How I learned to stop worrying and love the risk Tren n a e t. D

PPB Survey (2010) of Not for Profit organisations in Australia and New Zealand:
  1. Almost half did not have, or did not know if they had, a risk management plan
  2. 61% of respondents stated that risk to their organisation had increased over the past five years
  3. Over one third of Not-For-Profit boards were not held accountable for managing risk in their respective organisations
  4. Almost half of respondents believe that budgetary constraints were the main barrier to adequate risk management support

The Ultimate Risk Management Consultant

Managing risk is a good thing...
  • Moves us away from avoidance or transference
  • It forces creativity
  • The only way to achieve innovation and growth

The most important things...
  • Risk Management Framework - Fully integrated and informed
  • Leadership - Prepared to take calculated risks

The Optimistic Gamblers The Risk Averse

The Innovators

Where to begin?
  • Design a RM framework that fits your organisation
  • Identify your strategic risks
  • Identify risk owners
  • Do something... anything
  • Monitor, Rinse and Repeat

What is Risk?
“Effect of uncertainty on objectives” (ISO 31000:2009 Risk Management)
Objectives can have very different aspects

Major risks can impact on a range of areas including, but not limited to:
  • Client Safety
  • Staff Safety
  • Business continuity
  • Organisational Reputation
  • Financial Sustainability
  • Employee Relations

Strategic Objectives, Risk Categories and Identified Strategic Risks

Strategic Objective: Grow more Christian Communities
Risk Category: Growth
Identified Strategic Risks:
  • Lack of brand awareness and / or reputational loss
  • Increased industry competition
  • Poor due diligence and management of merger and acquisitions
  • Limited church planting and sustained congregational growth

Strategic Objective: Operate and grow in a financially sustainable way
Risk Category: Financial Sustainability
Identified Strategic Risks:
  • Unsuitable or poor performing investments
  • Overextending on capital work projects
  • Loss of / decreased funding sources
  • Poor budgeting (organisational / project) and treasury strategy
  • Loss of PBI / DGR status

Consequence ratings by Consequence Type (Insignificant, Minor, Moderate, Major, Catastrophic)

Consequence Type: Audit and Compliance
  • Insignificant: Compliance with standards or licensing requirements maintained with negligible level of control weakness
  • Minor: Compliant with standards or licensing requirements / minimal level of control weakness
  • Moderate: Single non compliance with standards or licensing requirements resulting in recommendations for improvement / moderate level of control weakness identified
  • Major: Multiple non compliances with standards or licensing requirements resulting in recommendations for improvement / high level of control weakness
  • Catastrophic: Fully non compliant with standards or licensing requirements resulting in sanction or penalty / critical failure of key controls

Consequence Type: Business Continuity
  • Insignificant: Loss / interruption less than 1 hour
  • Minor: Loss / interruption <= 8 hours / some disruption manageable by altered operational routine
  • Moderate: Loss / interruption <= 1 day / Disruption to a number of areas within a Division or Unit, possible flow on to other locations
  • Major: Loss / interruption <= 1 week / all operational areas of a Division or Unit compromised, other locations are affected
  • Catastrophic: Total system dysfunction and / or total shut-down of operations

Consequence Type: Client Safety and Care
  • Insignificant: No injury or harm caused
  • Minor: Minimal harm caused / unsatisfactory client experience not directly related to client care experience - readily resolvable
  • Moderate: Temporary loss of function or mismanagement of client care
  • Major: Permanent loss of function or harm caused / serious mismanagement
  • Catastrophic: Loss of life / totally unsatisfactory client outcome or experience of client care

Consequence Type: Finance
  • Insignificant: < $100 k
  • Minor: $100 – 200 k
  • Moderate: $200 – 500 k
  • Major: $500 – 2 m
  • Catastrophic: Greater than $2 m

