Growing the Enterprise Risk Management Culture in Human Services OMSSA 2017 Leadership Symposium Staying Ahead of the Curve: Future Proofing Human Services in Ontario May 29, 2017 Agenda Topic Speaker Timing Welcome and introductions All 10:30 – 10:45 am Background: About ERM Simon 10:45 – 10:55 am The Toronto Children's Services experience Trish 10:55 – 11:10 am The Deloitte ERM framework Shannon 11:10 – 11:30 am Risk Assessment Exercise Simon 11:30 – 11:50 am Lessons Learned and Questions All 11:50 am – 12:15 pm © Deloitte LLP and affiliated entities. Growing the Risk Management Culture in Human Services 2 Welcome and introductions © Deloitte LLP and affiliated entities. Growing the Risk Management Culture in Human Services 3 Welcome and introductions Meet your presenters Deloitte team Toronto Children’s Services Project Lead Trish Horrigan Lead Engagement Partner Simon O’Keefe Project Senior Manager Shannon Field Project Senior Consultant Catherine Cormier © Deloitte LLP and affiliated entities. Growing the Risk Management Culture in Human Services 4 Welcome and introductions Opening Exercise: Who are you and how much do you know about risk management? Now that you’ve met us.... Its time for us to meet you, find out about your organization and see how much you really know about risk management! © Deloitte LLP and affiliated entities. Growing the Risk Management Culture in Human Services 5 Background: About ERM © Deloitte LLP and affiliated entities. Growing the Risk Management Culture in Human Services 6 Background: About ERM Understanding risk management “Broadly defined, risk management is the discipline of improving your chances of survival and success, particularly in uncertainty and turbulence.” Surviving and Thriving in Uncertainty: Creating the Risk Intelligent Enterprise, 2010 Risk management is about understanding what your risks are and deciding if you will take action to reduce, eliminate, transfer or leverage some or all risk for a particular exposure. © Deloitte LLP and affiliated entities. Growing the Risk Management Culture in Human Services 7 Background: About ERM (cont’d) Practicing risk management is at the heart of running any successful organization and is evident in dayto-day decision-making and when: • Policies and procedures are established • Service/Product offering trade-offs are made • Strategic direction is set • Insurance is purchased Given the various risk management activities that you perform, why consider ERM? © Deloitte LLP and affiliated entities. Growing the Risk Management Culture in Human Services 8 Background: About ERM (cont’d) ERM provides you with the processes, tools and disciplines required to effectively identify, assess and manage the risks that matter most. ERM is: • A process to continually evaluate and manage threats and opportunities to organizational strategies and objectives on an entity-wide basis • A common framework to manage all types of risk, both on the downside and the upside • An integral, repeatable and demonstrable business process that is strategic in nature • A process to enhance accountability and transparency of risks at all levels of the organization © Deloitte LLP and affiliated entities. Growing the Risk Management Culture in Human Services 9 The Toronto Children's Services experience © Deloitte LLP and affiliated entities. Growing the Risk Management Culture in Human Services 10 The Toronto Children's Services Experience The many faces of risk Risk comes in many forms and from various sources: © Deloitte LLP and affiliated entities. Growing the Risk Management Culture in Human Services 11 The Toronto Children's Services Experience Risk in a Human Services Context The risk to the integrity of public programs, services and assets is an inherent part of day to day business in all divisions at the City of Toronto. • Unprecedented growth within the early learning and child care sector • Development of new divisional strategic objectives as part of the 2015-2019 Service Plan • Continued emphasis on increased on good governance and fiscal sustainability • Expansion of the existing risk management functions within the Division and need to formalize the role of the Risk and Accountability unit The time has never been better to think about our risks! © Deloitte LLP and affiliated entities. Growing the Risk Management Culture in Human Services 12 The Deloitte ERM framework © Deloitte LLP and affiliated entities. Growing the Risk Management Culture in Human Services 13 The Deloitte ERM framework Span of ERM ERM considers all levels and types of risks within an organization that could impact: • The achievement of strategies and objectives • The “viability” and “thrivability” of the business and/or the effectiveness of business activities © Deloitte LLP and affiliated entities. “Effective risk management practices enable an organization to be risk intelligent.” Growing the Risk Management Culture in Human Services 14 The Deloitte ERM framework (cont’d) Deloitte’s ERM architecture Risk management activities from the board and executive management to business units and supporting functions are integrated into a systematic, enterprise-wide program that embeds a strategic view of risk into all aspects of business management. Risk governance Tone at the top Stakeholder expectations Risk appetite Strategy & performance Risk management enablers/infrastructure Policies Framework & methodology Culture & capabilities Information & reporting Technology Risk management processes Risk identification Risk measurement Risk assessment Risk response Escalation & monitoring Integration with the business © Deloitte LLP and affiliated entities. Growing the Risk Management Culture in Human Services 15 The Deloitte ERM framework (cont’d) High level overview of project plan Phase 1 Plan project and review draft ERM work plan • Conducted kick-off meeting, refined project plan & timelines • Created the project launch communication • Delivered revised project plan • Review existing ERM policies & procedures Phase 2 Policy and procedure review Phase 3 Identify gaps in existing draft risk register, identify key risk owners Phase 4 Assess risks, develop mitigating strategies and reporting tools Phase 5 Develop