Quantitative Enterprise Risk Management (ERM) Assessment

Transcription

1 Quantitative Enterprise Risk Management (ERM) Assessment Palisade 2013 Risk Conference November 20-21, 2013 Dr. Mark Krahn, Ph.D., PMP Revay & Associates Ltd. Calgary, Canada 1

2 Sub-title: The quantitative project risk consultants approach to ERM assessment 2 2

3 Set the context Revay Entrance into ERM ERM Definition Challenges Two Case Studies Approaches to ERM Qualitative and quantitative ERM assessment Agenda Conclusions lessons learned 3 3

4 About Revay 4

5 Risk Management Dispute Resolution Management Consulting Project Management Calgary (403) Montreal (514) Ottawa (613) Toronto (416) Vancouver (604) Wilmington (302)

6 Project event risk Getting into the ERM Business Identify risks that don t fit project or operations buckets Cost and schedule assessment of certain risk areas Health Safety Environment Project risk clients wanting more 6 6

7 ERM Context 7

8 Growing Interest in Risk Management Project Risk Risk management is the fastest growing area of interest in project management (several sources) Project management is among the top 3 skills most desired by employers (other two are leadership and business analysis) (US News and World Report) Enterprise Risk 26% of executives believe having the ability to analyze value and risk is the most important skill in their arsenal 50 percent of executives rated it as the first or second most important skill ( Deloitte Survey) 8 8

9 Enterprise / Project / Operations Context Mission Increasing Structure / Hierarchy Opportunities Strategic Goals Lessons Learned Operations Corporate Values Clarity / Alignment Practicability Practicality (Resources) Correct Metrics (Goals) Measurability (Success) Priority (Utility Factor) Strategic Planning Deliverables Projects Handover Sustainability Health and Safety Environmental Property Damage Public Liability Reliability Operations Organization Staff Resourcing Public Relations Criminal Liability Cost Time Quality (Scope) Detail Planning Project Environment Project Economics Project Organization Start-up and Commissioning Tactical Planning 9 9

10 What is ERM? Methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives and corporate strategy (Wikipedia) Process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on an organization's capital and earnings 10 10

11 Honest Definition! Is difficult to define, but generally it's a relatively new (less than a decade old) management discipline that calls for corporations to identify all the risks they face, to decide which risks to manage actively, and then to make that plan of action available to all stakeholders (not simply shareholders) as part of their annual reports Question How? 11 11

12 Why Growing Interest in ERM? 20,000 staff Over 100B in revenue (2000) "America's Most Innovative Company" for six consecutive years. Bankrupt in 2001 due to many factors including elaborate and creatively planned accounting fraud and corruption Ripple effect: Investors and employees lost everything Creation of Sarbanes-Oxley Act Dissolution of Arthur Anderson 12 12

13 Sarbanes-Oxley Act Recent ERM Trends Section 404 requires U.S. publicly traded corporations to utilize a risk control framework in their internal assessments NYSE Corporate Governance NYSErequires the Audit Committees of its listed companies to disclose and discuss risk exposure and risk management policies Standard & Poor's (S&P) debt rating Includes ERM and risk assessment metrics 13 13

14 ERM Risk Framework ISO International Standard for Risk Management 14 14

15 Operational risk Reputational risk Strategic risk Personal Safety and Health risk Financial risk Environmental / Containment risk Productivity/Morale risk ERM Risk Categories 15 15

16 Example -ERM Risk Descriptors People Information Property Insignificant Negligible Moderate Extensive Significant Minor injury or first aid treatment Compromise of information otherwise available in the public domain. Injury requiring treatment by medical practitioner and/or lost time from workplace. Minor compromise of information sensitive to internal or sub-unit interests. Minor damage or vandalism Minor damage or loss of to asset. <5% of total assets Single death and/or multiple Major injury / hospitalization Multiple deaths major injuries Compromise of information sensitive to the organizations operations. Damage or loss of <20% of total assets Compromise of information sensitive to organizational interests. Extensive damage or loss <50% of total assets Compromise of information with significant ongoing impact. Destruction or complete loss of >50% of assets Econonic 1% of budget (organizational, division or project budget as relevant) 2-5% of annual budget 5-10 % of annual budget > 10% of budget > 30% of project or organizational annual budget Reputation Local mention only. Quickly forgotten. Freedom to operate unaffected. Selfimprovement review required Scrutiny by Executive, internal committees or internal audit to prevent escalation Short term local media concern. Some impact on local level activities Persistent national concern. Scrutiny required by external agencies. Long term brand impact. Persistent intense national public, political and media scrutiny. Long term brand impact. Major operations severely restricted. International concern, Governmental Inquiry or sustained adverse national/international media. Brand significantly affects organizational abilities. Capability Minor skills impact. Minimal impact on non-core operations. The impact can be dealt with by routine operations. Some impact on organizational capability in terms of delays, systems quality but able to be dealt with at operational level Impact on the organization resulting in reduced performance such that targets are not met. Organizations existence is not threatened, but could be subject to significant review. Breakdown of key activities leading to reduction in performance (eg. service delays, revenue loss, client dissatisfaction, legislative breaches). Protracted unavailability of critical skills/people. Critical failure(s) preventing core activities from being performed. Survival of the project/activity/organization is threatened

