55
Innovative ERM Programming for the Public Sector
September 18, 2014, Albany, NY



Agenda
• What is ERM anyway?
• Why do we need a broader approach?
• Overview of the process
• Working examples
• What could you do – right now?
• Resources and opportunities

Defining ERM

Enterprise Risk Management describes a broader approach to managing risk.

It is a coordinated effort to direct and control all activities related to risk.

It defines risk as the effect of uncertainty on objectives. It therefore ties the management of risk to what is most important to the organization.

From ANSI/ASSE/ISO 31000: 2009

The responsibility for managing risk is spread across the organization to those who have accountability and authority – risk owners.

In a Nutshell…

All organizations exist to achieve their objectives.

The purpose of risk management is to manage the barriers and support the opportunities to achieve those objectives.

Risk management helps you discover both threats and opportunities.

What is “risk”?

Risk is present in everything we do. The definition from ISO 31000, the international standard on risk management:

Risk = the effect of uncertainty on your objectives.

Risk can be a threat or an opportunity

Anything that could harm, prevent, delay or enhance your ability to achieve your objectives = risk

© 2012 ARTHUR J. GALLAGHER & CO.

Key outcomes:
• The organization has a current, correct and comprehensive understanding of its risks
• The organization’s risks are within its risk criteria

Attributes:
• Continual improvement
• Full accountability for risks
• Application of risk management in all decision making
• Continual communication
• Full integration into the organization’s governance structure

Annex A of ANSI/ASSE/ISO 31000: 2009

At a Glance – PricewaterhouseCoopers

ERM is a comprehensive, systematic approach for helping all organizations, regardless of size or mission, to identify events and measure, prioritize, and respond to the risks challenging its most critical objectives and related projects, initiatives, and day-to-day operating practices.

pwc – www.pwc.com/us/en/public-sector-enterprise-risk-solutions.jhtml

ERM – Distinguishing Characteristics

• Consideration of all risks, strategic and operational – as well as projects and decision making – linked to what is most important to the organization

• A systematic and consistent approach that is communicated broadly and supported by leaders

• Risk owners & stakeholders are explicitly included

• Built on a continual improvement model

Sample “Elevator Speech” on ERM
• ERM is about supporting opportunities as well as preventing problems
• It is tied to business objectives and strategies – and supports them
• It works within the entity’s culture and will become integral to decision making
• It will ensure that risk management is applied to all levels of the organization and to all activities

ERM versus Risk Management: What’s in a Name?

Does it Matter What We Call It?

• We’re already “doing” ERM, we just don’t call it that
• ERM vs “Strategic Risk Management”
• Is ERM just “bigger” risk management?

Implementing ERM – Sources
• ANSI/ASSE/ISO 31000 – the only international standard on risk management – 2009
• COSO ERM Framework – 2004
• Consulting firms – KPMG, Protiviti, Deloitte, PwC & brokerage firms, too
• GRC – Governance, Risk & Compliance
• “Risk Management – An Accountability Guide for University and College Boards” by Janice Abraham – AGB & UE – 2013


Who is Interested in ERM?

• Board of Directors – Board members from private industry understand how ERM supports an organization’s objectives; the Board’s oversight role requires evidence that risks are identified, prioritized and managed within tolerance levels
• Stakeholders – The broad management of risk includes stakeholder input, values and needs and builds in appropriate communication about risk
• Credit and Rating Agencies – Seek evidence of a comprehensive and forward-looking risk management program
• Peers – As the practice of ERM grows across a sector, it pushes innovation & drives leadership
• International Community – ISO 31000 is the guide for standardized risk management practices; its widespread adoption across the globe will affect business operations everywhere

Why does this matter?

The ISO framework is not going away. The question is this: how will you and your organization prepare for the future of risk management?

From standardandpoors.com:

Standard & Poor’s Ratings Services has expanded its review of the financial service industry’s enterprise risk management (ERM) practices. This ERM initiative is an effort to provide more in-depth analysis and incisive commentary on the many critical dimensions of risk that determine overall creditworthiness. This enhancement is part of Standard & Poor’s holistic ERM assessment of corporations and financial institutions. Standard & Poor’s is continually enhancing its ratings process to respond to the emergence of new risks and marketplace needs and conditions.

