KINGSTON, FRONTENAC AND LENNOX & ADDINGTON PUBLIC HEALTH
BY-LAW, POLICY & PROCEDURE MANUAL
SECTION: ADMINISTRATION
PROCEDURE
APPROVED BY:
NUMBER: I-20
DATE: 2016-01-27
PAGE: 1 of 9
RISK MANAGEMENT
Definitions
Risk: the chance of something happening that will have an impact on the achievement of
objectives. Risk can represent an opportunity or a threat to the achievement of objectives.
Risk management: a systematic approach to setting the best course of action under uncertainty
by identifying, assessing, understanding, acting on, and communicating risk issues.
Integrated risk management: a continuous, proactive and systematic process to understand,
manage and communicate risk from an agency-wide perspective. It is about making strategic
decisions that contribute to the achievement of an organization's overall objectives.
Risk management process: a simple, systematic process for incorporating risk management into
the decision-making process for all agency activities. The five-steps include: stating objectives,
identifying risks and controls, assessing risks, planning and taking action; and monitoring and
reporting.
Risk owner: individual who is responsible for managing the risk or who has the most influence
over its outcome.
Risk register: is a document that outlines the results of the risk identification, evaluation and
prioritization process and includes additional information related to actions being taken and
persons or groups responsible for the actions.
Inherent risk: the level of risk if no controls or other mitigating factors were in place.
Residual risk: the level of risk remaining after evaluating the effectiveness of existing risk
mitigation or controls.
Heat map: a tool used to present the results of a risk assessment process visually and in a
meaningful and concise way. It illustrates the likelihood and potential impact of identified risks.
Risk category: The Ontario Public Service (OPS) risk management framework has been
adopted and classifies risks into the following risk categories: compliance/legal; equity;
financial; governance/organizational; information/knowledge; environment; human resources;
operations; political; privacy; security; stakeholder; strategic; and technology. Appendix A
includes descriptions of each category.
KINGSTON, FRONTENAC AND LENNOX & ADDINGTON PUBLIC HEALTH
BY-LAW, POLICY & PROCEDURE MANUAL
SUBJECT: Risk Management Procedure
NUMBER: I-20
PAGE: 2 of 9
Risk mitigation: reducing the negative impact of risk exposure or likelihood of occurrence
through preventive, detective or corrective measures. Preventive controls or mitigation
strategies are designed to prevent a risk from occurring, focusing on the cause of the risk and
reducing its likelihood (e.g., security, awareness and training programs, qualified staff, planning
and procedures); detective controls or mitigation strategies are designed to detect the occurrence
of risk, focusing on either the cause or the consequence of the risk, allowing for early
intervention and reducing the impact of the occurrence (e.g., reporting mechanisms, financial
reconciliation, fire alarms and audits); and corrective or recovery controls or mitigation
strategies are designed to respond after the risk occurs, focusing on reducing the impact of the
occurrence (e.g., contingency plans, backups and insurance).
Procedure
1.0 Risk Management Process
1.1. Stating Objectives
1.1.1 The risk management process shall occur at all levels of the organization
annually (e.g., in conjunction with operational planning) or when major
decisions are being considered or new projects are started.
1.1.2 The most responsible person for the project, program or initiative shall define
the context and confirm the objective(s) prior to initiating a risk identification
process. The more specific that the objectives are, the easier that it will be to
identify and assess potential risks associated with them.
1.2. Identifying Risks & Controls
1.2.1 Relevant stakeholders, both external and internal, with a common
understanding of the objective(s) in question shall identify key risks associated
with the objective(s).
1.2.2 Following the identification of the risks, the stakeholders will systematically
go through all categories of risk in the Ontario Public Service (OPS)
framework to ensure that the identification process is comprehensive. If the
stakeholder group does not have expertise in all risk categories, they shall seek
out individuals, both external and internal, with the necessary expertise to
complete this step of the process.
1.2.3 Risks shall be documented by category in a risk register (Appendix B).
1.2.4 For each documented risk, the existing risk controls (preventive, detective,
corrective) shall be identified and documented in the risk register. Any
potential future controls can be documented in the register for consideration in
the risk planning and action step of the process.
