You are on page 1of 14

RISK MANAGEMENT REPORTING

GUIDELINES AND MANUAL


2013/14
For North Simcoe Muskoka LHIN
Health Service Providers

Table of Contents
Purpose of this document............................................................................................................................. 2
Introduction .................................................................................................................................................. 3
What is Risk? ................................................................................................................................................. 4
What kinds of risks are there? ...................................................................................................................... 4
Why Manage Risk? ........................................................................................................................................ 5
How Do We Manage Risks? .......................................................................................................................... 5
Roles and Responsibilities for Monitoring Risk............................................................................................. 5
Types of Risks to be reported to the LHIN .................................................................................................... 7
Process of Risk Reporting from HSPs to the LHIN ......................................................................................... 8
APPENDIX #1 - SAMPLE RM POLICY .............................................................................................................. 9
APPENDIX #2 SAMPLE RISK REGISTER FOR SMALL ORGANIZATIONS ......................................................... 10
APPENDIX #3 NEW AND EMERGING RISK REPORTING FORM .................................................................... 11
APPENDIX #4 SAMPLE EVALUATION QUESTIONS FOR BOARDS TO ASSESS RISK OVERSIGHT
EFFECTIVENESS ........................................................................................................................................... 13

Purpose of this Document


This RISK MANAGEMENT REPORTING GUIDELINES AND MANUAL is intended to set the context for the
reporting of risk related issues to the North Simcoe Muskoka LHIN by Health Service Providers as
outlined in the respective Service Accountability Agreements.
This manual complements the NSM LHIN Enterprise Risk Management Framework (June 2010) and the
NSM LHIN Enterprise Risk Management Policy (June 2012) which outline the risk management approach
for the NSM LHIN.
The manual is primarily targeted to senior managers of Health Service Providers to outline the
requirements and provide sample tools where they do not currently exist. The manual is developed to
support organizations with varying degrees of risk management maturity, recognizing that risk
management is a continuous journey. Although the manual will be particularly helpful to those health
service providers that may not have robust risk reporting mechanisms in place, the majority of the
content is applicable to all NSM LHIN health service providers.
Health service providers will need to exercise discretion and some degree of judgment when choosing
the types of risks to be reported to the LHIN. At a minimum, health service providers are expected to:
Have an organization-specific policy in place related to the management of risk
Ensure that significant and major risks are identified and reported promptly to the LHIN using
the form provided in Appendix 3.
Identify and implement mitigating actions, where necessary, and provide status updates where
risks remain unmitigated.

Page 2

Introduction
Risk identification and management is a vital function of health service providers, Local Health
Integration Networks (LHINs), and the Ontario Ministry of Health and Long-Term Care (MOHLTC or the
Ministry). This document:

provides highlights of significant portions of the NSM LHINs Enterprise Risk Management Policy
clarifies the reporting requirements for Risk Management under the Service Accountability
Agreements established with service providers within the NSM LHIN
provides sample documents and guidance for HSP use to facilitate the reporting of risk related
information to the LHIN

The reporting of risks to the NSM LHIN by Health Service Providers is based upon several principles:
1. Future Planning Requirements: The LHIN requires risk information from Health Service
Providers (HSPs) to inform both short and long term planning requirements. This information
helps inform the LHIN of risks that may expose the healthcare system to potential liability.
2. Compliance with Reporting Requirements: LHINs report high level risks to the Ministry by
completing a Quarterly Risk Summary template with specific reporting requirements. Further,
the LHIN Board regularly reviews risks associated with the achievement of organizational
objectives and requires information to make informed decisions.
3. Timely Communication of Risks: Communicating risks to the LHIN in a timely manner is an
important way of ensuring appropriate management strategies are evaluated and implemented
by HSPs and the LHIN.
Please contact your designated LHIN Account Manager or email NSMRiskRegister@lhins.on.ca should
you require any further information or assistance in implementing risk management within your
organization.

