
Risk control

UMC Utrecht is an extensive, open organization in a dynamic environment. This naturally entails risks. Because of our social role, and because our core activities are financed with public funds, we are obliged to exercise adequate control over these risks and to be conservative in our risk appetite.

At the end of 2020, we started a trajectory to raise our risk control to a higher maturity level. The focal points are integrality, uniformity, and the alignment of risk control with existing procedures. In establishing it, we have sought alignment with the COSO-ERM framework. For this, we started on two trajectories.

The first trajectory led to a strategic heat map of risks. These are the main risks that could stand in the way of reaching our goals. In 2021, we examined the control of these risks, in order of priority, and where necessary started to improve this control. This resulted at the end of 2021 in an updated heat map, which we explain in the following paragraph.

The second trajectory pertains to setting up a framework in which we bring together all activities that relate to risk management at the strategic, tactical and operational levels. One component of this was a strategic risk analysis, through which we eventually identified the thirteen biggest risks in our organization. UMC Utrecht has a high degree of decentralization. In accordance with the principles of the COSO-ERM framework, the responsibility for risk management lies with our divisions, directorates, and departments. In analyzing and controlling these risks, they are assisted by specialist disciplines in areas such as patient safety, labor conditions, integral safety, data security, infection prevention, and financial continuity. This decentralized approach will largely be maintained, but will be supplemented by a central Risk & Compliance Officer, who will be appointed to monitor the process and rectify it where necessary. Integral risk management will enable us to better identify possible risks in the organization and to combine them in order to control them more effectively. This gives us more certainty that we can reach our strategic goals.

We are also taking active steps in terms of fiscal risk control. Our intrinsic motivation to comply consistently with fiscal laws and regulations is not by itself sufficient to keep us in line with the covenant on horizontal supervision with the Tax Authorities from 2023 onwards. We recently started to formalize our tax control framework based on COSO-ERM. The implemented actions should lead to a solid, up-to-date framework by the end of 2022.

Risk overview

As last year, COVID-19 remains an important concern

COVID-19 had a great impact on our entire organization. The downscaling of care, growing waiting lists, additional costs due to COVID-19, more difficult access to care for our patients, increased work pressure for staff and more absence due to sick leave, and government measures such as lockdowns and social distancing all had a significant effect on patient care. Education and research were also negatively impacted in 2021. These developments proved particularly costly for our staff and for management activities.

In 2022 too, COVID-19 will have an impact on employees and management activities, and our patients will experience the consequences thereof. 2022 is seen worldwide as the year in which COVID-19 should be downgraded to the status of a regular virus. If this happens, previously postponed care will be our highest priority. Whether this can be accomplished will depend a lot on how scarce staff and capacity can be deployed. How it will be funded is also relevant. The additional demand for care due to postponed treatments runs counter to the limiting of care funding under the Global Agreement on medical specialist care. Further agreements and effective funding will be crucial in this regard.

Other risks

The heat map below gives an overview of the main strategic risks at the end of 2021, including COVID-19. Placement on this heat map depends on the one hand on the estimated chance that a risk may occur, and on the other hand on the potential impact that the risk would have on reaching the organizational goals. The size of the dot indicates to what extent we believe that the control measures are sufficient.

The following overview shows which risks were taken up in the heat map above.

Action undertaken

  • The risk that UMC Utrecht may not have sufficient (qualified) staff at its disposal.

  • The risk that the intended cross-division (multidisciplinary) changes may not be successful.

  • The risk that a (further) concentration of healthcare in the Netherlands may lead to loss of specific care that is essential for UMC Utrecht.

  • The risk that UMC Utrecht may not demonstrably or in a timely manner comply with laws & regulations and internal guidelines.

  • The risk that the proposed efficiency goals for certain divisions will not be attained.

  • The risk that large programs that are underway or that have been planned will not yield the intended returns.

  • The risk of impactful cyber incidents leading to data loss or IT system failure.

  • The risk that patient-care incidents or a data leak may cause reputational damage for UMC Utrecht.

