Risk Management

Introduction to Risk Management

Uploaded by Lucianne Bernal
10/1/2024

RISK MANAGEMENT 2024

WiFi
• Name: AP_ISO-73324
• Password: threEthreEtwO

OBJECTIVES
• To review systematic risk management and apply it to day-to-day operations using the Risk and Opportunity Registry

LEARNING OUTCOMES
At the end of the two-day workshop, participants are expected to
1. Understand risks and the importance of systematically identifying and addressing risks
2. Understand different tools to manage risks
3. Review the use of the LHMRH Risk and Opportunity Registry

OUTLINE
I. Introduction to Risk
II. Risk Management
   a. Principle
   b. Framework
   c. Process
III. Risk Management Procedure in LHMRH
IV. Risk and Opportunity Registry

Risk and opportunity
• Effective risk management is essential for any business to achieve its strategic objectives and improve the outcomes for both employees and customers. But what is risk?
Source: https://kayaconnect.org - Risk Management

Definition of Terms (ISO 31000:2018)
• Risk - effect of uncertainty on objectives (clause 3.1)

ISO 31000:2018 Risk Management

Risk and opportunity
• At a personal level, buying a lottery ticket is a good example of risk because it entails one of two outcomes: opportunity - you could win a prize; and threat - you could lose your stake money.
Source: https://kayaconnect.org - Risk Management

ISO 31000:2018 Risk Management

Risk can be a threat (downside) or an opportunity (upside)
• A threat is an event or action that will adversely affect an organization's ability to achieve its stated objectives and to successfully deliver approved strategies. This will include both external and internal risks.
• An opportunity is an event or action that will enhance the organization's ability to achieve its objectives and deliver approved strategies. This will include both external and internal risks.
Source: https://kayaconnect.org - Risk Management

Risk Management
• Definition: coordinated activities to direct and control an organization with regard to risk (clause 3.2)
• Motive: safeguard assets
• Minimize or maximize uncertainty in favor of business objectives.

Risk management should be a part of, not separate from, the organizational purpose, governance, leadership and commitment, strategy, objectives, and operations.
ISO 31000:2018 Risk Management

How can you manage risk?
• Risk management is about being 'risk aware'; it is not about being 'risk averse'. Risk is ever-present and some amount of risk taking is inevitable if any business is to achieve its objectives.
• Risk management is about making the most of opportunities and about achieving objectives once those decisions are made. By being 'risk aware', the company is in a better position to avoid threats and take advantage of opportunities.
Source: https://kayaconnect.org - Risk Management

Are you a risk manager?
• Although there is a formal risk management process one can learn and apply, you probably already do some risk management.
• Try the next two questions to find out...
Source: https://kayaconnect.org - Risk Management

Question 1: Would a risk manager take a ride on a roller-coaster?
[ ] Yes, I go on every roller-coaster I can.
[ ] Yes, if it was on a well-run site with clear safety features.
[ ] No way! People get injured on roller-coasters.
Source: https://kayaconnect.org - Risk Management

Question 2: Would a risk manager invest money in shares?
[ ] Yes. Over time the stock market always out-performs savings.
[ ] Yes, if my research showed the company was a sound proposition.
[ ] And watch the value plummet? No, thank you!
Source: https://kayaconnect.org - Risk Management

ENTERPRISE RISK MANAGEMENT
"Enterprise risk management in healthcare promotes a comprehensive framework for making risk management decisions which maximize value protection and creation by managing risk and uncertainty and their connections to total value."
American Society for Healthcare Risk Management (ASHRM)

ENTERPRISE RISK MANAGEMENT
- stresses the use of technology to synchronize risk mitigation efforts across the entire organization and remove risk associated with siloed departments or business units
- data analytics are embedded to support decision-making, departmental cohesiveness, risk prioritization, and resource allocation
- elements of ERM are built on top of a governance structure that aligns business operations with the risk management program
What is risk management in healthcare? (2018) What Is Risk Management in Healthcare? | NEJM Catalyst. Available at: https://catalyst.nejm.org/doi/full/10.1056/CAT.18.0197 (Accessed: 29 September 2024).

ENTERPRISE RISK MANAGEMENT
[Figure: the shift from Traditional Reactive RM (focus on patient safety and reducing medication errors) through an Increasingly Complex environment (expanding role of healthcare technologies; increased cybersecurity concerns; fast pace of medical science; ever-changing regulatory, legal, political, and reimbursement climate) to Holistic & Proactive RM (financial risk is increasingly shifting from payers to providers).]
What is risk management in healthcare? (2018) What Is Risk Management in Healthcare? | NEJM Catalyst. Available at: https://catalyst.nejm.org/doi/full/10.1056/CAT.18.0197 (Accessed: 29 September 2024).

Risk Management: Principles
Reference: Reddy, V. Risk Management Cycle: Process and Framework Explained. Simplilearn. Accessed 09/30/2024 at https://www.simplilearn.com/risk-management-cycle-article

ISO 31000:2018 Risk Management

Risk Management Framework
• This is the corporate risk management framework used by some companies - a policy and strategy supported by a detailed management toolkit.
Source: https://kayaconnect.org - Risk Management

Risk management framework
• set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.
ISO 31000:2018 Risk Management

Risk Management Framework
ISO 31000:2018 Risk Management

Proving Leadership & Commitment
Top management and oversight bodies, where relevant, need to make sure that risk management is INTEGRATED into all organizational activities.

Clause 5.4.1 Understanding the Organization & its Context
• When designing and developing the risk management framework, the organization needs to examine and comprehend its external and internal context.

Clause 5.5 Planning to Implement the Framework
Developing a relevant plan:
• Identifying time and resources needed for implementing the framework
• Identifying decisions corporate demographics
• Where, when, and how different types of decisions are made across the organization
• Who makes the different types of decisions at different levels
• Adapting the appropriate decision-making processes where needed
• Making sure that the organization's arrangements for managing risk are clearly comprehended and practiced.

Risk Management Framework
• Main objective: empower the organization to integrate and align risk management into important activities and processes
• Comprehensive assessment of risk management practices and processes, identify gaps, and resolve those gaps within the framework.
• Should be tailored to the organization's requirements.
ISO 31000:2018 Risk Management

Risk Management Framework
• Foundations: risk management commitment, policy, and objectives
• Organizational arrangements: resources, activities, processes, plans, accountability, relationships, etc.
• Embedded in the company's strategic and base-level policies and practices.
ISO 31000:2018 Risk Management

Clause 5.4.2 Articulating Risk Management Commitment through Policy
• Top management and oversight bodies, where applicable, should prove and express their continual commitment to risk management through a (written) policy within an organization & with its stakeholders.
• Risk Management Policy - statement of the overall intentions and direction of an organization related to risk management (clause 2.1.2)
ISO 31000:2018 Risk Management

Clause 5.4.2 Articulating Risk Management Commitment through Policy
The commitment includes the following, among others:
• Company's purpose for regulating its risk and connections to its objectives and other policies
• Reinforcing the requirement to integrate risk management into the culture of the organization
• Leading the integration of risk management into core business functions, activities, and decision-making
• Authorities, responsibilities, and accountabilities

Clause 5.4.2 Articulating Risk Management Commitment through Policy
• Making the necessary resources available
• The method in which conflicting and contradictory objectives are managed
• Reporting and measurement within the company's key performance indicators
• Review and continual improvement
The risk management commitment should be communicated within an organization & with its stakeholders.

Oversight Bodies
• Ascertain that risks are sufficiently considered when fixing the organization's objectives
• Comprehend the risks facing the organization to achieve its objectives

Clause 5.4.4 Allocating Resources
• Top management and oversight bodies need to make sure that sufficient resources are issued for risk management. Examples:
• Information and organization's knowledge management systems
• Human resources: headcounts, experience, skills, and competence
• Training needs identification with professional development programs

Clause 5.4.4 Allocating Resources
• The work methods, processes, and tools to be utilized for managing risk
• Documented procedures and processes.
• The organization should reflect and contemplate the limitations and capabilities of existing resources.

Clause 5.4.3 Assigning Organizational Roles, Authorities, Responsibilities & Accountability
Top management and oversight bodies, where relevant, need to make sure that the authorities, responsibilities, and accountabilities for relevant roles concerning risk management are allocated and communicated at all levels and functions of the organization.
They also need to:
• Highlight that risk management is a core responsibility for all
• Recognize persons who have the accountability and authority to administer risk (risk owners).

Roles and responsibilities: Chief executive
The chief executive has ultimate responsibility for embedding risk management throughout the organization.
Source: https://kayaconnect.org - Risk Management

Roles and responsibilities: Executive directors
• Implementing the risk management policy and strategy
• Contribute towards the identification and management of strategic and cross-cutting risks and opportunities facing the organization
• Receive and consider reports on key strategic risk issues as part of the annual statement of assurance
• For key issues/projects, determine the business's risk preference (risk averse or risk taking)
• Promote the integration of risk management principles into the culture of the business via all heads of service
Source: https://kayaconnect.org - Risk Management

Roles and responsibilities: Corporate risk management team
• Develop the risk management policy and strategy with arrangements for annual review
• Corporate advisors of risk at strategic and operational level
• Promote a culture of risk awareness within the organization
• Continual development of the corporate risk register
• Advice and support to keep risk profiles up-to-date and provide assistance in the identification of emerging risks
• Co-ordinating and facilitating the risk management process
• Regular reporting to the executive team
Source: https://kayaconnect.org - Risk Management

Accountability for Leadership & Oversight Bodies
• Leadership is accountable for managing risks, while oversight bodies are liable for supervising risk management relevant to them.

Oversight Bodies
• Make sure that systems to administer risks are implemented and operating robustly
• Make sure that such risks are relevant in the perspective of the organization's objectives
• Make sure that information about such risks and their management is correctly communicated.

Roles and responsibilities: Audit and risk committee
• Consider the effectiveness of the company's risk management arrangements, as part of seeking assurances on the overall governance and control environment
• Seek assurance that action has been taken on risk related issues identified by internal and external audit and inspectors
• Ensure that the organization's assurance statements, including the annual governance statement, properly reflect the risk environment and any actions required to improve it
• Review arrangements for strategic risk management and monitor the key corporate risks
Source: https://kayaconnect.org - Risk Management

Roles and responsibilities: Heads of department
• Identify, analyze and profile service risks and manage risks using identified control measures and actions
• Ensure risk management is a regular item in team meetings
• Maintain awareness of and promote the approved risk management policy and strategy to all relevant staff
• Ensure that risk management is incorporated into service plans.
• Attend awareness training
Source: https://kayaconnect.org - Risk Management

Roles and responsibilities: All Employees
• Maintain awareness of risks and contribute to the control process where appropriate.
Source: https://kayaconnect.org - Risk Management

Who is really responsible for risk management in a typical company?
A. The audit and risk committee
B. The chief executive and executive directors
C. Heads of department and all other service managers
D. The corporate risk management team
E. The employees
F. Everyone
Source: https://kayaconnect.org - Risk Management

Clause 5.6 Evaluation
The organization should take actions to assess the effectiveness of the risk management framework. Examples:
• periodically measure framework performance against its basic purpose, indicators, implementation plans, and anticipated behavior.
• identify whether it is still suitable to empower the organization to achieve business objectives.

Clause 5.7 Improvement
Adapting - The organization is recommended to continually monitor and update or adapt the risk management framework to resolve external and internal issues newly arising. The organization can enhance its value by monitoring and adapting (5.7.1).

Clause 5.7.2 Continually Improving
The organization is recommended to continually improve the relevancy, adequacy, and robustness of the risk management framework.
Also, they need to improve the method for integrating the risk management process within the organization's core business processes.

Definition of Terms
• Risk Management Plan - scheme within the risk management framework specifying the approach, the management components and resources to be applied to the management of risk
ISO 31000:2018 Risk Management

Risk management framework: Strategy
• identifies the risk management process for all members of staff, thus maintaining a consistent approach when embedding risk management across the organization.
Source: https://kayaconnect.org - Risk Management

Risk Management Process
• systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk
ISO 31000:2018 Risk Management

Risk Management Process
ISO 31000:2018 Risk Management

Clause 6.3.2 Defining the Scope
• The organization needs to state the scope of its risk management activities.
• As the risk management process may be implemented at various levels (such as project, program, strategic, operational, or other activities), it is significant to explicitly identify the scope.
• The scope should be defined in consideration with relevant objectives and their alignment with organizational objectives.
ISO 31000:2018 Risk Management

Clause 6.3 Scope, Context & Criteria
• Objective of developing the scope, context, and criteria: tailor the risk management process, facilitating effective risk assessment and relevant risk treatment.
• Scope, context, and criteria comprise defining the scope of the process and comprehension of the organization's external and internal context.

Clause 6.3.3 External & Internal Context
• The external and internal environment is another name for the context in which the organization opts to state and attain its business objectives.
• The risk management process environment should be developed from the comprehension of the external and internal issues in which the company functions and should exhibit the particular environment of the activity (where the risk management process is implemented).

Establishing the Context
• defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the risk management policy
ISO 31000:2018 Risk Management

External Context
• financial
• legal
• regulatory
• political
• cultural
• social
• technological
• economic
• natural
• competitive environment
ISO 31000:2018 Risk Management

Internal Context
• internal environment in which the organization seeks to achieve its objectives
ISO 31000:2018 Risk Management

Internal Context
• Governance, roles, responsibilities and accountabilities, organizational structures
• Policies, the strategic themes, objectives, and targets that are in place to achieve them
• The capabilities, explained in terms of resources and knowledge (e.g., people, capital, systems, time, processes, and technologies)
• Decision-making processes, either formal or informal, based on the information systems or the informal flow of information
ISO 31000:2018 Risk Management

Internal Context
• Relationships with and perceptions and values of internal stakeholders
• Culture of the organization
• Guidelines, standards, and models implemented by the company
• Contractual relationships types, forms, and magnitude of compliance.
ISO 31000:2018 Risk Management

Clause 6.3.4 Defining Risk Criteria
• The organization should identify the risk quantity and risk type that it will tolerate or not based on its objectives.
• It should also explicate criteria to assess the importance of risk and to enhance decision-making processes.

Clause 6.3.4 Defining Risk Criteria
Risk criteria should
a. be lined up with the risk management framework and tailored to the activity's particular objective and scope under examination.
b. contemplate the company's values, objectives, and resources and be consistent with a policy statement about risk management.
c. be tailored where possible as per the organization's obligations and the opinions of stakeholders.

Clause 6.3.4 Defining Risk Criteria
Although risk criteria should be established at the inception of the risk assessment process, they should not be static. Therefore, they should be continually reviewed and improved where it seems necessary.

Clause 6.3.4 Defining Risk Criteria
Considerations in determining risk criteria:
1. The type and nature of uncertainties that can influence outcomes and objectives, whether tangible or intangible
2. How negative and positive consequences and their likelihood will be identified, stated, and measured
3. Factors related to time and sequences

Clause 6.3.4 Defining Risk Criteria
Considerations in determining risk criteria:
4. Consistent method for measurements' application
5. Determination of the method to identify the magnitude of risk
6. Determination of the method to work with compound risks along with its combinations
7. The capacity of the organization.

Risk Management Process
ISO 31000:2018 Risk Management

Clause 5.4.5 Communication and Consultation
• continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders regarding the management of risk (3.2.1)
ISO 31000:2018 Risk Management

Communication
• Empowers by enhancing awareness and comprehension of risk
ISO 31000:2018 Risk Management

Consultation
• Bi-directional process of enlightened communication between a company and its stakeholders on an issue before deciding or identifying its line of action.
• A process that influences a decision rather than being authoritative in that process
• An input to decision making which cannot be termed as joint decision making.
ISO 31000:2018 Risk Management
10/1/2024

Communication and Consultation
Aims:
• Gather diverse zones of expertise together for each step of the risk management process
• Make sure that different views are sufficiently considered when defining risk criteria and when assessing risks
• Offer adequate information to enable risk surveillance and decision-making
• Devise a sense of ownership and inclusiveness among those influenced by risk.
ISO 31000:2018 Risk Management

Stakeholder
• person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity (clause 3.2.1)
• can also be a decision-maker
* Risk perception - stakeholder's view on a risk (clause 3.2.3)
ISO 31000:2018 Risk Management

Risk Management Process

Clause 6.4 Risk Assessment
ISO 31000:2018 Risk Management

Definition of Terms
• Exposure - extent to which an organization and/or stakeholder is subject to an event
• Probability - measure of the chance of occurrence expressed as a number between 0 and 1, where 0 is impossibility and 1 is absolute certainty
• Frequency - number of events or outcomes per defined unit of time
ISO 31000:2018 Risk Management

Definition of Terms
• Vulnerability - intrinsic properties of something resulting in susceptibility to a risk source that can lead to an event with a consequence
• Risk Matrix - a tool for ranking and displaying risks by defining ranges for consequence and likelihood
• Level of Risk - magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood
ISO 31000:2018 Risk Management

Definition of Terms
• Risk Attitude - organization's approach to assess and eventually pursue, retain, take or turn away from risk.
• Risk Appetite - the amount and type of risk that an organization is willing to pursue or retain
• Risk Tolerance - the organization's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives
ISO 31000:2018 Risk Management

Definition of Terms
• Risk Aversion - attitude to turn away from risk
• Risk Aggregation - combination of a number of risks into one risk to develop a more complete understanding of the overall risk
• Risk Acceptance - informed decision to take a particular risk
ISO 31000:2018 Risk Management

Step 1. Identify Risk
• At the start of the risk assessment, the objective of the service, project or partnership should be identified.
• Once the objective has been established, consideration should be given to what may prevent the objective being met (threat), or alternatively what may assist the company in meeting that objective (opportunity).
Source: https://kayaconnect.org - Risk Management

Clause 6.4.2 Risk Identification
Aim: to search, recognize, and elaborate risks that might assist or prevent an organization from attaining its objectives.
The organization needs to identify risks irrespective of the fact that its sources are controlled or not.
Control - measure/s that maintains and/or modifies risk (clause 3.8)

Clause 6.4.2 Risk Identification
When employing techniques to identify risks, consider the following:
1. Risk source, either tangible or intangible
2. Events and causes
3. Opportunities and threats
4. Capabilities & vulnerabilities
5. Modification in organization's context
6. Emerging risk indicators

Clause 6.4.2 Risk Identification
When employing techniques to identify risks, consider the following:
7. Assets' nature and value
8. Resources' nature and value
9. Consequences' impact on objectives
10. Knowledge limitation and information reliability
11. Factors related to time
12. Stakeholders' biases, beliefs and assumptions.

Clause 6.4.2 Risk Identification
In the process of risk identification, emphasis should be placed on the fact that there may be multiple outcomes of different types. Moreover, these outcomes can result in numerous consequences which can be tangible or intangible.

Risk Identification Tools
1. Brainstorming (ex. meetings)
2. SWOT analysis
3. Root cause analysis
4. Delphi method
5. Interviews (SMEs)
6. Inspections
7. Review requirements and documentation
8. Risk Breakdown Structure

ENTERPRISE RISK MANAGEMENT
The business of health care is the delivery of care that is safe, timely, effective, efficient, and patient-centered within diverse populations.
What is risk management in healthcare? (2018) What Is Risk Management in Healthcare? | NEJM Catalyst. Available at: https://catalyst.nejm.org/doi/full/10.1056/CAT.18.0197 (Accessed: 29 September 2024).

Operational
Operational risks relate to those risks resulting from inadequate or failed internal processes, or systems that affect business operations.
Ex.: risks related to adverse event management, credentialing and staffing, documentation, chain of command, lack of internal controls, supply chain and identification of existing opportunities within management oversight.
The American Society for Health Care Risk Management. ERM Quick Reference Tool

Clinical/Patient Safety
Risks associated with the delivery of care to patients, residents and other health care customers.
Ex.: failure to follow evidence-based practice, medication errors, hospital acquired conditions (HAC), serious safety events (SSE), health care equity, opportunities to improve safety within the care environments, and others.
The American Society for Health Care Risk Management. ERM Quick Reference Tool

Strategic
Risks associated with the focus and direction of the organization.
Because the rapid pace of change can create unpredictability, risks included within the strategic domain are associated with brand, reputation, competition or failure to adapt to changing times (such as health reform or shifting customer priorities).
Ex.: Managed care relationships/partnerships, conflict of interest, marketing and sales, media relations, mergers, acquisitions, divestitures, joint ventures, affiliations and other business arrangements, contract administration, and advertising
The American Society for Health Care Risk Management. ERM Quick Reference Tool

Financial
Decisions that affect the financial sustainability of the organization, access to capital or external financial ratings through business relationships or the timing and recognition of revenue and expenses make up this domain.
Ex.: capital structure, credit and interest rate fluctuations, foreign exchange, growth in programs and facilities, capital equipment, regulatory fines and penalties, budgetary performance, accounts receivable, days of cash on hand, capitation contracts, reimbursement rates, managed care contracts, revenue cycle/billing and collection.
The American Society for Health Care Risk Management. ERM Quick Reference Tool

Human Capital
This domain refers to the organization's workforce.
Ex.: risks associated with employee selection, retention, turnover, staffing, absenteeism, on-the-job work-related injuries (workers' compensation), work schedules and fatigue, productivity, compensation, succession planning and labor unionization activity.
Human capital associated risks may cover recruitment, diversity, retention, and termination of members of the medical and allied health staff.
The American Society for Health Care Risk Management. ERM Quick Reference Tool

Legal/Regulatory
Risk within this domain incorporates the failure to identify, manage and monitor legal, regulatory, and statutory mandates on a local, state and federal level.
Such risks are generally associated with fraud and abuse, licensure, accreditation, product liability, management liability, Centers for Medicare and Medicaid Services (CMS) Conditions of Participation (CoPs) and Conditions for Coverage (CfC), as well as issues related to intellectual property.
The American Society for Health Care Risk Management. ERM Quick Reference Tool

Technology
This domain covers machines, hardware, equipment, devices, wearable technologies and tools, but can also include techniques, systems and methods of organization.
Health care has seen an escalation in the use of technology for clinical diagnosis and treatment, training and education, information storage and retrieval, and asset preservation.
Ex.: Electronic Health Records (EHR) and Meaningful Use, financial and billing systems, social media and cyber security; cyber risks can be significant.
The American Society for Health Care Risk Management. ERM Quick Reference Tool

Hazard
This ERM domain covers assets and their value. Traditionally, insurable hazard risk has related to natural exposure and business interruption.
Ex.: risk related to logistics/supply chain, facility management, plant age, parking (lighting, location, and security), valuables, construction/renovation, earthquakes, windstorms, tornadoes, floods, fires and pandemics
The American Society for Health Care Risk Management. ERM Quick Reference Tool

Hazard
• source of potential harm; can also be a risk source.

Why do we need to identify hazards?
• Our rights: Everyone has a fundamental right to live and work in a safe environment.
• Our goal at work and throughout our lives:
   - work in a safe environment
   - assess the risks and implement controls to reduce the probability that harm could occur
   - identify hazards that could cause us harm

Why do we need to identify hazards?
• About 85% of the time, accidents happen to those who do what is called an 'unsafe act'
• The other 15% are the bystanders and coworkers who did not do an unsafe act

Definition of Terms
• Unsafe act: a behavior or action which could have resulted in an accident but did not; often leads to near misses
• Near miss - when an accident almost happened, but luckily for one reason or another, an accident did not happen

Heinrich's Triangle Theory from 1931

Frank Bird's Safety Pyramid (1966)

Anticipating Accidents
• Our past experience
• Someone else's past experience
• The signs around us
   Job Hazard Alert
• Thinking about the next sequence of events that the objects around us could go through - what could go wrong, how could it happen and what are the consequences?

Hazard Management Tools
• Job Hazard Alert - when a new hazard is discovered, a formal method of tracking the new topic through its mitigation, or what actions are taken to make the situation safe.
• Safety alerts briefly report on incidents; their goal is to record the following:
  1. Description of the incident and what caused it
  2. Contributing factors
  3. Corrective/preventive actions

Hazard Management Tools
• Job Hazard or Safety Assessment - a quick way of assessing a situation before beginning to work, where the work crew walks through a list of possible issues looking for their response and resolution

Hazard Management Tools
• Safety Inspection Checklist - a standardized way of reviewing a set of criteria before confirming that the equipment is safe to operate, used for routine activities which need to be checked each day/week/month/year

Hazard Management Tools
• Hazard Tracking Log - a list of all the hazards in a workplace; a document which is continuously updated as new hazards are identified.

Hazard Tracking Log

Step 2. Risk Analysis
Once a risk or opportunity has been identified, how effectively that risk/opportunity is being managed needs to be measured.
Source: https://kayaconnect.org - Risk Management

Clause 6.4.3 Risk Analysis
• process to comprehend the nature of risk and to determine the level of risk
• offers the foundation for risk evaluation and also helps in forming decisions about risk treatment.
• incorporates risk estimation
• Main purpose: understand the risk's nature and characteristics
ISO 31000:2018 Risk Management

Clause 6.4.3 Risk Analysis
• Comprehensive focus on uncertainties, sources of risk, events and consequences, likelihood, situations and scenarios, controls, and effectiveness of those controls.
• Where possible the analysis should also conclude on identifying the level of risk.
ISO 31000:2018 Risk Management

Definition of Terms
• Risk source - element which alone or in combination has the potential to give rise to risk (clause 3.4)
• Event - occurrence or change of a particular set of circumstances (clause 3.5)
• Consequence - outcome of an event affecting objectives (clause 3.6)
• Risk Owner - person or entity with the accountability and authority to manage a risk
ISO 31000:2018 Risk Management

Clause 6.4.3 Risk Analysis
Risk analysis can be performed with different levels of insight and analytical complexity, depending on the purpose of the risk analysis, the availability and reliability of information, and the available resources.
The following analysis techniques can be used based on context and its application:
• Qualitative
• Quantitative
• Combination of qualitative and quantitative methods

Clause 6.4.3 Risk Analysis
Risk analysis should consider factors such as:
• Event and consequences' likelihood
• Consequences' magnitude and nature
• Connectivity and complexity
• Volatility
• Considerations for time
• Current controls' effectiveness
• Confidence level and sensitivity.

RISK ANALYSIS TOOLS
1. Risk Assessment Matrix – provides risk level

Risk Scoring: Assess Impact
In this example, there are four impact levels for risks and two for opportunities.
Once the impact has been established, it will generally not change throughout the scoring process, as the effect of something occurring remains the same unless it is a business continuity risk.
Source: https://kayaconnect.org - Risk Management

Risk Criteria
- terms of reference against which the significance of a risk is evaluated
- are founded on the external and internal context, and on organizational objectives.
- can be derived from policies, standards, contractual obligations, laws, and other requirements.
ISO 31000:2018 Risk Management

Risk Scoring: Assess Impact
Source: https://kayaconnect.org - Risk Management

Risk Scoring: Assess Impact
Source: https://kayaconnect.org - Risk Management

Risk Scoring: Assess Likelihood
After you've assessed the impact level for a risk or an opportunity you need to gauge the likelihood that it will occur.
Source: https://kayaconnect.org - Risk Management

Definition of Terms
• Likelihood - chance of something happening (clause 3.7)
• identifies the probability or possibility of an occurrence.
• The likelihood should be:
   Defined
   Measured
   Determined: objectively or subjectively, qualitatively or quantitatively
   Described with simple terms
   Described mathematically with some probability or in terms of frequency for a time period

Risk Scoring: Assess Likelihood of Risks
• Unlikely - less than 10% chance of occurrence; has happened rarely or never before
• Likely - 10-40% chance of occurrence; only likely to happen once every three or four years
• Very likely - 40-75% chance of occurrence; likely to happen at some point within the next 1-3 years; circumstances occasionally encountered (a few times a year)
• Certain - more than 75% chance of occurrence; regular occurrence; circumstances frequently encountered (daily/weekly/monthly)
Source: https://kayaconnect.org - Risk Management

Risk Scoring: Assess Likelihood of Opportunities
• Unlikely - Description: less than 10% chance of occurrence. Possible indicators: has happened rarely or never before; opportunity for which the likelihood is low on the basis of management resources currently being applied.
• Likely - Description: some chance of a favorable outcome in the medium term, or less than 40% chance of occurrence. Possible indicators: possible opportunity that has yet to be fully investigated by management; opportunities that arise over and above the plan.
• Very likely - Description: reasonable prospects of favorable results in one year, 40% to 75% chance of occurrence. Possible indicators: opportunities that may be achievable but will require careful management.
• Certain - Description: a favorable outcome is likely to be achieved in one year, or better than 75% chance of occurrence. Possible indicators: clear opportunity which can be relied on, with reasonable certainty, to be achieved in the short term based on current management processes.
Source: https://kayaconnect.org - Risk Management

Risk Scoring: Matrix
Source: https://kayaconnect.org - Risk Management

Risk Scoring
When you use the matrix table to score a risk, there are three stages to the process.
1. Uncontrolled risk score - the score for the risk before any controls have been put in place to mitigate the risk, that is, if nothing was being done to prevent the risk occurring.
Source: https://kayaconnect.org - Risk Management

Risk Scoring
2. Controlled risk score - reflects the position once all the controls to mitigate (reduce) the risk are in place and should represent the current level of risk to the company. All control measures identified must actually be in place and working.
Source: https://kayaconnect.org - Risk Management

Risk Scoring
3. Fully controlled risk score – the risk is scored to include all controls, and any further actions that could be implemented in future to further reduce the risk. These identified actions should include timescales for completion and can then be used by the manager to produce an action plan.
Source: https://kayaconnect.org - Risk Management

Sample Scenario
When crossing a busy road, which category of risk is likely to represent the greatest risk to the individual?
A. Health and safety
B. Service or project provision/continuity risks
C. Financial risks
D. Reputation
E. Environment
F. Service or project effectiveness
G. Value for money
H. Security risks
I. Compliance
Source: https://kayaconnect.org - Risk Management

Sample Scenario
When crossing a busy road, the impact is established by considering what the effect of being hit by traffic would be, should it actually happen. Which is the correct impact category?
A. Catastrophic
B. Severe
C. Marginal
D. Negligible
Source: https://kayaconnect.org - Risk Management

Sample Scenario: Uncontrolled Risk Score
When crossing a busy road, the likelihood will be established by considering how likely being hit by traffic actually could be. Which of these is the correct likelihood category for crossing a busy road without taking any precautions (controls) at all?
A. Certain
B. Very likely
C. Likely
D. Unlikely
Source: https://kayaconnect.org - Risk Management

Sample Scenario: Uncontrolled Risk Score
What's the correct risk score for crossing a busy road without taking any precautions (controls) at all?
A. 9
B. 12
C. 14
Source: https://kayaconnect.org - Risk Management

Sample Scenario: Current Risk Score
Which of these are controls which could mitigate the risk as you cross a busy road?
A. Stop and stand behind the curb before crossing
B. Look both ways and look again before crossing
C. Listen for cars whilst crossing
D. Don't cross between parked cars or at junctions
E. Don't run across the road
Source: https://kayaconnect.org - Risk Management
Sample Scenario: Controlled Risk Score
When crossing a busy road, the likelihood will be established by considering how likely being hit by traffic actually could be. Which of these is the correct likelihood category for crossing a busy road with the identified controls in place?
A. Certain
B. Very likely
C. Likely
D. Unlikely
Source: https://kayaconnect.org - Risk Management

Sample Scenario: Controlled Risk Score
What's the correct score for crossing the road with the controls in place?
A. 5
B. 8
C. 11
Source: https://kayaconnect.org - Risk Management

Sample Scenario: Fully Controlled Risk Score
Which of these are future actions which could further reduce the risk of crossing the road?
A. Plan to use underpasses, pedestrian and zebra crossings wherever available, even if this makes the route longer
B. Plan a route that avoids crossing major roads
C. Do not use MP3s/iPods/mobile phones whilst crossing the road
D. Attend a road safety training course
Source: https://kayaconnect.org - Risk Management

Sample Scenario: Fully Controlled Risk Score
Which of these is the correct likelihood category for crossing a busy road with the further actions in place?
A. Certain
B. Very likely
C. Likely
D. Unlikely
Source: https://kayaconnect.org - Risk Management

Sample Scenario: Fully Controlled Risk Score
What's the correct score for crossing the road with the controls and the further actions in place?
A. 7
B. 11
C. 14
Source: https://kayaconnect.org - Risk Management
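The three-stage scoring described above (uncontrolled, controlled, fully controlled) together with the likelihood bands from the "Assess Likelihood of Risks" table, as an added Python example that is not part of the original training material. The kayaconnect matrix itself is not reproduced on this page, so the cell ranks in MATRIX, the Low/Medium/High thresholds in BANDS, and the needlestick scenario are assumptions made for this example; only the percentage-to-category mapping follows the page's table. The example also enforces two rules stated above: impact is held constant across the three stages, and a controlled score may only be claimed when every listed control is actually in place and working.

```python
"""Three-stage risk scoring against a ranked impact x likelihood matrix.

Added example. MATRIX cell ranks, BANDS thresholds and the sample scenario are
assumptions; only the likelihood percentage bands come from the training material.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Impact(IntEnum):
    NEGLIGIBLE = 1
    MARGINAL = 2
    SEVERE = 3
    CATASTROPHIC = 4


class Likelihood(IntEnum):
    UNLIKELY = 1      # less than 10% chance of occurrence
    LIKELY = 2        # 10-40%
    VERY_LIKELY = 3   # 40-75%
    CERTAIN = 4       # more than 75%


# ASSUMED ranked matrix (not the page's): every cell holds a unique rank 1..16,
# so a score identifies exactly one impact/likelihood cell; higher is worse.
# Columns are in Likelihood order: UNLIKELY, LIKELY, VERY_LIKELY, CERTAIN.
MATRIX = {
    Impact.CATASTROPHIC: dict(zip(Likelihood, (10, 13, 15, 16))),
    Impact.SEVERE: dict(zip(Likelihood, (7, 11, 12, 14))),
    Impact.MARGINAL: dict(zip(Likelihood, (4, 6, 8, 9))),
    Impact.NEGLIGIBLE: dict(zip(Likelihood, (1, 2, 3, 5))),
}
# ASSUMED band thresholds: inclusive upper bound -> band name.
BANDS = ((6, "Low"), (12, "Medium"), (16, "High"))


def likelihood_from_probability(pct: float) -> Likelihood:
    """Map a percentage chance to the four likelihood categories on the page."""
    if not 0 <= pct <= 100:
        raise ValueError("pct must be a percentage between 0 and 100")
    if pct < 10:
        return Likelihood.UNLIKELY
    if pct < 40:
        return Likelihood.LIKELY
    if pct <= 75:
        return Likelihood.VERY_LIKELY
    return Likelihood.CERTAIN


def score(impact: Impact, likelihood: Likelihood) -> int:
    """Look up the matrix cell for an impact/likelihood pair."""
    return MATRIX[impact][likelihood]


def band(value: int) -> str:
    """Translate a matrix score into its Low/Medium/High band."""
    for upper, name in BANDS:
        if value <= upper:
            return name
    raise ValueError(f"score {value} is outside the matrix")


@dataclass
class Control:
    name: str
    in_place: bool = True   # must be in place *and* working to count


@dataclass
class Risk:
    title: str
    impact: Impact
    uncontrolled: Likelihood                        # likelihood with no controls at all
    controls: list[Control] = field(default_factory=list)
    controlled: Optional[Likelihood] = None         # likelihood with current controls
    future_actions: list[str] = field(default_factory=list)
    fully_controlled: Optional[Likelihood] = None   # likelihood once future actions are done

    def scores(self) -> tuple[int, int, int]:
        """Return (uncontrolled, controlled, fully controlled) scores.

        Impact is held constant across all three stages, as the page requires for
        anything other than a business continuity risk; only likelihood changes.
        """
        missing = [c.name for c in self.controls if not c.in_place]
        if missing:
            raise ValueError(f"cannot claim a controlled score, controls not in place: {missing}")
        current = self.controlled or self.uncontrolled
        future = self.fully_controlled or current
        u, c, f = (score(self.impact, lk) for lk in (self.uncontrolled, current, future))
        if not u >= c >= f:
            raise ValueError("a risk's score must not rise across the three stages")
        return u, c, f


def needlestick_example() -> Risk:
    """Constructed scenario, not from the page: sharps injury on a ward."""
    return Risk(
        title="Needlestick injury while handling sharps",
        impact=Impact.SEVERE,
        uncontrolled=likelihood_from_probability(80),   # CERTAIN with no controls (assumed)
        controls=[Control("Proper PPE worn"), Control("Sharps container at point of use")],
        controlled=Likelihood.LIKELY,
        future_actions=["Introduce safety-engineered needles", "Annual sharps-safety refresher"],
        fully_controlled=Likelihood.UNLIKELY,
    )


if __name__ == "__main__":
    risk = needlestick_example()
    for stage, value in zip(("Uncontrolled", "Controlled", "Fully controlled"), risk.scores()):
        print(f"{risk.title}: {stage:16s} {band(value)} ({value})")
```

Because every matrix cell carries a unique rank, a score such as 11 can be traced back to exactly one impact/likelihood pair, which is what makes the "Medium (11)" style of register entry auditable; a plain impact × likelihood product would not give that. The check in scores() that refuses to produce a controlled score while a listed control is not in place is the code form of the rule "all control measures identified must actually be in place and working".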

Typical Risks: Reputational
Risk: Risk of the business being poorly regarded due to negative public perceptions or poor media relations.
Inherent risk score: High (16)
Controls: Consultation with customers; communications plan in place; regular communication to public and media
Controlled score: Medium (11)
Source: https://kayaconnect.org - Risk Management

Typical Risks: Compliance
Risk: Failure to adhere to Data Protection legislation.
Inherent risk score: High (15)
Controls: Adherence to the company's data strategy and procedures; regular training for employees.
Controlled score: Low (4)
Source: https://kayaconnect.org - Risk Management

Typical Risks: Service Effectiveness
Risk: Risk that managerial resources are not effectively utilized in tackling issues of the highest priority.
Inherent risk score: Medium (12)
Controls: A process is followed to identify appropriate topics for review by task and finish groups; contribution towards the business operating an effective overview and scrutiny function.
Controlled score: Low (4)
Source: https://kayaconnect.org - Risk Management

Risk Scoring: Assess Impact
Source: https://kayaconnect.org - Risk Management

Risk Scoring: Assess Impact
Source: https://kayaconnect.org - Risk Management

Control Measures to Maximize Opportunity
Although we have not looked at identifying and scoring an opportunity, it is worth noting that the control measures you will need to identify are those strategies used to maximize the opportunity, and that the scores increase across the three stages rather than decrease, as they do for a risk.
Source: https://kayaconnect.org - Risk Management

Control Measures to Maximize Opportunity
There's an opportunity for the business to tailor its services to meet customers' needs and expectations as the result of effective consultation and engagement.
Inherent Risk Score: Low
Controls: Consultation & Engagement Strategy, Toolkit and group are in place; Consultation & Engagement training has been provided to key employees.
Controlled Score: High
Source: https://kayaconnect.org - Risk Management

Clause 6.4.4 Risk evaluation
- process of comparing the results of risk analysis with risk criteria:
a) to determine whether the risk and/or its magnitude is acceptable or tolerable or not
b) to identify whether additional action is required or not.

Clause 6.4.4 Risk evaluation
This can lead to a decision to:
a) Do nothing further, as the risk is within the acceptable range
b) Consider the risk treatment options
c) Carry out additional analysis to better understand the risk
d) Keep the current controls
e) Set new, achievable objectives in place of unrealistic current ones.

Clause 6.5 Risk Treatment
Definition: process to modify risk.
Objective: to select and implement options for addressing risk

Clause 6.5 Risk Treatment

Clause 6.5.2 Selection of Risk Treatment Options
Choosing the most relevant and robust risk treatment option involves balancing the potential benefits against the cost or negative consequences of implementation.
Potential Benefits Versus Likely Negative Costs
The potential benefit is assessed in relation to attaining the objectives, whereas the negative side comes from the disadvantages of implementation, including cost, work involved, and the negative consequences.

Risk Treatment Options
1. Risk Avoidance - informed decision not to be involved in, or to withdraw from, an activity in order not to be exposed to a particular risk
Risk avoidance is a decision taken as an outcome of risk evaluation, considering legal and regulatory obligations or possible negative consequences.
ISO 31000:2018 Risk Management

Risk Treatment Options
2. Risk Sharing - form of risk treatment involving the agreed distribution of risk with other parties
Ex. insurance contracts and risk financing
ISO 31000:2018 Risk Management

Risk Treatment Options
3. Risk Retention - acceptance of the potential benefit of gain, or burden of loss, from a particular risk
Risk retention includes the acceptance of residual risks.
The level of risk retained depends on the risk criteria.
ISO 31000:2018 Risk Management

Risk Treatment Options
4. Risk Financing - form of risk treatment involving contingent arrangements for the provision of funds to meet or modify the financial consequences should they occur
ISO 31000:2018 Risk Management

Risk Treatment Options
5. Removal of the risk source
Ex. for the hazard of slipping on wet floors, removing the water eliminates the hazard
ISO 31000:2018 Risk Management

Risk Treatment Options
6. Modifying the likelihood
Ex. using proper PPE and supplies to reduce the likelihood of needlestick injuries
ISO 31000:2018 Risk Management

Risk Treatment Options
7. Modifying the consequences
Ex. implementation of a fall protection system (harnesses, nets) on a construction site
ISO 31000:2018 Risk Management

Definition of Terms
• Residual Risk - risk remaining after risk treatment, also known as retained risk
• not always fully known; can include unidentified and unknown risk
ISO 31000:2018 Risk Management

Clause 6.5.3 Preparing & Implementing Risk Treatment Plans
Purpose: specify how the selected treatment options will be applied so that the arrangements are understood by those concerned and progress against the plan can be monitored.
The treatment plan should explicitly identify the order in which risk treatments should be applied.
Treatment plans should be integrated into the organization's management plans and processes, in consultation with relevant stakeholders.

Clause 6.5.3 Preparing & Implementing Risk Treatment Plans
Treatment plan information:
1. The rationale for selection of the treatment options, along with the anticipated benefits to be attained
2. Those who are accountable and responsible for approving and implementing the plan
3. The proposed actions
4. The resources required, including contingencies

Clause 6.5.3 Preparing & Implementing Risk Treatment Plans
Treatment plan information:
5. The performance measures
6. The constraints and limitations
7. The required reporting and monitoring
8. When actions are expected to be undertaken and completed.

Sample Risk Treatment Plan

Risk Management Process
ISO 31000:2018 Risk Management

Definition of Terms
• Risk Reporting - form of communication intended to inform particular internal or external stakeholders by providing information regarding the current state of risk and its management
• Risk Register - record of information about identified risks; the term "risk log" is sometimes used for "risk register."
• Risk Profile - description of any set of risks; the set can comprise risks that concern the whole organization, a part of the organization, or as otherwise defined by the company.
ISO 31000:2018 Risk Management

Clause 6.7 Recording & Reporting
The risk management process and its outcomes need to be documented and reported through applicable mechanisms.
Aim:
1. Communicate risk management activities and outcomes across the organization
2. Offer information for decision-making
3. Enhance risk management activities
4. Support communication and consultation with stakeholders, including those with responsibility and accountability for risk management activities.

Corporate Risk Register
- the corporate database of the company's key risks and opportunities, including mitigating controls and strategies to maximize opportunity.
- includes strategic, corporate, operational, partnership and project risks and opportunities
- As part of the continuous risk management process, it is vital that all service and project risk profiles are kept up to date. This requires senior managers, with the assistance of their teams, to complete regular reviews of their risk profiles in the risk register.
Source: https://kayaconnect.org - Risk Management
Risk Management Process

Monitoring & Review
Even if thoroughly designed and implemented, risk treatments might not yield the anticipated outcomes and could result in unplanned consequences. Therefore "monitoring and review" needs to be an integral component of risk treatment implementation, to provide assurance that the different forms of treatment become and remain effective.
ISO 31000:2018 Risk Management

Definition of Terms
• Monitoring - continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected
• can be applied to a risk management framework, risk management process, risk or control.
ISO 31000:2018 Risk Management

Definition of Terms
• Review - activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives
• Review can also be applied to a risk management framework, risk management process, risk or control
ISO 31000:2018 Risk Management
Risk Register: Regular Review
Regular reviews will include:
- Identification of new and emerging risks
- Establishing the potential risk or benefit to the council
- Identification of current controls that are in place to help mitigate the risk and any strategies to maximize opportunities
- Scoring of the risk or opportunity by assessing the impact and likelihood of the risk occurring
- Establishing any further mitigating actions to be implemented
- Reviewing and updating mitigating controls, actions and scores of risks and opportunities already identified
Source: https://kayaconnect.org - Risk Management

Definition of Terms
• Risk Management Audit - systematic, independent and documented process for obtaining evidence and evaluating it objectively in order to determine the extent to which the risk management framework, or any selected part of it, is adequate and effective
ISO 31000:2018 Risk Management
Clause 6.6 Monitoring & Review
Purpose: to assure and improve the quality and effectiveness of process design, implementation, and outcomes.
Continual monitoring and periodic review of the risk management process and its outcomes should be a planned part of the risk management process, with responsibilities clearly defined.

Clause 6.6 Monitoring & Review
Monitoring and review should take place in all stages of the process. Monitoring and review include:
• Planning
• Gathering information
• Analyzing information
• Recording results
• Providing feedback.
The monitoring and review results should be embedded within the organization's performance management, measurement, and reporting activities.

STEPS IN ENTERPRISE RM
1. Identify Risk
2. Quantify & Prioritize Risk
3. Investigate & Report Sentinel Events
4. Perform Compliance Reporting
5. Capture & Learn from Near Misses & Good Catches
6. Think Beyond the Obvious to Uncover Latent Failures
7. Deploy Proven Analysis Models for Incident Investigation
8. Invest in a Robust Risk Management Information System (RMIS)
9. Find the Right Balance of Risk Financing/Transfer/Retention

ROLE OF RISK MANAGER
 proactively identify risks and estimate potential consequences and upsides
 develop response plans in case risks become reality
 to mitigate organizational exposure, respond and execute containment plans when adverse and unforeseen situations transpire
ROLE OF RISK MANAGER
 communicate with stakeholders
 document and report on risk and adverse circumstances
 create processes, policies, and procedures for responding to and managing risk and uncertainty
 continually monitor the ever-shifting landscape of the healthcare risk continuum

References
• Alison Module: Hazard Recognition and Risk Assessment
• Alison Module: ISO 31000:2018 Enterprise Risk Management Framework for Risk Leaders
• Cudney, Beth. Forcefield Analysis. Available at: https://www.youtube.com/watch?v=l6Sy56i2m2M (Accessed: 30 September 2024).
• The American Society for Health Care Risk Management. ERM Quick Reference Tool
• Risk Management. https://kayaconnect.org
• What is risk management in healthcare? (2018) NEJM Catalyst. Available at: https://catalyst.nejm.org/doi/full/10.1056/CAT.18.0197 (Accessed: 29 September 2024).
• Reddy, V. Risk Management Cycle: Process and Framework Explained. Simplilearn. Available at: https://www.simplilearn.com/risk-management-cycle-article (Accessed: 30 September 2024).