Enterprise Risk Management Building Reflective Practices June
23, 2011
Slide 2
Michael Jordan Chief Operating Officer Director, DAS 2
Slide 3
Pamela J. Stroebel-Valencia Chief Audit Executive, DAS 3
Slide 4
Agency Risk Self-Assessment Three Value-Added Objectives: An
opportunity to have an internal conversation about Enterprise Risk
Management Provides a baseline for Cyber Security insurance needs
Meet statewide policy requirements for an Information Security
risk-assessment 4
Slide 5
Enterprise Risk Management For the State of Oregon, defined as:
A systematic approach throughout all functional levels of an
organization to continually identify, evaluate and effectively
manage real or perceived barriers to the achievement of the
organizations mission (purpose) and strategic goals (objectives).
5
Slide 6
ERM Roles & Responsibilities Governing or Advisory
Board/Commission Management Internal Audit/Audit Committee Business
Function Experts: Risk Management Coordinators, Information
Security Officers All Employees 6
Slide 7
7 ERM Benefits Provide a simple, uniform methodology that is
applicable in all environments Enhance accountability and
communication Continuously eliminate unnecessary controls and add
needed controls Reduce response time for emerging risks Focus
efforts on important issues and concerns
Slide 8
Drew Zavatsky Risk Management Division, Washington State 8
Slide 9
Enterprise Risk Management in Washington State: Building
Reflective Practices
Slide 10
Introductions Goals for this session ERM is not insurance learn
how we started using ERM in Washington learn some ERM best
practices learn from our missteps SO: to get where you want to go,
know where youve been Office of Financial Management State of
Washington Risk Management Division
Slide 11
History of Public Risk Management: growth from reactive to
strategic practice Office of Financial Management State of
Washington Risk Management Division 1978198819982008 Insurance
Procurement Insurance Policy Admin. Risk Financing Loss Control
Organizational RM Focus Claims Mgmt. Regulatory Compliance Public
Safety RM Employee Benefits Risk Finance Cost Allocation Loss
Control Contractual Risk Transfer Claims/Litigation Management
Outcome Orientation and Benchmarking Integrated Disability Mgmt.
Chief Risk Officer Enterprise RM Consultancy Risk Financing Multi-
Jurisdictional Integration Loss Control Claims/Litigation Mgmt.
Cost Allocation Bus./Govt. Partnerships Key change: culture shift
from knowing to learning
Slide 12
Knowers and learners Knower: someone who cant admit they dont
know something for fear that doing so will make them look bad.
Knowers often pretend to know things that they dont (know-it-alls),
and are unwilling to be influenced. Learner: someone who admits
they could be wrong or uncertain. Learners are willing to be
influenced. Office of Financial Management State of Washington Risk
Management Division From The Learners Path, Brian Hinken
(2007)
Slide 13
Typical tendencies Reacting --- Creating Compliance ---
Commitment My part --- The whole Protection --- Reflection Debate
--- Mutual Learning These tendencies apply to both behaviors and
learning styles. Key question: which culture creates value? Office
of Financial Management State of Washington Risk Management
Division From The Learners Path, Brian Hinken (2007)
Slide 14
Self-test: knower/learner Are you getting what you want? Yes:
non-learning situation No: will you do something about it? No:
Non-Learner Yes: what will you try to change? Someone/something
else Yourself If you said someone/something else - knower If you
said yourself - learner Office of Financial Management State of
Washington Risk Management Division From The Learners Path, Brian
Hinken (2007)
Slide 15
Why create a learning, reflective culture? You only live once,
but if you do it right, once is enough. - Mae West Everyone has a
plan, until they get punched in the face. - Mike Tyson Planning
without action is futile, action without planning is fatal. -
Anonymous SO: with this background, lets talk about what were doing
in Washington. Office of Financial Management State of Washington
Risk Management Division
Slide 16
Washington State Facts Statehood in 1889 Per 2010 census: 13 th
largest state FY09-FY11 Biennial budget: $30.97B Law passed in
1961: No sovereign immunity! Therefore, we have tort liability
exposure. Then, 2001 happened. Office of Financial Management State
of Washington Risk Management Division
Slide 17
2001: tort payouts nearly quadrupled Office of Financial
Management State of Washington Risk Management Division
