Enterprise Risk Management (ERM) Framework
Written by: Trevor Bennet Mel Douglas
Appendix I
April 8, 2015 ERM Framework Page 2
Contents
1. Intro to Enterprise Risk Management (ERM) & Framework (p. 3)
2. Enterprise Risk Management Philosophy (p. 3)
3. Enterprise Risk Management Strategy (p. 3)
4. Risk Management Principles (p. 4)
5. ERM Framework: Discussion & Diagram (p. 7)
A. ERM Assessments (p. 8)
B. Council Reporting (p. 9)
C. Levels of Service & Risk (p. 9)
D. Insurance and Liability Risk Management (p. 9)
E. Health & Safety Management (p. 9)
6. Measurement Criteria (p. 10)
7. Risk Appetite & Risk Tolerance (p. 12)
8. Risk Management Process (p. 14)
9. Risk Universe & Definitions (p. 16)
10. Governance Structure (p. 17)
11. Risk Reporting (p. 20)
12. Risk Monitoring (p. 20)
13. Definitions (p. 21)
Appendix A: Measurement Criteria (p. 23)
Appendix B: Risk Universe & Definitions (p. 26)
1. Intro to Enterprise Risk Management (ERM) & Framework
Given the wide range of services delivered by the Corporation from long-term care to park maintenance to major capital construction, it is necessary to find a tool that can compare risk across different services. Enterprise Risk Management (ERM) will give the Corporation the ability to understand and consistently measure its risks, and monitor and communicate them effectively across the organization.
The Enterprise Risk Management framework provides processes and tools to identify and manage risks faced by the Corporation. The framework establishes the structure needed to carry out the Enterprise Risk Management process.
2. Enterprise Risk Management Philosophy
ERM should not be a separate process. ERM should become an integral part of the decision making process.
It is important to assess the risks that will impede the achievement of the Corporation’s strategic goals and service delivery objectives, and to develop strategies to ensure that these goals & objectives can be met.
3. Enterprise Risk Management Strategy
The ERM strategy is to:
• Manage risks within a tolerable level to meet service level expectations.
• Introduce incremental changes to the risk process and build upon existing risk management activities.
• Apply a consistent approach to risk management across the organization.
• Ensure a solid base exists (i.e. critical mass of dept. risk assessments etc.) before full corporate enforcement of policy.
• Balance the cost and control of a risk to ensure the greatest value to the corporation.
4. Risk Management Principles [1]
The following guiding principles are outlined in ISO 31000’s risk management guidelines and are integral to the framework:
a) Risk management creates and protects value
Risk management contributes to the achievement of objectives and performance improvement. Examples include: human health and safety, security, legislative compliance, environmental protection, program/process quality, project management, operational efficiency, governance and reputation.
b) Risk management is part of and supports all organizational processes
Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and supports all organizational processes, including strategic planning, operational and all project and change management processes.
c) Risk management is part of decision making
Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.
d) Risk management addresses uncertainty and potential impacts
Risk management recognizes uncertainty, the nature of that uncertainty, the potential impacts and how they can be addressed.
e) Risk management is consistent
Risk management is consistent and contributes to efficient, comparable and reliable results.
[1] Adapted from AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines
f) Risk management is based on the best available information
Inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgment. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modeling used or the possibility of divergence among experts.
g) Risk management is tailored
Risk management is aligned with the organization's external and internal context and risk profile.
h) Risk management takes human and cultural factors into account
Risk management recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organization's objectives.
i) Risk management is transparent and inclusive
Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organization, ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.
j) Risk management is dynamic, iterative and responsive to change
Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear.
k) Risk management supports continuous improvement
Organizations should develop and implement strategies to improve their risk management process and practices alongside all other aspects of their organization.
5. ERM Framework: Discussion & Diagram
The ERM framework, as outlined in this document, sets out all the necessary components to carry out the enterprise risk activities within the Corporation. It is important to note that this framework is not meant to supersede any of the existing processes but rather allow for a common frame of reference for risk.
This framework outlines:
a) Philosophy, strategy and principles of ERM: These are the underlying values that direct how ERM will be conducted.
b) Tools to implement ERM: The measurement criteria, risk appetite, and risk process are provided to ensure a consistent approach and evaluation throughout all activities associated with risk.
c) Governance structure: A clear understanding of roles and responsibilities are required to ensure that identified risks are managed and communicated effectively.
d) Classification system for risks: The risk universe provides a method of classifying risks based on their impact to assist in the tracking and evaluation of risk.
The Framework is not a static document. Throughout the implementation of Enterprise Risk Management, the framework itself should be monitored and reviewed to ensure continual improvement.
Figure 1- ERM Framework Diagram
As Figure 1 shows, there are 5 main areas within the Corporation that contribute to the management of risk.
A. ERM Assessments
This area deals with the assessment and evaluation of risks at various levels of the corporation. It helps facilitate:
• Enterprise Risk Assessment: Risks evaluated that are strategic in nature or cross multiple departments or affect the entire corporation.
• Department Risk Assessment: Risk assessment performed at the departmental level to identify and track risks to departmental objectives.
B. Council Reporting
A Risk Analysis section is now a standard part of a council report. Guidelines for the information contained in this section are found in the Council Report Writing Guide. Critical and significant risks (as identified in the Risk Appetite section) are to be noted and discussed within the report.
C. Levels of Service & Risk
Levels of Service & Risk assessment will utilize the risk measurement criteria to assist in prioritization of asset planning and funding. Council will receive reports detailing the results.
D. Insurance and Liability Risk Management
Insurance & Liability Risk Management assists in mitigating risk of insurable loss to the corporation, including public hazard risk and risk of property loss. This is done by advising the Corporation on risk mitigation and risk financing options, investigating and resolving claims to reduce the consequence to the Corporation, and recovering losses from third parties. This division will provide feedback to areas of the Corporation to reduce risk of claims and litigation exposure.
E. Health & Safety Management
Health & Safety helps avoid risk in the corporation as a result of injury or illness.
6. Measurement Criteria
The measurement criteria define the scale that is used to assess a risk.
The Measurement Criteria for Risk Assessment can be found in Appendix A. Most risk assessments (e.g. departmental risk assessment, council report risk analysis) will use the “Simple Measurement Criteria”. The more complex “Measurement Criteria for the Risk Assessment Tool” will be used for Levels of Service & Risk evaluation and major projects.
The two key factors in a risk assessment are:
PROBABILITY: The likelihood that the risk will occur.
&
CONSEQUENCE: The potential impact to the corporation if the risk occurred.
The consequence factor is further subdivided into different types of impacts but, ultimately, only the highest score in all the subcategories is used.
Both the Probability and Consequence are given a score from 1 to 5. Based on the two scores, a risk level is determined. The risk levels are shown in Figure 2 and are as follows:
• Critical
• Significant
• Moderate
• Low
As an example, a risk that has a probability score of 3 and a consequence score of 4 would be rated a “Significant” risk.
The Measurement Criteria is important because it allows every risk across the Corporation to be measured on the same scale and prioritized accordingly.
Figure 2- Levels of Risk (rows: Probability score; columns: Consequence score)

Probability \ Consequence   Insignificant (1)   Minor (2)     Moderate (3)   Major (4)      Severe (5)
Almost Certain (5)          Moderate            Significant   Significant    Critical       Critical
Likely (4)                  Moderate            Moderate      Significant    Significant    Critical
Possible (3)                Low                 Moderate      Moderate       Significant    Significant
Unlikely (2)                Low                 Low           Moderate       Moderate       Significant
Rare (1)                    Low                 Low           Low            Moderate       Moderate
7. Risk Appetite & Risk Tolerance
Risk appetite refers to the level of risk, set by Council, that the corporation is willing to accept, which influences how risks are assessed and treated.
The Corporation is most concerned with Significant and Critical risks. Any risk identified as significant or critical should have a:
a) Mitigating Strategy - A plan must be developed to mitigate, transfer or avoid the risk.
b) Risk Owner - The person responsible to ensure that the risk level is monitored and the mitigating strategy is carried out.
In reports to City Council, significant and critical risks must be identified within the risk analysis section of the report. Mitigating strategies and risk owners should also be included.
Figure 3- Risk Appetite (the same Probability/Consequence matrix as Figure 2; the Significant and Critical levels are the risks the Corporation is most concerned with)
Risk Tolerance refers to level of risk that the corporation decides is acceptable after the risk has been evaluated and all stakeholders have been consulted on possible treatments.
This framework and risk appetite are tools for risk management. Judgement should also be applied when evaluating risks at any level. Low and moderate risks may benefit from employing a mitigating strategy and risk owner. In some cases, after risk stakeholders are consulted, it may make sense for a significant risk to be tolerated because the mitigating strategies are more costly than the consequence of the risk.
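The scoring rules of Sections 6 and 7 (probability and consequence each scored 1 to 5, only the highest consequence subcategory counting, Figure 2 mapping the pair to a risk level, and Significant and Critical risks requiring a mitigating strategy, a risk owner and disclosure in Council reports) carried into working code, as an added example that is not part of the framework document. The function names, the constructed sample register and the choice to assign a shared likelihood-band boundary (e.g. 90%) to the higher band are assumptions of this example, not the Corporation's.

```python
"""Risk scoring rules from Sections 6 and 7 of the ERM Framework.

Added example (not part of the original document). It encodes the Figure 2
probability/consequence matrix, applies the Section 6 rule that only the highest
consequence subcategory score counts, and derives the Section 7 requirements
(mitigating strategy, risk owner, Council report disclosure) for Significant and
Critical risks. All function, field and sample-risk names are my own.
"""
from __future__ import annotations

from dataclasses import dataclass

# Figure 2, "Levels of Risk": keyed by probability score, indexed by consequence score.
RISK_MATRIX = {
    5: ("Moderate", "Significant", "Significant", "Critical", "Critical"),
    4: ("Moderate", "Moderate", "Significant", "Significant", "Critical"),
    3: ("Low", "Moderate", "Moderate", "Significant", "Significant"),
    2: ("Low", "Low", "Moderate", "Moderate", "Significant"),
    1: ("Low", "Low", "Low", "Moderate", "Moderate"),
}
LEVEL_RANK = {"Low": 0, "Moderate": 1, "Significant": 2, "Critical": 3}

# Simple Measurement Criteria likelihood bands (Appendix A), lower bound in percent.
# The source bands share boundary values (90% sits in both Likely and Almost
# Certain); this implementation assigns a boundary to the higher band (assumption).
LIKELIHOOD_BANDS = ((90, 5), (60, 4), (40, 3), (10, 2), (0, 1))


def _check_score(name: str, value: int) -> None:
    """Both factors are scored on the 1 to 5 scale; anything else is a data error."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")


def likelihood_score(percent: float) -> int:
    """Map an estimated probability of occurrence (0-100%) to the 1 to 5 scale."""
    if not 0 <= percent <= 100:
        raise ValueError(f"probability percent out of range: {percent!r}")
    return next(score for lower, score in LIKELIHOOD_BANDS if percent >= lower)


def consequence_score(subcategories: dict[str, int]) -> int:
    """Section 6: the consequence score is the highest score across the subcategories."""
    if not subcategories:
        raise ValueError("at least one consequence subcategory is required")
    for name, score in subcategories.items():
        _check_score(f"consequence[{name}]", score)
    return max(subcategories.values())


def risk_level(probability: int, consequence: int) -> str:
    """Look up the Figure 2 risk level for a probability and consequence score."""
    _check_score("probability", probability)
    _check_score("consequence", consequence)
    return RISK_MATRIX[probability][consequence - 1]


@dataclass(frozen=True)
class RiskAssessment:
    title: str
    probability: int
    consequence: int
    driving_subcategory: str  # the subcategory whose score set the consequence
    level: str
    requires_mitigating_strategy: bool  # Section 7 a)
    requires_risk_owner: bool           # Section 7 b)
    disclose_in_council_report: bool    # Section 7, reports to City Council


def assess_risk(title: str, probability: int, subcategories: dict[str, int]) -> RiskAssessment:
    """Score one risk and derive the Section 7 obligations from its level."""
    consequence = consequence_score(subcategories)
    driver = max(subcategories, key=subcategories.__getitem__)
    level = risk_level(probability, consequence)
    elevated = level in ("Significant", "Critical")
    return RiskAssessment(title, probability, consequence, driver, level, elevated, elevated, elevated)


def prioritize(assessments: list[RiskAssessment]) -> list[RiskAssessment]:
    """Order a register for review: highest level first, then consequence, then probability."""
    return sorted(assessments, key=lambda a: (LEVEL_RANK[a.level], a.consequence, a.probability), reverse=True)


# Constructed sample register; titles and scores are illustrative, not the City's data.
SAMPLE_REGISTER = [
    ("Section 6 worked example", 3, {"Operational": 4}),
    ("Privacy/security breach of a public-facing web service", likelihood_score(70),
     {"Availability": 3, "Public Trust / Media Attention": 4, "Legal Liability": 2}),
    ("Payroll reporting delay", 2, {"Financial": 1, "Operational": 2}),
    ("Bridge closure after structural damage", 5, {"Availability": 4, "Health & Safety": 5}),
]


def assess_register(register=SAMPLE_REGISTER) -> list[RiskAssessment]:
    """Assess every entry of a register and return it in review priority order."""
    return prioritize([assess_risk(title, prob, subs) for title, prob, subs in register])


if __name__ == "__main__":
    for a in assess_register():
        flags = "mitigating strategy + risk owner required" if a.requires_risk_owner else "judgement applies"
        print(f"{a.level:<12} P{a.probability} C{a.consequence} ({a.driving_subcategory}) {a.title}: {flags}")
```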
8. Risk Management Process
The Enterprise Risk Management Process is used to manage risks faced by the corporation. A visual representation of the process is shown in Figure 4. It includes five key components that can be integrated at any level of the organization: Establishing context, conducting a risk assessment, the treatment of risks, monitoring and reviewing risks, and communication of risks.
1) Establishing a context – The objectives of the service or project are identified. All risks identified within this process should have a direct effect on an identified objective. Establishing the context of the risk assessment also requires an understanding of the internal and external environment, and the use of the corporate standardized risk evaluation criteria.
2) Risk Assessment – The heart of the process is the risk assessment. By determining levels of risk, treatment plans can be developed to influence risks to a more tolerable level. There are 3 steps in the process:
i. Identify risks,
ii. Analyse risks, and
iii. Evaluate risks.
3) Risk Treatment – Risks that are outside a tolerable level should be addressed through one of four approaches:
i. Treated by implementing controls and/or mitigation strategies,
ii. Transferred to a 3rd party (e.g. an insurance company),
iii. Tolerated (i.e. the Corporation assumes the risk), OR
iv. Terminated (i.e. the Corporation discontinues current action or opts not to take further action).
4) Monitoring and Reviewing Risks – Risks are dynamic and change due to their nature, the environment surrounding them, and the enablers that impact them. Monitoring risks ensures that risk owners remain responsible for the prudent management of their risks. Reviewing risks is a more collective process of confirming that the risks still exist, that they are being accurately assessed, and that the treatment plans are still relevant to mitigating them.
5) Communicate Risks – Timely and accurate communication of risks is a key element of the Enterprise Risk Management Framework. Communication takes place at all steps of the framework, both horizontally across departments and vertically (bottom up & top down).
Figure 4- Enterprise Risk Management Process (Establish Context; Risk Assessment: Identify Risks, Analyze Risks, Evaluate Risks; Treat Risks; Monitor & Review; Communication)
9. Risk Universe & Definitions
A Risk Universe is a list of different sources of risk that could potentially produce risks to the corporation. The complete list and the definitions assigned to them can be found in Appendix B. There are six main categories and each of those is further divided into subcategories. The six main categories are:
1) External
2) Strategic
3) Operational
4) Organizational
5) Financial
6) Legal/Compliance
The advantage to having the risk universe is that it allows for consistent reporting when consolidating types of risk across the corporation.
As the ERM program within the corporation matures, these definitions may need to be adjusted in order to accommodate additional risk events.
10. Governance Structure
The following governance structure will assist senior management in ensuring appropriate management and mitigation of significant risks:
Figure 5- Enterprise Risk Management governance structure (Enterprise Risk Governance Committee; Enterprise Risk Management Working Committee; Manager of Corporate Initiatives; Service Owners / Risk Owners; Corporate Risk Register; Risk Treatment Plans; Department / Service Business Plans – Risk Registers)
The following roles and responsibilities will support the ERM governance structure:
a) Enterprise Risk Management Governance Committee – Acts as a Steering Committee for the Enterprise Risk Management framework by providing support and direction to achieve the Corporate Enterprise Risk Management Strategy. The Committee will be comprised of the Chief Administrative Officer and the Corporate Leadership Team. Their responsibilities are to:
• Review reports from the Enterprise Risk Management Working Committee and provide direction accordingly.
• Provide direction for significant and critical risks elevated to the Committee and/or refer them to Council.
• Perform an annual review of enterprise risks.
• Approve changes, as necessary, to the Enterprise Risk Management framework, risk measurement criteria, risk universe and definitions, and governance structure.
b) Enterprise Risk Management Working Committee – A working committee that regularly reviews the significant and critical risks from a corporate perspective. The Committee will be chaired by the Manager of Corporate Initiatives, and comprised of the Corporate Initiatives Analyst, a representative from Legal’s Risk Management division, a representative from the Asset Management division, a representative from Human Resources’ Corporate Health & Safety Division, and at least two other management representatives as directed by the CAO. Their responsibilities are to:
• Review the Corporate Risk Register and risk treatment plans for significant and critical risks, and recommend further actions to mitigate risks, if necessary.
• Provide quarterly reports (or as deemed necessary) to the Enterprise Risk Governance Committee regarding the Corporation’s risks and identify risk owners.
• Elevate significant and critical risks, as necessary, to the Enterprise Risk Governance Committee for direction/action.
• Develop procedures to ensure effective implementation of this framework.
c) Manager of Corporate Initiatives – Manages the Enterprise Risk Management framework. This includes developing the Enterprise Risk Management framework to support the Corporation’s Enterprise Risk Management strategy, implementing and monitoring the elements of the framework, and continuously improving the elements of the framework as required. Their responsibilities are to:
• Provide training on the ERM framework & its processes.
• Facilitate risk assessments as directed.
• Manage the Corporate risk register, which includes significant & critical risks.
• Monitor risk treatment plans that mitigate significant & critical risks.
• Assist in elevating significant & critical risks upward for direction/action.
d) Service Owners, Department Heads and Project Managers – Manage the risk profile through the risk management process to achieve their objectives. Their responsibilities are to:
• Understand and follow the Enterprise Risk Management process.
• Maintain and monitor their service risk register.
• Designate a primary person to act as a Risk contact to coordinate risk monitoring & communication within the designated service, department or project.
• Establish the objectives for the service, department or major project being evaluated. Objectives must be developed in relation to the Corporate Strategic Action Plan.
• Communicate significant & critical risks to the Manager of Corporate Initiatives and, where necessary, request that they be elevated to the Enterprise Risk Governance Committee.
• Monitor changes in the risk profile and the planning & implementation of treatment plans.
e) Risk Owners – Manage individual risks according to the mitigating strategies developed for those risks. Their responsibilities are to:
• Recommend a risk tolerance level for a risk through consultation with the risk’s stakeholders.
• Develop and manage risk treatment plans to mitigate risk, specifically significant & critical risks.
• Monitor changes in risks and the implementation of treatment plans.
11. Risk Reporting
The communication of risk is essential to the success of the Corporation’s governance of its risks. A Risk Reporting Procedure will be developed through the Manager of Corporate Initiatives and the Enterprise Risk Management Working Committee. The Risk Reporting procedure will be approved by the Enterprise Risk Governance Committee.
12. Risk Monitoring
Existing risks listed in a Risk Register should be monitored on a periodic basis that ensures prudent management of the risks. New risks need to be added to the risk register and evaluated upon their discovery. The following is a guideline for effective risk monitoring:
• Strategic level risks should be monitored quarterly and prior to the beginning of strategic planning exercises.
• Operational & process level risks should be monitored periodically by risk owners to ensure treatment plans for Significant or Critical level risks are mitigating as planned. Low or moderate level risks (particularly with upward trends) should be monitored to ensure they do not evolve into Significant or Critical level risks.
• Risks that become urgent and require immediate treatment are elevated to the Manager of Corporate Initiatives, who will direct them to the Enterprise Risk Governance Committee.
13. Definitions [2]
• Risks – the likelihood that there will be a positive or negative deviation from the expected objective. Risk is inherent in any business venture. Risks can be threats or opportunities and are measured by likelihood or probability of occurrence and the impact or consequences to people or property should they occur. Risks will be classified as low, moderate, significant or critical.
• Enterprise Risk Management (ERM) – the coordinated activities to direct and control risks within an organization. This includes assessing risks, communicating risks, assigning responsibility for risks, identifying mitigating strategies to avoid or lessen risk, planning risk response strategies for reacting when a risk occurs, and reviewing and improving risk management based on lessons learned from risk experience.
• ERM Framework - the suite of policies, procedures, tools and training that support Enterprise Risk Management within the Corporation.
The ERM Framework includes the ERM policy, ERM Assessments and supporting procedures, the Council Report Writing Guide with respect to the risk section of Council Reports, the evaluation and results from the Levels of Service & Risk assessment as directed by the Senior Manager of Asset Planning, the insurance policy or policies carried by the Corporation, the policies and procedures directed by the Manager of Risk and Insurance with respect to insurance risk management and the avoidance of loss or damage to people or property, health and safety policies and procedures as directed by the Executive Director of Human Resources and any other policies, procedures and tools implemented by Council or Administration to manage risk.
• Risk Appetite – the general amount of risk the Corporation is willing to accept, which influences how risks are assessed and treated. Knowing the Risk Attitude assists the Corporation in developing risk mitigation and risk response strategies appropriate to the Corporation’s needs.
[2] Many of the definitions include parts that were adapted from ISO 31000:2009 Risk Management – Principles and Guidelines – Definitions
• Insurance & Liability Risk Management – A component of Enterprise Risk Management where the purchase and management of insurance is used to transfer the risk to a 3rd party. Insurance & Liability Risk Management is managed by the Risk and Insurance division.
• Service – The delivery of an output or benefit to a client as defined in the Inventory of Programs and Services of the Corporation of the City of Windsor.
• Enterprise risks – Risks that affect or are prevalent throughout the entire corporation. Succession might be an example of an enterprise risk. Enterprise risks are often strategic in nature.
• Departmental risks – Risks that affect a department’s strategic or service objectives. Departmental risks are often operational in nature.
• Project risks – Risks that affect the objectives defined in the scope of the project. The risk should be measured at an enterprise level as to how it will affect the organization or service objective.
Appendix A
Measurement Criteria
• Simple Measurement Criteria (2 pages)
• Measurement Criteria for the Risk Assessment Tool
Simple Measurement Criteria

Consequence categories and their descriptions:
• Financial: Cost to City
• Operational: Impact on the ability to sustain operations
• Reputational: Impact on the way stakeholders regard the City
• Health & Safety: Impact on any stakeholder

5 SEVERE
• Financial: > $3M
• Operational: Widespread or long-term shut down of operations
• Reputational: Sustained, serious loss of confidence in management of City
• Health & Safety: Death

4 MAJOR
• Financial: $500k - $3M
• Operational: Significant, sustained operational issue
• Reputational: Major impact on public confidence that is difficult to regain
• Health & Safety: Permanent disability or widespread illness

3 MODERATE
• Financial: $250k - $500k
• Operational: Moderate operational challenge in size or duration
• Reputational: Significant impact on public confidence that damages City’s image
• Health & Safety: Moderate health & safety event

2 MINOR
• Financial: $25K - $250k
• Operational: Modest operational inefficiency or situation
• Reputational: Modest, localized impact on City image
• Health & Safety: Minor health & safety event

1 INSIGNIFICANT
• Financial: < $25K
• Operational: Small operational inefficiency
• Reputational: Limited impact on City image
• Health & Safety: Low significance event
Simple Measurement Criteria (cont’d)

Likelihood scale (score and approximate probability):
5 ALMOST CERTAIN: 90 – 100%
4 LIKELY: 60 – 90%
3 POSSIBLE: 40 – 60%
2 UNLIKELY: 10 – 40%
1 RARE: 0 – 10%

Factors to consider for Likelihood:
• Maturity / complexity of the process or system
• Past occurrences of the risk event
• External factors
• Experience of management / employees
• Performance indicators / industry trends
• Recent audit reports
• Effectiveness of training
• Adherence to policies & procedures
• Current controls, or lack of controls
• Management’s understanding of / focus on the risk
Rating - Descriptor 1 - Rare 2 - Unlikely 3 - Possible 4 - Likely 5 - Almost Certain
Description - Frequency or approximate probability
May only occur in certain conditions.Every 10 + years or 0% to 10%
Could occur some time.Every 5 to 10 years or 10% to 40%
Might occur at some time.Every 3 to 5 years or 40% to 60%
Will probably occur in most circumstances.
Every 2 to 3 years or 60% to 90%
Almost certain to occur.Annually or more frequently or 90% to
100%
Rating - Descriptor 1 - Insignificant 2 - Minor 3 - Moderate 4 - Major 5 - Severe
Health & Safety - injuries to staff, public or stakeholders
No treatment requiredMinor injury or illness requiring medical
treatmentSerious injury or illness requiring medical
treatmentPermanent disability or widespread
illness Death
Legal Liability - incur $ (claims, lawsuits, etc.)
< $25K $25K-250K $250K-500K $500K-3M > $3M
Physical Assets - replacement of Replaceable worth < $25k Replaceable worth $25k-250k Replaceable worth $250k-500k Replaceable worth $500k-3M Replaceable worth over $3M or significant asset is irreplaceable
Environment - damage toNegligible event, non-permanent impact requiring no clean-up measures @ ($0-25K)
Minor event, non-permanent impact requiring very little clean up effort @ ($25-250k)
Major event, some permanent impact requiring moderate clean-up effort @ ($250k-500k)
Major event, some permanent impact requiring extensive clean-up effort @ ($500k-3M)
Severe event, permanent impact requiring significant clean-up @ (> $3M)
Availability - number of people impacted by service failure
Under 1% of customers 2%-25% of customers 26%-50% of customers 51%-100% of customers 100% of customers for sustained period of time
Limited impact to overall quality of discretionary service
Moderate or localized impact to overall quality of discretionary service OR
Serious or widespread disruption to overall quality of discretionary service OR
Inability to provide an discretionary service OR
Limited impact to overall quality of essential service
Moderate or localized impact to overall quality of essential service
Serious or widespread impact to overall quality of essential service
Inability to provide an essential service
Budget - cost overuns or reallocation of funds for service or project
< $25K $25K-250K $250K-500K $500K-3M > $3M
Funding - loss of external funding or revenue (e.g. grants, leasing revenue, user fees)
< $25K $25K-250K $250K-500K $500K-3M > $3M
Public Trust / Media Attention - negative attention
Limited attention by media, limited impact on public confidence
Local media coverage, department official fielding media questions, moderate impact on public confidence
Regional media coverage, significant impact on public confidence that damages City's image
National or Provincial media coverage, external agency inquiry, major impact on public confidence that is difficult to regain
Significant National or Provincial media coverage, external agency criminal investigation, sustained serious loss of confidence in management of City
Governance - management oversightSome unfavourable comments by governing body (I.e. Management or Council)
Request for change recommendations by governing body (I.e. Management or Council)
Senior governing body issues reccomendations for change (I.e. Federal or Provincial)
Senior governing body demanding immediate changes to status quo (I.e. Federal or Provincial)
Senior governing body imposing temporary leadership (I.e. Federal or Provincial)
Legislative - violation of legislation
- Infraction of legislation with limited penalties (under $25K)
- Minor infraction of legislation with penalties ($25K-$250K)
- Moderate infraction of legislation with penalties ($250K-$500K)
- Major violation of legislation with significant penalties ($500K-$3M), high profile trial
- Multiple major violations of legislation with significant penalties (over $3M), public inquiry & high profile trial
Strategic - negative effect on corporate strategic goals
- Impairment of 1 corporate strategic goal
- Failure of 1 corporate strategic goal
- Failure of 2 or more corporate strategic goals
- Majority of corporate strategic goals fail
- Failure of corporate strategic goals
Note: Evaluate project risks based on impact to affected discretionary or essential service.
Measurement Criteria for the Risk Assessment Tool - DRAFT March 31, 2015 (table axes: Consequence and Probability; row heading for the service-quality criterion above: Quality - impact or disruption to overall quality of service delivered)
Appendix B
Risk Universe & Definitions
• Risk Universe (1 page)
• Risk Universe Definitions
City of Windsor Enterprise Risk Management – Draft Risk Universe
External: 1. Legislative & Regulatory; 2. Funding; 3. Socio-Cultural; 4. Economic Factors; 5. Terrorism; 6. Vandalism; 7. Health Epidemic; 8. Natural Disaster; 9. External Technology Changes
Strategic: 10. Changes in Strategy; 11. Governance; 12. Planning & Resource Allocation; 13. Conflicting Priorities/Demands; 14. Transparency
Operational: 15. Service Failure; 16. Substandard Service Delivery; 17. Technology Fails; 18. Privacy/Security Breach; 19. Third-Party Performance; 20. Infrastructure; 21. Material Resources; 22. Implementation/Transition
Organizational: 23. Inter-Departmental Coordination; 24. Organizational Culture; 25. Employee Turnover; 26. Health & Safety Incident; 27. Human Resources Capacity; 28. Labour Relations
Financial: 29. Treasury/Liquidity; 30. Accounting & Reporting; 31. Fraud & Corruption; 32. Budget Breach
Legal/Compliance: 33. Compliance; 34. Litigation
Enterprise Risk Management - Universe Definitions
Each entry gives the risk number and Risk Label, followed by its Risk Name, Risk Context and Impact.

EXTERNAL

1. Legislative & Regulatory
Risk Name: Changes in legislation/regulations significantly change the City's operations
Risk Context: Operations include: Mandate; Financial Models; Service Operations
Impact: City has to redirect resources

2. Funding
Risk Name: Funding is significantly cut
Risk Context: Funding models and allocations can change.
Impact: Unplanned reductions in services; Inability to react in a timely manner

3. Socio-Cultural
Risk Name: Significant socio-cultural changes occur in the City
Risk Context: Socio-cultural factors include: Unemployment; Migration of workers; Demographics; Society/citizen/business expectations
Impact: Required redirection in public policy, funding and management attention

4. Economic Factors
Risk Name: Significant changes in economic factors occur
Risk Context: Economic factors include: inflation; foreign exchange; interest rates; employment rates; and business start-up/creation/departure rates
Impact: Current and future revenue streams and public needs change

5. Terrorism
Risk Name: Significant acts of terror occur
Risk Context: Potential targets could include international border crossings - Ambassador Bridge and Detroit-Windsor Tunnel
Impact: Harm to citizens; Increased need for emergency services and funding from City sources

6. Vandalism
Risk Name: Significant acts of vandalism occur
Risk Context: City experiences significant incidence of vandalism that causes damage to property or assets and/or detracts from public image.
Impact: Negative public reaction; Increased need for social services and funding from City sources to clean it up

7. Health Epidemic
Risk Name: A significant health epidemic occurs
Risk Context: Health epidemics include: contagious disease; widespread contamination occurrence
Impact: Harm to citizens; Trigger emergency plan response and associated costs; Potential impact to city staff and service delivery protocols; Negative public reaction

8. Natural Disaster
Risk Name: A significant natural disaster occurs
Risk Context: Significant natural disasters include: Environmental degradation; Environmental spillage; Flooding; Earthquake; Severe storm events
Impact: Negative public reaction; Trigger emergency plan response and associated costs; Harm to citizens

9. Technology Changes
Risk Name: Significant external technological change occurs
Risk Context: Significant technological changes could include advancements in software and/or hardware that lead to obsolescence.
Impact: Unplanned replacement costs and/or process changes
STRATEGIC

10. Changes in Strategy
Risk Name: Unexpected change in strategic direction occurs
Risk Context: Frequent or unexpected change in strategic direction.
Impact: City has to redirect resources; Strategic goal impairment; Change in strategic goals

11. Governance
Risk Name: City governance mechanisms fail
Risk Context: Governance failure includes: improper controls; inefficiency; poor financial management; and nepotism
Impact: Culture of awareness decreased; Cost of remedial actions; Potential costs of response (e.g. increased oversight); Inconsistent values exhibited; Impairment of reputation; Negative public reaction

12. Planning & Resource Allocation
Risk Name: Poor planning and resource allocation decisions are made
Risk Context: Planning activities and/or allocation of resources inhibit achievement of operational and strategic objectives. Includes situations where value creation/enhancement opportunities are not known, missed or under-exploited. City finances are run based on budgets set at the beginning of the year.
Impact: Unnecessary expenditures; Impairment of value; Misalignment of resources from priorities; Strategic goal impairment

13. Conflicting Priorities/Demands
Risk Name: A significant conflict occurs between stakeholders
Risk Context: Differing priorities and demands between citizens, council and administration, as well as federal and provincial bodies
Impact: Stalemate, inability to act; Lost resources; Delayed project delivery; Delayed service delivery; Strategic goal impairment

14. Transparency
Risk Name: Accusation of a lack of transparency
Risk Context: Citizen, federal, provincial and business partner expectations of transparency are difficult to meet. Citizenry is sensitive to potential breaches of transparency, corruption and misappropriation of assets.
Impact: Potential costs of response (e.g. increased oversight); Impairment of reputation
OPERATIONAL

15. Service Failure
Risk Name: Significant failure of City services
Risk Context: City services include: public services; policies; administrative directives
Impact: Negative public reaction; City has to react with unplanned attention and resource deployment; Public safety incident; Strategic goal impairment

16. Substandard Service Delivery
Risk Name: City service delivery does not meet agreed-upon standards
Risk Context: City's delivery of services is faulty, delayed and/or ineffective.
Impact: Failed projects; Cost and time overruns; Recurring scope/cost/timing changes; Increased costs; Impairment of reputation; Increased scrutiny

17. Technology Fails
Risk Name: City's technology fails to meet needs
Risk Context: Choice and implementation; failure could be in relation to needs or expectations
Impact: Business process efficiencies are not realized

18. Privacy / Security Breach
Risk Name: Confidential information is publicly released
Risk Context: Confidential information made available to the public/media. Information is improperly accessed, modified or disclosed. Citizenry is sensitive to potential breaches, corruption and misappropriation of assets.
Impact: Unnecessary resource allocation and costs to fix; Public scrutiny; Legal action; Impairment of reputation; Increased oversight required; Operational costs

19. Third Party Performance
Risk Name: Third party service providers fail to perform
Risk Context: Failure can include: missing agreed-to service levels; not rendering service in time; not rendering the correct service; inadequate/poor service delivery; misalignment of public service needs and private sector profits. Third party service providers include vendors, agencies, boards, commissions and partnerships. Examples of major contracts include: Garbage collection, Winter Control.
Impact: Lost revenues; Increased operational costs; Lost time; Negative public reaction; Increased oversight; Impairment of reputation

20. Infrastructure
Risk Name: Infrastructure fails to meet the City's needs
Risk Context: Infrastructure is not available, able to be maintained or suitable for current and operational needs
Impact: Impairment of reputation; Reduced business investments

21. Material Resources
Risk Name: Material resources are unavailable when required
Risk Context: Material resources needed to enable operations: are not available; are costly to attain; cannot be acquired in a timely manner; are wasted. Material refers to tangible resources.
Impact: Wasted costs; Project delays; Impaired or delayed service delivery

22. Implementation/Transition
Risk Name: Program change management fails
Risk Context: Even if program delivery is successful, there could be a failure to implement the end result as a sustainable solution that realizes the original business case due to: poor change management; adoption challenges; inadequate functionality; transition failure from project to ongoing process/program.
Impact: Business case of programs not met; Deficient service delivery
ORGANIZATIONAL

23. Inter-Departmental Coordination
Risk Name: Cross-departmental coordination is delayed or ineffective
Risk Context: Departments need to work together in a seamless manner to enable effective and efficient service delivery. Structure is not conducive to service delivery.
Impact: Deficient or ineffective service delivery; Project delays; Increased costs; Impairment of reputation; Strategic goal impairment

24. Organizational Culture
Risk Name: City's corporate culture inhibits the achievement of strategic objectives
Risk Context: Strategic objectives include corporate values or use of resources. Factors to consider include: communication channels and effectiveness; cultural integration; ethics and values; goal alignment; management style; tone at the top; organization structure
Impact: Strategic goal impairment; Elevated employee turnover; Impairment of reputation

25. Employee Turnover
Risk Name: Employee turnover rate increases above generally accepted level
Risk Context: Employee turnover increases (including staff retirements)
Impact: Service delivery deficiencies; Loss of key competencies and skills; Knowledge loss

26. Health & Safety Incident
Risk Name: Abnormal health and safety incident occurs
Risk Context: Health and safety incident occurs leading to injury, illness or death.
Impact: Impairment of reputation; Exposure to liability

27. Human Resources Capacity
Risk Name: City does not have proper human resources to fill key positions
Risk Context: Management resources could fail to meet strategic and operational requirements due to limited capacity, departures and retirements with limited to no backup or alternative plans (i.e. succession planning)
Impact: Loss of key competencies and skills; Knowledge loss; Cost or time overruns (additional training, project delays, etc.); Impaired or delayed service delivery

28. Labour Relations
Risk Name: Labour relations action occurs
Risk Context: Dispute between employees and City. Labour relations actions include: strikes; lockouts; other activities that disrupt service
Impact: Impaired or delayed service delivery; Impairment of reputation; Service delivery failure; Financial impact; Increased scrutiny
FINANCIAL

29. Treasury/Liquidity
Risk Name: City experiences cash flow shortage
Risk Context: Inadequate cash flow due to improper management, investment, collection, planning or wasteful spending.
Impact: Inability to deliver services; Impairment of reputation; Increased carrying costs

30. Accounting & Reporting
Risk Name: Financial reporting errors occur
Risk Context: Impairment in financial statements or public reporting integrity.
Impact: Impairment of reputation; Restricted ability to borrow

31. Budget Breach
Risk Name: Department or project exceeds budget dramatically
Risk Context: Department or project budget exceeded dramatically
Impact: Impairment of reputation; Financial impact

32. Fraud & Corruption
Risk Name: Publicized illegal or improper acts by employees occur
Risk Context: Includes theft or loss of assets
Impact: Loss of City's assets or resources; Impairment of reputation
LEGAL / COMPLIANCE

33. Compliance
Risk Name: Compliance breach occurs
Risk Context: Failure to maintain an awareness of compliance requirements, monitor compliance, enforce compliance, and implement and maintain enabling mechanisms. Failure to maintain awareness of and compliance with provincial or federal public policy requirements.
Impact: Consequences of non-compliance (reputation, funding, fines, penalties); Increased costs; Impairment of reputation; Loss of resources; Increased scrutiny

34. Litigation
Risk Name: City involved in a lawsuit that has a significant impact
Risk Context: Losses may emanate from: claims by employees, the public, service providers and other third parties; expenses associated with participation in a lawsuit; failure by the City to exercise certain rights to its advantage. A significant lawsuit involves uninsured risks and reputational impacts.
Impact: Financial impact; Impairment of reputation