Health in the North, where we live. Annual conference of the Internal Auditors' Association, 27 May 2013. Lars Vorland, Helse Nord RHF



Transcript:

Health in the North, where we live. Annual conference of the Internal Auditors' Association, 27 May 2013. Lars Vorland, Helse Nord RHF

The specialist health service's tasks: treatment; teaching; research; training

Key figures 2013: Turnover approx. NOK 15 billion. Approx. 14,000 employees. 60% of costs are wages. Procurement volume Helse Nord approx. 1.5 billion. Investments 1.5 billion. 45% of the land area of Norway, incl. Svalbard. 9% of the population. Pre-hospital services and patient transport almost 1.9 billion/year. Surplus 437 million (2012).

Helse Finnmark HF; Sykehusapotek Nord HF; Universitetssykehuset Nord-Norge HF; Nordlandssykehuset HF; Helgelandssykehuset HF. 5 health trusts; 11 somatic hospitals + specialist centres etc. + Longyearbyen hospital; 2 psychiatric hospitals; 14 DPS and similar; 5 (6) DMS; 100 contract specialist positions; 10 (11) air ambulance units; 130 ambulances; 10 ambulance boats; 1 hospital pharmacy trust

KVEN SIGNS: Several of the villages in the municipality are to get signs with Kven place names. The town council has adopted four names. The Vadsø sign carries both the Sami and the Finnish place name. Photo: Henriette Baumann

Quality strategy, Helse Nord 2011-14. Focus area 1: Grounding in knowledge. Focus area 2: Patient focus. Focus area 3: Patient safety. Focus area 4: Documentation and analysis

Annual report 2012: Quality and patient safety, management's work and publication. Patient safety, quality assurance and internal control shall be an integrated part of management work at all levels.
[Figure: risk matrix. PROBABILITY (very high, high, medium, low, very low) against CONSEQUENCE (negligible, low, medium, serious, very serious/critical), with the items a, b, c, d and X plotted]

Cervical cancer screening, percentage of women screened aged 20-69. Cervical cancer five-year relative survival rate.

Mammography screening, percentage of women aged 50-69 screened. Breast cancer five-year relative survival rate.

In-hospital mortality rates following heart attack have decreased in all OECD countries, indicating improvements in acute care.

Continuing challenges: the chronically ill; patient safety; user orientation; coordination; communication

[Figure: Shoulder operations, Norway 2011. Number of shoulder operations per 1,000 inhabitants, 2011, for residents of the health trusts' catchment areas. Total number of shoulder operations in 2011 = 7323]

Management requires easy access to important key indicators

What have we achieved in Helse Nord? Health in the North, where we live: decentralised and centralised services. Better division of labour in several areas (heart, cancer, trauma etc.). At the forefront on ICT, even though much is still unresolved. Upgrading of services to patients through building projects. Increased attention to quality in patient treatment. A more cooperative community in the north. Coordination is on the agenda. Sound financial operations. Built organisation, balance point in the North

Helse Nord, a regional organisation: A decision-making system responsible for the specialist health service in the north. Services that cover the whole region. One pot of money for the whole region. Resources must be distributed equitably across the whole region, a precondition for trust. The structure of services should have good acceptance across the whole region. Investments must be balanced within the region

Risk: Preventable risk; strategic risk; external risk. Harvard Business Review, June 2012: 49-60

[Figure: Deviation from the governing requirement (NOK 1,000), 2002-2012]

Preventable risk, compliance-based. Finances: framework grant; ISF; framework grant + ISF (60% + 40%)

New hospitals: Vesterålen Kirkenes Bodø UNN Narvik Narvik

Nordlandssykehuset - Bodø

Many new hospital buildings: what do we want to achieve? Better patient treatment. Better working environment. More efficient operations. Long planning and construction phase: arrangements must be made so that the professional communities are involved and plan the commissioning and the new operations. Success lies in the details

Strategic risk, buildings: 50% loan + 50% equity; 70% loan + 30% equity; PPP (0 equity). RHF: Liquidity RHF Sustainability: HF (+ the group)

Strategic risk: Fiks (joint introduction of clinical systems); coordination; workforce (competence)

External risk: ash cloud; ash cloud + flood; swine flu + ash cloud; wage settlement; the Working Environment Act/working hours

Doctor - patient: Conversations (individual). Action. Procedures, standardisation. Right course (right diagnosis). Competence: research, courses/conferences/teaching. Clinical audits. Internal audit. GTT, electronic monitoring

Strategic and external risk: Not compliance-based. Must be based on open and clear risk discussions. Difficult: the discussions often come too late. Groupthink, especially with conflict-averse management, minimising of delays, and someone challenging his/her authority; culture (values, room for open debate). Normalisation of deviance: capable people are not used to thinking about errors and what can go wrong

Internal audit: Unusual organisation. Common sense needed. So far very useful for Helse Nord. Culture for risk assessment and risk handling. Wish: even more guidance. Risk manager/compliance officers?

