Enterprise Risk Management Building Reflective Practices June 23, 2011

  • Slide 1
  • Enterprise Risk Management Building Reflective Practices June 23, 2011
  • Slide 2
  • Michael Jordan, Chief Operating Officer, Director, DAS
  • Slide 3
  • Pamela J. Stroebel-Valencia, Chief Audit Executive, DAS
  • Slide 4
  • Agency Risk Self-Assessment. Three Value-Added Objectives: an opportunity to have an internal conversation about Enterprise Risk Management; provides a baseline for Cyber Security insurance needs; meet statewide policy requirements for an Information Security risk-assessment
  • Slide 5
  • Enterprise Risk Management. For the State of Oregon, defined as: A systematic approach throughout all functional levels of an organization to continually identify, evaluate and effectively manage real or perceived barriers to the achievement of the organization's mission (purpose) and strategic goals (objectives).
  • Slide 6
  • ERM Roles & Responsibilities: Governing or Advisory Board/Commission; Management; Internal Audit/Audit Committee; Business Function Experts: Risk Management Coordinators, Information Security Officers; All Employees
  • Slide 7
  • ERM Benefits: Provide a simple, uniform methodology that is applicable in all environments; enhance accountability and communication; continuously eliminate unnecessary controls and add needed controls; reduce response time for emerging risks; focus efforts on important issues and concerns
  • Slide 8
  • Drew Zavatsky, Risk Management Division, Washington State
  • Slide 9
  • Enterprise Risk Management in Washington State: Building Reflective Practices
  • Slide 10
  • Introductions. Goals for this session: ERM is not insurance; learn how we started using ERM in Washington; learn some ERM best practices; learn from our missteps. SO: to get where you want to go, know where you've been. Office of Financial Management, State of Washington, Risk Management Division
  • Slide 11
  • History of Public Risk Management: growth from reactive to strategic practice. [Timeline figure, 1978 / 1988 / 1998 / 2008: Insurance Procurement Insurance Policy Admin. Risk Financing Loss Control Organizational RM Focus Claims Mgmt. Regulatory Compliance Public Safety RM Employee Benefits Risk Finance Cost Allocation Loss Control Contractual Risk Transfer Claims/Litigation Management Outcome Orientation and Benchmarking Integrated Disability Mgmt. Chief Risk Officer Enterprise RM Consultancy Risk Financing Multi-Jurisdictional Integration Loss Control Claims/Litigation Mgmt. Cost Allocation Bus./Govt. Partnerships] Key change: culture shift from knowing to learning
  • Slide 12
  • Knowers and learners. Knower: someone who can't admit they don't know something for fear that doing so will make them look bad. Knowers often pretend to know things that they don't (know-it-alls), and are unwilling to be influenced. Learner: someone who admits they could be wrong or uncertain. Learners are willing to be influenced. From The Learner's Path, Brian Hinken (2007)
  • Slide 13
  • Typical tendencies: Reacting --- Creating; Compliance --- Commitment; My part --- The whole; Protection --- Reflection; Debate --- Mutual Learning. These tendencies apply to both behaviors and learning styles. Key question: which culture creates value? From The Learner's Path, Brian Hinken (2007)
  • Slide 14
  • Self-test: knower/learner. Are you getting what you want? Yes: non-learning situation. No: will you do something about it? No: Non-Learner. Yes: what will you try to change? Someone/something else / Yourself. If you said someone/something else: knower. If you said yourself: learner. From The Learner's Path, Brian Hinken (2007)
  • Slide 15
  • Why create a learning, reflective culture? "You only live once, but if you do it right, once is enough." - Mae West. "Everyone has a plan, until they get punched in the face." - Mike Tyson. "Planning without action is futile, action without planning is fatal." - Anonymous. SO: with this background, let's talk about what we're doing in Washington.
  • Slide 16
  • Washington State Facts: Statehood in 1889. Per 2010 census: 13th largest state. FY09-FY11 Biennial budget: $30.97B. Law passed in 1961: No sovereign immunity! Therefore, we have tort liability exposure. Then, 2001 happened.