Page 3

What is Risk?
We come across risk in all sorts of ways and everything we do carries some sort of risk. However careful
we are to plan things well, there are always things that can go wrong or not turn out just as we hoped.
Sometimes, depending on what we are doing, we may be prepared to take some risks to achieve our
goals. Other times we may need to minimize the risks as much as possible. If we dont take some risks
as an organization we will probably never achieve anything great.
We still need to be careful not to rush into things without considering the risks or much could go wrong
costing money and reputation. Risk management is not about eliminating all risk. It is about
understanding what the risks are, what the likely consequences would be if they come about and how
we would deal with them. Only by understanding the risks can we make well-informed decisions.
A risk can be defined as any internal or external situation or event that has the
potential to impact upon an organization, preventing the organization from
successfully achieving its objectives, delivering its services, capitalizing on its
opportunities or carrying out its projects or events. 1

What Kinds of Risks are There?


An identified risk may fall into multiple categories. The categories of risks currently identified under
NSM LHINs Enterprise Risk Management framework include:

Operational Risks The risk of direct or indirect loss or inability to provide LHIN core services,
especially to stakeholders, resulting from inadequate or failed internal processes, resources
(including human resources, equipment malfunction), and systems;
Financial Risks The risk of financial loss. This may include effectiveness of internal controls,
financial processes for reporting, budgeting, and fiscal stewardship as well as the monitoring of
full financial and performance reporting. These risks may also affect the ability to acquire
assets, technology, etc.;
Reputational Risks The risk of significant negative public or HSP opinion that results in a critical
loss of confidence (public, families, HSPs).
Strategic Risks These are risks that affect the ability to carry out the goals and objectives as
articulated in the NSM LHIN Integrated Health Services Plan;
Compliance Risks Affect compliance with laws and regulations, Ministry-LHIN performance
agreements, workplace health and safety requirements, environmental issues, litigation,
conflicts of interest, etc.;
Patient Safety Risks These are risks that compromise the provision of safe care to patients,
clients, residents and others. These could include infection control issues, medical errors, and
unsafe equipment.

Do not mistake risks with consequences. Injuries, Financial Loss and Reputation Damage are not risks but impacts/consequences of a risk - i.e. if your
risk was to occur, it could result in injuries, financial loss and/or reputation damage.

Page 4

Systemic Risks Systemic risk refers to the probability of breakdowns in an entire system, as
opposed to breakdowns in individual parts or components.

Why Manage Risk?


The primary reason for managing risk is to enable health service providers to successfully achieve their
goals.
With the growing need for transparent decision-making, a structured, systematic
risk management process demonstrates the due diligence that is required and
provides an audit trail for decision making.
The risk management process is designed to help you:

Understand the factors that might prevent you from achieving your objectives.
Quantify the likely impact of these factors.
Make informed decisions about whether to go ahead with a project or how an activity should be
managed.
Identify the steps that can be taken to reduce the likelihood of these factors occurring or
successfully manage the impact if they do.

A comprehensive understanding of the risk exposures facing health providers within NSM LHIN also
facilitates effective planning and resource allocation, and encourages a proactive management culture,
with flow-on benefits for every aspect of an HSPs operation.
Remember that it is not always possible or desirable to eliminate risk. We must
understand what threat or opportunity the risk poses and manage it.

How Do We Manage Risks?


Risk management is most successful when it becomes fully integrated into normal operating procedures,
processes and systems. Like all good management practices, it should be driven from the top down and
be recognized as the responsibility of everyone. Executives and Senior Managers have a particular
responsibility in demonstrating commitment to the implementation and use of the risk management
process and the information it generates.

Roles and Responsibilities for Monitoring Risk


All government agencies face increasing requirements for sound and transparent decision making and
prudent allocation of resources. The monitoring and review process is pivotal in fulfilling these
requirements. HSPs should treat the monitoring and review of the risks that their organization faces as
an integral part of all their core business functions.

