Emergency Planning and Crisis Management initiatives rolled up into a viable Business Continuity and Enterprise Risk Management Program. Or: How I Learned to Stop Worrying and Love the ERM!
Is this You?
Why Should We Be Concerned and What Are the Trends?

U.S. Schools and University Incidents, April 2008 to April 2009* (12 months, about 4 per month)

  Bombs and Bomb Threats       13
  Shootings                    17
  Adjacent Police Activity     11
  Chemical Release              2
  Found Bodies                  2
  Stabbings                     2
  Flooding                      1
  TOTAL                        48 incidents

Trends? U.S. Schools and University Incidents, April 2009 to January 27, 2011* (21 months, about 18 per month)

  Bombs and Bomb Threats      113
  Shootings                    72
  Guns on Campus               59
  Evacuations (fire, chemical, etc.)  63
  Hostage Situations            6
  Stabbings                    14
  White Powder                  6
  Misc. (police activity, suicides, bodies)  55
  TOTAL                       382 incidents (as given; the categories listed sum to 388)

Trends? U.S. Schools and University Incidents, February 2011 to January 2012* (11 months, about 29 per month)

  Bombs and Bomb Threats       96
  Shootings                    48
  Guns on Campus               36
  Evacuations (fire, chemical, etc.)  45
  Hostage Situations            3
  Stabbings                    13
  White Powder                 40
  Misc. (police activity, suicides, bodies)  15
  TOTAL                       320 incidents (as given; the categories listed sum to 296)

Trends? U.S. Schools and University Incidents, January 2012 to February 4, 2013* (13 months, about 23 per month)

  Bombs and Bomb Threats      128
  Shootings                    50
  Guns on Campus               32
  Evacuations (fire, chemical, etc.)  28
  Hostage Situations            0
  Stabbings                     5
  White Powder                  5
  Misc. (police activity, suicides, bodies)  45
  TOTAL                       293 incidents

* Source: NC4
KENNESAW STATE ERM STRUCTURE (organization chart)

  Enterprise Risk Coordinator, SSS/ERM Advisory Group, Working Group
  Individual unit responsibilities
  Risk categories: Strategic, Operational, Financial, Compliance and Regulatory, Reputation and Media
  Enterprise Risk Management Directive covers: Emergency Management, Business Continuity, Disaster Recovery, Crisis Management
  Aligned with the Facility or Institution Strategic Plans
EMERGENCY MANAGEMENT: warning and notification channels

  Early warnings: sirens, "Big Voice" public address
  Early notifications: SMS text, voice call to cell phone, email
  Desktop computer override (PC and Mac)
  Digital signage (static or scrolling)
  Main facility web page override
  Fire panel (live voice or recorded message)
  Cameras (IP and analog)

CRISIS MANAGEMENT

  What are you trying to accomplish?
  Who is your customer?
  What are your resources?
  What time frame do you expect?
  Most active-shooter events are over in less than 3 minutes. Can you wait for the police to arrive?

DISASTER RECOVERY has two meanings:

  IT data recovery: hot/cold sites, offsite storage, internal procedures
  Physical facility recovery: a predetermined contract with a recovery company. What is the contracted response time?

BUSINESS CONTINUITY

  The term began as CONOPS, which has been read as Concept of Operations, Contingency Operations, Continuity of Operations, Control of Operations, Continuous Operations and Conduct of Operations; it then became Business Continuity and, more recently, Business Resilience.

  Process:
  - Send individual forms to all departments asking what they do and with whom.
  - Review the forms and provide input.
  - Identify the highest-priority processes that must survive; rank the others.
  - Determine who else supports operations: vendors, outside stakeholders, funding sources.
  - Obtain software, if possible, to correlate the results and interface with other departments.

  Premise: what if 75% of your department did not show up for work?

  This exercise identifies the processes and procedures that matter, because Business Continuity refers to the activities performed daily to maintain service, consistency, and recoverability.

Risk Assessment as part of Business Continuity, Emergency Management/Crisis Management Planning and Disaster Recovery

Now that your baseline Preparedness, Mitigation, Response and Recovery plans and procedures are in place, many of the questions needed in the process have already been answered. The next step is determining the risk through analysis of frequency, type and severity.
Three levels of risk management

(Transactional) Risk Management, where most organizations are in their risk management efforts:
  - Purchase insurance
  - Safety and emergency preparations handled separately
  - Claims management handled separately
  - Risks are all perceived as NEGATIVE

(Integrated) Advanced Risk Management:
  - Use of alternative financing techniques
  - More proactive prevention and reduction of risks
  - Integrates safety, emergency management and claims management
  - More collaboration and fewer silos

(Strategic) Enterprise Risk Management, which includes all of the above:
  - Top-down approach that aligns ERM with strategy and mission
  - Covers Strategic, Operational, Financial, Compliance and Reputational risks
  - Evaluates the opportunities that risk taking offers
  - Risks are OWNED and mitigated at the department level
  - Many tools (software) are available to assist
How does ERM work? The process in four steps

Step 1 - Establish ERM Framework
  - Identify Project Champion
  - Identify Project Owner
  - Establish Steering Committee
  - Establish Working Group
Step 2 - Identify Key Objectives
  - List key objectives
  - Prioritize objectives
  - Select objectives for assessment
Step 3 - Identify Key Risks
  - Brainstorm and assess risks
  - Assign risks scoring 4 or higher to a risk owner
Step 4 - Manage Risks
  - Identify current controls and mitigation requirements
  - Develop a mitigation plan for key risks
  - Conduct quarterly meetings to review status
  - Repeat steps 2-4 for additional objectives

Step 1 - Establish ERM Framework

  A. Identify Project Champion: an executive-level official (President, Chief X Officer) who will provide support and direction to the process.
  B. Identify Project Owner: a senior-level official who will provide ongoing management and oversight of the ERM implementation.
  C. Establish Steering Committee: executive/senior-level officials representing key organizational areas.
  D. Establish Working Groups: formed by department to assess key risks.

Step 2 - Identify Key Objectives

  A. List key objectives: the Working Group identifies institutional and strategic objectives.
  B. Prioritize objectives: the Steering Committee uses a ranking or other system to select the top objectives (no more than 3-5 objectives per division head).
  C. Select main institutional risks for assessment: the Steering Committee selects 4-6 top risks for the initial risk assessment by the Working Group. These are mainly institution-wide risks that no individual department is able to address on its own.

Step 3 - Identify Key Risks

  A. Brainstorm and assess risks: the Working Group conducts the initial risk assessment by calculating impact and likelihood without considering current controls or mitigation plans.
    1. The Working Group must understand the key components and processes associated with the selected objectives.
    2. The Working Group performs the risk ranking with guidance from the Project Owner.
    3. The Steering Committee validates the risk ranking with the Project Champion.
  B. The Steering Committee, with the Project Owner, selects the Key Risks and assigns each to a specific Risk Owner.

Risk identification is sorted by adjusted risk score, using these scales:

  Likelihood of occurring: 1 - low; 2 - medium; 3 - high; 4 - critical.

  Potential impact:
    1 - low: unlikely to have a permanent or significant effect on the institution's reputation or on achievement of its strategic objectives.
    2 - medium: will have a significant impact on the institution but can be managed without major consequences.
    3 - high: will have a significant effect on the institution and requires a major effort to manage and resolve the occurrence as well as its ramifications.
    4 - critical: will threaten the existence of the institution if not resolved.

Step 4 - Manage Risks

  A. Identify current controls and mitigation requirements: risk owners identify the current controls, mitigation steps, or other actions the institution has already taken to reduce the risk. The risk is then assessed again for likelihood and impact.
  B. Develop a mitigation plan for key risks: risk owners develop mitigation plans for risks still ranked 3 or higher after the reassessment.
  C. Conduct meetings to review status: the Steering Committee holds an initial meeting to approve the mitigation plans, then reviews their status regularly. Risk scores may be adjusted by the Steering Committee to reflect the residual risk after the mitigation plan is implemented.
  D. Continue the process: the Project Owner brings new risks into the ERM process (steps 2-4) as current risks are mitigated by their owners.
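Steps 3 and 4 amount to a small risk register: score each risk before controls are considered, route anything at or above the key-risk threshold to an owner, re-score with existing controls, and keep a mitigation queue of what is still too high. The following is an added example, not code from the deck or from Kennesaw State. It assumes a score of likelihood x impact on the deck's 1-4 scales (1..16) and applies the deck's thresholds of 4 (assign an owner) and 3 (still needs a mitigation plan) to that product; the deck does not say how its "adjusted risk score" is computed, so both are assumptions. The register entries and the owner mapping are constructed from the deck's own risk examples.

```python
"""Risk register scoring for the four-step ERM process on the slides.

Assumptions not stated on the slides: score = likelihood x impact on the
1-4 scales (so 1..16); the thresholds 4 (assign a risk owner) and 3 (still
needs a mitigation plan) are applied to that product.
"""
from dataclasses import dataclass, field
from typing import Optional

LIKELIHOOD = {1: "low", 2: "medium", 3: "high", 4: "critical"}
IMPACT = {1: "low", 2: "medium", 3: "high", 4: "critical"}

KEY_RISK_THRESHOLD = 4      # step 3: inherent score >= 4 -> assign a risk owner
MITIGATION_THRESHOLD = 3    # step 4: residual score >= 3 -> mitigation plan required


def score(likelihood: int, impact: int) -> int:
    """Likelihood x impact; rejects values outside the 1-4 scales."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"likelihood/impact must be 1-4, got {likelihood}/{impact}")
    return likelihood * impact


@dataclass
class Risk:
    name: str
    category: str                 # strategic / operational / financial / compliance / reputational
    likelihood: int               # step 3A: assessed WITHOUT considering current controls
    impact: int
    controls: list[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None   # step 4A: reassessed with controls in place
    residual_impact: Optional[int] = None
    owner: Optional[str] = None

    @property
    def inherent_score(self) -> int:
        return score(self.likelihood, self.impact)

    @property
    def residual_score(self) -> int:
        # Until controls have been identified, the adjusted score is the inherent one.
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.inherent_score
        return score(self.residual_likelihood, self.residual_impact)

    @property
    def is_key_risk(self) -> bool:
        return self.inherent_score >= KEY_RISK_THRESHOLD

    @property
    def needs_mitigation_plan(self) -> bool:
        return self.is_key_risk and self.residual_score >= MITIGATION_THRESHOLD


def assign_owners(register: list[Risk], owners_by_category: dict[str, str]) -> list[Risk]:
    """Step 3B: every key risk gets a named owner; non-key risks stay unassigned.

    Fails loudly if a key risk falls in a category with no configured owner,
    so an unowned key risk cannot silently drop out of the process.
    """
    for r in register:
        if r.is_key_risk:
            if r.category not in owners_by_category:
                raise ValueError(f"no owner configured for category {r.category!r}")
            r.owner = owners_by_category[r.category]
    return [r for r in register if r.owner]


def ranked(register: list[Risk]) -> list[Risk]:
    """'Risk identification sorted by adjusted risk score', highest first."""
    return sorted(register, key=lambda r: (r.residual_score, r.inherent_score), reverse=True)


def mitigation_queue(register: list[Risk]) -> list[str]:
    """Step 4B: names of owned risks still at or above the mitigation threshold."""
    return [r.name for r in ranked(register) if r.needs_mitigation_plan]


def sample_register() -> list[Risk]:
    """Constructed entries echoing the deck's own risk examples (hypothetical scores)."""
    return [
        Risk("Main servers down, no redundant backup or trained staff", "operational", 3, 3,
             controls=["nightly offsite backups"], residual_likelihood=2, residual_impact=2),
        Risk("Loss of federal funding over Title IX non-compliance", "compliance", 2, 4,
             controls=["Title IX coordinator and reporting process"],
             residual_likelihood=1, residual_impact=4),
        Risk("Pandemic flu with no staffing plan for primary operations", "operational", 2, 3,
             controls=["cross-trained staff", "remote work"],
             residual_likelihood=1, residual_impact=2),
        Risk("Specific computer brand discontinued after vendor bankruptcy", "strategic", 1, 1),
    ]


# Constructed owner mapping (hypothetical titles).
OWNERS = {"operational": "VP Operations",
          "compliance": "Chief Compliance Officer",
          "strategic": "Provost"}

if __name__ == "__main__":
    reg = sample_register()
    assign_owners(reg, OWNERS)
    for r in ranked(reg):
        print(f"{r.residual_score:>2} (inherent {r.inherent_score:>2})  {r.owner or '-':24}  {r.name}")
    print("Mitigation plans required:", mitigation_queue(reg))
```

The two scores are kept apart on purpose: the inherent score decides who owns the risk (step 3), the residual score decides whether the owner still has work to do (step 4), and the queue is ordered by the residual score so the quarterly review starts with what is still hurting rather than what looked worst before any controls were counted.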
Strategic Risks

Those risks to the long-range goals and objectives of a company or institution that, if realized, may affect its entire course and survivability; in essence, the failure to achieve those objectives. Examples:
  - The funding formula for allocating budgets has been changed, with the possibility of layoffs and furloughs.
  - Technology changes affect your long-range plans for previously procured computer support.
  - Qualified professors or instructors cannot be obtained for the disciplines offered.
  - The Regents have decided to consolidate colleges and universities to save money, and yours is involved.
  - A specific brand of computer has been discontinued because of the vendor's bankruptcy.
  - An academic discipline no longer has enough registered students to support its present faculty and staff.

Operational Risks

Those risks usually attributed to human factors, where people either fail to respond or fail to prevent actions that affect the health and welfare of the company. Examples:
  - Power outages at facilities with no backup options.
  - Strikes and other labor issues that affect day-to-day operations and require a backup plan.
  - A pandemic flu outbreak with no plan to staff primary support and operational functions.
  - The main server(s) are down and no redundant backup exists, or no trained personnel are available to support it.
  - Fuel prices go sky high, or fuel is not available for your fleet.
  - A third-party supply chain vendor is going out of business and you have no backup vendor prepared to step in.

Financial Risks

Those risks that affect the bottom-line financial stability of the college or institution. Examples:
  - The inability to maintain payroll because of budget changes in State or private funds.
  - The investment strategy previously embraced by your Foundation's management is no longer embraced by the Board of Directors.
  - You've been asked to reduce your budget allocation by 10% for the next fiscal year and face program curtailment as a consequence.
  - Your projected enrollment does not come near the current figure for this fiscal year.
  - Potential loss of tax-exempt status due to any number of risks associated with the school.
  - Loss of funding from Federal, State or local government agencies.

Compliance Risks

Those risks that pertain to the company's obligations under laws, regulations, contracts, strategies and policies and that, if compromised, could affect the health and welfare of the University or institution. Examples:
  - Environmental Health and Safety issues with OSHA.
  - Nuclear Regulatory Commission regulations on the handling and transport of radioactive materials.
  - Title IX regulations affecting federal funding of universities.
  - One of your main researchers has been pouring biospecific samples down the main sink in his lab.
  - A significant quantity of radioactive material is missing from the inventory list and the inspectors are due this week.
  - A student has reported that she was sexually assaulted and you did nothing about it.

Reputational Risks

Those risks that pertain to the institution's character or quality of service as projected by its students, faculty and staff and that, if negative, could adversely affect its long-term survivability. Examples:
  - The methods your professors and instructors use when teaching courses.
  - The SAT scores needed to enroll at your school.
  - Publications by faculty and staff in journals and magazines on opinionated topics.
  - During a class, a professor removes his clothes to give an example of free speech.
  - Discovery that many applicants to the university submitted SAT scores from tests taken by another student to get in.
  - Applicants for a high-ranking academic job opening at your institution were not properly vetted before the offer was made.
Key Points to Remember

  - Risk, in one form or another, is present in virtually all worthwhile endeavors.
  - ERM is a management tool: the process can and should be changed to work for YOUR organization.
  - ERM ultimately should change the organizational culture; however, change is slow, painful, and time-consuming.
  - Frustration and confusion are simply part of the process; the long-term result is worth it.
Contact Robert F. (Bob) Lang CSO, CPP, CEM rlang3@kennesaw.edu 770-423-6985