  • Slide 17
  • 2001: tort payouts nearly quadrupled
  • Slide 18
  • Statewide Leadership on Risk Management Issues: Message was immediate and compelling. Easy to get leadership buy-in. The Governor and Legislature acted: 2001: Executive order on risk management. 2002-03: Legislature wrote laws that expanded loss prevention programs, moved statewide risk management into the Office of Financial Management, and added funding. 2005: Governor Gregoire declared ERM is a best practice of state government.
  • Slide 19
  • Washington State Risk Management Division (RMD). RMD undertakes two major initiatives: 1. Administer the State Insurance Liability Fund (self-insurance) 2. Administer the State Loss Prevention Program. RMD is responsible for ERM implementation statewide.
  • Slide 20
  • Barriers to Implementing ERM. Our mission was daunting: 165 separate state agencies, many with their own risk management offices; subject matter experts across the board (DOT, DSHS, WSP, DOC); staff of 4! Helpful fact: 95% liability from 32 agencies.
  • Slide 21
  • Fortunately, we had help. Many available resources were incredibly useful: - Support from the top - Some key people are learners, not knowers - Existing systems were ERM-compatible: POG, Governor's Management System, GMAP
  • Slide 22
  • Priorities of Government (POG): Begun in 2002, state budget office started a process (POG) that canvasses a cross-section of citizens to arrive at statewide service priorities. POG aids budget development by providing a portfolio view of government priorities as determined by our citizens. Added benefit: agencies use a uniform management tool.
  • Slide 23
  • Governor's Management Tool
  • Slide 24
  • Government Management, Performance, and Accountability (GMAP): Requires agencies to create performance measures around priorities of government established through the POG process. Governor meets each month with Agency Directors in GMAP forums to candidly evaluate the results that agencies are delivering. These discussions address what is working, what is not, and how to improve results. In this context, we came up with a plan.
  • Slide 25
  • Our plan: first steps 1. Trained ourselves (RIMS, internet research) 2. Reviewed what others were doing (UC system, BC government) 3. Happy discovery: the Washington State Investment Board was already using COSO-ERM! 4. But: COSO, or... ?
  • Slide 26
  • Next steps 5. Which model? 6. Appeared that no state in the US was using ERM 7. Looked abroad: the AS/NZ 4360:2004 standard was everywhere 8. Found a training program: one that had already trained hundreds of government personnel (in Canada...) in AS/NZ
  • Slide 27
  • How we met the challenge: Purchased ERM training for agency executives. Developed in-house a prototype of a flexible 7-Step ERM method designed to work for agencies regardless of their business functions. Saved >$500k. Pilot Training Program: - State Parks - Special Commitment Center - Health & Recovery Services
  • Slide 28
  • Then things got rolling: We formalized our training program and rolled it out statewide (32 agencies first). We created a Maturity Model for agencies to use. GMAP began to monitor agency implementation of ERM. We used our performance measures to create dashboards of our activities. Example: Logic Model
  • Slide 29
  • Then things got rolling: We formalized our training program and rolled it out statewide. We created a Maturity Model for agencies to use. GMAP began to monitor agency implementation of ERM. ERM became a budget reporting item. We used our performance measures to create dashboards of our activities. Example: Logic Model
  • Slide 30
  • Then things got rolling: We formalized our training program and rolled it out statewide. We created a Maturity Model for agencies to use. GMAP began to monitor agency implementation of ERM. ERM became a budget reporting item. We used our work flow to create performance measures. Example: Logic Model
  • Slide 31
  • Then things got rolling: We formalized our training program and rolled it out statewide. We created a Maturity Model for agencies to use. GMAP began to monitor agency implementation of ERM. ERM became a budget reporting item. We used our work flow to create performance measures. Example: Logic Model
  • Slide 32
  • Enterprise Risk Management Logic Model. OBJECTIVE: Implement effective enterprise risk management practices. GOAL: Improve health and safety for all citizens. Output: ACTIVITY: We implement Enterprise Risk Management (ERM) in state agencies. PERFORMANCE MEASURE: Increased Maturity Model Scores in Target Agencies. Immediate Outcome: Agencies can identify, evaluate and mitigate risks by concentrating scarce resources in the areas of most need to reduce losses. PERFORMANCE MEASURE: % of agencies that have fully implemented risk analysis and mitigation practices. Intermediate Outcome: Resources are efficiently used to further program goals. PERFORMANCE MEASURES: Risk analysis integrated into agencies' strategic and budget planning; Risk register integrated into agency operations. Ultimate Outcome: We reduce deaths, serious injuries and other substantial loss statewide. PERFORMANCE MEASURES: % decrease in claims and lawsuits; % decrease in reported incidents. Stages are linked by "... so that ..."; axis labels: Ultimate Intent, Degree of Control and Influence.
