Risk Mgmt-Enterprise-Handout


Selected Risk Management Program Documents

Enterprise Risk Management Presentation

Safety, Security & Risk Management Department Safety&RiskManagement@ourpeoplework.org

March 17, 2011 SENSITIVE BUT UNCLASSIFIED PROPERTY OF SERVICESOURCE NETWORK Copying, including electronic copying, dissemination, or distribution of any information contained herein, or any part thereof, to unauthorized persons or without written permission of ServiceSource Network is prohibited.

Safety, Security & Risk Management



Dear Attendee,

It is my honor to have presented this information at the NISH Conference. Please do not hesitate to contact me for any information regarding the presentation. If you email me, I will provide all of the information mentioned in their original format (e.g., Excel, Word, etc.) so that you can download and alter them to meet your needs. My email address is skuebler@ourpeoplework.org.

With the exception of Mr. Kuhn’s spreadsheet, there are no copyright issues to worry about – just remove the ServiceSource logo information and insert yours. Mr. Kuhn’s work can be altered and used as noted on the first page. Generally, he does not mind you using the spreadsheet so long as he is credited. Alterations are fine, too.

In addition to the presentation materials, I have included a selection of forms we, at ServiceSource, use as part of our process. Again, those wishing workable copies merely need to send me an email.

Thank you, again, for attending.

Sincerely,

Scott A Kuebler



Risk Management Issues Identification & Response Plan

Understanding the Network’s Risk Management Identification & Response Plan

A Risk Management Plan outlines the foreseeable risks & hazards and provides a set of actions to be taken to both prevent the risk from occurring and reduce the impact of the risk should it eventuate. More specifically, the plan includes:

• A full list of identified foreseeable risks
• A rating of the likelihood of each risk's occurring
• A rating of the impact on the organization/program should each risk actually occur
• A priority rating of the overall importance of each risk
• A set of preventative actions to eliminate or reduce the likelihood of the risk(s) occurring
• A set of contingent actions to reduce the impact should the risk eventuate
• A process for managing risks & hazards over a set period of time.

The ServiceSource Network staff leadership prepares and submits the plan to our voluntary Board of Directors for review and approval so that our governing Board may be informed of risk management identification and mitigation processes. The plan should not be considered an external or independent audit of risk and risk management activities; rather, it is a management information and planning tool. However, external reviews are included in many areas of planned activities and the results are additionally provided to the Board of Directors and committees.

Risk Process

It is the responsibility of all employees to identify potential operating and environmental risks to the ServiceSource Network and the services and programs of its affiliates. The process of identifying such operational and environmental risks is known as “risk analysis.” Risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.

The identification of risk is a complicated process that involves all levels of employees. This process starts, in its organized form, with the various safety committees throughout the Network. As each safety committee is made up of a cross section of employees and management, risk identification activities include all levels of employees. As issues are identified, they are discussed and reported on at regular safety committee meetings and, where appropriate, bubble up through the chain of command to the Network level.


Whenever possible, local risk issues are encouraged to be handled at the local level, and only major risk issues – those either requiring Network support or having a Network-wide impact – are added to this report.

In addition to the local safety committee, each affiliate has a cross-functional team (see corporate policy 100.10 Cross Functional Management Team) that also has responsibility to identify risk and either act upon it or raise it to the Network level. This team is also the functional body that would often receive risk information from the local safety committee, as well as from other sources (e.g., direct employee contact, local state regulatory bodies, persons served, etc.).

Understanding the above, this document will serve as the platform for the development, control and review of the risks and hazards identified for the Network as a whole. This plan will follow the generally accepted practices of any risk management analysis and reporting function, as portrayed in the following chart (reference: The Presidential/Congressional Commission on Risk Assessment and Risk Management – Framework for Environmental Health Risk Management):

In summary form, the process is as follows:

• Define the problem and put it into context.
• Analyze any risks associated with the problem.
• Examine options addressing the risks identified.
• Make informed decisions on which, if any, options to implement.
• Take action to implement the decisions.
• Conduct regular analysis of any actions taken to ensure the outcomes are what was expected - if not, restart the process.


Procedures

Provide a diagrammatic representation of the processes undertaken to identify and mitigate risks within the Network.

Responsibilities

Define the roles and responsibilities of all resources involved with the identification and mitigation of risks within the Network.

