed penalties
Serious or extensive injuries.
5
Major
Significantly reduced ability to achieve objectives / key deliverables. Continued function of the program/ project/ activity would be threatened. Failure to achieve one or more key deliverables resulting in, major flow on effects for external stakeholders and other public sector agencies.
Revenue/cost impact more than 20% of operational budget.
Substantiated, public embarrassment, very high multiple impacts, high widespread multiple news profile, Third Party actions, public Ministerial involvement, Government censure.
Breakdown of community partnerships and alliances. Failure to meet objectives by year 3
Non compliance results in criminal charges or loss of required accreditation
Death or permanent injury Pending legal action
Page 12
APPENDIX #4 SAMPLE EVALUATION QUESTIONS FOR BOARDS TO ASSESS RISK OVERSIGHT EFFECTIVENESS NO. A.
1 2 3 4 5
6 7 8 9 10 11 12 13 14 15 16
ASSESSMENT QUESTION
YES
BOARD RISK OVERSIGHT PROCESS
Is the definition of "risk" as articulated in the Enterprise Risk Management Policy still adequate? Is the board organized to oversee risk management effectively? Does the board have a process in place to get the knowledge and experience it needs to oversee risk management? Are the risk oversight objectives articulated by the board consistent with the ethical values defined by the Board? Does the board understand the primary risks and uncertainties inherent in the business model of the LHIN and how they are addressed? a. Does the board periodically review risks and possible “worst case” scenarios? b. Does the board know the current status of the major risks facing the LHIN? c. Are the risks documented? d. Is there sufficient time during board meetings to discuss them? e. Is the board satisfied that management has in place an effective process to continuously identify risk, measure its impact and evaluate risk mitigation capabilities? Is the board and/or responsible committees, confident that directors are receiving the comprehensive, objective information they need to perform risk oversight? Is the board satisfied that roles, responsibilities, authorities and accountabilities are clearly established? Is the board satisfied that the risk reporting process is effective, efficient and frequent enough? Is the board satisfied that the risk oversight process is focused on the most critical risks and not mired in minutiae? Is the board satisfied with the process to decide how much risk the organization can take on? Is the board satisfied with the process to assess the organization's financial capacity to take on risks? Is the board satisfied that management pays attention to the warning signs and gives timely consideration to emerging risks? Are coordinated mechanisms in place to communicate the board’s expectations for risk management across the organization and to staff? Is the board satisfied that contingency plans are in place in the event of a crisis? Has the organization learned from its experience with risk? Is the board satisfied with its evaluation of the effectiveness of its risk oversight processes in achieving its risk oversight objectives ?
Page 13
NO
NA
COMMENT