Governance Model for Risk Management

Overview
This model sets out the Governance structure for the management of risk at The Doctors’ Health Fund.

This is done with reference to the Risk Management Policy to enable the business to retain the flexibility to organise the Risk Management (RM) function as most befits the particular circumstances of the business.

This approach enables the model to be adaptable in the face of ongoing organisational change.

The main Board has ultimate responsibility for the management of risk across The Doctors’ Health Fund and is supported by the Board Audit, Risk and Compliance Committee (ARCC).

The ARCC is the organisational unit that is primarily responsible for supporting the business to define and implement an effective risk management framework. It also monitors the effectiveness of the risk management framework.

The precise allocation of operational responsibilities may vary for practical reasons.

This document specifies the allocation of responsibilities, and the segregation of duties that needs to be considered in order to maintain a sufficient level of control.

The Head of Business, service providers and staff members in general, all have an important contribution to make to the management of risk, and this document describes the specific roles and responsibilities of each of these parties.

Finally the framework of decision-making bodies regarding risk management is also set out.

Introduction

Risk Management
The mission of the organisational function “Risk Management” (RM) is to enable the business to manage its risks in an informed, pro-active manner with a view to prevention of unacceptable risks. The function is driven by the business and aims to build the trust and confidence of stakeholders and clients by establishing industry good practice and by meeting regulatory requirements.

The business needs to carefully balance cost, risk and utility requirements in the implementation of an effective risk management framework. This necessitates a clear understanding of risk levels, which can then be used to set the agenda for risk management and support acceptance of residual risks as appropriate.

Purpose and Scope
The purpose of this document is to set out the governance model for risk management at
The Doctors’ Health Fund; i.e. relating to both the function and to risk management activities in their broadest sense.

The document is intended to provide a cohesive overview of risk management governance in the first instance, and will be used to update the appropriate elements of The Doctors’ Health Fund Policies and Procedures in due course. Where there are differences between the direction stated in this document and current policy, this document takes precedence.

The model applies to risk management roles and responsibilities across the whole of The Doctors’ Health Fund.
It does not address roles associated with The Doctors’ Health Fund customers or other third parties.

Definitions
Security relates to the protection of assets against loss, misuse, disclosure or damage.
Where the assets in question are information assets, the term “Information Security” is used; where the assets are specifically systems-based, the term “Information Technology (IT) Security” is used.

The management of risks to information security is referred to in this document as “information risk management”. This reflects not only the technical implementation aspects of security, but also the development, maintenance and operation of an overall information risk management framework.

Operational risk may be defined as “the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events”.

Operational risk management therefore takes an overview of a portfolio of risk types under a single umbrella, including not only information risk but also others such as transaction, human resources, and legal and compliance risk.

Role of the Board/ARCC
The Board has ultimate responsibility for risk across The Doctors’ Health Fund with the ARCC having specific delegated accountability for risk management. In general terms, the Board’s responsibilities for the management of risk include the following: 

  • Deciding the strategic direction for risk management
  • Approving the strategic budget and facilitating the allocation of appropriate funding by the business through the Budget Planning process
  • Demonstrating involvement in, and commitment to, addressing risk
  • Establishing the organisation’s risk appetite and communicating requirements for risk management to the organisation
  • Ensuring that risk management is appropriately positioned in the overall The Doctors’ Health Fund governance framework and that responsibility and accountability are in the right place
  • Ensuring that an awareness of where risk exists is maintained, and driving actions from Board level to address issues
  • Monitoring information risk at Board level and providing feedback and direction to the organisation accordingly
  • Oversight of policies, compliance and compliance reporting, and actions to enforce accountability
  • Oversight of security spend

In addition, the Board/ARCC is directly responsible for formally accepting residual risks and deviations where appropriate.

The ARCC is responsible for recommending KRI tolerances to the Board and for monitoring compliance with Risk Management.

The Risk Management function (RM)
Within The Doctors’ Health Fund, and in view of its size, the RM function vests in the Head of Business, who reports directly to the ARCC.

Responsibilities for managing risk across the organisation

Head of Business
The Head of Business is ultimately responsible for managing risk in the business as part of his/her wider management responsibilities. In general terms, the Head of Business is responsible for the provision and maintenance of cost-effective risk management that is commensurate with the risk levels in the business. Authority for completing the tasks and activities involved can be delegated, although overall accountability cannot.

Key responsibilities therefore include ensuring that: 

  • Risk is assessed, monitored and managed in compliance with The Doctors’ Health Fund Policies and Standards and in alignment with the risk profile of the business
  • A suitable controls environment is developed and maintained to address risks; this includes not only technical solutions (Information Security) but also aspects relating to governance, awareness and risk management processes
  • Regulatory requirements for risk management are met
  • The effectiveness of risk management policies, procedures and practices, and the status of information security across the business, is regularly reported on

Where services are provided from outside the business, e.g. through shared service centres or external service providers, it remains the responsibility of the business to define the information risk management requirements that need to be met, and to put in place arrangements to oversee their definition, implementation and maintenance. These should be supported by appropriate outsourcing agreements.

All staff
All staff, of whatever level and in whatever role, have specific personal responsibilities for information and operational risk as part of their overall responsibilities. Such responsibilities should be included in the Code of Conduct as appropriate, and incorporated into the staff induction process. For example, each staff member is responsible and accountable for:

  • Complying with The Doctors’ Health Fund Information Security policy, procedures and standards to maintain the confidentiality, integrity and availability of data they process or have access to
  • Activities associated with assigned accounts, as well as assigned equipment and removable media
  • Protecting the secrecy of their passwords
  • Participating in risk assessment processes as requested
  • Reporting known or suspected security incidents
  • Compiling Incident Reports
  • Complying with the Whistle-blowing policy

Operational Risk Management (ORM)
Operational risk is defined as:
‘The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events.’