The first step in creating a risk plan is to identify the likely risks & hazards that may affect the Network. A series of risk categories is identified and for each category a suite of potential risks is listed. This may take place during a ‘Risk Planning’ workshop, involving key stakeholders, management representatives, employees, contractors, etc., who are involved in / affected by the operations of the organization or program. Each of the risks identified is described in detail and documented within the plan.

Definition

“A risk is defined as any event which is likely to adversely affect the ability of the Network to achieve the defined objectives”.

Categories

Identify the likely categories of risks for the Network. Each risk category is a particular aspect of the Network that is likely to experience a risk at some point in time. Currently, ServiceSource Network has identified the following categories:

• Governance
  o The edifice of corporate governance includes:
    - the national/regional laws governing the formation of corporate bodies
    - the bylaws established by the corporate body itself
    - the organizational structure of the corporate body
• Operations
  o Those activities involved in the running of a business for the purpose of producing value for the stakeholders.
• Financial
  o Those activities involving balancing risk and profitability.
• Information Technology (IT)
  o A broad subject concerned with the use of technology in managing and processing information; including data security, backup and verification activities.
• Human Resources (HR)
  o Those activities associated with hiring, firing, retaining, training, and other human capital concerns.
• Contract
  o Those activities concerned with the development, maintenance, performance, renewal or obligatory requirements of any contract the Network, or any of its parts, may be part of or undertake.
• Corporate Development (CD)
  o Those activities associated with corporate strategic planning expansion and merger & acquisition execution.
• Program Development (PD)
  o Those activities associated with the development of new programs and activities, grant development and general oversight of the Network’s strategic activities to meet its stated goals and objectives.
• Safety
  o Those activities associated with maintaining a safe, secure and healthful work environment.

Risk Quantification & Prioritization

The next step is to quantify the likelihood of each risk's eventuating along with its potential impact on the Network. This process then allows each risk to be effectively prioritized. A simple method of reviewing each issue and assigning a ranking by using the following chart assists in properly prioritizing each risk.

                 Low Likelihood      High Likelihood
High Impact      Priority 2          Priority 1
Low Impact       Priority 4          Priority 3

Management staff, both at the Network and local levels, are provided with worksheets to help them identify and prioritize risks (copies attached to this document). This process, when completed, is then summarized on a matrix, and this matrix is provided to senior leadership as a tool to constantly monitor open issues. The summary of all of this work is kept in a database file by the Vice President of Safety,


Potential Risk Identification Notification

To:
From:
Date:
Requested Reply Date:

The Risk Management Department, as part of its ongoing review of processes and practices, has identified the following issue(s) as posing a potential risk to the Network or one of its affiliates. Identification of these risks does not necessarily mean that the risks are real or even pose a valid threat to any portion of the Network – it only means that the Risk Management Department has identified the issue(s) and poses the following questions as to its validity as a risk. Please review and mark the appropriate action you and your team feel best addresses the issue(s) identified and reply back to Skuebler@ourpeople.org. Thank you.

Issue

Potential Owner

Risk Department Comments

Recommended Action □ □ □

CC: Bertha Ngenge, SVP HR & Compliance Officer

Not Considered an Issue at this Time. Add to the Risk Plan for Formal Tracking. Issue under Review by the Identified Owner and Considered an Interdepartmental Issue. No Further Risk Action Required at this Time. Not a Risk Item; However Assigned as an Action Item to:


Risk/Hazard Identification Form

RISK DETAILS

Risk Title: Title of the risk/hazard to which the risk relates
Risk Owner: Name of the risk owner responsible for mitigating the risk
Risk ID: Unique identifier assigned to this risk (Risk Management to provide)
Raised By: Name of person who is raising the risk
Date Raised: Date on which this form is completed

Risk Description: Add a brief description of the risk identified and its likely impact on the organization or operation (e.g. scope, resources, deliverables, timescales and/or budgets)

Risk Impact on Organization/Program: Add a brief description of the impact this risk or hazard would have on the organization/program, if it was to eventuate.

Risk Likelihood, Impact & Prioritization:

□ Highly Likely/High Impact – Priority 1
□ Low Likelihood/High Impact – Priority 2
□ Highly Likely/Low Impact – Priority 3
□ Low Likelihood/Low Impact – Priority 4

RISK CATEGORY

Risk Category: Select the appropriate risk category based on the following descriptors:

□ Governance
  o The edifice of corporate governance includes:
    - the national/regional laws governing the formation of corporate bodies
    - the bylaws established by the corporate body itself
    - the organizational structure of the corporate body
□ Operations
  o Those activities involved in the running of a business for the purpose of producing value for the stakeholders.
□ Financial
  o Those activities involving balancing risk and profitability.
□ Information Technology (IT)
  o A broad subject concerned with the use of technology in managing and processing information; including data security, backup and verification activities.
□ Human Resources (HR)
  o Those activities dealing with hiring, firing, training, and other personnel issues.