Sample Rating Agency Classifications

Excellent
• Advanced capabilities to identify, measure & manage all risks within tolerances
• Advanced implementation, development & execution of ERM parameters
• Consistently optimizes risk-adjusted returns throughout organization

Strong
• Clear vision of risk tolerance and overall risk profile
• Risk control exceeds adequate for most major risks
• Has robust processes to identify and prepare for emerging risks
• Incorporates risk management & decision making to optimize risk-adjusted returns

Adequate
• Has fully functioning control systems in place for all major risks
• May lack a robust process for identifying and preparing for emerging risks
• Not fully developed process to optimize risk-adjusted returns

Weak
• Incomplete control process for one or more major risks
• Inconsistent or limited capabilities to identify, measure or manage major risk exposures

Standard and Poor’s recognized the University of CA for its ERM program.

“The UC has implemented a system-wide enterprise risk management information system which, in our opinion, is a credit strength.”

September 9, 2010 – Ratings Direct Global Credit Portal

S&P Raises ACE’s Financial Strength Ratings to AA-

Standard & Poor’s (S&P) has upgraded the financial strength ratings for ACE’s core operating insurance companies to “AA-” (Very Strong). The new rating applies to ACE’s core North America, Europe and Bermuda operating companies…

In upgrading the financial strength rating, S&P cited ACE’s “very strong and consistent operating performance, very strong competitive position, positive management and corporate strategy, and very strong and improved capital adequacy.” In its announcement, S&P said ACE’s “top managers are actively involved in the operations of the business, backed by a strong staff with significant depth and breadth” and also noted that the ratings reflect the company’s “strong enterprise risk management practices.”

While S&P currently rates ACE’s ERM as “Strong,” it noted in its full rating report on ACE that “the firm's ERM appears on course to eventually transition to an excellent ERM score.”

Emphasis added

Why do we need a broader approach?
• Bond rating and financial review
• Better decision making
• Governing board influence
• Regulatory oversight
• Peer influence
• Desire to be a leader, forward thinking
• More effective management of resources

[Risk map diagram: risks plotted as Internal Risks vs. External Risks and grouped as Financial Risks, Strategic Risks, Operational Risks and Hazard & 3rd Party Risks; the Insurable Risks subset is marked as the typical purview of RM.]

Risks shown on the map: bank failures; stock market performance; unemployment; interest rates; budget cuts; investment limitations; tax caps; bond rating; retirement funding; capital availability; credit markets stability; currency & foreign exchange rate fluctuations; unexpected loss of revenue; health care costs; revenue & grant $$ management; counterparty risk; financial reporting; mergers & acquisitions of key partners or vendors; ethics violations; negative media coverage; stakeholders’ interests; strategy & initiatives; meeting public expectations; union relations; long-term planning vs. budget limitations; public-private partnerships; health & safety violations; HR & personnel actions; utilities failure; workplace violence; public support; theft; gov’t sanctions; accounting or internal controls failures; facilities maintenance; aging infrastructure; IT system failure; business interruption; loss of key suppliers; mandated public services; code violations; workers’ comp; building security; public safety; lawsuits; war; natural events & catastrophes; terrorism; fraud; governance; disease & epidemics; mold exposure; asbestos exposure; student activities; public official & D&O liability; geopolitical risks; animal or insect infestation; pollution; contractual liability; building subsidence or collapse; labor practices; procurement; unfunded mandates; energy costs; code of conduct; reputation.

Sept. 14, 2010: Suspect in Custody Following Knife Attack

The Penn Valley Dean of Student Instruction was attacked and slashed in the throat by a mentally ill student. The attacker meant to stab the governor of Missouri.

www.fox4kc.com/news, September 14, 2010


What Is Your Mission? Vision? Values?

Online research, City of Albany:
• Tivoli Lake Preserve Community Engagement and Visioning Plan
• openAlbany – easy access to data by various city agencies, answers to questions about city services, public safety and quality of life
• Albany has always been a city that proudly celebrates its heritage

What’s Most Important to Your Entity?

