Commercial Resilience in the Real World

Panel Moderator: Diana McClure, IBHS Business Resiliency Program Manager
Panelists: Tim Lovell, Executive Director, Tulsa Partners; Paul Ford, Director of Safety and Security, Tampa General Hospital; and Carol Fox, Director, Strategic and Enterprise Risk Practice, RIMS

Page 1: Commercial Resilience in the Real World
Page 2: Commercial Resilience in the Real World

IBHS Annual Conference, November 17, 2010

Carol Fox, RIMS

Page 3: Commercial Resilience in the Real World

Agenda

• Enterprise risk management (ERM)
  – Evolution
  – Alignment with functional areas
  – Alignment with standards
• ERM maturity model approach to resilience
• Resilience in the real world
• Questions

Page 4: Commercial Resilience in the Real World

© 2010 Risk and Insurance Management Society, Inc. All rights reserved.

Evolution in Approach

Traditional / Defensive

• Silo ad hoc approach
• Focus on transferring risks
• Protect balance sheet through
  – Insurance
  – Hedging
  – Indemnifications
• Hazard based
• Pure risk – only loss, no gain
• Not linked to corporate strategy

Integrated / Advanced

• Business risk approach
• Mitigate controllable risks
  – prevent
  – reduce frequency
  – reduce severity
• Focus on lowering insurance costs and retained losses
• Collaborative cross-silo interactions
• Linked to corporate strategy through event risks and financial objectives

ERM

• Portfolio approach
• Risk-based business decisions across the organization
• Address potentially devastating threats and weaknesses
• Exploit opportunities and strengths
• Manage unwanted variations from expected outcomes
• Integrated into strategic planning, operational planning, and day-to-day activities

Page 5: Commercial Resilience in the Real World

Alignment with Functional Areas

[Organization chart, for illustration purposes only. Recoverable labels: Board of Directors; Executive Management Team; Executive Sponsors: CFO and CLO; Risk Management Functional Areas: Business Units, Lines of Business, Human Resources, Risk Management*, Business Continuity, Privacy and Security, Internal Audit, Compliance, IT Risk Management; Identified Risk Owners; Reports To; Functional Lead; Top Five Risks (Risk 1 to Risk 5); Executive Management Oversight – Risk Reporting Frequency (monthly or quarterly, depending on the risk).]

* ERM program lead

Page 6: Commercial Resilience in the Real World

Standards Alignment with ERM

[Diagram: Standards and Frameworks. Category labels: Risk, Quality, Technology, Environmental, Safety. Layer labels: ISO 31000 Principles, Framework, Terminology, Requirements, Guidelines, Tools. Standards shown: ISO Guide 73, ISO 14001, ISO/IEC 27001, ISO/IEC 15408, OHSAS 18001, ISO 31010, NFPA 101, NFPA 75, ANSI/ASHRAE 62, HB 436, AS/NZS 4360, ISO 9001, ISO Guide 14050, ISO/IEC 27002, ISO 10005, CSA Q850, SAQ ONR 49001, AFNOR CN FD_X50-252.]

Page 7: Commercial Resilience in the Real World

ERM Aligned with Recognized Standards

Common Risks

• Business Disruption
• Environmental
• Execution Failure
• Theft / Geopolitical
• Data Breach
• Regulatory
• IT Infrastructure
• Financial Risks

Management Control Options

• Business Continuity Management
• Environmental Management
• Quality Assurance / Project Management
• Physical Security Management
• Privacy / Information Security Management
• Compliance Program Management
• IT Risk Management
• Financial Risk Management

Recognized standards shown: ISO 9001, ISO/IEC 27001, ISO 14001, ISO 28000, ISO 31010, ANSI / NFPA 1600

[Diagram labels: Assessment; Controls; Mitigate or Exploit; Risk Controls: adhering to risk management policies on risk tolerance, risk authorities, etc.; Measure uncertainties / deviations from plan; Root cause analyses.]

Page 8: Commercial Resilience in the Real World

ERM Maturity Model Approach to Resilience

Page 9: Commercial Resilience in the Real World

Business Resiliency and Sustainability using RIMS Risk Maturity Model©

The degree of business ownership and planning …

• Nonexistent: Limited to IT infrastructure orientation.
• Ad hoc: Focused on infrastructure rather than business. Reactive.
• Initial: Incorporates resiliency in each process, in addition to mitigation through disaster recovery.

Page 10: Commercial Resilience in the Real World

Business Resiliency and Sustainability using RIMS Risk Maturity Model©

• Repeatable: Business models include resiliency and sustainability aspects, such as geography, disruptive technology, competitors, etc.
• Managed: Comprehensive. Considers internal and external contexts / relationships. Focused on operational objectives outcomes and delivering value. Visible at board level.
• Leadership: Framed within the context of service continuity to all stakeholders. Dynamic and evolving system. Sustainability derived from continual adaptation. Interwoven with strategy and strategic objectives.