Scott Kuebler Page 1 4/29/2008 C:\Documents and Settings\skuebler\My Documents\Risk Management Resources & Information\Forms & Templates\2008 Forms & Templates\ServiceSource Risk Form.doc


□ Contract
  o Those activities concerned with the development, maintenance, performance, renewal or obligatory requirements of any contract the Network, or any of its parts, may be part of or undertake.
□ Corporate Development (CD)
  o Those activities associated with corporate strategic planning expansion and merger & acquisition execution.
□ Program Development (PD)
  o Those activities associated with the development of new programs and activities, grant development and general oversight of the Network’s strategic activities to meet its stated goals and objectives.
□ Safety
  o Those activities associated with maintaining a safe, secure and healthful work environment.

RISK RESPONSE STRATEGY

Strategy: The appropriate leadership team identifying the hazard or risk should identify the best strategy to handle the issue. These strategies include:

□ Avoidance – the leadership team decides that the best practice to handle this particular hazard or risk is to eliminate it or its impact. This may be achieved by changing operational activities or policies, adding resources, extending time frames, or otherwise removing the opportunities for the hazard or risk to manifest itself.
□ Transference – the leadership team transfers the hazard or risk to another party (e.g., by purchasing insurance coverage).
□ Mitigation – the leadership team understands that the risk or hazard cannot be completely eliminated or transferred; however, they implement processes, policies, and methods to reduce the probability or the consequences of the hazard or risk, in the event it manifests itself.
□ Acceptance – the leadership team, after careful review, decides to accept the risk and not to develop or implement any strategy or specific response, other than to agree to address the issue if and when it occurs.

RISK MITIGATION

Based on the strategy chosen, explain how the identified hazard or risk will be handled:

Recommended Preventative Actions: Add a brief description of any actions that should be taken to prevent the risk from eventuating

Recommended Time Specific Actions: Specify and describe any actions, along with an estimated completion date, that should be taken, in the event that the risk happens, to minimize its impact on the organization or program

Signature: _______________________

Date: ___/___/____

PLEASE FORWARD THIS FORM TO THE DIRECTOR OF SAFETY & RISK MANAGEMENT



Risk Status Form

RISK IDENTIFICATION DETAILS

Risk ID#: Number assigned by Safety & Risk Management
Risk Title: Title of the risk/hazard to which the risk relates
Risk Owner: Name of the risk owner responsible for mitigating the risk
Date of Report: Date this form completed
Person Submitting: Name of person submitting this report

RISK DESCRIPTION DETAILS

Risk Description: Add a brief description of the risk identified and its likely impact on the organization or operation (e.g. scope, resources, deliverables, timescales and/or budgets)

Risk Impact on Organization/Program: Add a brief description of the impact this risk or hazard would have on the organization/program, if it was to eventuate.

RISK MITIGATION ACTIVITY DETAILS

Describe any activity either completed or currently in progress that addresses the risk/hazard identified:

Recommended Preventative Actions Identified: Add a brief description of any actions that have been taken to prevent the risk from eventuating

Recommended Time Specific Actions: Specify and describe any actions taken to either prevent or mitigate the identified risk/hazard

APPROVAL DETAILS

Issue status: □ Open □ Closed

Issue priority change (current status is Yellow): □ Green □ Yellow □ Red

Supporting Documentation: Reference any supporting documentation used to substantiate

Signature: _______________________

Date: ___/___/____

PLEASE FORWARD THIS FORM TO THE DIRECTOR OF SAFETY & RISK MANAGEMENT

Scott Kuebler Page 1 4/29/2008 C:\Documents and Settings\skuebler\My Documents\Risk Management Resources & Information\Forms & Templates\2008 Forms & Templates\ServiceSource Risk Status Form.doc


RISK MANAGEMENT MATRIX

Name of Program/Area:

Columns: RISK | IMPACT | PRIORITY | MITIGATION PLAN | ACTIONS | PROGRESS COMMENTS

Priority options offered in each row:
Highly Likely/High Impact (Priority 1)
Low Likelihood/High Impact (Priority 2)
Highly Likely/Low Impact (Priority 3)
Low Likelihood/Low Impact (Priority 4)


ReadMe

Author: Brad Kuhn - Carnegie Quality http://www.carnegiequality.com
Version: 1
Version Date: 6/13/2007
Copyright: Copyright © 2007 by Brad Kuhn. Some rights reserved. This work is licensed under a Creative Commons License.