Page 5

A structured risk management process provides a means for Senior Executives and Boards to stay
informed about the risks associated with their HSPs activities and to ensure appropriate measures are
in place to address those risks. It contributes transparency and objectivity to decision making and it
provides an audit trail to demonstrate how those accountable officers have fulfilled their obligations to
provide good governance.
All NSM LHIN funded Health Service Providers are encouraged to practice risk
management, regularly undertake a structured risk assessment process to
identify the risks facing their organization, demonstrate the management of risks,
and where appropriate, have continuity plans to ensure they can respond to and
recover from any business disruption.
It is expected that risk management processes will be embedded into the Health Service Providers
management systems and processes. The Health Service Provider should make additional efforts to
ensure that their risk management efforts are focused on their organizational objectives while aligning
to NSM LHIN system-wide strategies and complying with accountability agreements.
Therefore, each funded Health Service Provider is recommended to develop a risk management
framework and associated procedures that include:

A Risk Management Policy (a sample template is provided in Appendix 1)


Formal and ongoing identification of risks that impact the Health Service Providers goals (a sample
risk register for small organizations is provided in Appendix 2); and
Reporting of risks so that Significant Risks can be rolled up to the System level (the New and
Emerging Risk Reporting Form for reporting of risks to the NSM LHIN is provided in Appendix 3).

It is also suggested that Health Service Provider boards conduct a review of the effectiveness of their
Risk Management Oversight on an annual basis. (A template providing questions regarding
effectiveness has been provided in Appendix 4).

Page 6

Types of Risks to be Reported to the LHIN


While HSPs will be monitoring, reporting and responding to risks within the context of their own
organization, not every type of risk needs to be reported to the LHIN.
In most instances, only significant risks (or those that could become significant) need to be reported to
the LHIN. Significant Risks include those risks that have a high likelihood and significant impact and
where there is limited ability for mitigation by the HSP. These risks are identified and assessed based on
the HSPs expertise, judgment and knowledge of their role within the local system.
Types of Significant Risks to be reported include:
Risk to achieving Key Government Priorities
Risk to achieving key local Priorities including
o Risk of not achieving a LHIN objective /commitment in the Integrated Health Service
Plan)
o Risk of not achieving an objective in the Annual Business Plan
o Risk of not achieving a commitment identified by the Care Connections Leadership
Council
Risk to achieving a commitment identified in the Service Accountability Agreement
Risk to achieving a balanced budget for a Health Service Provider including:
o Risks and occurrences that result in substantial financial costs either in excess of the
impacted Health Service Providers ability to pay or in an amount that may jeopardize
the Health Service Providers core mission
Risk to meeting the target for a Ministry-LHIN Performance Agreement (MLPA) Indicator
Risk of significant damage to a Health Service Providers reputation or damage to the NSM
LHINs reputation
Depending upon an assessment by the LHIN, these risks may also be rolled up at the LHIN level and
incorporated into LHIN reporting to the Ministry of Health and Long-Term Care.
Risks to Key Government Priorities: The HSP should report to the LHIN, risks that may impair the
achievement of key government priorities. The ER Strategy is an example of a key government strategy.
Both the LHIN and the ministry would need to be aware of top/significant risks to elements of this
strategy. The ER Strategy includes:

Reducing the number of ER visits


More home care
The Seniors Strategy to support seniors in the community
Improved community-based mental health and addiction treatment
Better chronic disease management

Risks to Key Local Priorities: NSM LHINs key priorities are identified in the 3-year Integrated Health
Service Plan (IHSP) and Annual Business Plan (ABP). If significant risks emerge that could jeopardize the
achievement of these priorities, that information should be communicated to the LHIN.

