Risk management

Risk appetite

As UMC Utrecht we have a societal role. And our core activities are financed by public money. Partly for this reason, we are obliged to manage risks effectively and to be conservative when it comes to risk appetite.

Organization & Governance

We combine all our risk-control activities at a strategic, tactical, and operational level in one comprehensive framework that is based on the COSO-ERM framework.

In accordance with the principles of our framework (comprehensiveness, uniformity, and alignment of risk management with existing procedures) and the three lines of responsibility , the responsibility for risk management lies primarily with our divisions, departments, and sections. They are assisted in the analysis and management of these risks by the relevant disciplines. For example colleagues from patient safety, labor conditions, integral safety, data security, infection prevention, and financial continuity.

The Risk & Compliance Manager formulates policy, gives instructions, monitors the process, and makes adjustments if necessary. This enables us better to identify possible risks in the organization and combine them in order to manage them more effectively. We thus have more certainty that we can reach our strategic goals.

For the implementation of this framework, the Executive Board conducted a strategic risk analysis (for the next 3 to 5 years). Since 2023, we have also been adding a risk paragraph to management contracts that are signed between the Executive Board and the management teams of divisions and departments (for 1 year). This paragraph stipulates identified risks linked to the annual goals that the divisions and departments have to reach.

Risk overview

Strategic risks

The heat map and explanations below give an overview of the main strategic risks. The position on this heat map depends (1) on the estimated likelihood that a risk may occur, and (2) on the potential impact that the risk could have on reaching the organizational goals. These are the identified gross risks. Any impacts of control measures that are taken will not directly be visible here.

Number	Explanation
1	Availability of staff: There is a shortage of staff with the right qualities. This puts pressure on the quality of primary tasks. It also gives us insufficient adaptability/agility to bring about the desired strategic changes.
2	Cross-divisional changes: Divisions focus mainly on their ‘own’ organization. As a result, strategic projects are progressing slowly, and UMC Utrecht is not seen as one organization from the outside.
3	Centralization of healthcare: IZA requirements and the vision formulated by UMC Utrecht demand intensive collaboration with (regional) partners. There is a risk that organizational practices/activities within UMC Utrecht will not be sufficiently aligned with the collaborations that are signed. This could also put pressure on our position as an innovative medical science center.
4	Digitalization: A large part of the change agenda is based on the ongoing digitalization of healthcare (digital, unless). IT dependency brings the risk that we will not be able to take the necessary steps that the Healthcare of Tomorrow requires of us. And that this strategy will not lead to the intended improvement of efficiency.
5	Efficiency targets: Operational and support processes must sufficiently be covered by existing financial flows and the cost level must be lowered fast. This introduces the risk that there will be too little scope left for essential innovation (including through research and education) and that the financial frameworks of large projects will be exceeded. This has an impact on our sustainability task, building-renovation task, and transformation task (for example through lack of investments in staff).
6	Supply chain: The supply chain of UMC Utrecht is vulnerable. Not only are certain suppliers unable to make (affordable) deliveries due to shortages, there is also a lack of sustainable alternatives that are in line with sustainability goals. This could also lead to delays in (primary) processes and projects that are essential for UMC Utrecht. In addition, there is a great dependency on a few large suppliers.
7	Cyber incidents: The risk of attacks from outside UMC Utrecht (DDos, ransomware) keeps growing. Measures to increase data security, but also guarantees of continuity (availability of data and systems), are becoming increasingly important with the growing importance of automation. There is also the risk of not complying with laws and regulations (e.g. NIS2).
8	Climate change & Sustainability: The consequences of not meeting the targets of the Dutch Climate Act and the Green Deal for Sustainable Healthcare could potentially be far-reaching. In the long term a failure to meet these could impact our ability to attract funding (for example for building renovations), retain people in the organization who are necessary to implement the strategy, and find network partners. Eventually, climate damage could create an additional demand for healthcare.

(Expected) impact of risks on results or financial positions

The risks as mentioned did not have a material impact on our results in 2024 and our financial position at year-end. What the impact of these risks will be in the near future, is unclear. The consequences of healthcare centralization and the agreements in the Integral Care Agreement (IZA) are also still unclear. We can however say that these will only become visible in the medium term (three to five years).

Use of financial instruments

UMC Utrecht does not make use of any compound or complex financial instruments. Due to their risky nature, our treasury charter does not allow for so-called ‘open positions’. Should we ever use a financial instrument, we would do so only to hedge an existing position. There were no (material) positions at the end of 2024.

As indicated, the heat map shows our gross estimate. Needless to say, we have many control tools to manage these risks. We explain the main measures below.