You are free:
- to copy, distribute, and transmit the work
- to make derivative works

Under the following conditions:
- Attribution. You must attribute the work in the manner specified by the author or licensor.
- You may not use this work for commercial purposes.
- If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
- Any of these conditions can be waived if you get permission from the copyright holder.

Legend

Risk Category: Select from categories as defined in the values list in cells A36:A64.
Affiliate/Operation: Identify the appropriate affiliate/operation affected.
Potential Outcome: What happens if the risk occurs - usually written in the form "then <this outcome occurs>".
Raised By: Person who identified the risk.
Raised Date: Date risk identified.
Source: Source of risk - who or what process identified it.
Impact: Qualitative ranking of impact to project, using scales defined in the Risk Management Plan. You will find the values list in cells E47:F51.
Probability: Probability of risk being realized, using scales defined in the Risk Management Plan. You will find the values list in cells E54:F58.
Matrix Score: This is calculated once you select the Impact and Probability. These cells use conditional formatting to display color shadings as defined in cells E61:G64.
Qualitative Impact: Space for further description of potential impact.
Risk Strategy: Select from strategies as defined by the Risk Management Plan. You will find the values list in cells H36:H41.
Response Notes: Additional notes about the response plan.
Owner: Risk owner.
Status: Risk status. You will find the values list in cells H44:H52.
Trigger Date: If the risk was triggered (occurred), the date the trigger occurred.
Notes: Additional notes.

Risk Matrix FY11.xlsx



Risk Register
ServiceSource Network

Blank register template (rows 6 to 28 empty, Matrix Score 0.00 in every row), with the following column groups:

Risk Identification: Risk ID | Risk Category | Affiliate/Operation | Risk Description | Raised By | Date Raised | Source
Risk Analysis: Impact | Probability | Matrix Score | Qualitative Impact
Response Planning: Risk Strategy | Response Notes/Plan
Risk Monitoring and Control: Owner | Status | Trigger Date | Notes

Insert Rows Above This Line Only


Risk Register
ServiceSource Network

Warning: Be careful adding/removing rows in the following section - these values are used for data validation

Risk Category

Governance: Relates to corporate bylaws, government regulation, organizational structure, required certifications/licenses
Operations: Relates to any activities involved in operating/managing sites, contracts, programs, etc.
Finance: Relates to finance & accounting risks (e.g., fraud, misuse, taxes, budget, expenditures, revenues, etc.)
Information Technology: Relates to the use of technology, processing of information, data transmission or storage, electronic data security, etc.
Human Resource: Related to the hiring, firing, retaining, training, etc., of employees, participants & volunteers.
Contract: Related to the development, maintenance, performance, renewal or any obligatory requirements of any contract.
Corporate Development: Related to activities associated with corporate strategic planning, expansion and merger & acquisition activities.
Program Development: Activities associated with the development or maintenance of service programs, grants and any activities related to the organization's strategic activities to meet its stated goal and objectives.
Safety/Security: Related to those activities associated with maintaining a safe, secure and healthful work environment.

Risk Source

Local Management
External Audit/Review
Internal Audit/Review
Stakeholder
Other

Risk Strategy

Avoid
Transfer
Mitigate
Accept

Status

Identified
Analysis Complete
Planning Complete
Triggered
Resolved
Retired
Open

Impact Values

Very Low     0.05
Low          0.10
Moderate     0.20
High         0.40
Very High    0.80

Probability Values

Very Low     0.10
Low          0.30
Moderate     0.50
High         0.70
Very High    0.90


3/17/2011

Enterprise Risk Management
ServiceSource’s Risk Management Program
A Plan for Success

Presented by: Scott A. Kuebler, Ph.D.
Vice President Safety, Security & Risk Management
ServiceSource
Email: Skuebler@ourpeoplework.org

Acknowledgement: Brad Kuhn – Carnegie Quality http://www.carnegiequality.com, for spreadsheet design

What is a risk?

Scott’s definition – “The potential for some event to have a significant negative impact on the organization, tangible or intangible, as measured by both its likelihood to occur and its resulting impact.”