Risk appetite for operational and non-financial risks John Thirlwell IIA, Bodø, 27 May 2013

Agenda

Defining operational risk: the risk of loss resulting from inadequate or failed internal processes, people or systems or from external events [Basel II] + why it's different: no cap/limit; don't take on more; consequence of being in business + inherent in all activities + responsibility of everybody in firm, so very difficult to manage and set an appetite for

Is operational risk different from other risks?
Question | Credit, market, commodity, liquidity | Operational
Is the risk transaction-based? | Y | N
Is the risk assumed proactively? | Y | N
Can it be identified from accounting information e.g. the P&L? | Y | N
Can audit confirm that every occurrence of the risk has been captured? | Y | N
Can its financial impact be capped or limited? | Y | N
Can you trade the risk? | Y | N
Is everybody in the firm responsible for the risk? | N | Y
Does the risk affect every activity? | N | Y

Risk appetite Amount and type of risk that an organisation is prepared to seek, accept or tolerate. (BSI 31100) international? The amount and type of risk that an organisation is willing to take to achieve its strategic objectives [over a specified time horizon at a given level of confidence]

A regulatory perspective on ORA Operational risk differs from other banking risks in that it is typically not directly taken in return for an expected reward, but exists in the natural course of corporate activity. [Basel Committee] Appetite, in the true sense, may not be appropriate. But a residual level of operational risk (events) may be tolerable, for example where the cost of mitigating the risk outweighs its impact, or where the cost can be mitigated by income.

Risk appetite and risk tolerance Risk appetite = the amount of risk which is taken for reward? Risk tolerance = maximum amount of risk which can be taken before financial distress? Risk appetite = pursuit of risk? Risk tolerance = what you can allow the organisation to deal with? Risk appetite = a forward view of risk acceptance? Risk tolerance = the amount of risk a firm has accepted in the past? My own view...

Operational risk appetite(s) Different nature of risks (and different approaches to operational risk) means different approaches to measures of risk appetite. No single appetite figure for operational risk. Can be expressed through losses, RCAs, indicators or qualitative statements, e.g.

Zero appetite and zero tolerance Do they exist for operational risk? Behaviours Retail (shoplifting) Regulatory breaches / investigations, e.g. S166

Whose risk appetite is it anyway?

Whose risk appetite is it anyway? Politicians Investors Customers Regulators Public Employees

ORA governance Business strategy and objectives Rigorous approval process Involving all relevant management ORA part of operational risk policy; establishes a common language

Classifying risks and ORA Identifying and classifying risks Accept controls and mitigants Accept capital and/or BAU profits Accept part (all?) transferred through, for example, insurance Accept part (all?) transformed through, for example, outsourcing Avoid Tolerate, treat, transfer/transform, terminate (possible?)

Whose risk appetite is it anyway and how might they express it?

ORA statements Simple - easily communicated and resonate with multiple stakeholders Practical - guiding management Allow flexibility but not strategic drift Include: Definition Term / time horizon Confidence level Monitoring Measurable, although can often be qualitative with selected metrics

Example ORA statements do they succeed? We seek to minimise the downside risk from the impact of unforeseen operational failures within our business and in our suppliers and service providers. The firm has no appetite for individual operational losses above x and cumulative losses above y within a 12 month period. Any operational risk losses exceeding z are reported to the Group Operational Risk Committee. Zero statements The firm has no appetite for financial crime and will implement appropriate measures to control it. Legal and regulatory risks. The group has minimal risk appetite and seeks to operate to high ethical standards.

And a risk appetite one Board and senior management must understand and be able to manage all risks. [quoted in Senior Supervisors Group report on developments in risk appetite frameworks, December 2010]

What measures can we use: loss events Which events or losses? Amount (the basis of impact/severity) Direct or indirect? Date (the basis of likelihood/frequency) Boundary losses Multiple events Data capture

Measurement and management NB better slide CAUSE EVENT EFFECT

Some Nobel thoughts on quantification Unlike the position that exists in the physical sciences, in economics and other disciplines that deal with essentially complex phenomena [operational risk?], the aspects of the events to be accounted for about which we can get quantitative data are necessarily limited and may not include the important ones. [Friedrich von Hayek, Pretence of Knowledge, Nobel acceptance speech 1974] So be humble and acknowledge the limitations of op risk loss event data!