[ISO 31000 overview diagram, from ANSI/ASSE/ISO 31000: the Principles inform the Framework (Mandate & Commitment → Design framework for managing risk → Implement risk management → Monitor and review the framework → Continually improve the framework), and the Framework drives the RM Process (Establish the context → Risk assessment: risk identification, risk analysis, risk evaluation → Risk treatment), with Communicate and consult and Monitor and review running alongside every process step.]

Principles

• Creates & protects value
• Integral part of organizational processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured & timely
• Based on best available info
• Tailored
• Takes human & cultural factors into account
• Transparent & inclusive
• Dynamic, iterative & responsive to change
• Facilitates continual improvement & enhancement of the organization

From ANSI/ASSE/ISO 31000

The principles provide guidance on the rationale for managing risk and the characteristics of effective risk management. These shape the design and structure of your framework for managing risk. The principles can assist in continual improvement and serve as a “maturity model” for implementation.

Using Principles to Measure ERM

Scoring scale, applied to each principle:
1 = Not at all, no evidence or not known
2 = Partially implemented or planned
3 = Largely implemented, clearly evident
4 = Fully implemented, auditable

Principle: Risk management creates and protects value – RM contributes to the demonstrable achievement of objectives and improvement of performance (e.g., human health & safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation)
Score = ___
Describe evidence; this may include policies, reports, audits, reviews, etc.

Principle: Risk management is part of decision making – RM helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action
Score = ___
Describe evidence; this may include policies, reports, audits, reviews, etc.

[Framework diagram: Mandate & Commitment → Design framework for managing risk → Implement risk management → Monitor and review the framework → Continually improve the framework.]

Based upon a model of continual improvement, the framework is what will sustain your risk management efforts. This assures that you are consistent, process-focused and held accountable. Building the framework includes planning for implementation, monitoring & review and communication.

ANSI/ASSE/ISO 31000:2009 Risk management – Principles and guidelines

Components of the Framework
• Understanding the organization & its context
• Establishing RM policy
• Accountability & Authority
• Integration into organizational processes
• Determining appropriate resources
• Establishing internal communication & reporting mechanisms
• Establishing external communication & reporting mechanisms


Framework Example: Context

External Context

• Social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment

• Key drivers and trends that will have an impact on your organization

• Relationships with and perceptions & values of external stakeholders

Internal Context

• Governance, organizational structure, roles & accountabilities

• Policies, objectives & strategy

• Capabilities & resources

• Info systems

• Organizational culture

• Contractual relationships

• Relationships with, perceptions & values of internal stakeholders

ANSI/ASSE/ISO 31000:2009 Risk management – Principles and guidelines

External Context Example

The External Context: Local, regional, national & international influences

Social, cultural and legal environment

The Port has one of the most diverse portfolios in the nation, including 25 miles of prime waterfront property that hosts restaurants, retail, professional sports and diverse maritime operations as well as regional transportation facilities. Port assets include 50 pile-supported pier structures, 80 substructures, 285 commercial and industrial buildings, 25 miles of streets and sidewalks, and other assets such as historic structures, dry docks and a railroad track.

 

Regulatory environment

The State transferred port property to the City in 1952 via legislative act. The City/Port assumed $55 million of the State's bond debt and use of the waterfront is subject to the State's Public Trust Doctrine. This Doctrine, administered through the State Lands Commission, restricts certain private uses. The Conservation and Development Commission, a State regulatory agency, promotes public access to the waterfront and issues permits for development projects.

 

Financial environment

The Port is an enterprise agency and derives its income from Port tenants; it does not receive any General Fund revenue from the City. The Port recently developed a 10 year Capital Plan which includes pursuing public funding (through revenue bond issuances) and public-private partnerships to address the Port's critical capital needs.

Stakeholders

Those who can affect, be affected by – or perceive themselves to be affected by – decisions and actions of the public entity

Stakeholders are both internal and external to the organization

How Do We Use This Information?