What can a risk event impact?

A risk event can impact:
• Direct cost to the organization (loss of revenue, fines, etc.)
• Loss of valued physical assets (property loss)
• Injury/death to employees or others
• Negative impact on the organization’s reputation

Risk impact example

Operation: Mail Services
Risk Event: Sensitive material lost and potentially exposed to the outside world.
Potential Impact: Reputation as it relates to performance.
Potential Result: Contract loss; failure to qualify for additional or new.

What is not a risk?

• If the event already happened - that’s history and a learning event.
• If the event in question is a “certainty” – that makes the event part of an existing operational, insurance or similar plan. For example, a scheduled DOL audit is not a “risk” – it is a manageable event.
• If the event or issue is generally accepted as “impossible” or “improbable” (a meteor destroying your facility).


Why have a risk management plan?

A risk management plan, working in partnership with an organization’s strategic plan, is like upgrading from a paper roadmap to a GPS system. While the roadmap is great at providing needed information to get from point “A” to point “B”, no one would question the wisdom of a GPS system that provides up-to-date directions, with alternatives, real-time traffic reports, voice-enhanced direction, etc.

In short – a proactive risk management plan provides data to allow an organization to identify and then eliminate, mitigate or knowingly accept identified risks; all with the intent of making the organization more adept at success!

What does a risk management plan do?

From “Framework for Environmental Health Risk Management”, The Presidential/Congressional Commission on Risk Assessment and Risk Management

Risk management process

Steps in the risk management process:
1. Planning
2. Risk Identification
3. Prioritization
4. Control & Monitoring
5. Closure & Audit

Tracking, Management, Reporting


Step One - Planning

• Determine who will be involved in the process (accountability).
• Gain management buy-in at every level.
• Know how you are going to collect, track, trend and present information.
• Align the program with the organization’s mission, vision and strategic goals/objectives.

Risk Management Process

Planning: • Responsibilities • Methods • Buy-in • Align with: Mission, Vision, Strategic Plan
Risk Identification
Prioritization
Control & Monitoring
Closure & Audit

Step Two – Identification of Risk

• Experience/History
• Experts
• Brainstorming
• Formal Assessments
• Surveys


Step Two – Identification of Risk

Planning: • Responsibilities • Methods • Buy-in • Align with: Mission, Vision, Strategic Plan
Risk Identification: • Experience • Experts • Brainstorming • Assessments • Surveys
Prioritization
Control & Monitoring
Closure & Audit

Step Three - Prioritization

Two criteria to examine:

1. Probability (likelihood) that the event identified will happen – minimal/unlikely to high/very likely
2. Consequence (impact or severity) the event would cause if it happened – low or minor impact to high or severe (catastrophic) impact

Step Three - Prioritization

[Chart: Severity of Occurrence (1 to 3) against Probability of Occurrence (1 to 3), with zones marked Green, Yellow and Red]


Step Three - Prioritization

[Chart: Probability of Occurrence against Consequence of Occurrence, each scaled Very Low, Low, Moderate, High, Very High, with cells marked Low Risk, Medium Risk or High Risk]

Step Three - Assessment

Risk Priority Table (Impact against Likelihood)

Impact high, likelihood low: impact = 7, probability = 3
Impact high, likelihood moderate: impact = 7, probability = 7
Impact high, likelihood high: impact = 10, probability = 10
Impact moderate, likelihood low: impact = 3, probability = 3
Impact moderate, likelihood moderate: impact = 5, probability = 5
Impact moderate, likelihood high: impact = 5, probability = 10
Impact low, likelihood low: impact = 1, probability = 1
Impact low, likelihood moderate: impact = 3, probability = 5
Impact low, likelihood high: impact = 3, probability = 10

Impact descriptors:

• Significant Financial loss >$100,000; Impact on organization's reputation; Major safety issues w/potential to harm; Imposed fines, fraud, crime, etc.; Liability exposure & legal actions; Significant IT system issues; Labor disruption, major contract issues, etc.
• Moderate Financial loss <$50,000; Safety issues violating OSHA, insurance, etc.; Isolated criminal activity/fraud; IT issues w/potential to affect ops.; Multiple employee grievances; Management issues affecting operations; Labor & contract issues
• Minor Financial loss <$10,000; Isolated safety issues w/o potential to harm; Non-criminal and non-liability legal issues; Minor IT related issues; Minor and isolated employee issues; Internal audit/inspection issues; Misc. issues w/potential to impact ops.

