Enterprise Risk Management: Taking the First Steps

Transcription

1 Enterprise Risk Management: Taking the First Steps TN PRIMA, 2012 DOROTHY GJERDRUM, ARM, CIRM NOVEMBER 15, 2012 Agenda Goal: To understand how to begin to implement a broader approach to risk management Practice risk-based decision making Compare ERM & traditional RM Understand the framework Steps in the process Potential next steps for you

2 Taking Risk Hating Surprises Who are the risk takers? Who hates surprises? Page 3 Small Sized City Mission: To provide quality services while preserving and advancing the collective interests of all the citizens and visitors of our community. Potential Projects (pick one): Merge police force with county sheriff s office & close jail Seek voter approval to issue bonds to build a new marina and park Develop a mental health resource center Build a skateboard park You only have 10 minutes!! Page 4

3 Risk Management: Getting to Yes Getting to Yes After full consideration of all risks, the community college supported the trip. Six students & one faculty member participated. Downside risk was addressed through training, info on cultural context & travel abroad insurance. Result: Awarded silver medal!

4 Traditional ARM Model of Risk Management Traditional ARM Model of Risk Management Review against objectives & performance standards Begin process again as new risks are identified Risk Financing Retention Insurance Contractual transfer Values exposed to loss Perils (natural, human, economic) Consequences (freq & severity) Surveys, loss histories, financial statements, inspections, consultations Risk Control Exposure avoidance Loss prevention Loss reduction Segregation Contractual transfer Technical decisions Managerial decisions Considerations Political climate Legal obligations Tolerance for risk Budget

5 Risks Managed in Silos What s Missing? A broad-based sustainable framework Linking risks to what matters most to the organization Holding risk owners accountable for treatment & management of risks A clear and replicable prioritization process Links to decision making, budget questions, strategic planning Risk can be a good thing!

6 Differentiators Traditional RM Focused on hazards & the downside of risk Many risk management silos lack of integration Who s responsible? Mitigation tools = insurance, risk transfer, prevention ERM Anything that can affect your objectives Management of risk from top down & all across the organization Risk owners assigned Risk owners identify and track mitigation ERM requires risk leadership, not just management Why We Need to Manage Risk The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise. National Guidance on Implementing ISO 31000:2009 From NSAI in Ireland

7 Defining ERM Enterprise Risk Management describes a broader approach to managing risk. It is a coordinated effort to direct and control all activities related to risk. It defines risk as the effect of uncertainty on objectives. It therefore ties the management of risk to what is most important to the organization. The responsibility for managing risk is spread across the organization to those who have accountability and authority risk owners. What is risk?? Risk is present in everything we do. The definition from ISO 31000, the international standard on risk management: Risk = the affect of uncertainty on your objectives. Risk can be a threat or an opportunity Anything that could harm, prevent, delay or enhance your ability to achieve your objectives = risk

8 Overview of the Process from ISO The principles provide the foundation and describe the qualities of effective risk management in an organization The framework manages the overall process and its full integration into the organization Monitoring & review, continual improvement and communication occur throughout The process for managing risk focuses on individual or groups of risks, their identification, analysis, evaluation and treatment Principles Framework RM Process Creates value Part of org. processes Part of decision making Explicitly addresses uncertainty Systematic, structured & timely Based on best avail info Tailored Considers human & cultural factors Transparent & inclusive Dynamic, iterative & responsive to change Continual improvement Continually improve the framework Mandate & Commitment Design framework for managing risk Monitor and review the framework Implement risk management ISO/ANSI/ASSE 31000:2009 Risk management Principles and guidelines Communicate and consult Establish the context Risk assessment Risk identification Risk analysis Risk evaluation Risk treatment Monitor and review

9 Principles Framework RM Process Creates value Part of org. processes Part of decision making Explicitly addresses uncertainty Systematic, structured & timely Based on best avail info Tailored Considers human & cultural factors Transparent & inclusive Dynamic, iterative & responsive to change Continual improvement Continually improve the framework Mandate & Commitment Design framework for managing risk Monitor and review the framework Implement risk management ISO/ANSI/ASSE 31000:2009 Risk management Principles and guidelines Communicate and consult Establish the context Risk assessment Risk identification Risk analysis Risk evaluation Risk treatment Monitor and review

10 The Internal Context Lots of conflicting interests Lots of RM silos Unique City Charter authorities Very small RM Dept But also Strong support from key players Enterprises issuing debt Willingness to utilize technology