Page 11: Commercial Resilience in the Real World

Building Resilience in the Real World

[Diagram. Recoverable labels: BCP Policy and Program Structure; Leadership; Planning, Prevention, Preparedness, Recovery, Restoration; Emergency Response, Management and Logistics; Incident Management: Communications, Procedures, Tools; Disaster Recovery Plans Address Immediate Needs: People, Business Operations, Technology; Health & Safety; Employees; Public; Property; Facilities; Infrastructure; Environment; Network; Processes; Information Systems; Product / Services Delivery; Regulatory / Contract Compliance; Training, Exercise and Testing = Corrective Actions / Continuous Process Improvement.]

Page 12: Commercial Resilience in the Real World

Resilience at Work: Typhoon Ketsana / Ondoy

• Storm monitoring gave advance warning
• All seven sites continued operations
• Personal impact to employees
• Rerouted calls to other sites
• “Business as usual” next day

Page 13: Commercial Resilience in the Real World

Questions? Contact:

Carol Fox
Director of Strategic and Enterprise Risk Practice
[email protected]
www.rims.org

© Copyright 2010 by the Risk and Insurance Management Society, Inc.

Page 14: Commercial Resilience in the Real World

Referenced Recognized Standards

• ISO 31000:2009 Risk Management – Principles and Guidelines
• AS/NZS 4360:2004 Risk Management Australian/New Zealand Standard
• ISO GUIDE 73:2009 Risk Management – Vocabulary
• HB 436:2004 Risk Management Guidelines: a Companion to AS/NZS 4360:2004
• ISO 31010:2009 Risk Management – Risk Assessment
• NFPA 101:2009 Life Safety Code®
• ANSI/ASHRAE 62.1-2007 Standard on Ventilation for Acceptable Indoor Air Quality
• OHSAS 18001:2007 Occupational Health and Safety
• ISO 9001:2008 Quality Management Systems – Requirements
• NFPA 75:2009 Standard for the Protection of Information Technology Equipment
• ISO/IEC 27001:2005 Information Security Management Systems – Requirements
• ISO/IEC 27002:2005 Information Technology – Code of Practice
• ISO/IEC 15408:2005/2008 (3 parts) Evaluation Criteria for IT Security
• ISO 14001:2004 Environmental Management Systems – Requirements
• ISO 14050:2009 Environmental – Vocabulary
• CSA Q850-10 Risk Management – Implementation of CAN/CSA-ISO 31000
• ISO 10005:2005 Quality Management Systems – Guidelines for Quality Plans
• ISO 28000:2007 Security Management Systems for the Supply Chain
• ANSI / ASIS SPC.1:2009 Organizational Resilience: Security Preparedness, and Continuity Management Systems – Requirements with Guidance for Use

Page 15: Commercial Resilience in the Real World

• A 988-bed tertiary hospital serving 14 counties with a population in excess of 4 million in West Central Florida.
• The primary teaching affiliate for USF’s College of Medicine.
• Region’s only Level I Trauma Center.
• Region’s only Burn Center.
• Tier 1 Hospital for the Regional Domestic Security Task Force.
• Primary receiving hospital for Tampa Bay Metropolitan Medical Response System.
• A leading organ transplant center.
• State-certified comprehensive stroke center.
• Region’s leading safety net hospital.

Page 16: Commercial Resilience in the Real World

Hurricanes  

Page 17: Commercial Resilience in the Real World
Page 18: Commercial Resilience in the Real World

Emergency Management - Hazard Vulnerability Analysis 2009-2010

Scales:
Probability: has occurred 4, high 3, med 2, low 1
Risk: To Life 5, To Health 4, Major Disruption 3, Med Disruption 2, Low Disruption 1
Preparation Level: Poor 3, Fair 2, Good 1
An event is marked * if a plan is currently being reviewed.

Event | Probability | Risk | Preparation Level | sc | P
Mass Casualty in region | 2 | 5 | 2 | 9 | 3

Type: Anthropological
MC-Terrorism-chm/nuc/rad | 1 | 5 | 2 | 8 |
MC-Terrorism-biological | 2 | 4 | 2 | 8 |
MC-Explosion-external | 3 | 5 | 1 | 9 |
Bomb threat | 2 | 3 | 3 | 8 |
Hostage situation * | 2 | 5 | 2 | 9 | 3
Mass Migration | 1 | 3 | 2 | 6 |
Schools Closed | 4 | 3 | 1 | 8 |
Civil disturbance | 2 | 1 | 1 | 4 |
VIP-situation | 4 | 1 | 1 | 6 |
Infant abduction * | 3 | 4 | 2 | 9 | 3
Labor action | 2 | 1 | 3 | 6 |
Internal violence * | 4 | 5 | 2 | 11 | 1
Suicide | 4 | 5 | 2 | 11 | 1
Internal chemical spill * | 4 | 4 | | 8 |
Coastal oil spill | 2 | 3 | 3 | 8 |
Gas release at port * | 1 | 5 | 3 | 9 | 3
Accident blocking bridge | 4 | 2 | 1 | 7 |

