Understanding Enterprise Risk Management
Presented by Dorothy Gjerdrum, Arthur J. Gallagher
Learning Objectives
- Understand the components of a well-run ERM program
- Review scope and process
- Explore the role of the CBO in ERM
- Assess your institution's readiness
Agenda
- What does a successful ERM program look like?
- Five key questions: what, why, who, how and when?
- Roles and responsibilities
- Recommendations for next steps
ERM: What's in a Name?
- 2004: COSO ERM Framework
- 2009: ISO 31000 (ANSI/ASSE), the international standard on risk management
- Other references: NACUBO, GRC, AGB
Key Differentiators
- Definition of risk
- Accountability and ownership
- Managing risk is part of every decision, project and activity
- Prioritization of risk is linked to key objectives & strategy
Defining Risk
- Risk = the effect of uncertainty on your objectives (ISO 31000)
- The effects can be positive or negative
- Anything that could harm, prevent, delay or enhance your ability to achieve your objectives = risk
Why Does It Make Sense to Take a Broader Approach to Risk?
- Only 20-30% of all risks are insurable
- Global interconnectedness forces us to think more broadly, for example:
  o Pandemic flu
  o Cyber attacks
  o World economy & supply chain risks
- Now more than ever, we need all stakeholders to be risk aware
The Intent of ERM
- To manage risk better, to support opportunities
- To identify, assess and prepare for what could go wrong
- To focus on what's most important to the institution and its stakeholders, and link key risks to key goals & objectives
Profiles of Successful Programs #1
- President endorsed the project
- ERM Advisory Committee created to develop the lexicon/framework and implementation plan and to provide oversight
- Facilitated risk assessment processes rolled out and applied broadly
- Software implemented to track progress
- Education offered across the institution
- Management of risk in performance reviews
Profiles of Successful Programs #2
- CRO hired; Chancellor & Board endorsed the program
- Cross-functional Risk Council formed
- Developed a risk portfolio
- Biannual review of risk treatment plans by the Risk Council
- Good engagement of stakeholders
Profiles of Successful Programs #3
"Risk, in one form or another, is present in virtually all worthwhile endeavors. We recognize that not all risk is bad, and our goal is not to eliminate all risk, for by doing so we would cease all productive activity. Rather, our goal is to assume risk judiciously, mitigate it when possible, and prepare ourselves to respond effectively and efficiently when necessary."
Profiles of Successful Programs #3: the reasons we implemented ERM
- Break through operational silos
- Identify key exposures
- Assess appetite for risk
- Identify best practices
- Plan proactively
- Prioritize resources
- NO SURPRISES!
Five Key Questions to Begin (or Improve)
1. What is ERM?
2. Why is ERM relevant to my institution?
3. Who knows about ERM, and what do they know?
4. How can you create a sustainable framework for managing risk?
5. When do you know you've succeeded? When do you stop?
What is ERM?
- How will your institution define ERM?
- Do you have an elevator speech?
- What are the benefits of taking a broader approach to managing risk?
What is ERM? (from ISO 31000)
Key outcomes:
- The organization has a current, correct and comprehensive understanding of its risks.
- The organization's risks are within its risk criteria.
Attributes:
- Continual improvement
- Full accountability for risks
- Application of risk management in all decision making
- Continual communication
- Full integration into the organization's governance structure
What is ERM? Sample Elevator Speech
- Risk management is about supporting opportunities as well as preventing problems
- ERM is tied to business objectives and strategies and supports them
- ERM works within the institution's culture and will become integral to decision making
- The initiative will ensure that risk management applies to all levels of the organization and to all activities
The Benefits of Risk Management
- Increase the likelihood of achieving objectives
- Encourage proactive management
- Be aware of the need to identify and treat risk throughout the organization
- Improve the identification of opportunities & threats
- Effectively allocate and use resources
- Comply with relevant legal and regulatory requirements and international norms
- Improve mandatory and voluntary reporting
- Improve operational effectiveness & efficiency
- Improve stakeholder confidence and trust
- Establish a reliable basis for decision making & planning
- Improve controls
- Improve governance
Source: ISO/ANSI/ASSE 31000:2009, Risk management: Principles and Guidelines
Why is ERM Relevant to My Institution?