an ERM information and communication plan • Identify gaps and opportunities for improvement • Assess the completeness and conciseness of the existing risk register • Review the presentation and categorization of the risk register to identify opportunities for improvement • Conduct enterprise risk assessment workshop on final risk universe • Develop tools/templates for managing and documenting the ERM process • Request risk owners to complete risk management templates for the top 10 major risks • Review documentation of existing communication strategies and associated tools • Identify opportunities for improvement to existing processes and tools • Develop an information and communication strategy for the ERM program • Develop draft report for review and feedback Phase 6 Develop and present report © Deloitte LLP and affiliated entities. • Develop and present final report to Steering Committee Growing the Risk Management Culture in Human Services 16 The Deloitte ERM framework (cont’d) Risk universe The Risk Universe is intended to document and define the risks which are in Toronto Children’s Services (TCS) goals and strategy for the next three years. The risk universe promotes a common understanding of risk and will be used as the basis for the upcoming risk assessment. As part of this process, we will consider the mitigating controls that already exist, including those from the Division’s strategic objectives. The TCS Risk Universe consists of five primary categories of risk and the following sub-categories: Risk category 1. Strategic 2. People 3. Operational 4. Financial 5. Administration Sub-category • • • • • • • • • • • • • Strategic governance Stakeholder Community needs Staff Clients Health and safety Quality of services Legal, regulatory and professional standards compliance Vendor management Facilities Revenue and expenses Information and technology Business continuity The risk universe does not illustrate or represent TCS’s most significant risks (i.e. TCS risk profile). To understand TCS’s most significant risks, the universe of risks must be assessed using risk-rating criteria. © Deloitte LLP and affiliated entities. Growing the Risk Management Culture in Human Services 17 The Deloitte ERM framework (cont’d) Building a risk register The risk assessment workshop will focus on assessing/evaluating the top risks in the TCS risk universe using anonymous voting technology. The following activities will be performed for each risk: Review and discuss the risk definition to ensure clarity Discuss existing risk management activities for the risk Assess the likelihood of the risk occurring (considering the risk management activities that were discussed) Assess the impact / consequence to TCS should the risk occur Determine the trend of the risk Identify the risk owner Review the risk assessment results and discuss if necessary The end product of the risk assessment workshop will be a Risk Register of the most significant risks facing TCS. © Deloitte LLP and affiliated entities. Growing the Risk Management Culture in Human Services 18 The Deloitte ERM framework (cont’d) Workshop heat map and management actions 5.0 • Very high impact with mitigating controls / practices that are not working effectively • High vulnerability • Requires active management 4.0 Impact 3.0 Risk Tolerance Threshold 2.0 1.0 1.0 • Low impact and/or mitigating controls / practices that are working effectively • Low vulnerability • No major concerns © Deloitte LLP and affiliated entities. 2.0 3.0 Likelihood 4.0 5.0 High Risk Medium Risk Low Risk • Moderate vulnerability • Requires periodic monitoring Growing the Risk Management Culture in Human Services 19 We will now complete a mock Risk Assessment Exercise. Think through the likelihood and impact that these risks will occur in the next three years. © Deloitte LLP and affiliated entities. Growing the Risk Management Culture in Human Services 20 Lessons Learned and Questions © Deloitte LLP and affiliated entities. Growing the Risk Management Culture in Human Services 21 Lessons Learned and Questions Benefits of an Enterprise Risk Management process 1 Enhanced ability to achieve the organization’s strategic objectives 2 Greater awareness of risk and how to respond 3 Increased organizational effectiveness 4 Improved compliance with legal, regulatory and reporting requirements 5 The Risk Management Unit becomes a more value added partner © Deloitte LLP and affiliated entities. Growing the Risk Management Culture in Human Services 22 Lessons Learned and Questions Expected challenges in implementing an ERM process 1 Weak or non-existent risk culture undermines the process 2 Board of Directors and Senior Management don’t see the link between ERM and organizational performance 3 Disconnect between individual business units that operate in silos 4 Process is seen as overly complicated… not adding value, box ticking exercise 5 Staff engagement requires both training and development © Deloitte LLP and affiliated entities. Growing the Risk Management Culture in Human Services 23 Lessons Learned and Questions Key success factors • Senior Management commitment to a process that drives a stronger risk culture • Include a governance framework • Must be accompanied by a staff engagement process and include staff • Should build on existing risk management activities • Keep it simple • Talk to people in a language they can relate to • Start small • Design an ERM solution around your environment (make it fit) • Make it an on-going, iterative process that includes reporting mechanisms and oversight © Deloitte LLP and affiliated entities. Growing the Risk Management Culture in Human Services 24 Lessons Learned and Questions Questions or Comments? © Deloitte LLP and affiliated entities. Growing the Risk Management Culture in Human Services 25 Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services. Deloitte LLP, an Ontario limited liability partnership, is the Canadian member firm of Deloitte Touche Tohmatsu Limited. Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. The information contained herein is not intended to substitute for competent professional advice. © Deloitte LLP and affiliated entities.
© Copyright 2026 Paperzz