Partly because of our social role and the financing of our core activities with public money, we are obliged to manage these risks adequately and to be conservative when it comes to risk appetite. We still applied this conservatism generically in 2022. In 2023, as part of the further structuring of the integrated risk management framework, we will assess the appropriateness of formulating a differentiated risk appetite.
Organization & Governance
In 2022, we continued the trajectory we started in 2020 to take risk management to a higher maturity level. The focal points integrality, uniformity, and alignment of risk control with existing procedures therefore remained unchanged. The Risk & Compliance Manager who was appointed in 2021 had the primary task in 2022 to bring together all risk management activities at strategic, tactical and operational levels in an integrated framework based on the COSO-ERM framework. The framework looks like this:
In accordance with the principles of the COSO-ERM framework and the three lines of responsibility, responsibility for risk management lies primarily with our divisions, boards and departments. For the analysis and control of these risks, they are assisted by disciplines for instance in areas such as patient safety, labor conditions, integral safety, data security, infection prevention, and financial continuity. The Risk & Compliance Manager monitors the process and adjusts it where necessary. This enables us better to identify possible risks in the organization and combine them in order to control them more effectively. This gives us more certainty that we can reach our strategic goals.
To implement this framework, we are initially working from top to bottom. This means that, in addition to the strategic risk analyses conducted by the Executive Board, we have added a risk paragraph to the management contracts concluded between the Executive Board and the management teams of the various divisions and departments. In 2023, our main focus will be on implementing a PDCA (Plan, Do, Check, Act) cycle to achieve the ongoing nature of good risk management.
We also just about completed formalizing our tax control framework based on the same COSO-ERM framework in 2022. In 2023, we expect to sign a new Horizontal Surveillance Covenant, which is largely based on risk management.
In 2022 the Internal Audit department did a fraud-risk analysis and discussed the results of the investigation with the Executive Board. The main conclusion is that the key components are in place to achieve a good integrity climate in a formal sense. The greatest risks are conflicts of interest in the procurement of goods and services and in the funding of investigations. For both these indicated risks, action plans have been set up and it was agreed with Internal Audit that the progress of the action plans would be assessed further in 2023.
The heat map below gives an overview of the main strategic risks at the end of 2022/beginning of 2023. The position on the heat map depends on the one hand on the potential impact that the risk has on reaching the organizational targets, and on the other hand, the estimate of whether there are enough control measures in place to mitigate the risk sufficiently. The size of the circles indicate the chances that a risk will occur.
Staff Availability: There is insufficient personnel with the right qualifications. As a result, the quality of primary (care) tasks is under pressure, and there is insufficient capacity to implement desired strategic changes.
Cross-Divisional Changes: Divisions primarily focus on their own organization. This makes strategic projects difficult and prevents the UMC Utrecht from presenting itself as a unified organization externally.
Healthcare Concentration: The UMC Utrecht fails to establish a clear profile in primary tasks and related collaborations or influence the choices made in that regard.
Compliance: The UMC Utrecht is at risk of not meeting internal and external laws, regulations, and guidelines.
Efficiency Objectives: Operational and support processes are insufficiently covered, leaving little room for essential innovation and resulting in exceeding financial frameworks for major projects.
Supply Chain: The UMC Utrecht encounters suppliers who are unable to deliver (or are too expensive) due to shortages. This causes delays or disruptions in essential (primary) processes and projects.
Cyber Incidents: The UMC Utrecht is highly automated, posing the risk of operational process disruptions due to internal and external factors (ransomware, unauthorized access to sensitive data).
Reputation Damage: The UMC Utrecht receives negative news coverage, becoming an unattractive healthcare provider for patients, an unattractive employer, and an unattractive partner to collaborate with.
Climate Change & Sustainability: The UMC Utrecht is at risk of not achieving its sustainability objectives.
"For all risks, we have appointed or will appoint action holders who will work in collaboration with the Risk & Compliance manager to develop control measures. These measures aim to both reduce the likelihood of occurrence and minimize the impact to an acceptable level. We monitor the progress and effectiveness of these measures in a PDCA (Plan-Do-Check-Act) cycle. Some important and specific measures we have taken or will take include:
Risk 1: Optimizing the operations of our central capacity center to maximize the utilization of available capacity.
Risks 2 and 3: Establishing and implementing strategic projects, such as HiX standardization and the Strategic Development Vision for Housing (SOH), as described later in this chapter.
Risk 4: Implementing a compliance framework to ensure ongoing compliance with laws and regulations.
Risk 5: Strengthening the performance dialogue, as further described later in this chapter.
Risk 6: We are exploring the best way to mitigate this risk.
Risk 7: Increasing focus on IT general controls within our regular activities in this area.
Risk 8: No specific actions have been outlined for this, as it is a consequential damage resulting from other areas of focus.