Slide 18
Statewide Leadership on Risk Management Issues Message was
immediate and compelling Easy to get leadership buy-in The Governor
and Legislature acted: 2001Executive order on risk management
2002-03Legislature wrote laws that expanded loss prevention
programs, moved statewide risk management into the Office of
Financial Management, and added funding 2005Governor Gregoire
declared ERM is a best practice of state government Office of
Financial Management State of Washington Risk Management
Division
Slide 19
Washington State Risk Management Division (RMD) RMD undertakes
two major initiatives: 1. Administer the State Insurance Liability
Fund (self- insurance) 2. Administer the State Loss Prevention
Program RMD is responsible for ERM implementation statewide Office
of Financial Management State of Washington Risk Management
Division
Slide 20
Barriers to Implementing ERM Our mission was daunting: 165
separate state agencies, many with their own risk management
offices Subject matter experts across the board (DOT, DSHS, WSP,
DOC) Staff of 4! Helpful fact: 95% liability from 32 agencies
Office of Financial Management State of Washington Risk Management
Division
Slide 21
Fortunately, we had help Many available resources were
incredibly useful: - Support from the top - Some key people are
learners, not knowers - Existing systems were ERM-compatible POG
Governors Management System GMAP Office of Financial Management
State of Washington Risk Management Division
Slide 22
Priorities of Government (POG) Begun in 2002, state budget
office started a process (POG) that canvasses a cross-section of
citizens to arrive at statewide service priorities POG aids budget
development by providing a portfolio view of government priorities
as determined by our citizens Added benefit: agencies use a uniform
management tool. Office of Financial Management State of Washington
Risk Management Division
Slide 23
Governors Management Tool Office of Financial Management State
of Washington Risk Management Division
Slide 24
Government Management, Performance, and Accountability (GMAP)
Requires agencies to create performance measures around priorities
of government established through the POG process Governor meets
each month with Agency Directors in GMAP forums to candidly
evaluate the results that agencies are delivering These discussions
address what is working, what is not, and how to improve results In
this context, we came up with a plan Office of Financial Management
State of Washington Risk Management Division
Slide 25
Our plan: first steps 1. Trained ourselves (RIMS, internet
research) 2. Reviewed what others were doing (UC system, BC
government) 3. Happy discovery: the Washington State Investment
Board was already using COSO-ERM! 4. But: COSO, or... ? Office of
Financial Management State of Washington Risk Management
Division
Slide 26
Next steps 5. Which model? 6. Appeared that no state in the US
was using ERM 7.Looked abroad the AS/NZ 4360:2004 standard was
everywhere 8. Found a training program one that had already trained
hundreds of government personnel (in Canada...) in AS/NZ Office of
Financial Management State of Washington Risk Management
Division
Slide 27
How we met the challenge Purchased ERM training for agency
executives Developed in-house a prototype of a flexible 7-Step ERM
method designed to work for agencies regardless of their business
functions Saved >$500k Pilot Training Program - State Parks -
Special Commitment Center - Health & Recovery Services Office
of Financial Management State of Washington Risk Management
Division
Slide 28
Then things got rolling We formalized our training program and
rolled it out statewide (32 agencies first) We created a Maturity
Model for agencies to use GMAP began to monitor agency
implementation of ERM We used our performance measures to create
dashboards of our activities. Example: Logic Model Office of
Financial Management State of Washington Risk Management
Division
Slide 29
Then things got rolling We formalized our training program and
rolled it out statewide. We formalized our training program and
rolled it out statewide. We created a Maturity Model for agencies
to use. We created a Maturity Model for agencies to use. GMAP began
to monitor agency implementation of ERM. ERM became a budget
reporting item We used our performance measures to create
dashboards of our activities. Example: Logic Model Office of
Financial Management State of Washington Risk Management
Division
Slide 30
Then things got rolling We formalized our training program and
rolled it out statewide. We formalized our training program and
