PREPARED BY: Planning and Strategic Initiatives
DATE: November 20, 2025
SUBJECT: 2026 Organizational Risk Management
BACKGROUND/PURPOSE
The Ontario Public Standards requires the Board of Health to have a risk management framework in place that identifies, assesses, and addresses risks. Risk management at the WECHU is governed by the Risk Management Policies and Procedures (2023) and covers 21 risks across 12 categories in a diverse array of topics such as finances, security, service delivery, equity, technology, and privacy, for example.
Local Health Units are also required to submit a list of corporate risks and mitigation strategies to the Ministry of Health (MOH) during Q3 Standards Activity Reporting.
DISCUSSION
In September 2025, the WECHU completed a full review of its organizational risk registry. This process included input from Control Owners, who manage risks in their daily work, Risk Owners, and senior leaders accountable for final oversight. Their combined expertise ensured the registry was updated and refined to reflect current conditions.
Of the 21 identified risks, 11 risks remained in the “high” category after mitigation measures.
The MOH requires reporting of highly ranked risks. The WECHU’s submission included the following high-risk categories and types for 2026:
- Equity-Health Disparity
- Financial-Fraud
- Financial-Funding
- People/Human Resources-Staff Engagement
- People/Human Resources-Talent Management
- Privacy-Privacy Breach
- Privacy-Privacy Requirements
- Privacy-Records Management
- Security-Facilities
- Technology-Cyber-Security
- Technology-System Outages
Figure 1 illustrates all the risks and their residual risk levels for 2026.
Figure 1. Risks by residual risk levels for 2026