  • Slide 33
  • Ongoing assessment of ERM implementation: Agencies complete the maturity model every fall. Agencies provide ERM & Safety Updates every Spring. We publish ERM best practice reports. Benefit of program: actuary estimates a 17% reduction of outstanding liability for FY09-FY11.
  • Slide 34
  • It also helps to get lucky. 2009: ISO 31000 promulgated. 2011: ANSI adopts ISO 31000 as the American standard for risk management. BUT: ISO 31000 is nearly identical to AU/NZ 4360:2004. SO: Washington risk management practices are fully consistent with ISO 31000!
  • Slide 35
  • The Washington ERM Tool. We'll review certain key elements: Definition of risk/opportunity; Steps of the ERM process; Specific examples of how the tool has been used in Washington (HIPAA/HITECH, ARRA)
  • Slide 36
  • The Washington ERM Tool. Definitions of Risk and Opportunity: Risk: anything that can interrupt the achievement of your goal on time. Opportunity: the flip side of risk, anything that results in over-achievement of your goal.
  • Slide 37
  • The Washington ERM Tool. Seven Steps of ERM (ISO 31000): 1. Define your goal(s) 2. Identify risks/opportunities 3. Analyze risks/opportunities 4. Prioritize risks/opportunities 5. Respond to risks/opportunities 6. Make a risk/opportunity register 7. Monitor/communicate results
  • Slide 38
  • Our register template. GOAL: (blank). Columns: Priority; Risk/Opportunity (Briefly describe); Root Cause(s); Risk/Opportunity Response (Check type and briefly describe); How will we know the risk or opportunity was successfully handled? (What are the measures?); Response Review Date; Person Responsible. Response types offered in each row: Exploit, Avoid, Accept & Monitor, Change frequency, Change impact, Transfer.
  • Slide 39
  • ERM in action. We'll be reviewing two examples of how we used ERM recently: HIPAA/HITECH (w/State Attorney General's Office); ARRA (the American Recovery and Reinvestment Act)
  • Slide 40
  • Seven steps in practice: goal definition. HIPAA/HITECH: 1. Requires agencies that obtain medical information about individuals to preserve the security of the data 2. Severe penalties where there is failure in security 3. Requires periodic risk assessments of security system 4. Rules about training, procedures in response to a breach, documenting security processes, etc. What would be a meaningful goal statement?
  • Slide 41
  • Example: goal statement
  • Slide 42
  • HIPAA/HITECH risk analysis: Risk identification driven by goal statement. 41 sub-goals described. 288 risks identified. All risks identified in two 3-hour work sessions. Eight priority risks established. Here's how it looks in the register. ERM Steps: Goal definition, Risk id, Risk analysis, Risk prioritization, Risk response, Risk register, Communicate results
  • Slide 43
  • Example: priority risk and root cause
  • Slide 44
  • HIPAA/HITECH risk response: A combination of risk acceptance, likelihood reduction, and impact reduction strategies. Arguably, one of the best, most cost-effective strategies is to stop using unencrypted data devices. Most interesting innovation: business rules requiring all associate agencies/companies to provide data in encrypted formats. Unencrypted data is no longer accepted by the agency. If not treated: Cignet Health, $4.3 million penalty
  • Slide 45
  • Example: completed register
  • Slide 46
  • Communicate results: Report to agency executive committee and stakeholders. Demonstrate value: "our agency received xx million HIPAA records in the past 6 months; zero improper disclosures; we avoided millions in penalties and loss of reputation."