rolled it out statewide. We created a Maturity Model for agencies
to use. We created a Maturity Model for agencies to use. GMAP began
to monitor agency implementation of ERM. GMAP began to monitor
agency implementation of ERM. ERM became a budget reporting item We
used our work flow to create performance measures. Example: Logic
Model Office of Financial Management State of Washington Risk
Management Division
Slide 31
Then things got rolling We formalized our training program and
rolled it out statewide. We formalized our training program and
rolled it out statewide. We created a Maturity Model for agencies
to use. We created a Maturity Model for agencies to use. GMAP began
to monitor agency implementation of ERM. GMAP began to monitor
agency implementation of ERM. ERM became a budget reporting item
ERM became a budget reporting item We used our work flow to create
performance measures. Example: Logic Model Office of Financial
Management State of Washington Risk Management Division
Slide 32
Intermediate OutcomeUltimate Outcome... so that... GOAL:
Improve health and safety for all citizens... so that... Resources
are efficiently used to further program goals PERFORMANCE MEASURES:
Risk analysis integrated into agencies strategic and budget
planning Risk register integrated into agency operations We reduce
deaths, serious injuries and other substantial loss statewide
PERFORMANCE MEASURES: % decrease in claims and lawsuits % decrease
in reported incidents Ultimate Intent Degree of Control and
Influence Output ACTIVITY: We implement Enterprise Risk Management
(ERM) in state agencies PERFORMANCE MEASURE: Increased Maturity
Model Scores in Target Agencies Immediate Outcome Agencies can
identify, evaluate and mitigate risks by concentrating scarce
resources in the areas of most need to reduce losses PERFORMANCE
MEASURE: % of agencies that have fully implemented risk analysis
and mitigation practices OBJECTIVE: Implement effective enterprise
risk management practices Enterprise Risk Management Logic Model
Office of Financial Management State of Washington Risk Management
Division
Slide 33
Ongoing assessment of ERM implementation Agencies complete the
maturity model every fall Agencies provide ERM & Safety Updates
every Spring We publish ERM best practice reports Benefit of
program: actuary estimates a 17% reduction of outstanding liability
for FY09-FY11 Office of Financial Management State of Washington
Risk Management Division
Slide 34
It also helps to get lucky 2009: ISO 31000 promulgated 2011:
ANSI adopts ISO 31000 as the American standard for risk management
BUT ISO 31000 is nearly identical to AU/NZ 4360:2004 SO: Washington
risk management practices are fully consistent with ISO 31000!
Office of Financial Management State of Washington Risk Management
Division
Slide 35
The Washington ERM Tool Well review certain key elements:
Definition of risk/opportunity Steps of the ERM process Specific
examples of how the tool has been used in Washington (HIPAA/HITECH,
ARRA) Office of Financial Management State of Washington Risk
Management Division
Slide 36
The Washington ERM Tool Risk: anything that can interrupt the
achievement of your goal on time. Opportunity: the flip side of
risk anything that results in over-achievement of your goal Office
of Financial Management State of Washington Risk Management
Division Definitions of Risk and Opportunity:
Slide 37
The Washington ERM Tool Seven Steps of ERM (ISO 31000) 1.Define
your goal(s) 2.Identify risks/opportunities 3.Analyze
risks/opportunities 4.Prioritize risks/opportunities 5.Respond to
risks/opportunities 6.Make a risk/opportunity register
7.Monitor/communicate results Office of Financial Management State
of Washington Risk Management Division
Slide 38
Our register template Office of Financial Management State of
Washington Risk Management Division GOAL: Priority Risk/
Opportunity (Briefly describe) Root Cause(s) Risk/Opportunity
Response (Check type and briefly describe) How will we know the
risk or opportunity was successfully handled? (What are the
measures?) Response Review Date Person Responsible Exploit Avoid
Accept & Monitor Change frequency Change impact Transfer
Exploit Avoid Accept & Monitor Change frequency Change impact
Transfer
Slide 39
ERM in action Well be reviewing two examples of how we used ERM
recently: HIPAA/HITECH (w/State Attorney Generals Office) ARRA (the
American Recovery and Reinvestment Act) Office of Financial
Management State of Washington Risk Management Division
Slide 40
Seven steps in practice goal definition HIPAA/HITECH 1.