- Bond rating
- Better & more thorough decision making
- Response to regulatory oversight
- Peer influence
- Governing board members' influence
- Desire to be a progressive industry leader
- To manage resources more effectively
Why ERM?
Example 1: "We strategically manage risk to create greater financial stability and help the university achieve its mission."
Example 2: "Our goal is to assume risk judiciously, mitigate it when possible and prepare ourselves to respond effectively and efficiently when necessary."
Who Knows about ERM and What Do They Know?
- Internal Audit: from the IIA/COSO ERM Framework
- Governing Board Members: from peers, conferences, AGB
- Compliance: GRC, legal framework
- General Counsel: NACUA, governance models
- CFO: from financial rating companies, NACUBO
Sources of Information
- ANSI/ASSE/ISO 31000, the only international standard on risk management (2009)
- COSO ERM Framework (2004)
- Risk Management: An Accountability Guide for University and College Boards, by Janice Abraham (AGB & UE, 2013)
- Consulting firms (KPMG, Protiviti, Deloitte, PwC) & brokerage firms, too
- GRC: Governance, Risk & Compliance (software and consulting)
Source publications (slide shows cover images):
- www.coso.org
- www.nacubo.org
- www.asse.org
Purchased publications are marked $$; two are noted "Download this one free".
[Figure: COSO ERM framework cube] Four primary objectives: Strategic, Operations, Reporting, Compliance; components include Control Activities. Source: Committee of Sponsoring Organizations of the Treadway Commission
[Book cover] Published in 2013 by AGB Press, the Association of Governing Boards of Universities and Colleges, and United Educators Insurance, a Reciprocal Risk Retention Group. www.agb.org or 800.356.6317 ($$)
Enterprise Risk Management (ERM) is a business process, led by senior leadership, that extends the concepts of risk management and includes:
- Identifying risks across the entire enterprise
- Assessing the impact of risks to the operations and mission
- Developing and practicing response or mitigation plans, and
- Monitoring the identified risks, holding the risk owner accountable, and consistently scanning for emerging risks
Source: Risk Management: An Accountability Guide for University and College Boards, by Janice Abraham, 2013, AGB Press, Washington DC
RM Accountability Guide
- Board and President jointly articulate commitment
- Senior management implements
- Emphasis on roles and oversight
- Sample risk registers
- Board committee oversight of key risks by category: Strategic, Board governance, Financial, Operational
Source: Risk Management: An Accountability Guide for University and College Boards, by Janice Abraham, 2013, AGB Press, Washington DC
[Figure: corporate risk heat map] Vertical axis: financial impact, from Low to High ($10 Million). Horizontal axis: likelihood of problem occurring in area, Low / Medium / High. Colour legend: Green = perceived as well controlled; Light Green = perceived as medium to good controls; Yellow = perceived as moderately well controlled; Red = perceived as poorly controlled. The map plots numbered risks (for example 8-Data Security, 22B-Business Continuity-IT, 32-Brand Reputation, 38-Terrorism); rectangles represent risks identified as Corporate risks, and the numbers correspond to the Business Risk Inventory chart.
How Can You Create a Sustainable Framework?