Consequence Type: Fraud
  • Insignificant: < $2 k
  • Minor: $2 – 10 k
  • Moderate: $10 – 25 k
  • Major: $25 – 100 k
  • Catastrophic: Greater than $100 k

Consequence Type: Health and Safety
  • Insignificant: No injury / illness - no time lost, minor adjustment to operational routine
  • Minor: Single injury / minor illness – lost time of less than 4 rostered days
  • Moderate: Single serious injury > 4 rostered days lost
  • Major: Multiple serious injuries or illness (more than 4 rostered days lost, or an event which is notifiable)
  • Catastrophic: Fatality

Consequence Type: Reputation
  • Insignificant: Minimal adverse local publicity
  • Minor: Significant adverse local publicity
  • Moderate: Significant adverse state-wide publicity
  • Major: Significant and sustained state-wide publicity
  • Catastrophic: Sustained national adverse publicity

Consequence Type: Vision and Values
  • Insignificant: Negligible misalignment with strategic objectives or expected behaviours
  • Minor: Minor misalignment with strategic objectives or expected behaviours
  • Moderate: Moderate misalignment with strategic objectives or expected behaviours
  • Major: Significant misalignment with strategic objectives or expected behaviours
  • Catastrophic: Major misalignment with strategic objectives or expected behaviours

Consequence Type: Workforce
  • Short term low staffing level temporarily reduces service quality
  • Moderate annualised staff turnover (< 30%)
  • Ongoing low staffing level reduces service quality
  • Late delivery of key objectives / services due to lack of staff
  • Very high annualised staff turnover (> 30%)
  • Non delivery of key objective / service due to lack of staff
  • Uncertain delivery of key objectives / services due to lack of staff

Likelihood Rating (Rating: Descriptor; Frequency)
  • Almost Certain: Is expected to occur frequently (in most circumstances); Expected to occur at least monthly
  • Likely: Is expected to occur occasionally (to be expected); Expected to occur at least quarterly
  • Possible: Could occur at least once (capable of happening / foreseeable); Expected to occur at least biannually
  • Unlikely: Might occur at some time (not to be expected); Expected to occur at least annually
  • Rare: May occur in exceptional circumstances only; Not expected to occur for years

Control effectiveness (Rank, Colour, Description)
  • Low (1): Action plans, policies or controls are not mitigating the risk and / or deemed to be very weak or ineffective. Risk may be outside control of organisation.
  • Medium (2): Action plans, policies or controls may be partially mitigating the risk and scope for some improvement.
  • High (3): Action plans, controls or policies deemed to be satisfactory and tested regularly.

Risk matrix
Consequence: Insignificant, Minor, Moderate, Major, Catastrophic
  • Almost Certain: Medium, High, Extreme
  • Likely: Medium, High, Extreme
  • Possible: Low, Medium, High
  • Unlikely: Low, Medium, High
  • Rare: Low, Low, Medium

Risk Rating and Action Required

Low
  • Manage by routine controls and processes
  • Ongoing monitoring of control effectiveness by local management

Medium
  • Manage by routine controls and processes
  • May require a detailed risk action plan
  • Ongoing monitoring of control effectiveness by local management

High
  • Immediate notification of relevant Senior Management
  • Should have a detailed risk action plan
  • Risk action plan to be monitored by relevant Senior Management and progress reported to relevant Divisional Director
  • Updates to be provided to Executive Committee members, as required
  • Ongoing monitoring of control effectiveness by Senior management

Extreme
  • Immediate notification of relevant Divisional Director
  • Must have specific risk mitigation plan
  • Risk action plan to be monitored by Divisional Director and progress reported to Executive Committee members
  • Updates to be provided to Board Risk, Audit and Compliance Committee members, as required
  • Ongoing monitoring of control effectiveness by Divisional Director

Risk Assessments
  • Risk Statement
  • Contributing Factors
  • Consequences
  • Control effectiveness
  • Risk Analysis
  • Action Required
  • Risk Ownership

What should the Board know about?
  • Key strategic / operational risks
  • Presentations by individual risk owners
  • Key issues / incidents / compliance breaches
  • Crisis / Disaster Management
  • OH&S
  • Fraud and Corruption
  • Internal Audit reports
  • External Audit reports

Say what?
  • What are the risks, both strategic and operational?
  • How effective are the controls, and how do you know they are working?
  • What are you doing about the risks?
  • How are the risks trending?
  • What are the known or possible risks ahead of us?