Availability of staff (risk 1): See the chapter ‘What our colleagues want to know ’ for programs/measures aimed at attracting and retaining colleagues.
Strategic projects (risk 2, 3 and 4): To deal with uncertainties ensuing from the Integral Healthcare Agreement (IZA) and the accompanying concentration of healthcare, we have implemented various strategic programs including the Healthcare of Tomorrow. In it, we focus on the question both of which care we are going to deliver, and how we should deliver it. Colleagues throughout the organization are working to achieve these goals.
Efficiency targets (risk 5): Under the motto ‘Create financial scope’, we are looking for scope to accomplish the necessary innovation and primary tasks. This also receives ample attention in our planning & control cycle (cf. risk-control and audit systems). More about this in ‘Our direction and approach ’ in the chapter UMC Utrecht in society.
Supply chain (risk 6): To tackle this risk, we apply proactive assortment management. This means that we keep an eye on the most critical products. We continuously evaluate the availability and pricing of products and where necessary, study alternative products that will fit in with the (sustainability) goals of our organization.
Cyber security (risk 7): In 2024, we performed our yearly audits for the annual report (IT General Controls), Security certifications (ISO27001 and NEN7510), and the use of DigiD. These were concluded successfully.
Climate change (risk 8): See the sections on ‘Environment’ in this annual report for programs that have been introduced and control measures take with regard to this risk.

Risk-control and audit system

As in previous years, we identified action owners for risk control who:

Identify which control measures reduce the mentioned risks to what extent.
Identify what additional measures are needed to reduce risks to the desired level and evaluate existing measures for effectiveness.

We continue to monitor the remaining risks for:

The continued implementation of measures.
The degree of mitigation of the risk in line with the desired risk appetite.
Whether the risk estimate must be adjusted.
Evaluating whether due to new circumstances, newly arised risks should be added.

In addition, the following aspects also formed part of the internal risk-control and audit system:

Performance dialog	We conduct a weekly performance dialog with each other. In it, we discuss the current state in the focal areas patient experience, employee satisfaction, productivity, quality and safety, and impact at all levels of the organization via (strategic) KPIs. Visual dashboards give us insight into the state of affairs per focal area and per KPI at central as well as departmental level, and thus facilitate monitoring and coordination.
Planning & control cycle/Management contracts	Our planning & control cycle starts with an annual update of the most important internal and external likelihoods and threats, including those resulting from our strategy. Management contracts (which include a risk analysis and make actions concrete using the OGSM methodology) based on these as well as the budget form the basis for the monthly monitoring of financial and non-financial performance. This includes risk control. Based on this, we take corrective measures. Divisions and departments include KPIs in their monthly reports in areas such as quality and safety, employees, and finances.
Policy & Guidelines	At UMC Utrecht, formal policies and guidelines exist for a variety of focal areas. These include scientific research, quality and safety of care, and ensuring the safety of data and automated systems and finances. Where possible, we embed policy in our systems. The aim is to guarantee optimal compliance with IT applications.
Targeted control instruments	Risks linked to quality and patient safety are controlled through SAFER (Scenario Analysis of Failures, Effects and Risks). SAFER is a method for proactive (or predictive) risk analysis. Guidelines and protocols regarding quality and patient safety have conveniently been brought together in one place and are accessible to all employees. Incident reporting is extremely relevant. We support this in various ways.

	For risk analysis with healthcare registration, we conduct an annual dialog via Horizontaal Toezicht Zorg with health insurance companies. Together, we establish an overview of risky healthcare processes. For these risks, we set up control measures and, after a review by the external auditor, we report back to the health insurance companies.
Three lines of responsibility	Within UMC Utrecht, we have a ‘three lines of responsibility’ system for risk control [link to H81. Governance – Management and structure]. Our Internal Audit department works according to a, annually updated group-wide risk analysis and an audit year plan. Based on this risk analysis and the year plan, the department conducts audits and reports to the Executive Board and the Supervisory Board. The second-line risk-control function was formalized further.
Informal audits	Risk control also means promoting and ensuring wanted and ethical behavior among employees and management. This is known as informal controls. Informal controls receive structural attention within UMC Utrecht. This includes the following areas: recruiting the most suitable employees with the right training and experience, providing on-the-job training and growth opportunities, and fostering a safe work environment. We strive to limit risks. En, if risks do occur, we learn from our mistakes. Informal controls form an implicit part of audits and recommendations from the third line (internal audit).

Go to

Research funding In 2024, our fund-raising capacity for research was € 185 million (€ 133 million in 2023). This means that we more than achieved our target of € 112 million. Previous

Looking ahead at the financial situation in 2025 Healthcare in the Netherlands is facing big challenges and we have bit ambitions, as this report shows. We are seeing a continuous increase of complex healthcare demands, partly due to a growing number of people with multiple chronic diseases. Next

Annual Report 2024