Page 7

Risk to Obligations identified in the Service Accountability Agreement: If there is a risk to achieving the
obligations identified in a HSPs service accountability agreement, the HSP is required to communicate
this information to the LHIN.
Risks associated with not achieving Balanced Budget: Each HSP has balanced budget requirements and
should identify to the LHIN if there is a risk that this objective will not be achieved. Further, if
achievement of this objective will impact the provision of health care services (i.e. the risk management
plan includes a reduction or significant delay in the provision of a health care service), the LHIN will be
required to communicate the information to the Ministry as well. When communicating, these types of
risks, the HSP would also need to provide details on quantifying the dollar amounts involved, the actions
being taken to address the issue and relevant time frames.
Risks associated with damage to Reputation: Risks associated with of Risk of significant damage to a
Health Service Providers reputation or damage to the NSM LHINs reputation. These risks could also be
related to negative media attention and/or public reaction to an initiative.

Process of Risk Reporting from HSPs to the LHIN


The New and Emerging Risks (NER) Reporting Form provides an opportunity to highlight emerging risks
or add new risks to the risk register throughout the year. On an ongoing basis, when a new or emerging
risk is identified, a designated individual from the Health Service Provider will notify the LHIN by
completing the NER Form and submitting it to the LHINs designated email address for inclusion in the
LHINs ongoing risk register (NSMRiskRegister@lhins.on.ca ).
This form helps to develop awareness and understanding of the importance of managing new and
emerging risks and provides a formalized structure for the reporting of these risks. The form requires
the following information to be completed:
Legal/Regulatory/Accountability

Short Descriptive Title of the Risk


Compliance, Patient Safety)

Risk description;

Current controls in place and/or

Impact Description;
mitigating actions

Likelihood of Occurrence;

Contact Name for further

Significance of Impact on various


information/clarification
risk categories (Operations,

Contact Name for status updates (if


Finances, Reputation, Strategy,
different than above)
After submission of the NER, the form (and its accompanying risk) will be assigned an identification
number which will be communicated back to the HSP via an acknowledgement of receipt. After a
review of the NER and any further clarifications from the HSP, NSM LHINs Designated Risk Officer (or
delegate) will determine whether the risk contained in this report warrants inclusion in the risk register. 2
Where risks are included in the risk register, the NSM LHIN Board and/or relevant Board committees
would have visibility of the new risk information in the Quarterly Risk Register Report.
2

It is important to recognize that confidentiality of the communication will be maintained, however, the LHIN is subject to access to information requests under
Ontarios Freedom of Information and Protection of Privacy Act. Unless exceptions from the act apply, the information may be subject to disclosure. See:
http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90f31_e.htm#BK15

Page 8

APPENDIX #1 - SAMPLE RM POLICY


This sample risk management policy is from the Insurance Bureau of Canada. It may need to be adapted based upon the size,
complexity or the objectives of different health service providers.
See: http://www.ibc.ca/en/Business_Insurance/documents/Policies-Procedure-Sample-Risk-Management-Policy.pdf

Risk Management Policy


HSP NAME
Policy Statement
Risk management is the process of making and carrying out decisions that will minimize the adverse
effect of accidental losses upon our organization. The risk management process is vital to the personal
health and safety of each employee and the safety of our members/clients/customers. In financial
terms, it is vital to our ability to pursue our goals, commence and operate programs, and to perform
duties in an efficient and professional manner.
The organization has formed a risk management program to pursue our risk management goals and
objectives. These goals and objectives include:
1. To avoid exposure to accidental loss by not undertaking functions, contracts, programs or
activities where the potential loss is greater than the potential benefit to be derived from these
undertakings;
2. To prevent loss by identifying loss exposures and implementing policies and procedures to
reduce the risk of these losses occurring;
3. To control losses that do occur by:
a. assisting and supporting injured parties;
b. developing contingency plans for possible loss scenarios; and
c. properly documenting and investigating losses.
4. To determine the most cost-effective balance of different risk financing tools.
5. To raise the awareness of all management, employees, volunteers and
members/clients/customers concerning risk management within our organization.
These goals and objectives will be accomplished by:
1. Establishing a Risk Management Committee with representatives from each department, whose
responsibilities will be to implement, monitor, evaluate and revise plans to achieve our goals
and objectives;
2. Electing a Risk Management Coordinator to serve as the head of the Risk Management
Committee and report to senior management;
3. Including risk management as an item for discussion at every meeting. Cooperation is expected
from management, employees and volunteers. Everyone must work as a team with common
goals and objectives to ensure the success of this risk management program and in turn, the
organization.