11 City-County of San Francisco ERM One Dept/Project at a Time Risk Management Division Public Utilities Commission Port of San Francisco Harvard Acting in Time Disaster Preparedness Project Emory University: It started at the top Chair Audit Committee President Exec VP Finance & Administration Internal Audit 22

12 Emory: Why did we implement ERM? Break through operational silos Identify key exposures Assess appetite for risk Identify best practices Plan proactively Prioritize resources Can you use these to develop support for ERM? NO SURPRISES! 23 Mission Statements From Around the State Dyersburg The city s mission is to provide and maintain essential services that meet the basic collective needs of the citizens of Dyersburg and to identify and pursue opportunities for a higher quality of life. First TN Human Resource Agency Our mission is to improve the quality of life for the people of Northeast TN through effective delivery of social services.

13 Connecting to What is Most Important Franklin Long term, we see performance measurements as a comprehensive program that will lead to better management of the City s resources, more accountability, more productivity and specific goal setting. Clarksville Mayor s Priorities Transparency in government, continuing economic development, maintaining and improving quality of life. Maryville The City Government s goal is to continue to enhance the quality of life of our residents. Principles Framework RM Process Creates value Part of org. processes Part of decision making Explicitly addresses uncertainty Systematic, structured & timely Based on best avail info Tailored Considers human & cultural factors Transparent & inclusive Dynamic, iterative & responsive to change Continual improvement Continually improve the framework Mandate & Commitment Design framework for managing risk Monitor and review the framework Implement risk management ISO/ANSI/ASSE 31000:2009 Risk management Principles and guidelines Communicate and consult Establish the context Risk assessment Risk identification Risk analysis Risk evaluation Risk treatment Monitor and review

14 Components of the Framework Understanding the organization & its context Establishing RM policy Accountability & authority Integration into organizational processes Determining appropriate resources Establishing internal communication & reporting mechanisms Establishing external communication & reporting mechanisms ISO/ANSI/ASSE 31000:2009 Risk management Principles and guidelines Framework Example: Benefits of RM Increase likelihood of achieving objectives Encourage proactive management Be aware of the need to identify and treat risk throughout the organization Improve the identification of opportunities & threats Effectively allocate and use resources ISO/ANSI/ASSE 31000:2009 Risk management Principles and guidelines Comply with relevant legal and regulatory requirements and international norms Improve mandatory and voluntary reporting Improve operational effectiveness & efficiency Improve stakeholder confidence and trust Establish a reliable basis for decision making & planning Improve controls Improve governance

15 Framework Example: Context External Context Social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment Key drivers and trends that will have an impact on your organization Relationships with and perceptions & values of external stakeholders Internal Context Governance, organizational structure, roles & accountabilities Policies, objectives & strategy Capabilities & resources Info systems Organizational culture Contractual relationships Relationships with, perceptions & values of internal stakeholders ISO/ANSI/ASSE 31000:2009 Risk management Principles and guidelines Excerpt Statement of Context

16 A Few Definitions ISO Risk Owner = the person or entity with the accountability and authority to manage risk Stakeholder = any person or organization that can affect, be affected by or perceive themselves to be affected by a decision or activity. They are both internal and external. Stakeholders are important to the process and key to activities like communication, consultation and reporting. Stakeholders interests and fears should be taken into account Risk management process is the systematic application of management policies, procedures and practices to the tasks and activities of communicating, consulting, establishing the context and identifying, analyzing, evaluating, treating, monitoring and reviewing risk. ISO: Establishing RM Policy Rationale for managing risk Links between objectives and policies and the RM policy Accountabilities & responsibilities for managing risk How you ll deal with conflicting interests Commitment to necessary resources How you ll measure & report Commitment to review & revise

17 Principles Framework RM Process Creates value Part of org. processes Part of decision making Explicitly addresses uncertainty Systematic, structured & timely Based on best avail info Tailored Considers human & cultural factors Transparent & inclusive Dynamic, iterative & responsive to change Continual improvement Continually improve the framework Mandate & Commitment Design framework for managing risk Monitor and review the framework Implement risk management ISO/ANSI/ASSE 31000:2009 Risk management Principles and guidelines Communicate and consult Establish the context Risk assessment Risk identification Risk analysis Risk evaluation Risk treatment Monitor and review Risk Assessment Begin with communication & consultation Internal & external stakeholders Establish the context Objectives, internal & external context of operations, the scope & context of RM process Define risk criteria Nature and types of causes & consequences How likelihood will be defined Level of risk tolerance and acceptance Combinations