Requires agencies that obtain medical information about individuals
to preserve the security of the data 2. Severe penalties where
there is failure in security 3. Requires periodic risk assessments
of security system 4. Rules about training, procedures in response
to a breach, documenting security processes, etc. What would be a
meaningful goal statement? Office of Financial Management State of
Washington Risk Management Division
Slide 41
Example: goal statement Office of Financial Management State of
Washington Risk Management Division
Slide 42
HIPAA/HITECH risk analysis Risk identification driven by goal
statement 41 sub-goals described 288 risks identified All risks
identified in two 3-hour work sessions Eight priority risks
established Heres how it looks in the register: Office of Financial
Management State of Washington Risk Management Division ERM Steps
Goal definition Risk id Risk analysis Risk prioritization Risk
response Risk register Communicate results
Slide 43
Example: priority risk and root cause Office of Financial
Management State of Washington Risk Management Division
Slide 44
HIPAA/HITECH risk response A combination of risk acceptance,
likelihood reduction, and impact reduction strategies. Arguably,
one of the best most cost-effective strategies is to stop using
unencrypted data devices. Most interesting innovation: business
rules requiring all associate agencies/companies to provide data in
encrypted formats. Unencrypted data is no longer accepted by the
agency. If not treated Cignet Health, $4.3 million penalty Office
of Financial Management State of Washington Risk Management
Division
Slide 45
Example: completed register Office of Financial Management
State of Washington Risk Management Division
Slide 46
Communicate results Report to agency executive committee and
stakeholders Demonstrate value our agency received xx million HIPAA
records in the past 6 months; zero improper disclosures we avoided
millions in penalties and loss of reputation. Office of Financial
Management State of Washington Risk Management Division
Slide 47
Creating value with ERM Risk registers create value statements
Improved internal communication about risk Anyone believe Lehman
excelled here? Efficiency Choose the right risk treatment, at the
right time, in the most cost effective way Registers help track the
value of opportunities harvested through the ERM process Office of
Financial Management State of Washington Risk Management
Division
Slide 48
Seven steps in practice - ARRA The American Recovery and
Reinvestment Act 1. Brought over $8B to Washington State 2.
Requires agencies to account for all funds granted 3. Agencies must
account for all funds used by grantees 4. Severe penalties where
there is failure in security 5. Requires use of ERM What would be a
meaningful goal statement? Office of Financial Management State of
Washington Risk Management Division
Slide 49
Example: goal statement Office of Financial Management State of
Washington Risk Management Division Another way to express a goal
statement is through using a logic model.
Slide 50
Office of Financial Management State of Washington Risk
Management Division Intermediate OutcomeUltimate Outcome... so
that... Logic Model for ERM and the Recovery Act GOAL: Use ERM to
analyze each of the national and state goals for the Act... so
that... Resources are used efficiently to effectively implement the
Recovery Act PERFORMANCE MEASURES: % of funds used by state
agencies to administer the Recovery Act Agencies achieve the goals
of the Recovery Act: create and save jobs, jumpstart our economy
and promote economic recovery and growth PERFORMANCE MEASURES: # of
jobs created % increase in state revenue Ultimate Intent Degree of
Control and Influence Output ACTIVITY: We use ERM in state agencies
to identify, evaluate, and plan how to mitigate risks associated
with the Recovery Act PERFORMANCE MEASURE: % of agencies that have
identified and analyzed Recovery Act-related priority risks
Immediate Outcome Agencies create risk registers that include their
risk mitigation plans, procedures and controls of priority Recovery
Act risks PERFORMANCE MEASURES: % of risk mitigation plans that are
successful OBJECTIVE: Superb stewardship of all Federal funds
received by the State of Washington
Slide 51
Sample ARRA risk register Office of Financial Management State
of Washington Risk Management Division Goal #1: The agency will
implement this program timely and accurately through June 30, 2013.
Risk (Briefly describe) Risk Mitigation (Check type and briefly
describe) How will we know when we succeed? (What are the
measures?) Target Date Person Responsible Current Status of the
Mitigation Effort 1. Sub-recipients and vendors may lack the needed
sense of urgency regarding the timely completion of all aspects of
an ARRA funded project because of past dealings with the agency
(i.e. contract extensions) that are not available under the ARRA
rules. Likelihood: Medium Severity: High ReduceAgency staff will
monitor ARRA funds and ensure compliance with contractual
deadlines. Agency staff will communicate with ARRA fund recipients
the need to comply with contractual timelines and hold the sub-
recipients to those timelines. ARRA program recipients are met by
sub-recipients through Agency contracting processes. QuarterlySue
SmithOn target
Slide 52
Some lessons learned Support from top management is essential
Each iteration produced stronger results Essential to have clarity
around who the risk owner is its not the Risk Management Dept.