Step Three - Prioritization

Risk Management Process Steps

Planning: • Responsibilities • Methods • Buy-in • Align with: Mission, Vision, Strategic Plan
Risk Identification: • Experience • Experts • Brainstorming • Assessments • Surveys
Prioritization: • Probability • Impact • Rating System: Consistent, Easy, Understandable
Control & Monitoring
Closure & Audit


Step Four – Control & Monitoring

Four Methods to Control Risk:
• Transfer
• Mitigate
• Accept
• Avoid

Step Four – Control & Monitoring

Risk Identification (columns: Risk ID | Risk Category | Affiliate/Operation | Risk Description | Owner | Date Raised | Source)

1 | Operations | Housing boards do not have D&O coverage. | 11/01/10 | Internal Audit/Review
2 | Operations | CARF Certification | 11/01/10 | Internal Audit/Review
3 | Finance | Formalized expenditure and revenue approval process. | 11/01/10 | External Audit/Review
4 | Information Technology | Lack of a readily available method to transmit sensitive data. | 11/01/10 | Internal Audit/Review
5 | Human Resource | Ethics Training Requirements | 11/01/01 | Internal Audit/Review
6 | Operations | Paint booth is out of compliance with NFPA codes | 11/01.2010 | External Audit/Review
7 | Human Resource | Current policy titled "Code of Ethics, Conduct and Corporate Compliance" (300.38) does not contain proper "whistleblower" protection. | 11/01/10 | Internal Audit/Review

Step Four - Prioritization

Risk Analysis (columns: Impact | Probability | Matrix Score | Qualitative Impact)

5 | 0 | 5.00 | D&O exposure without coverage and potential risk of losing directors.
9 | 3 | 12.00 | Loss of certification; loss of income streams where this is required; and loss of reputation.
4 | 4 | 8.00 | Lack of a formalized and consistent approval matrix governing expenditures/revenue leaves the organization vulnerable to misuse or misappropriation of funds.


Response Planning / Risk Monitoring and Control (columns: Risk Strategy | Response Notes/Plan | Status | Notes)

Transfer | Worked with Housing management and our brokers/carriers to develop and implement an insurance solution.
Mitigate | New Quality Manager will be working with each affiliate to ensure CARF compliance.
Mitigate | CFO team is developing a formalized process that will include an authority matrix. | Resolved | Authority matrix approved and published.
TBD | Issue has been referred to the IT team.
Mitigate | HR developed and implemented a vigorous ethics program with ongoing training. All employees are now required to receive this training upon hire and then must take a refresher course annually.

Status (remaining entries): Resolved, Open, Open, Resolved
Notes (remaining entries): D&O policy in place. SSRM Team has started safety audits.

Step Four – Control & Monitoring

Risk Management Process Steps

Planning: • Responsibilities • Methods • Buy-in • Align with: Mission, Vision, Strategic Plan
Risk Identification: • Experience • Experts • Brainstorming • Assessments • Surveys
Prioritization: • Probability • Impact • Rating System: Consistent, Easy, Understandable
Control & Monitoring: • Categorized • Described • Assigned • Prioritized • Response • Monitored
Closure & Audit

Step Five - Closure

Closure or Status Possibilities:
• Resolved
• Retired
• Open
• Triggered


Understanding Closure:

• Know in advance what elements are required to “qualify” an issue for closure!
• Update the organization’s Risk Management Plan to account for issue closure.
• Maintain archives for future reference, auditing and “proof” when required.
• External Audit

Step Three -

Risk Management Process Steps

Planning: • Responsibilities • Methods • Buy-in • Align with: Mission, Vision, Strategic Plan
Risk Identification: • Experience • Experts • Brainstorming • Assessments • Surveys
Prioritization: • Probability • Impact • Rating System: Consistent, Easy, Understandable
Control & Monitoring: • Categorized • Described • Assigned • Prioritized • Response • Monitored
Closure & Audit: • Understand • Update Plans • Archive • External Review

Resources

• Ethics Resource Center - http://www.ethics.org/
• Carnegie Quality - http://www.carnegiequality.com/
• Committee of Sponsoring Organizations of the Treadway Commission (COSO) - http://www.coso.org/
• Nonprofit Risk Management Center - http://www.nonprofitrisk.org/

Scott A. Kuebler
Vice President Safety, Security & Risk Management
ServiceSource
skuebler@ourpeoplework.org