Monitoring and assessment

  • The risk that UMC Utrecht may lose its position as a leading research institute.

  • The risk that the intended benefits from strategic cooperations will not be fully obtained.

  • The risk that UMC Utrecht may not meet external and internal goals in terms of sustainability.

  • The risk that the quality of education may deteriorate and that UMC Utrecht might become less attractive for top talent.

Based on the ranking and our own risk policy, we have decided to focus on the first seven risks. For each risk, we shall designate an actionee who will:

  1. Identify which control measures reduce the named risk, and to what extent.

  2. Identify which additional measures are needed to reduce the risk to the desired level, and assess the efficiency of the existing measures.

The other risks will be evaluated on a continuous basis to decide whether we need to shift our focus.

The fact that we intend to take action on the first seven risks in the immediate future does not imply that these risks are currently not, or not sufficiently, controlled. Further explanation of the risk-management and control system follows below.

Risk-management and control system

To execute our core tasks, make decisions and mitigate risks in a responsible way, the risk-management and control system in 2021 also included the following components.

Performance dialog

We hold weekly performance dialogs at all levels of the organization. In these, we discuss the state of affairs via KPIs across the areas of concern: patient experience, employee satisfaction, productivity, quality and safety, and impact. Display dashboards give insight into the state of affairs for each area of concern and each KPI at central and department level, which facilitates monitoring and steering.

Planning & control cycle/Management of contracts

Our planning & control cycle starts with an annual update of the main internal and external opportunities and threats, including those that follow from our strategy. Management contracts (which include a risk analysis and make actions concrete via the OGSM methodology) and budgets based on this update form the basis for the monthly monitoring of financial and non-financial achievements, including risk control, and are the first step towards taking corrective measures. Divisions and directorates have included KPIs in their monthly reports in fields such as quality and safety, employees, and finance.

Policy and guidelines

At UMC Utrecht there are formal policies and guidelines for a variety of focal areas, such as scientific research, quality and safety of care, the protection of data and automated systems, and finances. Where possible, we have embedded policy in our systems, with the aim of guaranteeing optimal compliance via IT applications.

Targeted control tools

Control of quality and patient safety is done via SAFER (Scenario Analysis of Failures, Effects and Risks), a methodology for proactive (or predictive) risk analysis. We have made a comprehensive compilation of guidelines and protocols for quality and patient safety available in one place that all employees can access. Reporting incidents is extremely important, and we support it in various ways.

For risk analysis in care registration, and based on Horizontal Supervision, we conduct an annual dialog with health insurers and together establish an overview of risky care processes. For these risks, we set up control measures and, after testing by an external accountant, account for them to the health insurance companies.

‘Three lines of responsibility’

Within UMC Utrecht, we have a ‘three lines of responsibility’ system for risk control. Our Internal Audit department has been operational for some years already. This department works from an annually updated concern-wide risk analysis and an annual audit plan. Based on this risk analysis and the annual plan, the department conducts audits and reports on them to the Executive Board and the Supervisory Board. At present, compliance and risk management are being defined more precisely as a second-line function.

Attention to soft controls

Risk control also means encouraging and ensuring the desired behavior and integrity among employees and management; these measures are called soft controls. Structural attention is given to soft controls at UMC Utrecht, including in the following areas.

  • By recruiting the most suitable people with the right educational background and experience, providing education and development during their career, and stimulating a safe working environment, we strive to limit risks and, if they do occur, to learn from our mistakes. One of the topics that we are specifically focusing on at the moment is leadership. All leaders at UMC Utrecht have followed an intensive leadership and cultural learning course via our program Connecting Leaders. After completing the course, they have the duty to follow periodic further training on cultural and behavioral topics of concern.

  • Soft controls form an implicit part of audits and advice from the third line (internal audit). In the past year, for instance, soft controls were included in the assessment for advising on and auditing strategic programs such as SOH, HiX and Works4U.

  • Maintaining a healthy and stimulating social climate, for example via a survey on social safety among Aios and Anios, conducted in 2021.