  • Slide 47
  • Creating value with ERM: Risk registers create value statements. Improved internal communication about risk (Anyone believe Lehman excelled here?). Efficiency: choose the right risk treatment, at the right time, in the most cost effective way. Registers help track the value of opportunities harvested through the ERM process.
  • Slide 48
  • Seven steps in practice - ARRA. The American Recovery and Reinvestment Act: 1. Brought over $8B to Washington State 2. Requires agencies to account for all funds granted 3. Agencies must account for all funds used by grantees 4. Severe penalties where there is failure in security 5. Requires use of ERM. What would be a meaningful goal statement?
  • Slide 49
  • Example: goal statement. Another way to express a goal statement is through using a logic model.
  • Slide 50
  • Logic Model for ERM and the Recovery Act. OBJECTIVE: Superb stewardship of all Federal funds received by the State of Washington. GOAL: Use ERM to analyze each of the national and state goals for the Act. Output: ACTIVITY: We use ERM in state agencies to identify, evaluate, and plan how to mitigate risks associated with the Recovery Act. PERFORMANCE MEASURE: % of agencies that have identified and analyzed Recovery Act-related priority risks. Immediate Outcome: Agencies create risk registers that include their risk mitigation plans, procedures and controls of priority Recovery Act risks. PERFORMANCE MEASURES: % of risk mitigation plans that are successful. Intermediate Outcome: Resources are used efficiently to effectively implement the Recovery Act. PERFORMANCE MEASURES: % of funds used by state agencies to administer the Recovery Act. Ultimate Outcome: Agencies achieve the goals of the Recovery Act: create and save jobs, jumpstart our economy and promote economic recovery and growth. PERFORMANCE MEASURES: # of jobs created; % increase in state revenue. Stages are linked by "... so that ..."; axis labels: Ultimate Intent, Degree of Control and Influence.
  • Slide 51
  • Sample ARRA risk register. Goal #1: The agency will implement this program timely and accurately through June 30, 2013. Columns: Risk (Briefly describe); Risk Mitigation (Check type and briefly describe); How will we know when we succeed? (What are the measures?); Target Date; Person Responsible; Current Status of the Mitigation Effort. Row 1: Risk: Sub-recipients and vendors may lack the needed sense of urgency regarding the timely completion of all aspects of an ARRA funded project because of past dealings with the agency (i.e. contract extensions) that are not available under the ARRA rules. Likelihood: Medium. Severity: High. Risk Mitigation: Reduce. Agency staff will monitor ARRA funds and ensure compliance with contractual deadlines. Agency staff will communicate with ARRA fund recipients the need to comply with contractual timelines and hold the sub-recipients to those timelines. Measures: ARRA program recipients are met by sub-recipients through Agency contracting processes. Target Date: Quarterly. Person Responsible: Sue Smith. Current Status: On target.
  • Slide 52
  • Some lessons learned: Support from top management is essential. Each iteration produced stronger results. Essential to have clarity around who the risk owner is: it's not the Risk Management Dept. Start where you are, use what you've got, do what you can, measure results.
  • Slide 53
  • Also: ERM is an iterative process: no such thing as graduating, and definitely not a box-check exercise. To be truly successful, risk management must become embedded in your organization, with ownership and implementation at every level. This is only possible in a learning organization.
  • Slide 54
  • For your consideration: Joe from operations comes to you for help because he's recently heard you attended the state risk summit and learned about ERM. His boss Cindy wants him to solve their budget issue by reducing the costs of their earthquake preparedness measures at work. Using ERM, how would you advise Joe? ERM Steps: Goal definition, Risk id, Risk analysis, Risk prioritization, Risk response, Risk register, Communicate results
  • Slide 55
  • Some reflections: No such thing as the right standard. The correct ERM approach is the one that fits the complexity, culture, and yes, risk appetite of your organization. Risk appetite, risk tolerance, risk aversion: the long road trip to Disneyland.