Operational risk comprises 10 operational risk types: 

  1. Internal crime/fraud 
  2. External crime/fraud 
  3. Information security failure 
  4. Unauthorised activities 
  5. Processing failure 
  6. Control failure 
  7. IT failure 
  8. Business disruption 
  9. Client business products malpractice 
  10. Employment and workplace safety failure

In practical terms this generally involves the risk of things going wrong with the day-to-day operational business activities of the company, which can then result in financial loss and/or reputational damage.

The Head of Business is ultimately responsible for operational risk management in the business. In The Doctors’ Health Fund, the Head of Operations establishes and reports to the Head of Business on an appropriate ORM system.

Information Risk Management (IRM)
Information risk management is one aspect of these day-to-day activities, and losses may be incurred where information risk is not adequately controlled. For example, failure to adequately secure payments systems could result in unauthorised payments, resulting in financial loss.

The Head of Business is ultimately responsible for information risk management in the business. However, as subject matter experts, the IT function is accountable for providing appropriate, timely advice to the Head of Business on business and technology management, to ensure that an effective risk management framework is implemented, operated and maintained in alignment with corporate policy and with business and legal requirements.

The Head of IT is responsible for this as well as for continuously monitoring the operating effectiveness of that framework, and should escalate information risk issues through their own functional reporting lines where appropriate.

Information Asset Owners
An owner should be allocated to each information asset and should ensure that the asset, and the security processes associated with it, are established. For data, the asset owner is generally the business owner.

Responsibilities of information asset owners include the following: 

  • Ensuring that risk assessments associated with the asset have been completed and signed off
  • Defining access rules associated with assigned assets, including rules for accessing files/directories and connecting to networks
  • Reporting incidents involving assigned assets through the appropriate channels and ensuring that they are investigated in accordance with established processes

An information asset owner may delegate authority for the operation and protection of assets under their responsibility to an asset custodian. However, it remains the responsibility of the asset owner to accept risk and to take appropriate steps to ensure that delegated authority is being responsibly applied.

Currently responsibility for Health Fund support rests with HAMBS.

Current responsibility for internal financial systems (MYOB), Microsoft and security applications rests with the Head of IT.

Outsourcing

Technology infrastructure service providers

Applications developers
Where infrastructure services are provided by an external service provider (HAMBS), or applications and systems are being developed and maintained by an IT function embedded in the business, whether by the business itself or by a third party, such services should be subject to a specific Service Level Agreement (SLA) with the provider.

Such an agreement should specify the rights and responsibilities attaching to all parties to the agreement.

An SLA does not override the need for a risk assessment to be performed by the Head of IT and approved by the Head of Business or the ARCC as appropriate.

It should be noted that for third-party software the agreement with the vendor should include a security section covering items that cannot be assessed because the design documents and source code are not available to The Doctors’ Health Fund.

Security

Information Security
Refer to Section 4.4: Information Risk Management (IRM).

Physical Security
The Head of Business is the controlling authority on rights of access to premises (including restricted/sensitive areas).

Access privileges are to be reviewed regularly.

Out of hours access should be monitored to ensure compliance with The Doctors’ Health Fund’s policies and procedures.

Personal Security
The Board is ultimately responsible for the security of all personnel.

The objectives of personal security are to prevent or minimise exposure to, or the consequences of, criminal and environmental threats that might endanger the safety of The Doctors’ Health Fund personnel and are detailed in the relevant policy and procedure document.

Measures should be taken to minimise the risks that might endanger the safety of personnel when performing their duties at the office or when travelling for business purposes.

Legislation concerning health and safety should be adhered to and implemented. Precautionary or risk-mitigating measures must not conflict with applicable laws and regulations.

Audit

Internal Audit
The internal audit function performs scheduled operational audits which evaluate both the adequacy and efficiency of processes and the effectiveness of controls used by the business in its day-to-day operations.

External Audit
The external audit function provides an independent review of financial and regulatory compliance with the various governance requirements controlling the business.

Monitoring risk across the organisation
All risks identified in association with the business are recorded in the Risk Register (Appendix 1.).

The Risk Register also records: 

  • Existing controls in situ; 
  • Compliance checks established; and 
  • Key Risk Indicators to be measured by a designated function.

KRIs
Each designated function will be required to regularly measure their allocated risks in a KRI Worksheet (Appendix 2.).

Results will be compiled in a master KRI worksheet (Appendix 3.) and translated into a KRI Dashboard (Appendix 4.) for presentation to the next ARCC meeting.

Operational Risks
Operational Risk Trigger Lists (Appendix 5.) must be completed regularly by designated functions. These lists contain related operational functions, a breach of which could (or did) result in an actual financial loss to the business or a perceived loss of reputation which could impact the business.

Where a positive response to an item is recorded, the impact is measured via an Incident Report Flowchart (Appendix 6.) and, where appropriate, an Incident Report (Appendix 7.) is completed and presented to the next ARCC meeting.

Compliance Checks
To complete the risk management framework a designated function (Internal Audit) will be responsible for undertaking a series of Compliance Checks (Appendix 8.).

These audits are designed to examine and evaluate the adequacy and effectiveness of The Doctors’ Health Fund’s business controls and regulatory compliance.

By its nature each compliance check is a snapshot of the adequacy of controls and regulatory compliance of a particular function at a particular point in time.

The compliance audit is not a replacement for day-to-day risk monitoring, management, or internal control activities.