Page 9

APPENDIX #2 SAMPLE RISK REGISTER FOR SMALL ORGANIZATIONS


Step 1: Risk
Identification
List of Possible Risks

Step 2: Risk
Assessment
Likelihood

Impact

H/M/L

H/M/L

Step 3: Risk Management


What are we already doing
about it? (mitigating
factors)

Date to be reviewed

Person/Group responsible for review

Page 10

What more can we do


about it?

Timescale

Person
Responsible

Reviewed
Level of Risk

APPENDIX #3 NEW AND EMERGING RISK REPORTING FORM


Please use this form to highlight emerging risks or add new risks to the NSM LHIN risk register. This form may be completed electronically and submitted to
NSMRiskRegister@lhins.on.ca or, alternatively in writing and submitted by mail or fax to:
Designated Risk Officer, NSM LHIN, Suites 127-130, 210 Memorial Avenue, Orillia, ON L3V 7V1
PHONE: (705) 326-7750 or 1-866-903-5446
FAX (705) 326-1392

1. REPORTING INFORMATION
Name of person making report

Organization Name

Date of Reporting

Contact Phone # (incl. extension)

Contact Email

RISK REGISTER ID (Assigned by NSM LHIN Designated Risk


Officer)

2. DESCRIPTION OF NEW OR EMERGING RISK


DESCRIPTIVE TITLE
Provide a short descriptive Title for the Risk that provides a way to reference the information in the Risk Register.

TYPE OF RISK BEING REPORTED (Check a box below)


Risk to Achieving a Balanced Budget for a Health Service Provider
Risks that may impair the achievement of key government priorities
Risks jeopardizing the achievement of a key local priority
Risks jeopardizing the achievement of a commitment made in the Service Accountability agreement (SAA)
Risks jeopardizing the achievement of a commitment made in the Ministry-LHIN Performance Agreement
Risk of significant damage to a Health Service Providers reputation or damage to the NSM LHINs reputation
Other risk not categorized above

Description of the Risk

High Risk
Immediate action required

Risk Rating for this risk tick one as appropriate:


Significant Risk
Moderate Risk
Action required as soon as
possible

Action required within 1-3


months

Describe what the impact if this risk is not


mitigated?

Low Risk
Further Monitoring required

Minimal immediate action


How serious would the impact be in each of the
categories if this risk was not mitigated?
Choose a number below. Refer to Page 2 for guidance

(Include dollar impact where possible)

Low Impact High Impact

What actions have already been taken


after identifying this risk?

Operational

Financial

Reputational

Strategic

Compliance

Safety

Target Date(s) for


Completion of proposed
actions

What actions are planned in response to


this risk?

3. PROVIDE THE NAME AND CONTACT INFORMATION FOR THE INDIVIDUAL(S) THAT WILL PROVIDE STATUS UPDATES ON THIS RISK?
Name:

Contact email:

Contact Phone number:

Name:

Contact email:

Contact Phone number:

Page 11

RISK IMPACT TABLE:


The following table provides guidance on choosing the severity of the impact if a risk remains unmitigated. This table is a guideline only.
IMPACT

IMPACT

LEVEL

DESCRIPTION / EXAMPLE
Operational

Financial

Reputational

Strategic

Compliance

Safety
No impact on Patient
Safety
Event caused
inconvenience but no
apparent injury
First aid treatment.

No Impact

No impact on Operations

No financial impact

No Reputational Impact

No Strategic Impact

No impact on Compliance

Insignificant

Impact absorbed through


routine operations

Revenue/cost impact 02% of operational budget

Unsubstantiated, low impact or


no news item.

