
Risk control

Risk appetite

Partly because of our social role and because our core activities are financed with public money, we are obliged to manage these risks adequately and to be conservative in our risk appetite. We applied this conservative approach across the board in 2023. We also started discussions on whether it would be expedient to formulate a differentiated risk appetite for different risk categories. We are finalizing these discussions in 2024.

Organization & Governance

All our activities with regard to risk management at a strategic, tactical, and operational level have been brought together in one comprehensive framework, based on the COSO-ERM framework.

In accordance with the principles of our framework (comprehensiveness, uniformity, and alignment of risk management with existing procedures) and the three lines of responsibility, the responsibility for risk management lies primarily with our divisions, departments, and sections. In analyzing and controlling these risks, they are assisted by specialist disciplines in areas such as patient safety, labor conditions, integral safety, data security, infection prevention, and financial continuity.

The Risk & Compliance Manager formulates policy, gives instructions, monitors the process, and adjusts it where necessary. This enables us to better identify possible risks in the organization and to combine them so that they can be controlled more effectively. It gives us more certainty that we can reach our strategic goals.

To implement this framework, we are initially working from the top down. This means that in 2023, besides the strategic risk analysis (covering the next 3 to 5 years) performed by the Executive Board, we added a risk paragraph to the management contracts (covering 1 year) signed between the Executive Board and the management teams of divisions and departments. This paragraph sets out the identified risks that accompany the annual goals the divisions and departments have to reach.

In 2023 we worked on an integral risk-management policy that endorses our principles; it does not prescribe, but rather describes the main principles and minimum requirements. Specific focal areas, for example how to deal with compliance, are supported by additional standards. The intention is that this policy should enable the organization, at an operational level, to judge whether its risk analysis and risk management comply with the current requirements.

With the signing of a new Horizontal Supervision covenant with the Dutch Tax Authority, we also completed the formalization of our tax-control framework in 2023, on the basis of the same COSO-ERM framework. A significant part of this was based on risk management.

Risk overview

Strategic risks

The heat map below gives an overview of the main strategic risks at the end of 2023. The position on this heat map depends on the one hand on the estimated chance that a risk may occur, and on the other hand on the potential impact that the risk would have on reaching the organizational goals. These are the gross risks that were identified; the effect of any control measures that have been taken is not visible here.

[Heat map: strategic risks at year-end 2023, plotted by estimated likelihood against potential impact]
Availability of staff: There is a shortage of staff with the right qualities. This not only puts pressure on the quality of primary tasks, it also gives us insufficient adaptability/agility to bring about the desired strategic changes.


Inter-division changes: Divisions focus mainly on their ‘own’ organization. As a result, strategic projects are progressing slowly, and UMC Utrecht is not seen as one organization from the outside.


Centralization of Healthcare: IZA requirements and the vision formulated by UMC Utrecht demand intensive cooperation with (regional) partners. There is a risk that arrangements/activities within UMC Utrecht will not be sufficiently suited to the cooperations that are organized. This will also put pressure on our position as an innovative medical science center.


Digitalization: A large part of the change agenda is based on the further digitalization of healthcare ('digital unless'). The risk is that, due to the lack of an automation strategy to support this transformation, the steps that the Healthcare of Tomorrow requires from us cannot be taken, and that this strategy will not lead to the intended improvement in efficiency.


Efficiency targets: If operational and support processes are insufficiently covered by existing financing flows and the cost level cannot be lowered fast enough, there is a risk that there will be too little scope left for essential innovation (for example through research and education) and that financial frameworks of large projects will be exceeded. This has an impact on the sustainability task, building-renovation task, and transformation task (for example through lack of investments in staff).


Supply chain: The supply chain of UMC Utrecht is vulnerable. Certain suppliers are unable to make (affordable) deliveries due to shortages, or sustainable alternatives in line with our sustainability goals are not available. This could also lead to delays in (primary) processes and projects that are essential for UMC Utrecht. In addition, there is a great dependency on a few large suppliers.


Cyber incidents: The risk of attacks from outside UMC Utrecht (DDoS, ransomware) keeps growing. The security of data, but also the guarantee of continuity (availability of data and systems), is becoming increasingly important as our dependence on automation grows. In addition, there is a risk that laws and regulations may not be complied with.


Climate change & Sustainability: Not meeting the targets of the Dutch Climate Act and the Green Deal for Sustainable Healthcare could potentially have far-reaching consequences. In the long term a failure to meet these could impact our ability to attract funding (for example for building renovations), to retain people in the organization who are necessary to implement the strategy, and to find network partners. Eventually, climate damage could create an additional demand for healthcare.


Buildings: The renovation/new-build task is crucial for the transformation (including the concentration of healthcare/network care) of UMC Utrecht. There is a risk that insufficient progress will be made which means that the transformation task will not be fulfilled and that divestments will have to take place. There is also a risk of significant cost overruns.

(Expected) impact of risks on results or financial positions

The risks mentioned above did not have a material impact on the 2023 results or on the financial position at year-end. What the impact of these risks will be in the near future is unclear. The consequences of the centralization of care and of the agreements in the Integral Care Agreement (IZA) are also still unclear. We can, however, say that these will only become visible in the medium term (three to five years).