- Need a common language
- Need to tailor processes and structure to your operations
- Need to communicate with and engage stakeholders
- Need to monitor & review and continually improve
[Figure: ISO 31000 overview, from ISO 31000]
Principles:
- Creates value
- Integral part of organizational processes
- Part of decision making
- Explicitly addresses uncertainty
- Systematic, structured & timely
- Based on best available info
- Tailored
- Takes human & cultural factors into account
- Transparent & inclusive
- Dynamic, iterative & responsive to change
- Facilitates continual improvement & enhancement of the organization
Framework:
- Mandate & commitment
- Design framework for managing risk
- Implement risk management
- Monitor and review the framework
- Continually improve the framework
RM Process:
- Communicate and consult
- Establish the context
- Risk assessment: risk identification, risk analysis, risk evaluation
- Risk treatment
- Monitor and review
Principles
- Creates and protects value
- Integral part of organizational processes
- Part of decision making
- Explicitly addresses uncertainty
- Systematic, structured & timely
- Based on best available info
- Tailored
- Takes human & cultural factors into account
- Transparent & inclusive
- Dynamic, iterative & responsive to change
- Facilitates continual improvement & enhancement of the organization
The principles provide guidance on the rationale for managing risk and the characteristics of effective risk management. These shape the design and structure of your framework for managing risk. The principles can assist in continual improvement and serve as a maturity model for implementation.
Framework
Building the framework includes planning for implementation, monitoring & review, and communication. Based upon a model of continual improvement, the framework is what will sustain your risk management efforts. This assures that you are consistent, process-focused and held accountable.
Framework cycle (figure): Mandate & commitment; Design framework for managing risk; Implement risk management; Monitor and review the framework; Continually improve the framework.
ISO 31004 Guidance for Implementation, Annex C: How to express mandate & commitment
C.2.1 Key characteristics. The expression of the mandate and commitment should meet the following criteria:
a) It should be compatible with the organization's strategic plan, objectives, policies, styles of communication and management system;
b) It should be compatible with the risk criteria determined by the oversight body;
c) It should meet the principles of ISO 31000 as well as strive for excellence in risk management as outlined in Annex A;
d) It should be easy to communicate and be tested for comprehension inside and outside the organization;
e) It should have reasonable expectations of being successfully implemented; and
f) It should address the responsibilities of risk owners.
ISO 31000 Guidance for Implementation: Components of the Framework
- Understanding the organization & its context
- Establishing RM policy
- Accountability & authority
- Integration into organizational processes
- Determining appropriate resources
- Establishing internal communication & reporting mechanisms
- Establishing external communication & reporting mechanisms
Source: ISO 31000:2009, Risk management: Principles and guidelines
ISO 31000: Establishing RM Policy
- Rationale for managing risk
- Links between objectives and policies and the risk management policy
- Accountabilities & responsibilities for managing risk
- How you'll deal with conflicting interests
- Commitment to provide necessary resources
- How you'll measure & report
- Commitment to review & revise
RM Process (figure): Communicate and consult; Establish the context; Risk assessment (risk identification, risk analysis, risk evaluation); Risk treatment; Monitor and review. The same consistent process is used across the organization.
- The context applies to both the organization as a whole and the specific project, risk or portfolio of risks
- Several elements take stakeholder interest and perceptions into account
- Monitor and review continually asks: Do we have this right?
- Communication and consultation is how the management of risk stays connected and relevant
A Few Definitions from ISO 31000
- Risk = the effect of uncertainty on objectives. An effect is a deviation from the expected, positive or negative. Uncertainty is the state of deficiency of information. Risk is often expressed in terms of a combination of consequences and likelihood.
- Risk Management = the coordinated activities to direct and control an organization with regard to risk.
- Risk Owner = the person or entity with the accountability and authority to manage risk.
- Stakeholder = any person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity. Stakeholders are both internal and external. They are important to the process and key to activities like communication, consultation and reporting. Stakeholders' interests and fears should be taken into account.
2012 ARTHUR J. GALLAGHER & CO.
Risk Is Present in Everything We Do
- Risk = the effect of uncertainty on your objectives
- Objectives = the outcomes you seek, the highest expression of intent and purpose
- Uncertainty = the state of not knowing, a deficiency of information
- Anything that could harm, prevent, delay or enhance your ability to achieve your objectives = risk
Source: ISO/ANSI/ASSE 31000:2009, Risk management: Principles and Guidelines
When Do You Know You've Succeeded? When Do You Stop?
