RISK RATINGS

The overall assessment of risk should be made in consideration of both the Impact of the area to Trinity Health and the Likelihood of a significant risk issue occurring in the area being assessed.

IMPACT

The purpose of assessing the impact is to answer the question "How significant are the potential consequences of the risk?" It is helpful to focus on a realistic worst-case scenario when assessing the impact or significance of a risk area.

Consider the impact or significance of an area in terms of the organization's ability to achieve its:

- Strategic Goals
- Operational Goals
- Financial Goals

Impact on Strategic Goals

Consider the impact of a significant risk event occurring in the identified area on the achievement of Trinity Health and/or Ministry Organization strategic goals by asking questions such as:

- Is this risk area a key objective in the Trinity Health and/or Organization's Strategic Plan?
- Would the occurrence of a significant risk event in this area have a material impact on the organization's ability to achieve its desired strategic goals and objectives?
- Would the occurrence of a significant risk event in this area have a material impact on Trinity Health and/or the Ministry Organization's reputation?

Impact on Operations

Consider the impact of a significant risk event occurring in the identified area on Trinity Health and/or the Ministry Organization's operations by asking questions such as:

- How significant is the identified risk area to Trinity Health and/or the Ministry Organization's total operations?
- Would the occurrence of a significant risk event have a material impact on the organization's operations?

Impact on Financial Goals

Consider the impact of a significant risk event occurring in the identified area on the achievement of Trinity Health and/or Ministry Organization financial goals by asking questions such as:

- How significant is the risk area in terms of measures such as operating revenue, operating expenses, total assets, net income or loss to Trinity Health and/or the Ministry Organization's total operations?
- Would the occurrence of a significant risk event in this area have a material impact on the organization's ability to achieve its desired financial goals and objectives?

The measure of materiality most meaningful to the area should be used in evaluating financial impact. In certain cases, a combination of different criteria may be used. Evaluations will necessarily be judgmental and will likely involve discussions with your Manager or Director. However, the basis for the evaluation should be reasonable and supportable based on objective criteria.

Examples of Potential Financial Impact Measures:

Area                      Measure
Materials Management      annual purchases
Inventory                 balance sheet amounts
Payroll                   annual payroll expense
Pharmacy                  department operating revenue or expenses
Home Health subsidiary    total assets, revenues or expenses, net income/loss

Impact Risk Rating

After giving consideration to the impact or significance of the identified risk area based on the above criteria, assign an impact risk rating to the area based on its significance to Trinity Health and/or the Ministry Organization's strategic, operational and/or financial goals:

Scale    Description
1        Not Significant
3        Minor Significance
5        Moderate Significance
7        High Significance
9        Extremely High Significance

LIKELIHOOD

The purpose of assessing the likelihood is to answer the question "How likely is it that a potential significant risk event will occur in this risk area?" In assessing the likelihood of a significant risk event occurring, you should give consideration to the following risk factors when making your evaluation:

- Control and Operating Environment
- Internal and External Factors
- Regulatory and Compliance Factors

Control and Operating Environment

The control and operating environment reflects the overall attitude, awareness, and actions of management and associates concerning the importance of controls and the emphasis placed on control in the organization's policies, procedures, methods and organizational structure. The
overall assessment of the control and operating environment ultimately comes down to three questions:

- Has management installed the necessary risk management/control mechanisms to monitor risks?
- Are the risk management/control mechanisms established functioning effectively?

Consider the overall control and operating environment of the risk area, giving consideration to the following:

- Probability that a material risk event could occur and not be detected by management in the course of daily operations;
- Effectiveness of the accounting and reporting system in providing management with sufficient, accurate, and timely information;
- Area requiring significant estimation or judgment by management and/or analyses performed on only a non-routine basis;
- The extent of self-monitoring mechanisms established to monitor risks in the normal performance of operations (quality control standards and reporting, periodic sample audits, system controls or edits, etc.);
- Existence of documented and communicated policies and procedures;
- Physical controls;
- Segregation of duties;
- Key management review (monitoring of actual vs. budgeted performance, comparisons to industry benchmarks, etc.);
- Appropriateness of organizational structure. In general, entities, departments and business units which are not integrated with other local operations (e.g. financial and information systems, policies and procedures are separate and independent) present higher risks than those fully integrated within local operations;
- Management's historical philosophy and operating style concerning internal controls and risk avoidance;
- Nature of findings or conditions noted in prior audits or external audit management letters.

Management's input is critical in evaluating the control environment and should be obtained through inquiry and discussion. As a general rule of thumb, an audit area should be evaluated as "Moderate" risk in the absence of any specific knowledge of the effectiveness of the control environment.

Internal and External Factors

Factors outside the control of the organization/department and management may also have an impact on the area. These factors can directly affect management's attitude toward the conduct and reporting of operations and the importance of the control environment. Consider the risk area in light of the following internal and external factors:

- Economic conditions - pressure to improve overall operating performance or to meet established budget targets;
- Influence of joint venture owner or business partner on activities of the area;
- Competition and strategic position in the marketplace;
- Complexity of the area;
- Recent changes in key personnel or organizational structure;
- Recent acquisition of a previously non-affiliated entity;
- Concerns of management, board of trustees or its committees concerning the area.

Regulatory and Compliance Factors

Consider the extent to which the area under consideration is impacted by requirements of federal or state laws and regulations or subject to standards of accrediting organizations such as JCAHO, NCQA, etc. Consider the following:

- Extent of current regulatory review of the identified area by federal or state agencies such as the Office of Inspector General, Department of Justice, etc.;
- Extent and results of previous reviews of the identified area performed by OIAS personnel, external consultants or the organization;
- The existence or lack of systems, procedures and policies addressing the identified risk area, as well as the effectiveness of current monitoring procedures as obtained through prior reviews or management inquiries;
- The results of reviews of the identified area performed by OIAS personnel for other Ministry Organizations.

Likelihood Risk Rating

After giving consideration to the likelihood of a significant risk event occurring in the identified risk area based on the above criteria, assign a likelihood risk rating to the area based on the following:

Scale    Description
1        Very Low
3        Low
5        Moderate
7        High
9        Very High

Based on the risk ratings assigned to impact and likelihood, a weighted risk rating is determined. For purposes of weighting, the impact risk factor is multiplied by 0.6, while the likelihood risk factor is weighted 0.4. The end result is that additional emphasis will be placed on those areas considered to have the most significant impact to Trinity Health and/or the Ministry Organization's strategic, operational and financial goals.

The combined weighted average risk can be presented on a matrix as follows:

          |  6   8   9
  Impact  |  3   5   7
          |  1   2   4
          +------------
            Likelihood

WORK PLAN DEVELOPMENT

Those risk areas with the highest combined risk rating as identified in the risk assessment process should be prioritized in developing the annual OIAS Work Plan based on timing, availability of resources, etc.