  • Slide 56
  • Where is ERM headed? State risk register; Bond issues (pun intended); Strategy, strategy, strategy
  • Slide 57
  • Just in case you're not convinced: Brand-new study of Washington's risk management practices. Brand-new audit of Washington's risk management practices. The auditors used ERM principles to determine the quality of risk management practices. This practice is becoming more widespread (IIA, AICPA).
  • Slide 58
  • Impact of statewide enterprise risk management
  • Slide 59
  • What we covered today: Learned about ERM. Learned how Washington undertook ERM implementation. Heard about some best practices and lessons learned. Thank you for participating! Drew Zavatsky, Loss Prevention Program Coordinator, Risk Management Division, Office of Financial Management, 210 11th Avenue SW, Olympia, WA 98504, (360) 902-9813, [email protected]
  • Slide 60
  • ODOT Enterprise Risk Management (ERM): The Journey Begins
  • Slide 61
  • cc marfis75 flickr
  • Slide 62
  • cc Alaskan Dude flickr
  • Slide 63
  • Erica_Marshall flickr
  • Slide 64
  • Getting Started: Presented ERM process to Executive staff in November 2010. ODOT Internal Audits supported Executive staff in the process. Used four basic steps of risk mapping: Identify the risk; Assess the risk; Rate the risk; Manage the risk
  • Slide 65
  • Common Categories of Risk: External, Operational, Financial, People, Regulatory, Governance
  • Slide 66
  • Blank Template
  • Slide 67
  • What keeps you up at night? Brainstorm at the Executive Staff level. List vetted and refined at the division and unit level.
  • Slide 68
  • Support Services Branch Matrix
  • Slide 69
  • Central Services Division Matrix
  • Slide 70
  • ODOT Matrix
  • Slide 71
  • Prioritizing Risk: Manage top 3 at Executive level. Manage others at a division specific level. Identify risks to consider in the internal audit plan.
  • Slide 72
  • Work plan Template
  • Slide 73
  • Funding: Pace of expenditures compared to revenue. Funding direction from Governor and legislature to shift a significant amount of funding to OWIN, OSP, CRC etc. Organizational funding, ability to achieve and implement business goals and functions etc. The economy, budget cuts and insufficient amount of permanent full time resources leads to delays and inability to deliver to the customer
  • Slide 74
  • Succession Planning: Succession planning and business continuity. Diminishing levels of institutional knowledge: salary and benefit cuts, PERS changes, workforce trends etc. Documenting procedures and knowledge base for key positions. High rate of retirements
  • Slide 75
  • State Data Center: Disaster recovery planning and maintaining high availability of the critical systems in the event of a disaster. Loss of data network. Lack of data recovery. SDC services do not always meet SLAs/ODOT's needs and expectations
  • Slide 76
  • More Info: Clyde Saiki, Deputy Director, Central Services Division, [email protected], 503-986-4399; Marlene Hartinger, Chief Auditor, Audit Services Branch, [email protected], 503-986-4177
  • Slide 77
  • Kathy Ortega, Chief Financial Officer, Lottery
  • Slide 78
  • The Lottery ERM Story
  • Slide 79
  • Kris Kautz, Deputy Director, DAS
  • Slide 80
  • ERM at DAS
  • Slide 81
  • Questions?
  • Slide 82
  • Theresa A. Masse, State Chief Information Security Officer
  • Slide 83
  • Enterprise Risk Management Agency Self Assessment Survey Information Security June 23, 2011
  • Slide 84
  • Background: Statewide Information Security Plan requires agencies to conduct an annual risk assessment. Provide a tool for standard, consistent responses that can be aggregated. Identify general areas of concern. Business driven.