- Implementation takes time
- You do need to measure success
- This is an iterative, continual process
NACUBO Example: sample risk register. The "Actions to Manage Risk" and "Risk Direction" columns are left blank in the example.
| Risk ID | Description | Strategic Objectives | Interrelated Risks | Risk Ownership | Board Committee Oversight |
| 1 | UG and grad enrollment and aid strategies | Reputation, $$ Stability | 2,4,6,7,8,9,10 | Provost, VP Enrollment | Enrollment & Marketing |
| 2 | Tuition dependency, fundraising strategy | Reputation, $$ Stability | 1,3,4,6,7,9,10 | President, VP Advancement | Advancement |
| 3 | Tuition dependency, alternative revenue strategies | Stability, Operational Efficiency | 1,2,4,7,9,10 | Cabinet | Academic, Finance |
| 4 | Sustainable long range $$ plan | Stability, Operational Efficiency | 1,2,3,7,8,9,10 | Cabinet, CFO | Business & Finance |
| 5 | IT security & privacy | Reputation | 6,8,9,10 | CIO, GC | IT |
| 6 | Website | Reputation | 1,2,5,9 | Provost, VP Marketing | Enrollment & Marketing |
| 7 | Investment strategy | $$ Stability, Reputation | 1,2,3,4,9,10 | VP Business & Finance | Investment |
| 8 | Debt strategy | $$ Stability | 1,2,3,4,9,10 | VP Business & Finance | Business & Finance |
| 9 | Safe and secure living environment | $$ Stability, Reputation | All | Cabinet, VP Student Affairs | Student Affairs |
| 10 | Financial operations & controls | $$ Stability, Operational Efficiency | 1,2,3,4,5,7,9 | CFO | Audit |
Standard and Poor's recognized the University of California for its ERM program: "The UC has implemented a system-wide enterprise risk management information system which, in our opinion, is a credit strength." (September 9, 2010, RatingsDirect, Global Credit Portal)
Principles of Effective Risk Oversight
1. Understand the company's key drivers of success
2. Assess the risk in the company's strategy
3. Define the role of the full board and its standing committees with regard to risk oversight
4. Consider whether the company's risk management system, including people and processes, is appropriate and has sufficient resources
5. Work with management to understand and agree on the types (and format) of risk information the board requires
6. Encourage a dynamic and constructive risk dialogue between management and the board, including a willingness to challenge assumptions
7. Closely monitor the potential risks in the company's culture and its incentive structure
8. Monitor critical alignments of strategy, risk, controls, compliance, incentives & people
9. Consider emerging and interrelated risks: What's around the next corner?
10. Periodically assess the board's risk oversight processes
Excerpted from Risk Governance: Balancing Risk and Reward, 2009, NACD Blue Ribbon Commission
Open Discussion re Roles
- Line of authority
- Who's responsible for the oversight of risk?
- Who are your risk leaders?
Is Your Institution Ready for ERM?
- It can support key management initiatives
- It can be implemented without lots of $$$
- It instructs and spreads understanding about risk and everyone's role re risk
- Think about the "why"
ERM Checklist
- Educate yourself
- Talk to your peers
- Review your answers to the 5 questions
- Identify your champions, skeptics and supporters; engage them to make a plan
How to Implement ERM Using ISO 31000
Three-part training:
- Webinar: How to apply the standard
- Workshop: Introduction to ERM & ISO 31000
- Workshop: Implementing ERM
Info at www.primacentral.org or www.urmia.org
PRIMA = Public Risk Management Association; URMIA = University Risk Management and Insurance Association
Thank You!
Dorothy M. Gjerdrum, Senior Managing Director, Public Sector & ERM Consultant, Higher Education, Arthur J. Gallagher & Co.
Dorothy_Gjerdrum@ajg.com