KINGSTON, FRONTENAC AND LENNOX & ADDINGTON PUBLIC HEALTH
BY-LAW, POLICY & PROCEDURE MANUAL
SUBJECT: Risk Management Procedure
NUMBER: I-20
PAGE: 3 of 9
1.3. Assessing Risks
Risk assessment involves evaluating the likelihood and potential impact (e.g., financial,
safety, morale, fines and retention) of identified risks using the following scale:
Likelihood
Unlikely to occur
May occur occasionally
Is as likely as not to occur
Is likely to occur
Is almost certain to occur
Impact
Insignificant
Minor
Moderate
Major
Extreme
Value
1
2
3
4
5
The risk score is calculated by multiplying likelihood and impact.
1.3.1 The inherent risk shall be assessed and each score documented in the risk
register.
1.3.2 The residual risk based on current controls identified shall be assessed and
each score documented in the risk register.
1.3.3 The residual risk based on future controls identified shall be assessed and each
score documented in the risk register.
1.3.4 The current residual risks on the heat map (Appendix C) to determine the level
of residual risk (low, medium, high) shall be assessed. This process will assist
in setting priorities for the risks that need to be considered in the planning and
taking action step of the process.
2.0 Planning & Taking Action
2.1 The risk register and heat map shall be reviewed with the appropriate stakeholders and
decision-makers to determine appropriate responses. The four basic risk responses
are: Avoidance, Control, Acceptance, and Transfer.
2.1.1 Avoidance refers to a decision not to engage in an activity because of the
associated risks.
2.1.2 Control refers to specific mitigation strategies aimed at reducing the
likelihood, the severity or both of a negative impact (e.g., physical security
and safety measures).
2.1.3 Acceptance refers to the recognition that a given risk is best absorbed given
the relative cost-benefits of active management (e.g., the deductible portion of
an insurance contract).
KINGSTON, FRONTENAC AND LENNOX & ADDINGTON PUBLIC HEALTH
BY-LAW, POLICY & PROCEDURE MANUAL
SUBJECT: Risk Management Procedure
NUMBER: I-20
PAGE: 4 of 9
2.1.4 Transfer refers to arrangements to shift the risk to another party (e.g.,
insurance and other hedging practices).
2.2 The risk owner and others involved in the action response shall be identified. The risk
owner shall take the lead in determining the action response and the timelines
associated with each step of the response.
2.3 The risk owner shall document the action response details in the risk register. The
level of detail required in the action response will vary depending on the severity of
the risk. Low risks will require less detail, whereas, high risks will require more detail
and relatively short timelines.
3.0 Monitoring & Reporting
3.1 Ongoing risk monitoring is a key component of the risk management process.
3.2 The risk register and heat map shall be updated on a quarterly basis by the risk
owner(s).
3.3 Reporting frequency and audience is typically based on the level associated with a
risk.
3.3.1 Low risks are typically accepted and monitored, but normally don’t have
action plans. They are managed by routine procedures and reporting is to the
project manager, manager or director.
3.3.2 Moderate risks pose a moderate threat to the achievement of objectives, so
typically require mitigation plans, specific procedures and ongoing
monitoring. The risk owner shall manage the risk and regularly apprise his or
her immediate supervisor of the risk status.
3.3.3 High risks pose a significant threat to the achievement of key objectives.
Detailed and immediate management planning and attention is required by the
risk owner with regular monitoring. The risk owner shall apprise his or her
immediate supervisor on a monthly basis, or as required. High organizational
risks shall be reported to the Board of Health on a quarterly basis (Appendix
D).
3.4 Steps 2 to 3 shall be revisited annually to ensure that all relevant risks associated with
the objectives have been identified and assessed, and appropriate action taken. The
Board of Health shall receive an annual report of the status of all organizational risks
(Appendix D).
KINGSTON, FRONTENAC AND LENNOX & ADDINGTON PUBLIC HEALTH
BY-LAW, POLICY & PROCEDURE MANUAL
SUBJECT: Risk Management Procedure
NUMBER: I-20
PAGE: 5 of 9
4.0 Training
4.1 Employees, volunteers, and students shall be made aware of the agency’s integrated
risk management framework, policy and procedure during orientation.
4.2 Employees shall review the risk management competencies associated with their job
with their manager.