Losses and ORA

What measures can we use? Risk and control assessments
Likelihood \ Impact | Low (1) | Med Low (2) | Med High (3) | High (4)
High (4) | 4 | 8 | 12 | 16
Med High (3) | 3 | 6 | 9 | 12
Med Low (2) | 2 | 4 | 6 | 8
Low (1) | 1 | 2 | 3 | 4

Residual risks (assuming controls work)
Likelihood \ Impact | Low (1) | Med Low (2) | Med High (3) | High (4)
High (4) | 4 | 8 | n/a | n/a
Med High (3) | 3 | 6 | 9 | n/a
Med Low (2) | 2 | 4 | 6 | 8
Low (1) | 1 | 2 | 3 | 4

Assessing risks How many bands or ranges? Ensure periods for likelihood and impact are appropriate Frequency of assessment how often are risks likely to change? And what is a reasonable time for risk appetite?

Identifying and assessing controls. Types of controls: Likelihood (cause): Directive, e.g. policies, procedures, manuals; Preventative, e.g. system checks on limits. Impact (effect): Detective, e.g. indicators; Corrective, e.g. follow-up on reconciliations, BCP. Are controls independent or linked? Linked controls are only as good as the preceding link(s). Controls may mitigate more than one risk, but the application of the control may not be the same. Eg?

Assessing control design and performance: Control effectiveness doesn't give clear control improvement guidance. Design is the inherent ability of the control to mitigate the risk, and is often about process or system. Performance is about how the control is working in practice, and is often about people

Control appetite The amount a firm is willing to spend (in time, money and/or resources) to mitigate a risk to an acceptable residual level. Can be expressed as: Acceptable level of control assessment Reduction in assessed risk from gross (inherent) to net (residual) Targets and thresholds of key control indicators Reductions in number and/or value of events and/or losses Cost / benefit of risk profile reduction

Example of RCA
ID | Risks | | I | L | S | Controls | | D | P | E
1 | Failure to attract, retain key staff | A | 4 | 4 | 16 | Salary surveys | D | 2 | 2 | 4
  | | | | | | Training and mentoring | E | 3 | 2 | 6
  | | | | | | Retention packages | D | 4 | 4 | 16
2 | Poor staff communication | B | 4 | 4 | 16 | Defined communication channels | F | 4 | 3 | 12
3 | Poor detection of money laundering | C | 4 | 3 | 12 | Documented procedures and processes | G | 3 | 2 | 6
  | | | | | | AML training | D | 3 | 2 | 6
  | | | | | | Circulation of trade association briefings | H | 3 | 1 | 3
  | | | | | | Know Your Customer procedures | G | 4 | 3 | 12

ORA using RCSA scores (step 1): Board expressed residual appetite
Annual Loss Thresholds
Low | 25,000
Acceptable | 100,000
Warning | 450,000
Catastrophic | 1,500,000

ORA using RCSA scores (step 2)
Impact per event ( ) | L'bound | U'bound | Mid point
Low | 0 | 50,000 | 25,000
Med-low | 50,000 | 150,000 | 100,000
Med-high | 150,000 | 500,000 | 325,000
High | 500,000 | 1,500,000 | 1,000,000

Likelihood of event (per annum) | L'bound | U'bound | Alternative label | Mid point
Low | 0.04 | 0.10 | 10% likely in next year | 0.07
Med-low | 0.10 | 0.33 | 30% likely in next year | 0.22
Med-high | 0.33 | 1.00 | Very likely in next year | 0.67
High | 1.00 | 12.00 | Several times in next year | 6.50

ORA using RCSA scores (step 3)
Annual Loss Thresholds: Low 25,000; Acceptable 100,000; Warning 450,000; Catastrophic 1,500,000
IMPACT \ LIKELIHOOD | 10% likely | 30% likely | Very likely | Severe
High | 70,000 | 220,000 | 670,000 | 6,500,000
Med-high | 22,750 | 71,500 | 217,750 | 2,112,500
Med-low | 7,000 | 22,000 | 67,000 | 650,000
Low | 1,750 | 5,500 | 16,750 | 162,500

Types of controls. Likelihood: Directive, e.g. policies, procedures, manuals; Preventative, e.g. system checks on limits. Impact: Detective, e.g. indicators; Corrective, e.g. follow-up on reconciliations, BCP