Board Report – Risk Heat Map

Risk 2 (SR-AC): Poor integration and support of client focused care
Risk Owner: A. Staff
Accountable Executive: B. Cool
Risk Category: Client Focus
Definition of Risk: Poor integration and support of client focused care

Contributing Factors / Issues
  • Poor awareness of integration of services (both care and support)
  • Constraints by regulatory and compliance obligations
  • Limited creativity with application of compliance and regulatory obligations
  • Lack of support or resistance for client focused care
  • Client not viewed as central to all tasks and functions
  • Lack of awareness of services and functions that input or interface with client care delivery
  • Poor history and culture – task focused and output driven at both industry and occupational level

Existing Controls
  • Training on customer focused awareness
  • CMS focused on client outcomes
  • Appointed project manager for the client focused care project
  • Appointed GM for shared services and integration
  • Appointed regional volunteer coordinators

Gaps and planned response
  • Client focused education at every level of organisation
  • Review of all functions that interface / input into client outcomes
  • Churches of Christ Care Strategic Plan / actions from the Strategic Plan
  • Gap assessment of CMS / Care Governance
  • Action learning approach to learning
  • Client satisfaction survey

Comments / Updates
  • Gap assessment of CMS / Care Governance is almost complete
  • Actively recruiting 5 regional volunteer coordinators

Current Risk Rating
  • Likelihood: 4
  • Consequence: 3
  • Rating: 12

Control effectiveness / scope for control improvement

Key Risk Indicators
  • Number of volunteers
  • Compliance with standards and licensing
  • Client satisfaction surveys
  • Predetermined and measured outcomes of care
  • Culture survey results

Key Risk Indicators

An integrated approach
  • Identify and Assess
  • Risk Management
  • Design and Implement Controls
  • Internal Audit
  • Quality Improvement
  • Monitor and Review Controls

Churches of Christ in Queensland
  • A group of mainstream Christian churches which has been an active part of the Queensland community for over 100 years.
  • We are a significant presence within Queensland with over 200 services in more than 100 communities, touching tens of thousands of lives each year.

Churches of Christ Care
  • Established in 1930; operates 137 services with the support of more than 2,800 staff and over 700 volunteers.
  • The care services are active in the areas of early childhood services, child protection, social and affordable housing, retirement living, community aged care, and residential aged care.

Assurance Services
  • Group Manager
  • Quality Officer
  • Quality Advisor
  • Internal Auditor
  • Health, Safety and Rehabilitation Consultant
  • Risk and Compliance Advisor
  • Internal Audit Coordinator
  • Director
  • Health, Safety and Rehabilitation Specialist
  • Health, Safety and Rehabilitation Consultant

What we do...
  • Risk Management Framework
  • Fraud Risk Management
  • Sentinel Event Management
  • Root Cause Analysis
  • Crisis / Disaster Management
  • Child Safe Program
  • Legislative Compliance
  • Quality Management (Continuous Improvement) Framework
  • Controlled Documents
  • Archiving / Records Management
  • Internal Audit
  • Self Audits
  • Compliance Reviews
  • Due Diligence
  • Forensic Investigations
  • Workplace Health and Safety
  • Worker Rehabilitation

A Call to Action
Ask yourself...
  • Do I know my organisation’s strategic risks, and are they meaningful to me?
  • Is ‘risk management’ only raised as part of a dedicated risk meeting, or is it part of every Board conversation?
  • What is the risk appetite and tolerance of the Board, the organisation, and me?