This informs the framework for managing risk:
• Implementation plan
• Policy and accountability
• How, when & to whom you will report
• How to incorporate stakeholders
• Identifies potential need for the risk management process

[RM Process diagram: Establish the context → Risk assessment (Risk identification → Risk analysis → Risk evaluation) → Risk treatment, with Communicate and consult and Monitor and review running alongside every step.]

• The context applies to both the organization as a whole and the specific project, risk or portfolio of risks

• Several elements take stakeholder interest and perceptions into account

• Monitor and review – continually asks: “Do we have this right?”

• Communication and consultation is how the management of risk stays connected and relevant

• The same consistent process used across the organization, over and over again

RM Process

The Language of Risk

• Risk
• Risk identification
• Source, trigger
• Consequence
• Risk owner
• Risk management process
• Stakeholder
• Risk appetite
• Tolerance


Working Examples – K12 District

Demonstrating the Value of ERM
• Community Based Organizations’ use of school facilities and access to students
• Compliance approach didn’t work
• Reviewed key risks – both threats and opportunities
• Cross section of key personnel – first time together!
• Created action plans that were realistic and timely

Working Examples – Decision Making

Create new curriculum?
• Reviewed the upside – and potential downside
• Measured and evaluated risks, to inform decision
• Engaged stakeholders in the process

Working Examples – Large City/County

“Stealth ERM”
• Worked with key enterprises, motivated by bond rating, business model and strong leadership
• Developed the framework, provided assistance with implementation
• Each enterprise responsible for identifying, analyzing and managing risk – and reporting

Tip: Don’t try to move the mountain. What can you change?

Working Examples – Pool #1

At Pool Level
• Integrated discussion of risk into strategic planning
• Identified key risks to mission, prioritized them
• Staff responsible for creating action plans and reporting to the board
• Revived planning process and engaged board members

At Member Level
• Pool trained staff and developed process
• Demo at member conference – five hot topics
• Deep discussions in small groups
• Report to large group, ranking of key risks
• A “template” for members to use

Working Examples – Pool #2

At Pool Level
• Integrated discussion of risk into capital planning
• Review of internal and external context
• Brainstormed emerging trends and risks
• Identified key risks to strategy – discussion of how to monitor and respond

Recommendations
• Find your champions and skeptics
• Tailor the structure and process to your operations
• Build a common language
• Create a consistent process
• Communicate with and engage stakeholders
• Continually improve and build upon successes

Tip: Learn to speak the language of your decision makers – what matters to them??

The Benefits of (Enterprise) Risk Management

• Increase likelihood of achieving objectives

• Encourage proactive management

• Be aware of the need to identify and treat risk throughout the organization

• Improve the identification of opportunities & threats

• Effectively allocate and use resources

• Improve governance

• Comply with relevant legal and regulatory requirements and international norms

• Improve mandatory and voluntary reporting

• Improve operational effectiveness & efficiency

• Improve stakeholder confidence and trust

• Establish a reliable basis for decision making & planning

• Improve controls

ISO/ANSI/ASSE 31000:2009 Risk management – Principles and Guidelines

What Could You Do – Right Now?
• Create a risk management study group
• Talk to people of influence – “What opportunities are we missing?”
• Connect with your peers – what can we learn from each other?
• Create a risk assessment tool – and train people to use it

Back to the Worksheet – Make a plan for yourself!

“Change before you have to.” – Jack Welch

Resources and Opportunities
• PRIMA Institute
• PRIMA/PERI trainings on Implementing ISO 31000 in the public sector/higher education
• ERM track at the annual conference
• Peer groups – through PRIMA, NACUBO, AGB, UE, Council of Great City Schools or others
• Internal auditors

PRIMA/PERI Training

Implementing ISO 31000 – Public Sector & Higher Ed
• Intro Webinar
• Introductory Course (1 day)
• Implementation Course (1.5 days)


Resources – free and otherwise
• www.asse.org – $$
• www.nacubo.org, www.coso.org – (Download this one free) $$ (Download this one free)


Resources – free and otherwise
• Published in 2013 by AGB Press, the Association of Governing Boards of Universities and Colleges and United Educators Insurance, a Reciprocal Risk Retention Group – www.agb.org or 800.356.6317 – $$