N/A

No noticeable regulatory or
statutory impact

Minor

Minor delays in achieving


objectives. Majority of
objectives remain on track.

Revenue/cost impact 25% of operational budget

Substantiated, low impact, low


news profile.

N/A

Some temporary non


compliances

Moderate

Management effort required


to redirect resources to avoid
delays in achieving strategic
intents. Administration of the
program/ project/ activity
could be subject to significant
review or change

Revenue/cost impact 510% of operational


budget

Substantiated, public
embarrassment, moderate
impact, moderate news profile,
Ministerial
involvement.

Setback in achieving
strategic direction/goals
or objectives. Failure to
meet objectives by year 1

Short term non compliance


but with significant
regulatory requirements
imposed

Event caused minimal


loss of time or
minimal restrictions
May be threat of
potential legal actions

Significant

Revenue/cost impact of
10-20% of operational
budget

Substantiated, public
embarrassment, high impact,
high news profile, Third Party
actions, public Ministerial
involvement.

Performance reporting
and measurement
indicate variance from
expectations. Failure to
meet objectives by year 2

Non compliance results in


termination of service or
imposed penalties

Serious or extensive
injuries.

Major

Significantly reduced ability to


achieve objectives / key
deliverables. Continued
function of the program/
project/ activity would be
threatened.
Failure to achieve one or
more key deliverables
resulting in, major flow on
effects for external
stakeholders and other public
sector agencies.

Revenue/cost impact
more than 20% of
operational budget.

Substantiated, public
embarrassment, very high
multiple impacts, high
widespread multiple news
profile, Third Party actions,
public Ministerial involvement,
Government censure.

Breakdown of community
partnerships and
alliances.
Failure to meet objectives
by year 3

Non compliance results in


criminal charges or loss of
required accreditation

Death or permanent
injury
Pending legal action

Page 12

APPENDIX #4 SAMPLE EVALUATION QUESTIONS FOR BOARDS TO ASSESS RISK OVERSIGHT


EFFECTIVENESS
NO.
A.

1
2
3
4
5

6
7
8
9
10
11
12
13
14
15
16

ASSESSMENT QUESTION

YES

BOARD RISK OVERSIGHT PROCESS

Is the definition of "risk" as articulated in the Enterprise Risk Management Policy still
adequate?
Is the board organized to oversee risk management effectively?
Does the board have a process in place to get the knowledge and experience it needs to
oversee risk management?
Are the risk oversight objectives articulated by the board consistent with the ethical values
defined by the Board?
Does the board understand the primary risks and uncertainties inherent in the business
model of the LHIN and how they are addressed?
a. Does the board periodically review risks and possible worst case scenarios?
b. Does the board know the current status of the major risks facing the LHIN?
c. Are the risks documented?
d. Is there sufficient time during board meetings to discuss them?
e. Is the board satisfied that management has in place an effective process to
continuously identify risk, measure its impact and evaluate risk mitigation capabilities?
Is the board and/or responsible committees, confident that directors are receiving the
comprehensive, objective information they need to perform risk oversight?
Is the board satisfied that roles, responsibilities, authorities and accountabilities are clearly
established?
Is the board satisfied that the risk reporting process is effective, efficient and frequent
enough?
Is the board satisfied that the risk oversight process is focused on the most critical risks and
not mired in minutiae?
Is the board satisfied with the process to decide how much risk the organization can take
on?
Is the board satisfied with the process to assess the organization's financial capacity to take
on risks?
Is the board satisfied that management pays attention to the warning signs and gives timely
consideration to emerging risks?
Are coordinated mechanisms in place to communicate the boards expectations for risk
management across the organization and to staff?
Is the board satisfied that contingency plans are in place in the event of a crisis?
Has the organization learned from its experience with risk?
Is the board satisfied with its evaluation of the effectiveness of its risk oversight processes in
achieving its risk oversight objectives ?

Page 13

NO

NA

COMMENT