18 Risk Identification, Analysis & Evaluation Sources of risk, areas of impact, events and potential consequences Understanding the risk considering causes, likelihood and consequence and expressing that as a level of risk Evaluating which risks need further treatment; prioritizing treatment decisions Treating Risks Modifying risks through options such as: Avoiding the risk Taking or increasing the risk in order to pursue an opportunity Removing the risk source Changing the likelihood Changing the consequence Sharing the risk with other parties Retaining the risk by informed choice

19 Principles Framework RM Process Creates value Part of org. processes Part of decision making Explicitly addresses uncertainty Systematic, structured & timely Based on best avail info Tailored Considers human & cultural factors Transparent & inclusive Dynamic, iterative & responsive to change Continual improvement Continually improve the framework Mandate & Commitment Design framework for managing risk Monitor and review the framework Implement risk management ISO/ANSI/ASSE 31000:2009 Risk management Principles and guidelines Communicate and consult Establish the context Risk assessment Risk identification Risk analysis Risk evaluation Risk treatment Monitor and review Monitoring and Review Monitor and review all aspects of the risk management process to: Ensure that controls are effective and efficient Obtain further information to improve risk assessment Analyze and learn lessons from events Detect changes in the environment Identify emerging risks

20 Growing into ERM Link the management of risk to what is most important to the organization Make everyone responsible for risk Increase accountability Get serious about measurement and communication Look for interrelated and emerging risks Keep your eye on the whole field and continue to learn

21 Who is Interested in ERM? Boards of Directors Board members from private industry understand how ERM supports an organization s objectives; the Board s oversight role requires evidence that risks are identified, prioritized and managed within tolerance levels Stakeholders The broad management of risk includes stakeholder input, values and needs and builds in appropriate communication about risk Credit and Rating Agencies Seek evidence of a comprehensive and forward-looking risk management program Peers As the practice of ERM grows across a sector, it pushes innovation & drives leadership International Community ISO is the guide for standardized risk management practices; its widespread adoption across the globe will affect business operations everywhere

22 Standard and Poor s recognized the University of CA for its ERM program. The UC has implemented a system-wide enterprise risk management information system which, in our opinion, is a credit strength. September 9, 2010 Ratings Direct Global Credit Portal Sample Rating Agency Classifications Excellent Strong Adequate Weak Advanced capabilities to identify, measure & manage all risks within tolerances Advanced implementation, development & execution of ERM parameters Consistently optimizes risk adjusted returns throughout organization Clear vision of risk tolerance and overall risk profile Risk Control exceeds adequate for most major risks Has robust processes to identify and prepare for emerging risks Incorporates risk management & decision making to optimize risk adjusted returns Has fully functioning control systems in place for all major risks May lack a robust process for identifying and preparing for emerging risks Not fully developed process to optimize risk adjusted returns Incomplete control process for one or more major risks Inconsistent or limited capabilities to identify, measure or manage major risk exposures

23 Risk Management is Evolving Traditional Risk Management Purchase insurance to cover risks Hazard-based risk identification and controls Compliance issues addressed separately Safety & emergency mgmt handled separately Silo approach risk mgmt is not integrated across the organization Risk Manager is the insurance buyer Integrated Transactional Strategic Advanced Risk Management Greater use of alternative risk financing techniques More proactive about preventing and reducing risks Integrates claims mgmt, contracts review, special event RM, insurance and risk transfer techniques Cost allocation used for education and accountability More collaboration as depts are willing Risk Manager may be the risk owner Enterprise-wide Risk Management A wide range of risks are discussed and reviewed, including reputational, human capital, strategic and operational Aligns RM process with strategy and mission May include upside risks (opportunities) Helps manage growth, allocate capital & resources Risks are owned by all & mitigated at the department level Many risk mitigation & analytical tools available Risk Manager is the risk facilitator and leader Risk is bad focus is on transferring risk Risk is an expense focus is on reducing cost-of-risk Risk is uncertainty focus is on optimizing risk to achieve goals Implementation Tips Educate yourself Develop talking points, find your champions; develop your pitch Consider the barriers & challenges up front Expect the process to be messy (so have a plan) Take the long view Build your support network

24 Why is Risk Management Important? All organizations exist to achieve their objectives. The purpose of risk management is to manage the barriers and exploit opportunities to achieve those objectives. Before embarking on his trip around the world, Portuguese explorer Ferdinand Magellan said, The task is not to make sure that the sea is calm, but to prepare oneself to sail in stormy, unknown waters.

25 NOVEMBER 15, 2012 DOROTHY GJERDRUM Page 49