Professional Documents
Culture Documents
Table of Contents
Purpose of this document............................................................................................................................. 2
Introduction .................................................................................................................................................. 3
What is Risk? ................................................................................................................................................. 4
What kinds of risks are there? ...................................................................................................................... 4
Why Manage Risk? ........................................................................................................................................ 5
How Do We Manage Risks? .......................................................................................................................... 5
Roles and Responsibilities for Monitoring Risk............................................................................................. 5
Types of Risks to be reported to the LHIN .................................................................................................... 7
Process of Risk Reporting from HSPs to the LHIN ......................................................................................... 8
APPENDIX #1 - SAMPLE RM POLICY .............................................................................................................. 9
APPENDIX #2 SAMPLE RISK REGISTER FOR SMALL ORGANIZATIONS ......................................................... 10
APPENDIX #3 NEW AND EMERGING RISK REPORTING FORM .................................................................... 11
APPENDIX #4 SAMPLE EVALUATION QUESTIONS FOR BOARDS TO ASSESS RISK OVERSIGHT
EFFECTIVENESS ........................................................................................................................................... 13
Page 2
Introduction
Risk identification and management is a vital function of health service providers, Local Health
Integration Networks (LHINs), and the Ontario Ministry of Health and Long-Term Care (MOHLTC or the
Ministry). This document:
provides highlights of significant portions of the NSM LHINs Enterprise Risk Management Policy
clarifies the reporting requirements for Risk Management under the Service Accountability
Agreements established with service providers within the NSM LHIN
provides sample documents and guidance for HSP use to facilitate the reporting of risk related
information to the LHIN
The reporting of risks to the NSM LHIN by Health Service Providers is based upon several principles:
1. Future Planning Requirements: The LHIN requires risk information from Health Service
Providers (HSPs) to inform both short and long term planning requirements. This information
helps inform the LHIN of risks that may expose the healthcare system to potential liability.
2. Compliance with Reporting Requirements: LHINs report high level risks to the Ministry by
completing a Quarterly Risk Summary template with specific reporting requirements. Further,
the LHIN Board regularly reviews risks associated with the achievement of organizational
objectives and requires information to make informed decisions.
3. Timely Communication of Risks: Communicating risks to the LHIN in a timely manner is an
important way of ensuring appropriate management strategies are evaluated and implemented
by HSPs and the LHIN.
Please contact your designated LHIN Account Manager or email NSMRiskRegister@lhins.on.ca should
you require any further information or assistance in implementing risk management within your
organization.
Page 3
What is Risk?
We come across risk in all sorts of ways and everything we do carries some sort of risk. However careful
we are to plan things well, there are always things that can go wrong or not turn out just as we hoped.
Sometimes, depending on what we are doing, we may be prepared to take some risks to achieve our
goals. Other times we may need to minimize the risks as much as possible. If we dont take some risks
as an organization we will probably never achieve anything great.
We still need to be careful not to rush into things without considering the risks or much could go wrong
costing money and reputation. Risk management is not about eliminating all risk. It is about
understanding what the risks are, what the likely consequences would be if they come about and how
we would deal with them. Only by understanding the risks can we make well-informed decisions.
A risk can be defined as any internal or external situation or event that has the
potential to impact upon an organization, preventing the organization from
successfully achieving its objectives, delivering its services, capitalizing on its
opportunities or carrying out its projects or events. 1
Operational Risks The risk of direct or indirect loss or inability to provide LHIN core services,
especially to stakeholders, resulting from inadequate or failed internal processes, resources
(including human resources, equipment malfunction), and systems;
Financial Risks The risk of financial loss. This may include effectiveness of internal controls,
financial processes for reporting, budgeting, and fiscal stewardship as well as the monitoring of
full financial and performance reporting. These risks may also affect the ability to acquire
assets, technology, etc.;
Reputational Risks The risk of significant negative public or HSP opinion that results in a critical
loss of confidence (public, families, HSPs).