17 17 17

18 Key Challenges of ERM Establishing a common risk language or glossary. Developing action plans to ensure the risks are appropriately managed. Developing consolidated reporting for various stakeholders communication strategy Monitoring the results of actions taken to mitigate risk. Implementing a risk-ranking methodology to compare and prioritize risks within and across functions

19 Questions: Risk Ranking Methodology Challenge How do you compare risks in different categories? How do you know what the top overall risk are? How do you know how significant the risks are on a relative basis (vs. the corporate objective, vs. another risk)? How do you know what the overall impact of the risks are on the organization s strategic goals? How likely is the organization to achieve its strategic goals? 19 19

20 KISS principle Keep it Simple! Solution to ERM Problems Apply project risk management principles Single qualitative and quantitative scale ** Key is to find the impact currency that allows all risk categories to be scored (risk impacts) on the same scale Utils (Utility) 20 20

21 Case Study 1 Growing International Airport 21 21

22 Case Study 1 Growing International Airport Unique location International airport Undergoing a major expansion (new $250M Terminal) New runway coming in future 22 22

23 Case Study 1 -Context of ERM Comprehensive strategic planning complete prior to ERM assessment Key Success Drivers (KSDs): Optimized Customer Experience (40%) To Lead a High Performing Airport Team (25%) To Achieve Environmentally Responsible, Sustainable and Profitable Growth (20%) To Foster Effective Stakeholder Relationships (15%) Each KSD area is broken into various Corporate Objectives with weightings 23 23

24 Corporate Objectives Example KSD1 Optimized Customer Experience (40%) Weight Corporate Objectives 5% 1.1 Achieve 100% Operational Status within the parameters of the Airport Operating Certificate. 3% 1.2 Play a lead role in the CRISP Air Transportation Process 15% 1.3 Implement the 2012 Phase of the Major Capital Project 2% 1.4 Implement the 2012 Maintenance Capital Expenditure Plan 4% 1.5 Develop and implement the 2012 Phase of the Customer Satisfaction Plan, including participation in the ACI/NA Benchmarking Metrics Survey and the development of branding for YMM and Team FlyFortMac. 5% 1.6 Achieve the 2012 Phase of Optimal Air Service 3% 1.7 Achieve and implement the 2012 Phase of a Management Contract for the Fort Chipewyan Airport (YPY) 3% 1.8 Continue the 2012 Phase of the process to achieve International Airport Status 24 24

25 Single Scale Utils Approach Risks and opportunities identified around each corporate objective The utils is the impact on the weighting percentage should the risk occur Scale Probability Impact (Utils)* VH Very High > 67% > 2% (>200) H High 33-67% 1 2% ( ) M - Moderate 10-33% 0.5 1% (50-100) L - Low 1-10% % (10-50) VL Very Low < 1% < 0.1% (<10) *Percent impact is a direct reduction to the percent impact of the Corporate Objectives weghting 25 25

26 ERM Risk Register 26 26

27 OVERALL RISK SCORE OVERALL RISK SCORE PRE-ACTION RISK CRITICALITY PROBABILITY POST-ACTION Very High High Moderate Low Very Low IMPACT Very Low Low Moderate High Very High Dashboard 60 PRE-ACTION RISK COUNT AND CRITICALITY 60 POST-ACTION KSD1: Optimized Customer experience KSD2: Lead a High Performing Team KSD3: Responsible Sustainable Growth KSD4: Effective Stakeholder Relationships

28 Case Study 2 Oil Development Joint Venture 28 28

29 Context of ERM within JV No formal strategic planning had been completed beyond creation of JV) No KSD s or specific corporate objectives Approach was to take a leadership role in helping the JV determine their strategic plan and corporate objectives Questionnaires Conducted interviews Facilitated workshops and discussions to develop alignment around the key corporate objectives to be assessed through ERM 29 29

30 ERM Model 30 30

31 ERM Model 31 31

32 ERM Matrix 32 32

33 Goals/objectives ERM Approach -Lessons Learned There must be specific corporate goals/objectives in place in order to conduct ERM Clear, concise and well-understood Education Risk team, management, stakeholders must understand and buy-in to the methodology, approach, expected outcomes Results Must be clear, transparent and well-understood 33 33

34 Next steps for Revay June 2013 Calgary experienced its worst flood ever 34 34

35 Emergency Response Planning Next steps for Revay 35 35

36 Thank you! 36 36