Type: Natural
Hurricane | 3 | 5 | 2 | 10 | 2
Tornado * | 3 | 5 | 2 | 10 | 3
Severe thunderstorm | 4 | 1 | 1 | 6 |
Earthquake | 1 | 5 | 3 | 9 | 3
Epidemic | 4 | 4 | 2 | 10 | 1
Ice- | 1 | 3 | 3 | 7 |
Flooding | 3 | 3 | 1 | 7 |
Temperature extreme | 1 | 1 | 3 | 5 |
Drought | 3 | 1 | 1 | 5 |
Wild fires | 4 | 1 | 1 | 6 |
Fire, Internal | 4 | 5 | 1 | 10 | 2

Hazard Vulnerability Analysis

• Emergency Management Committee with our partners
• Recognize and analyze our risks (HVA)

Page 19: Commercial Resilience in the Real World
Page 20: Commercial Resilience in the Real World
Page 21: Commercial Resilience in the Real World

Annual Update to the Citizens Advisory Committee on Mitigation Activities

Hazard Mitigation Grant Program 2005 Submittals

• Met with Local Mitigation Strategy Representatives
  – County, Cities, SWFWMD, Hospitals, etc.
  – Initial List Submitted by Reps in October 2004
    • Approximately 30 Projects
  – List Refined For Funding Constraints (January – April 2004)
    • Approximately 15 Projects
  – Final Submittal May 2nd, 2005
    • 7 Projects
• Final Projects Submitted
  – Duck Pond Area Flood Protection (City of Tampa and County)
  – Tampa General Wind Retrofit
  – Plant City Retrofits (Fire and Police Stations)

Presented by the Hillsborough County Building Services Division, Hazard Mitigation Section August 26, 2005

Page 22: Commercial Resilience in the Real World

Mitigation and Preparation Efforts

• Hurricane Mitigation
• Window Shields
• Electrical / Red Outlets
• A/C
• Suction
• Medical Gas – Air and Oxygen
• Boiler
• Roofs
• Louvers
• Patient relocation plans
• Helo landing on garage
• Flooding protection (Sub doors)
• Security weapons

Page 23: Commercial Resilience in the Real World

Mass Casualty Preparedness

Page 24: Commercial Resilience in the Real World

Treatment Surge Capacity

• 60 Exam Rooms
• Double Headwall + 60 = 120
• 6 Trauma Bays
• Double Gas Booms = 6 = 12
• 6 Behavioral Exam Rooms
• Surge Cabinets = 71
• Total Surge Capacity is 200+
• Triage at Surge

Page 25: Commercial Resilience in the Real World
Page 26: Commercial Resilience in the Real World

Incremental Costs

• Size of ED is approximately 65,000 sq. ft.
• ED construction cost = approximately $24,000,000
• Approximate cost per square foot of $374
• Incremental costs for isolation pod HVAC $50,000
• Incremental costs for surge capacity headwalls $355,000
• Dual headwalls in each treatment room $450,000
• Decontamination facilities and storage $15,000
• Additional costs per square foot for ER One concepts was approximately $13.40 a square foot

Page 27: Commercial Resilience in the Real World

Intangible Benefits

• Free Publicity
• Improvement of reputation
• Employee pride
• Community pride
• Sleeping better at night

Page 28: Commercial Resilience in the Real World

Community Resilience in the Real World

IBHS Conference

November 17, 2010

Tim Lovell

Executive Director

Tulsa Partners, Inc.

Page 29: Commercial Resilience in the Real World

Background

Page 30: Commercial Resilience in the Real World
Page 31: Commercial Resilience in the Real World

Community Partnerships-Local and State

•   Chambers of Commerce

•   State/County/Local Gov.

•   Corporate entities

•   Nonprofit entities

Page 32: Commercial Resilience in the Real World

Community Partnerships-From National to Local

Page 33: Commercial Resilience in the Real World

Community Partnerships and the Insurance Industry

Page 34: Commercial Resilience in the Real World

Structural and Nonstructural Mitigation

•   Community Emergency Response and Hazard Mitigation Processes

•   Employee Preparedness

•   Millennium Center

•   Workshops

Page 35: Commercial Resilience in the Real World

Open for Business® Training

Page 36: Commercial Resilience in the Real World

Tulsa Partners, Inc.

Questions?

Tim Lovell

Executive Director

Tulsa Partners, Inc.

www.tulsapartners.org

[email protected]

918-632-0044