Strategic Risks These are risks that affect the ability to carry out the goals and objectives as
articulated in the NSM LHIN Integrated Health Services Plan;
Compliance Risks Affect compliance with laws and regulations, Ministry-LHIN performance
agreements, workplace health and safety requirements, environmental issues, litigation,
conflicts of interest, etc.;
Patient Safety Risks These are risks that compromise the provision of safe care to patients,
clients, residents and others. These could include infection control issues, medical errors, and
unsafe equipment.
Do not mistake risks with consequences. Injuries, Financial Loss and Reputation Damage are not risks but impacts/consequences of a risk - i.e. if your
risk was to occur, it could result in injuries, financial loss and/or reputation damage.
Page 4
Systemic Risks Systemic risk refers to the probability of breakdowns in an entire system, as
opposed to breakdowns in individual parts or components.
Understand the factors that might prevent you from achieving your objectives.
Quantify the likely impact of these factors.
Make informed decisions about whether to go ahead with a project or how an activity should be
managed.
Identify the steps that can be taken to reduce the likelihood of these factors occurring or
successfully manage the impact if they do.
A comprehensive understanding of the risk exposures facing health providers within NSM LHIN also
facilitates effective planning and resource allocation, and encourages a proactive management culture,
with flow-on benefits for every aspect of an HSPs operation.
Remember that it is not always possible or desirable to eliminate risk. We must
understand what threat or opportunity the risk poses and manage it.
Page 5
A structured risk management process provides a means for Senior Executives and Boards to stay
informed about the risks associated with their HSPs activities and to ensure appropriate measures are
in place to address those risks. It contributes transparency and objectivity to decision making and it
provides an audit trail to demonstrate how those accountable officers have fulfilled their obligations to
provide good governance.
All NSM LHIN funded Health Service Providers are encouraged to practice risk
management, regularly undertake a structured risk assessment process to
identify the risks facing their organization, demonstrate the management of risks,
and where appropriate, have continuity plans to ensure they can respond to and
recover from any business disruption.
It is expected that risk management processes will be embedded into the Health Service Providers
management systems and processes. The Health Service Provider should make additional efforts to
ensure that their risk management efforts are focused on their organizational objectives while aligning
to NSM LHIN system-wide strategies and complying with accountability agreements.
Therefore, each funded Health Service Provider is recommended to develop a risk management
framework and associated procedures that include:
It is also suggested that Health Service Provider boards conduct a review of the effectiveness of their
Risk Management Oversight on an annual basis. (A template providing questions regarding
effectiveness has been provided in Appendix 4).
Page 6
Risks to Key Local Priorities: NSM LHINs key priorities are identified in the 3-year Integrated Health
Service Plan (IHSP) and Annual Business Plan (ABP). If significant risks emerge that could jeopardize the
achievement of these priorities, that information should be communicated to the LHIN.
Page 7
Risk to Obligations identified in the Service Accountability Agreement: If there is a risk to achieving the
obligations identified in a HSPs service accountability agreement, the HSP is required to communicate
this information to the LHIN.
Risks associated with not achieving Balanced Budget: Each HSP has balanced budget requirements and
should identify to the LHIN if there is a risk that this objective will not be achieved. Further, if
achievement of this objective will impact the provision of health care services (i.e. the risk management
plan includes a reduction or significant delay in the provision of a health care service), the LHIN will be
required to communicate the information to the Ministry as well. When communicating, these types of
risks, the HSP would also need to provide details on quantifying the dollar amounts involved, the actions
being taken to address the issue and relevant time frames.
Risks associated with damage to Reputation: Risks associated with of Risk of significant damage to a
Health Service Providers reputation or damage to the NSM LHINs reputation. These risks could also be
related to negative media attention and/or public reaction to an initiative.