Using the right controls

[Figure: Spidergram: IT & Systems Risks & Controls. Two series, Risk and Control, plotted per IT risk area on a radial scale from 0.0 to 200.0]

Indicators: the different types (KIs)
K Risk I: Change in likelihood or impact, linked to RCA
K Performance I: Change in business performance, linked to business objectives
K Control I: Change in design or performance, linked to RCA

Leading and lagging indicators. Risk indicators: Likelihood indicators tell you about the chance of a risk happening (lead); Impact indicators tell you about the effects of the risk when it has happened (lag). Control indicators: Preventative control indicators tell you about controls that stop a risk from happening (likelihood) (lead); Detective control indicators tell you about controls which reduce the impact of a risk (lag)

Thresholds and targets NB + predictive cause / likelihood; effect / impact from slides ahead < 5% 5-9% 10-15% 16-20% > 20%

Risks and risk indicators for Audit Committees
Soft risks: Inappropriate tone at the top; Inexperienced management; Frequent senior management over-rides; Lack of transparency in the business model and the purposes of transactions; (Late) surprises; Exposure to rapid technological changes; Autocratic management; Poor management oversight; Overly complex organisational structures or transactions; Unrealistic earnings expectations
Hard risks: Unusually rapid growth; Frequent organisational changes; High turnover of senior management; Lack of succession plans; Ongoing or prior investigations by regulators or others; Untimely reporting and responses to audit committee enquiries; Industry softness or downturns
Risk indicators: % growth in sales; Number; Key staff lost; % of divisions/units completed; Number; Number of days; Industry growth/decline from industry reports
(Derived from: KPMG Audit Committee Institute, Shaping the audit committee agenda, May 2004)

What is a scenario? potential vulnerability to exceptional but plausible events (Basel Committee) Events must have a low probability of occurring but should be realistic the nastiest you can imagine without being unrealistic They are stories, which is why they are effective and generate buy-in

Issues with scenarios Outcomes are too modest they must be severe enough Not considered credible by the business the nastiest you can imagine without being unrealistic

Considered too unlikely to plan for CIA scenario planners rejected this scenario as being just too unlikely

Comments about financial crisis predictions Shuttle, BP re stressing

Scenario analysis is an important risk management tool Alerts management to adverse unexpected outcomes Supplements other risk management approaches, especially during periods of expansion, providing data when none is available Provides forward-looking assessments of risk Overcomes limitations of models, including the tail problem, and historic data Supports internal and external communication and generally gets buy-in Feeds into capital and liquidity planning Assists in setting risk tolerance and appetite Facilitates contingency planning

Issues with scenarios Outcomes too modest - must be severe enough Not considered credible by the business the nastiest you can imagine without being unrealistic Scenarios are combinations of events. A single event is a stress test. Mechanical, point in time Assumed historical relationships were good basis for forecasting future Did not capture reputational risk Forgot the crisis management team and who will run business as usual

Natural biases when developing scenarios and RCSAs. Wikipedia gives 84 types of cognitive bias, but they tend to resolve down to 3. Judgemental: Availability bias (and the elephant): the ease with which relevant information is recalled or visualised, generally from personal experience. Anchoring bias: arises when participants start with an initial value (including external loss data) and adjust it to yield their final answer. Motivational: arises when participant has an interest in influencing the results

Overcoming biases: Two (or more) pairs of eyes, i.e. peer review. Challenge by Group functions, e.g. Risk. Internal audit of the risk assessment process. Comparison of actual losses (including external data) against experts' expectations. Anchoring: mitigate with deliberate use of availability, i.e. ask participants to posit extreme values for impact and then come up with scenarios outside those values

Behavioural appetite Plus something about BCP / rep risk

How to embed the right operational risk appetite culture Committed leadership, operating within agreed appetites Strategy and objectives which inform and are informed by agreed appetites Values and behaviours conform to appetites Clear roles and responsibilities Open channels of communication to ensure adherence to agreed appetites Selection, induction and training to communicate and reinforce agreed appetites Reward in line with risk appetites

Uses of ORA process Challenges strategy development and strategic decision-making Expands understanding of strengths and competitive advantage Identifies resource gaps i.e. capacity and constraints Fundamental to assessing insurance and outsourcing decisions Helps to assess mergers, project, investment and M&A decisions

Capacity and constraints People Systems, infrastructure Finance Reputation Political and other externals

Thank you!

John Thirlwell Tel: 020 7628 4749 Mob: 0781 382 9362 Email: info@johnthirlwell.co.uk