Start where you are, use what youve got, do what you can, measure
results Office of Financial Management State of Washington Risk
Management Division
Slide 53
Also: ERM is an iterative process no such thing as graduating
and definitely not a box-check exercise To be truly successful,
risk management must become embedded in your organization, with
ownership and implementation at every level This is only possible
in a learning organization Office of Financial Management State of
Washington Risk Management Division
Slide 54
For your consideration: Joe from operations comes to you for
help because hes recently heard you attended the state risk summit
and learned about ERM His boss Cindy wants him to solve their
budget issue by reducing the costs of their earthquake preparedness
measures at work Using ERM, how would you advise Joe? Office of
Financial Management State of Washington Risk Management Division
ERM Steps Goal definition Risk id Risk analysis Risk prioritization
Risk response Risk register Communicate results
Slide 55
Some reflections No such thing as the right standard The
correct ERM approach is the one that fits the complexity, culture,
and yes, risk appetite of your organization Risk appetite, risk
tolerance, risk aversion the long road trip to Disneyland Office of
Financial Management State of Washington Risk Management
Division
Slide 56
Where is ERM headed? State risk register Bond issues (pun
intended) Strategy, strategy, strategy Office of Financial
Management State of Washington Risk Management Division
Slide 57
Just in case youre not convinced Brand-new study of Washingtons
risk management practices Brand-new audit of Washingtons risk
management practices The auditors used ERM principles to determine
the quality of risk management practices. This practice is becoming
more widespread (IIA, AICPA) Office of Financial Management State
of Washington Risk Management Division
Slide 58
Impact of statewide enterprise risk management Office of
Financial Management State of Washington Risk Management
Division
Slide 59
What we covered today Learned about ERM Learned how Washington
undertook ERM implementation Heard about some best practices and
lessons learned. Thank you for participating! Drew Zavatsky Loss
Prevention Program Coordinator Risk Management Division, Office of
Financial Management 210 11 th Avenue SW Olympia, WA 98504 (360)
902-9813 [email protected] Office of Financial Management
State of Washington Risk Management Division
Slide 60
ODOT Enterprise Risk Management (ERM) The Journey Begins
Slide 61
cc marfis75 flickr
Slide 62
cc Alaskan Dude flickr
Slide 63
Erica_Marshall flickr
Slide 64
Getting Started Presented ERM process to Executive staff in
November 2010. ODOT Internal Audits supported Executive staff in
the process. Used four basic steps of risk mapping: Identify the
risk Assess the risk Rate the risk Manage the risk
Slide 65
Common Categories of Risk External Operational Financial People
Regulatory Governance
Slide 66
Blank Template
Slide 67
What keeps you up at night? Brainstorm at the Executive Staff
level. List vetted and refined at the division and unit level.
Slide 68
Support Services Branch Matrix
Slide 69
Central Services Division Matrix
Slide 70
ODOT Matrix
Slide 71
Prioritizing Risk Manage top 3 at Executive level. Manage
others at a division specific level. Identify risks to consider in
the internal audit plan.
Slide 72
Work plan Template
Slide 73
Funding Pace of expenditures compared to revenue Funding
direction from Governor and legislature to shift a significant
amount of funding to OWIN, OSP, CRC etc Organizational funding,
ability to achieve and implement business goals and functions etc
The economy, budget cuts and insufficient amount of permanent full
time resources leads to delays and inability to deliver to the
customer
Slide 74
Succession Planning Succession planning and business continuity
Diminishing levels of institutional knowledge: salary and benefit
cuts, PERS changes, workforce trends etc Documenting procedures and
knowledge base for key positions High rate of retirements
Slide 75
State Data Center Disaster recovery planning and maintaining
high availability of the critical systems in the event of a
disaster Loss of data network Lack of data recovery SDC services do
not always meet SLAs/ODOTs needs and expectations
Slide 76
More Info Clyde Saiki, Deputy Director Central Services
Division [email protected] 503-986-4399 Marlene
Hartinger, Chief Auditor Audit Services Branch
[email protected] 503-986-4177
Slide 77
Kathy Ortega Chief Financial Officer, Lottery 77
Slide 78
The Lottery ERM Story 78
Slide 79
Kris Kautz Deputy Director, DAS 79
Slide 80
ERM at DAS 80
Slide 81
Questions? 81
Slide 82