Risk description;
Impact Description;
mitigating actions
Likelihood of Occurrence;
It is important to recognize that confidentiality of the communication will be maintained, however, the LHIN is subject to access to information requests under
Ontarios Freedom of Information and Protection of Privacy Act. Unless exceptions from the act apply, the information may be subject to disclosure. See:
http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90f31_e.htm#BK15
Page 8
Page 9
Step 2: Risk
Assessment
Likelihood
Impact
H/M/L
H/M/L
Date to be reviewed
Page 10
Timescale
Person
Responsible
Reviewed
Level of Risk
1. REPORTING INFORMATION
Name of person making report
Organization Name
Date of Reporting
Contact Email
High Risk
Immediate action required
Low Risk
Further Monitoring required
Operational
Financial
Reputational
Strategic
Compliance
Safety
3. PROVIDE THE NAME AND CONTACT INFORMATION FOR THE INDIVIDUAL(S) THAT WILL PROVIDE STATUS UPDATES ON THIS RISK?
Name:
Contact email:
Name:
Contact email:
Page 11
IMPACT
LEVEL
DESCRIPTION / EXAMPLE
Operational
Financial
Reputational
Strategic
Compliance
Safety
No impact on Patient
Safety
Event caused
inconvenience but no
apparent injury
First aid treatment.
No Impact
No impact on Operations
No financial impact
No Reputational Impact
No Strategic Impact
No impact on Compliance
Insignificant
N/A
No noticeable regulatory or
statutory impact
Minor
N/A
Moderate
Substantiated, public
embarrassment, moderate
impact, moderate news profile,
Ministerial
involvement.
Setback in achieving
strategic direction/goals
or objectives. Failure to
meet objectives by year 1
Significant
Revenue/cost impact of
10-20% of operational
budget
Substantiated, public
embarrassment, high impact,
high news profile, Third Party
actions, public Ministerial
involvement.
Performance reporting
and measurement
indicate variance from
expectations. Failure to
meet objectives by year 2
Serious or extensive
injuries.
Major
Revenue/cost impact
more than 20% of
operational budget.
Substantiated, public
embarrassment, very high
multiple impacts, high
widespread multiple news
profile, Third Party actions,
public Ministerial involvement,
Government censure.
Breakdown of community
partnerships and
alliances.
Failure to meet objectives
by year 3
Death or permanent
injury
Pending legal action
Page 12
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
ASSESSMENT QUESTION
YES
Is the definition of "risk" as articulated in the Enterprise Risk Management Policy still
adequate?
Is the board organized to oversee risk management effectively?
Does the board have a process in place to get the knowledge and experience it needs to
oversee risk management?
Are the risk oversight objectives articulated by the board consistent with the ethical values
defined by the Board?
Does the board understand the primary risks and uncertainties inherent in the business
model of the LHIN and how they are addressed?
a. Does the board periodically review risks and possible worst case scenarios?
b. Does the board know the current status of the major risks facing the LHIN?
c. Are the risks documented?
d. Is there sufficient time during board meetings to discuss them?
e. Is the board satisfied that management has in place an effective process to
continuously identify risk, measure its impact and evaluate risk mitigation capabilities?
Is the board and/or responsible committees, confident that directors are receiving the
comprehensive, objective information they need to perform risk oversight?
Is the board satisfied that roles, responsibilities, authorities and accountabilities are clearly
established?
Is the board satisfied that the risk reporting process is effective, efficient and frequent
enough?
Is the board satisfied that the risk oversight process is focused on the most critical risks and
not mired in minutiae?
Is the board satisfied with the process to decide how much risk the organization can take
on?
Is the board satisfied with the process to assess the organization's financial capacity to take
on risks?
Is the board satisfied that management pays attention to the warning signs and gives timely
consideration to emerging risks?
Are coordinated mechanisms in place to communicate the boards expectations for risk
management across the organization and to staff?
Is the board satisfied that contingency plans are in place in the event of a crisis?
Has the organization learned from its experience with risk?
Is the board satisfied with its evaluation of the effectiveness of its risk oversight processes in
achieving its risk oversight objectives ?
Page 13
NO
NA
COMMENT