Risk 9: We have appointed a sustainability program manager, tasked with coordinating sustainability initiatives.
(Expected) impact of risks on results or financial positions
The risks as mentioned did not have a material impact on the 2022 results and financial position at year-end. What the impact of these risks will be in the near future, is unclear. The consequences of the centralization of care and the agreements in the Integral Care Agreement are also still unclear. We can however say that these will only become visible in the medium term (three to five years). Price developments in the supply chain as well as rising costs due to new CLA agreements will have an immediate impact on our results and financial position if they are not sufficiently compensated. These issues therefore have our full attention in contract negotiations with health insurers.
Use of financial instruments
UMC Utrecht does not make active use of financial instruments. So-called "open positions," due to their risky nature, are not allowed under the treasury statute. Should we ever use a financial instrument, we would do so only to hedge an existing position. As of year end, there are no (material) positions.
Needless to say, we employ many control tools to manage these risks. We explain the main measures below.
To deal with the uncertainties arising from the Integral Care Agreement and the related concentration of care, we rolled out several strategic programs and started the Healthcare of Tomorrow movement to prepare our organization for the future. In it we focus both on the question of which care we are going to deliver, and how we should deliver it. The teams working on these programs come from all levels of the organization, so that all the knowledge and expertise present in the organization can find a place and so that the results can be driven by all stakeholders. The risks regarding the implementation of the Strategic Accommodation Development (SOH) vision, partly due to the deteriorating financial outlook, will demand extra attention in the coming period
As a leading research institute, we are aware of the knowledge security risks our organization faces. Our Research office, in cooperation with Utrecht University, has been paying attention to this for some time. In 2022, we took the first steps to further formalize procedures around knowledge security. The guiding principle here is the points of interest given from the National Knowledge Safety Guide.
Risk-control and monitoring system
An important step we will take in 2023 is to continue to build the comprehensive Risk & Compliance Framework. As in previous years, we are identifying actionees for this purpose who will:
Identify which control measures reduce the listed risks to what extent.
Identify what additional measures are needed to reduce risks to the desired level and evaluate existing measures for effectiveness.
We will continue to monitor the remaining risks in the aforementioned PDCA Cycle for:
The continued implementation of measures.
The degree of mitigation of risk in line with the desired risk appetite.
Whether the estimate of the risks must be adjusted.
Evaluate whether new risks should be added due to new circumstances.
In addition, the internal risk management and control system consists of the following, among others:
We conduct performance dialogues on a weekly basis, discussing the status of patient experience, employee satisfaction, productivity, quality and safety, and impact at all levels of the organization using (strategic) KPIs. Visual dashboards provide insights into the status of each focus area and KPI at both central and departmental levels, facilitating monitoring and control.
Planning & Control Cycle/Management Contracts
Our planning and control cycle begins with an annual update of the key internal and external opportunities and threats, derived from our strategy. Management contracts based on this information, which include a risk analysis and concrete actions using the OGSM methodology, along with the budget, form the basis for monthly monitoring of financial and non-financial performance, including risk management, and serve as a foundation for corrective measures. Divisions and departments include KPIs in their monthly reports in areas such as quality, safety, employees, and finances.
Policy & Guidelines
The UMC Utrecht has formal policies and guidelines in various areas, such as scientific research, quality and safety of care, data and system security, and finances. Where possible, we have embedded these policies in our systems to ensure optimal compliance through IT applications.
Targeted Control Instruments
Quality and patient safety control is conducted through SAFER (Scenario Analysis of Failure Modes, Effects, and Risks). SAFER is a method for proactive (or predictive) risk analysis. We have consolidated guidelines and protocols related to quality and patient safety in one accessible location for all employees. Incident reporting is highly relevant, and we support it in multiple ways.
For risk analysis in healthcare registration, we engage in a dialogue with health insurers on an annual basis through Horizontaal Toezicht Zorg to jointly identify high-risk healthcare processes. We establish control measures for these risks and, following an assessment by external auditors, provide accountability to the health insurers.
Three Lines of Responsibility
Within the UMC Utrecht, we follow the "Three Lines of Responsibility" system for risk management. Our Internal Audit department has been operational for several years, working based on an annually updated organization-wide risk analysis and an audit annual plan. Using this risk analysis and annual plan, the department conducts audits and reports to the Board of Directors and the Supervisory Board. The second-line risk management function has been further formalized.
Risk management also includes promoting and ensuring desired and ethical behavior among employees and management, known as informal controls. Informal controls receive ongoing attention within the UMC Utrecht, including in the following areas:
Recruitment of the most suitable employees with the right education and experience, provision of training and development throughout employees' careers, fostering a safe working environment to minimize risks and learn from mistakes when they occur.
Informal controls are an implicit part of audits and recommendations from the third line (internal audit).