Theresa A. Masse State Chief Information Security Officer
82
Slide 83
Enterprise Risk Management Agency Self Assessment Survey
Information Security June 23, 2011
Slide 84
Background Statewide Information Security Plan requires
agencies to conduct an annual risk assessment Provide a tool for
standard, consistent responses that can be aggregated Identify
general areas of concern Business driven 84
Slide 85
Implementation Identify a coordinator/facilitator Involve
cross-functional staff Enhance communication across the
organization Results inform agency leadership of greatest risk to
make strategic business decisions Use supplemental spreadsheet to
document internal discussions 85
Slide 86
Agency Workshops Whats the value: ask questions discuss issues
or concerns Who should attend: Business representatives IT
Representatives 86
Slide 87
Agency Workshops Three (3) identical workshops: Salem: June 28,
2011 1:30-3:30pm Revenue Building Fishbowl Portland: June 30, 2011
9:30-11:30am Portland State Office Bldg. - Room 1C Please register
for a workshop using iLearn June 29, 2011 9:30-11:30am Revenue
Building - Fishbowl 87
Slide 88
Survey Tool Main Survey Categories: Organization
Characteristics Risk Management People Technology Links are
inserted to definitions and examples 88
Slide 89
Survey Tool 89
Slide 90
Survey Tool Processes: Technology Policy Development and
Enforcement Governance Information Security Policy and Procedures
Physical Security Program Administration 90
Slide 91
Survey Tool 91
Slide 92
Confidentiality/Protection of Survey Results Agencies have
noted concerns about public records requests DOJ identified two
exemptions that conditionally protect agency responses to this
survey from disclosure. 1. Public Records Law does recognize a
valid public interest in encouraging frank communication between
agencies 92
Slide 93
Protecting Agency Results The protection from disclosure here
does not apply to any purely factual material contained within an
agency response, which could be redacted from responses, if such a
redacted response remains of interest to the requestor of the
information. 93
Slide 94
Protecting Agency Results 2. Public Records Law protects
information from disclosure that identifies "security measures, or
weaknesses or potential weaknesses in security measures, taken or
recommended to be taken to protect" state computer systems. 94
Slide 95
Protecting Agency Results The more obvious the security risk
that would be posed by disclosure the more likely an agency will be
able to successfully assert this exemption, subject to the public
interest balancing. 95
Slide 96
Protecting Agency Results Based on DOJ guidance: 17 questions
have been identified as non- exempt These questions are noted in
bold and underlined 96
Slide 97
Agency Results Each agency director will receive: A report
including: individual agency results with a related risk score
statewide aggregate results comparison Formats: Graphics Data only
97
Slide 98
Maturity Model 98
Slide 99
Results - Sample Graphic 99
Slide 100
Results Sample Data 100
Slide 101
Results Agency Management Use results to determine
appropriate/desired maturity level (goal) based on agency risk
Develop an ERM plan analysis of gaps of current state and to-be
state and prioritization of objectives 101
Slide 102
Results DAS Enterprise Security Office Identify Common Gaps
Evaluate Guidance & Training Opportunities DAS Risk Management
Assess the potential purchase of supplemental cyber security
insurance 102
Slide 103
Jen Coney Manager - DAS Risk Management 103
Slide 104
Risk Considerations In the US Average $6.75M per data loss
incident $204 per compromised record 104
Slide 105
Supplemental Insurance Significant information breach would
have a major impact on the state Require feedback from agencies on
the states information security posture State will assess cost to
purchase supplemental insurance 105
Slide 106
Survey Wrap-Up Copy of the survey spreadsheet is available on
the registration tables Presentations will be posted on the ERM
website URL on the bottom of the agenda Submit only one survey per
agency deadline July 29th Survey will be: distributed within a week
sent directly and only to agency heads 106
Slide 107
Contact Information Pamela J. Stroebel Valencia, Chief Audit
Executive [email protected] (503) 378-4037 Theresa A.
Masse, State Chief Information Security Officer
[email protected] 503-378-4896 Jen Coney, Risk Management
Manager [email protected] 503-373-1585 Enterprise Risk
Management web site
http://www.oregon.gov/DAS/ERM/http://www.oregon.gov/DAS/ERM/ Risk
Assessment Resources
http://www.oregon.gov/DAS/ERM/self_assessment_resources.shtml
http://www.oregon.gov/DAS/ERM/self_assessment_resources.shtml
107