Use of financial instruments

UMC Utrecht does not make use of any compound or complex financial instruments. 'Open positions', given their risky nature, are not allowed under the treasury statute. Should we ever use a financial instrument, we would do so only to hedge an existing position. At year-end 2023, there were no (material) positions.

As indicated, the heat map shows our gross estimate. Needless to say, we employ many control tools to manage these risks. We explain the main measures below.

Availability of staff (risk 1)

See the chapter 'Our colleagues' for all programs and measures aimed at attracting and retaining colleagues.

Strategic projects (risk 2, 3 and 4)

To deal with the uncertainties ensuing from the Integral Healthcare Agreement (IZA) and the consequent concentration of healthcare, we have rolled out various strategic programs, including Healthcare of Tomorrow. In it we focus both on the question of which care we are going to deliver and on how we should deliver it. Colleagues across the organization are working towards these goals.

Efficiency targets (risk 5)

We have set up the program 'Creating financial scope' to find room for the necessary innovation and primary tasks. This also receives ample attention in our planning & control cycle (cf. Risk-control and monitoring system). More about this in 'Our tasks' in the chapter UMC Utrecht in society.

Supply chain (risk 6)

To counter this risk, we apply proactive assortment management in which we keep an eye on the most critical products. We continuously evaluate the availability and pricing of products and, where necessary, study alternative products that fit the (sustainability) targets of our organization.

Cyber risks (risk 7)

In 2023 we underwent our yearly audits for the annual report (IT General Controls), for our security certifications (ISO 27001 and NEN 7510), and for the use of DigiD. These were all concluded successfully.

Climate change (risk 8)

See the chapter 'Sustainability' for the programs under way and the control measures taken with regard to this risk.

Buildings (risk 9)

Since 2023, the program planning of the strategic development outlook for buildings (SOH) has been managed under the Healthcare of Tomorrow program. In addition, we are setting up a new Real Estate, Buildings, and Area Development department in 2024 to give the issue appropriate attention.

Risk-control and monitoring system

As in previous years, we have identified action owners for risk management who:

  1. Identify which control measures reduce the listed risks, and to what extent.

  2. Identify what additional measures are needed to reduce risks to the desired level, and evaluate existing measures for effectiveness.

We continue to monitor the remaining risks for:

  • The continued implementation of measures.

  • The degree to which risk is mitigated in line with the desired risk appetite.

  • Whether the estimate of the risks must be adjusted.

  • Whether new risks should be added due to new circumstances.

In addition, the internal risk management and control system consists of the following, among others:

Performance dialog

We hold a weekly performance dialog with each other. In it, we discuss the current state in all focal areas (patient experience, employee satisfaction, productivity, quality and safety, and impact) at all levels of the organization via (strategic) KPIs. Visual dashboards give us insight into the current state for each focal area and per KPI at both central and departmental level, and thus facilitate monitoring and coordination.

Planning & control cycle/ Management contracts

Our planning & control cycle starts with an annual update of the most important internal and external opportunities and threats, including those arising from our strategy. The management contracts (which include a risk analysis and translate it into actions using the OGSM methodology) and the budgets based on them form the basis for the monthly monitoring of financial and non-financial performance, including risk management, and are the prelude to taking corrective measures. Divisions and departments include KPIs in their monthly reports in areas such as quality and safety, employees, and finances.

Policy and guidelines

At UMC Utrecht, formal policies and guidelines exist for a variety of focal areas, such as scientific research, quality and safety of care, the security of data and automated systems, and finances. Where possible we have embedded policy in our systems, with the aim of guaranteeing optimal compliance via the IT applications themselves.

Targeted management instruments

Control of quality and patient safety is done via SAFER (Scenario Analysis of Failures, Effects and Risks). SAFER is a method for proactive (or predictive) risk analysis. Guidelines and protocols regarding quality and patient safety have been brought together in one place and are accessible to all employees. Incident reporting is highly relevant, and we support it in various ways.

For risk analysis in healthcare registration, we conduct an annual dialog with health insurers on the basis of Horizontal Supervision of Healthcare, in order to jointly draw up an overview of risky healthcare processes. For these risks we set up control measures and, after a review by the external auditor, we report back to the health insurers.

Three lines of responsibility

Within UMC Utrecht, we have a 'three lines of responsibility' system for risk control. Our Internal Audit department works on the basis of a group-wide risk analysis that is updated each year, and of an annual audit plan. Based on this risk analysis and the annual plan, the department conducts audits and reports to the Executive Board and the Supervisory Board. The second-line risk management function is being formalized further.

Informal controls

Risk management also lies in promoting and securing desirable and ethical behavior among employees and management, known as informal controls. Informal controls receive structural attention within UMC Utrecht. By recruiting the most suitable employees with appropriate prior training and experience, providing career training and development, and fostering a safe work environment, we strive to mitigate risks and, in the event that they do occur, to learn from our mistakes. Informal controls form an implicit part of the audits and recommendations of the third line (internal audit).