  • Slide 85
  • Implementation: Identify a coordinator/facilitator. Involve cross-functional staff. Enhance communication across the organization. Results inform agency leadership of greatest risk to make strategic business decisions. Use supplemental spreadsheet to document internal discussions.
  • Slide 86
  • Agency Workshops. What's the value: ask questions; discuss issues or concerns. Who should attend: Business representatives; IT Representatives
  • Slide 87
  • Agency Workshops. Three (3) identical workshops: Salem: June 28, 2011, 1:30-3:30pm, Revenue Building Fishbowl. Portland: June 30, 2011, 9:30-11:30am, Portland State Office Bldg. - Room 1C. Please register for a workshop using iLearn. June 29, 2011, 9:30-11:30am, Revenue Building - Fishbowl.
  • Slide 88
  • Survey Tool. Main Survey Categories: Organization Characteristics; Risk Management; People; Technology. Links are inserted to definitions and examples.
  • Slide 89
  • Survey Tool
  • Slide 90
  • Survey Tool. Processes: Technology; Policy Development and Enforcement; Governance; Information Security Policy and Procedures; Physical Security; Program Administration
  • Slide 91
  • Survey Tool
  • Slide 92
  • Confidentiality/Protection of Survey Results: Agencies have noted concerns about public records requests. DOJ identified two exemptions that conditionally protect agency responses to this survey from disclosure. 1. Public Records Law does recognize a valid public interest in encouraging frank communication between agencies
  • Slide 93
  • Protecting Agency Results: The protection from disclosure here does not apply to any purely factual material contained within an agency response, which could be redacted from responses, if such a redacted response remains of interest to the requestor of the information.
  • Slide 94
  • Protecting Agency Results: 2. Public Records Law protects information from disclosure that identifies "security measures, or weaknesses or potential weaknesses in security measures, taken or recommended to be taken to protect" state computer systems.
  • Slide 95
  • Protecting Agency Results: The more obvious the security risk that would be posed by disclosure, the more likely an agency will be able to successfully assert this exemption, subject to the public interest balancing.
  • Slide 96
  • Protecting Agency Results. Based on DOJ guidance: 17 questions have been identified as non-exempt. These questions are noted in bold and underlined.
  • Slide 97
  • Agency Results. Each agency director will receive a report including: individual agency results with a related risk score; statewide aggregate results comparison. Formats: Graphics; Data only
  • Slide 98
  • Maturity Model
  • Slide 99
  • Results - Sample Graphic
  • Slide 100
  • Results - Sample Data
  • Slide 101
  • Results: Agency Management. Use results to determine appropriate/desired maturity level (goal) based on agency risk. Develop an ERM plan: analysis of gaps of current state and to-be state and prioritization of objectives
  • Slide 102
  • Results. DAS Enterprise Security Office: Identify Common Gaps; Evaluate Guidance & Training Opportunities. DAS Risk Management: Assess the potential purchase of supplemental cyber security insurance
  • Slide 103
  • Jen Coney, Manager - DAS Risk Management
  • Slide 104
  • Risk Considerations. In the US: average $6.75M per data loss incident; $204 per compromised record
  • Slide 105
  • Supplemental Insurance: Significant information breach would have a major impact on the state. Require feedback from agencies on the state's information security posture. State will assess cost to purchase supplemental insurance.
  • Slide 106
  • Survey Wrap-Up: Copy of the survey spreadsheet is available on the registration tables. Presentations will be posted on the ERM website (URL on the bottom of the agenda). Submit only one survey per agency; deadline July 29th. Survey will be: distributed within a week; sent directly and only to agency heads
  • Slide 107
  • Contact Information: Pamela J. Stroebel Valencia, Chief Audit Executive, [email protected], (503) 378-4037; Theresa A. Masse, State Chief Information Security Officer, [email protected], 503-378-4896; Jen Coney, Risk Management Manager, [email protected], 503-373-1585. Enterprise Risk Management web site: http://www.oregon.gov/DAS/ERM/ Risk Assessment Resources: http://www.oregon.gov/DAS/ERM/self_assessment_resources.shtml
  • Slide 108
  • Questions?