Risk Criteria Matrix Risk Assessment TEMP

Risk Criteria Matrix - Enterprise Risk Management
Scoring Definitions

Each risk is scored from 1 (lowest) to 5 (highest) on three dimensions: Impact to the Organization (Mission/Reputation, Financial, Legal), Vulnerability (Likelihood of Risk, Detectability), and Controls.

Score 1

Mission/Reputation: Little or no mission risk at either System or hospital level. Bad press very unlikely.
Financial: Very remote chance the loss would exceed $________ of gross revenue.
Legal: Technical violation of law or regulation. Little or no fine probable.
Likelihood of Risk: Low risk, unlikely to occur. Historical and industry experience show low likelihood of occurrence.
Detectability: Failures are likely to be detected. Process is directly supervised. Automated safeguards for identifying variations/errors.
Controls: Internal and/or automated controls proven to be highly effective in mitigating all risk.

Score 2

Mission/Reputation: Slight mission risk. Possible bad press but no significant patient, physician, or constituent consequences.
Financial: Loss between $_______ and $______ of gross revenue.
Legal: Civil fines and/or penalties up to $100,000 possible, but little risk of exclusion, CIA, or loss of accreditation/licensure.
Likelihood of Risk: Slight risk; historical industry experience shows some likelihood, however not experienced in the organization to date. Simple, well-understood process; competency demonstrated, so less likely to fail.
Detectability: Slight risk that failure will be detected. Process failures; moderate safeguards in place; partially automated process with moderate management oversight.
Controls: Routinely audited and/or tested. Performance metrics are established, routinely reviewed, and show little variation. Current policies and procedures exist. Employee training and competency established. Well prepared to manage this risk appropriately based on implemented risk management plans.

Score 3

Mission/Reputation: Moderate mission risk. Probable bad press. Probable modest physician, patient, and/or constituent fallout.
Financial: Real possibility of loss between $_______ and $______ of gross revenue.
Legal: Civil fines and/or penalties up to $1,000,000 probable. Modest risk of exclusion; CIA possible.
Likelihood of Risk: Moderate risk of occurrence within next 12 months; isolated to a single facility.
Detectability: Moderate risk that failure will not be detected. Limited safeguards in place to identify failure prior to occurrence. Partially automated process with limited management oversight.
Controls: Periodically audited and/or tested. Corrective action plans developed and tested for effectiveness. Limited performance metrics established. Risk management plans expected to manage the risks appropriately.

Score 4

Mission/Reputation: Significant negative press coverage. Significant patient, physician, and/or constituent fallout.
Financial: Real possibility of loss between $_______ and $______ of gross revenue.
Legal: Civil fines and/or penalties up to $1,000,000 probable. Loss of licensure/accreditation. Exclusion possible. CIA probable.
Likelihood of Risk: Significant risk; likelihood of occurrence in up to 50% of business unit facilities. Complex and/or manual process.
Detectability: Significantly difficult to detect prior to failure. Manual safeguards in place to identify failures; no automated processes; periodic management oversight.
Controls: Management review and approval required. Process not audited or tested, or infrequently audited or tested. Limited policy or procedure guidance. Some risk management plans or steps undertaken; not reasonably expected to manage the risk appropriately or fully.

Score 5

Mission/Reputation: Extensive and prolonged negative press coverage. Significant sponsor/board questions of management. Extensive patient, physician, and/or constituent fallout.
Financial: Real possibility of loss greater than $_________ of gross revenue.
Legal: Criminal conviction and/or exclusion of hospital or System probable. Fines, penalties, and/or legal exposure in excess of 1% of net revenue. CIA certain.
Likelihood of Risk: High risk of occurrence. Likely to occur in next 12 months. Highly complex process with numerous hand-offs. Relies on extensive specialized skills. Note: should assume natural/manmade disasters are likely to occur in the next year.
Detectability: Extremely hard to detect prior to failure. Highly automated with little or no human intervention, oversight, or control. No built-in safeguards, cross-checks, or other mechanisms to identify errors/failures prior to submission/completion.
Controls: No formal controls in place. No risk management plans or steps in place currently.