Getting Started with Enterprise Risk Management
Session 2: GPGFOA Fall Conference
Friday 05 October 2012
Andrew Bent
Integrated Risk Management Branch
Edmonton Police Service
Overview
- What is ERM and why do you need it?
- Getting started
- Challenges and Opportunities
- Resources
- Questions
What is ERM?
- Enterprise Risk Management describes a way of coordinating all the risk management activities undertaken by an organization / entity.
- ERM allows an organization to manage risk in a way that is: Comprehensive, Coordinated, Consistent, and Cost-effective!
Why does the EPS use ERM?
- Police have always managed operational risk
- Focused on traditional hazard risks only
- Hierarchal approach with multiple business lines operating in silos
- Not a lot of coordination, lots of overlap
Why does the EPS use ERM?
- Increased scrutiny and budget pressures
- Needed to demonstrate value of all programs
- There was a recognized need to do a better job at managing risk across the organization
Why do you need ERM?
- ERM is a force-multiplier that maximizes the ROI for risk management activities
- Regulatory compliance
  - Occupational Health & Safety, Workers Compensation, SOX, Environmental Protection, etc.
- Supports the achievement of organizational goals by driving cross-functional action
Getting Started
- The good news is that you probably do most of the risk management you need already!
- First step: Understand your Context
  - Identify what is important to your organization: is it financial performance, business / service objectives, or something else?
  - Identify what risk management you already do, where you do it and how much you have to do (not always the same as how much you actually do now)
Getting Started
- First step: Understand your Context
  - Don't worry too much about how well your separate risk functions are performing at this stage
  - Identify your tolerance and appetite for risk
Getting Started
- Step 2: Identify your risks
  - What information sources can you draw on?
  - What is already reported?
  - Go ask the experts (and the not-so-experts)
  - Start wide, narrow after you have finished collecting your data
  - Can you group your risks by category?
Getting Started
- Step 3: Analyse your risks
  - What is really going on here? (Warning: root cause analysis required!)
  - How likely are your risks?
  - What are their actual impacts?
  - What is the difference between your inherent and residual risk?
  - Do you even need to care?
Getting Started
- Step 4: Evaluate your risks
  - Are you seeing regular themes or issues?
  - Are your risk controls consistent with your risk tolerance?
  - Are you over or under managing specific risks?
  - Do you have gaps in your risk management program?
  - What are the most important risks to manage?
Getting Started
- Step 5: Treating your risks
  - Come up with a plan based on your organization's priorities
  - Start small and don't try to do everything
  - Communicate the plan, and then do it again (and again)
  - ERM program managers DO NOT own (many) risks
  - Get the risk owners to develop the specific treatments
  - Risk ownership is a right, not a privilege
  - Ownership doesn't mean having to do it all yourself
Getting Started
- Step 6: Monitor your risks
  - Once your plan is underway, make sure you have a way of knowing if it is working or not
  - Use metrics, but choose them carefully and apply sparingly
  - Sometimes the absence of information is all you will have to know if it is working
  - ERM is a continuous process, not a batch operation
  - Communicate constantly upwards, sideways and downwards on the risk priorities, the plan and how it is going
Challenges
- Organizational buy-in: why do we need to do this?
- Executive support crucial
- Operational groups tend to get it
- Overcoming reporting resistance
- Building a culture of corporate risk awareness and accountability
- Assigning responsibility at the right level
Opportunities
- Risk management is already done by a number of groups
  - Operations
  - Legal
  - OH&S
- Lots of corporate information available
- Use any data mining tools available
- KISS/JIT approach to training
Opportunities
- Effective and efficient risk management is often an easy sell to oversight bodies (and the funders paying for it)
- Lots of free or low-cost resources available to agencies implementing ERM programs
- It can be as big or small as it needs to be at the beginning, and often small works best
Resources
- Risk and Insurance Management Society (RIMS) ERM Centre of Excellence: www.rims.org/erm
- RIMS Risk Maturity Model
- Treasury Board of Canada Secretariat: www.tbs-sct.gc.ca (search "Framework for the Management of Risk")
Questions?