4.3 Employees shall complete an introductory risk management eLearning module that
will cover basic risk concepts and terminologies and provide an introduction to the
agency’s integrated risk management framework. For new employees this shall be
completed within the probationary period.
4.4 Employees shall participate in risk assessment, prioritization and follow-up sessions as
they occur at either the organizational, program or project level. This hands-on
experience will enable application of risk management processes, tools and techniques
to everyday work.
5.0 Administration
5.1 The risk register, heat map and risk reporting planner for the organizational level risks
shall be maintained centrally in Corporate Services by the Administrative Senior
Secretary. Others shall be maintained de-centrally at the divisional or project level.
KINGSTON, FRONTENAC AND LENNOX & ADDINGTON PUBLIC HEALTH
BY-LAW, POLICY & PROCEDURE MANUAL
SUBJECT: Risk Management Procedure
NUMBER: I-20
PAGE: 6 of 9
Appendix A
Risk Categories (Adapted from the Ontario Public Service Risk Management Framework)
Risk Category
Environment
Risk Description
Uncertainty usually due to external risks facing an organization
including air, water, earth, forests.
Financial
Uncertainty of obtaining, using, maintaining economic
resources, meeting overall financial budgets/commitments.
Includes fraud.
Governance/Organizational Uncertainty of having appropriate accountability and control
mechanisms such as organizational structures and systems
processes. Systemic issues, culture and values, organizational
capacity commitment, and learning and management systems,
etc.
Human Resources
Uncertainty as to the agency’s ability to attract, develop and
retain the talent needed to meet its objectives.
Knowledge/Information
Uncertainty regarding the access to or use of accurate,
complete, relevant and timely information. Uncertainty
regarding the reliability of information systems.
Legal/Compliance
Uncertainty regarding compliance with laws, regulations,
standards, policies, directives, contracts. May expose the
agency to the risk of fines, penalties, litigation.
Operational/Service
Uncertainty regarding the performance of activities designed to
Delivery
carry out any of the functions of the agency, including design
and implementation, including the uncertainty that policies,
programs, services have an equitable impact on the population.
Political
Uncertainty of the events may arise from or impact any level of
the government, e.g., a change in government political priorities
or policy direction.
Privacy
Uncertainty with regards to the safeguarding of personal
information or data, including identity theft or unauthorized
access.
Security
Uncertainty relating to physical or logical access to data and
locations.
Stakeholder/Public
Uncertainty around the expectations of the public, government
Perception
bodies, media or other stakeholders.
Strategic/Policy
Uncertainty that strategies and policies will achieve required
results or that policy, directives, guidelines, legislation will not
be able to adjust accordingly.
Technology
Uncertainty regarding alignment of IT infrastructure with
technology and business requirements. Uncertainty of the
availability and reliability of technology.
KINGSTON, FRONTENAC AND LENNOX & ADDINGTON PUBLIC HEALTH
BY-LAW, POLICY & PROCEDURE MANUAL
SUBJECT: Risk Management Procedure
NUMBER: I-20
PAGE: 7 of 9
Appendix B
Risk Register
KINGSTON, FRONTENAC AND LENNOX & ADDINGTON PUBLIC HEALTH
BY-LAW, POLICY & PROCEDURE MANUAL
SUBJECT: Risk Management Procedure
NUMBER: I-20
PAGE: 8 of 9
Appendix C
Heat Map
KINGSTON, FRONTENAC AND LENNOX & ADDINGTON PUBLIC HEALTH
BY-LAW, POLICY & PROCEDURE MANUAL
NUMBER: I-20
SUBJECT: Risk Management Procedure
PAGE: 9 of 9
Appendix D
Quarterly Risk Report – High Risks
Risk
Category
Risk
Risk Owner
Risk Trend
Action Plan
Action RAG
Action Plan
Action RAG
Annual Risk Report – All Risks
Risk
Category
Risk
Risk Owner
Risk Trend
Risk trend: is the direction of movement of the residual risk over the most recent reporting
period as determined by the risk owner. The actual risk value may not change, but the actions
taken over the period may move the trend direction.
Action RAG: this cell will be colour coded with either R (red), A (amber), or G (green) and is
the most important indicator as it flags future period trending based on the risk owners
knowledge of future actions, opportunities or threats.
ORIGINAL DATE:
2016-01-27
REVISIONS: