Managing Risk Every Day OPENING SESSION: Dorothy M. Gjerdrum, ARM-P, CIRM Executive Director & Risk Consultant
Agenda • What is “risk”? • Why we need to expand our perspective • Implications for your operations • A new framework for managing risk
Definition of risk (n), Bing Dictionary. Risk [risk] • Chance of something going wrong: the danger that injury, damage or loss will occur • Hazard: somebody or something likely to cause injury, damage or loss • Chance of loss to insurer: the probability of loss to an insurer or the amount that an insurer is in danger of losing • Synonyms: danger, jeopardy, peril, hazard, menace, threat
Risk (n) Concise Encyclopedia In economics and finance… Trading or variability risk is the amount that the return may vary, up or down, from the expected return on investment. And what happens when you “take a risk?”
Risk, in one form or another, is present in virtually all worthwhile endeavors. We recognize that not all risk is bad, and our goal is not to eliminate all risk, for by doing so we would cease all productive activity. Rather, our goal is to assume risk judiciously, mitigate it when possible, and prepare ourselves to respond effectively and efficiently when necessary.
What is “risk?” ISO/ANSI/ASSE 31000:2009 Risk management – Principles and Guidelines • Risk = the effect of uncertainty on your objectives • Objectives = the outcomes you seek, the highest expression of intent and purpose • Uncertainty = the state of not knowing, a deficiency of information
A closer look at “Uncertainty” • Makes a clear connection to the environment, the world – and your context • There are many causes and sources, internal and external • It recognizes that some/much is out of your direct control • It’s a broader view – implying both positive and negative consequences are possible
Global Uncertainties • Technological: Cyber warfare; Information infrastructure; Public data protection; Privacy versus security; New/emerging technology • Economic: Budget crises; Unfunded mandates; Aging infrastructure; Banking & investment failures; Supply chain interdependencies • Geopolitical: Use of natural resources; Access to clean water; Political uprisings & changes in governments; Terrorism • Societal: Religious conflicts; Access to education; Pandemics; Speed of change; Migration • Environmental: Climate change; Natural catastrophes; Global pollution; Extinction of species; Deforestation
World Economic Forum Global Risks Landscape 2013
Risk is NOT just: • An event • A consequence • A likelihood • A vulnerability • An exposure • A risk source • A hazard, threat or opportunity. But rather, the effect of these upon your objectives
What is “risk?” ISO/ANSI/ASSE 31000:2009 Risk management – Principles and Guidelines • Risk = the effect of uncertainty on your objectives • Objectives = the outcomes you seek, the highest expression of intent and purpose • Uncertainty = the state of not knowing, a deficiency of information • Anything that could harm, prevent, delay or enhance your ability to achieve your objectives = risk
An Example… a New Way to Consider Risk. An opportunity for grant money for a new curriculum… • Traditional RM – review the contract (indemnification, hold harmless, waiver, etc.) and place insurance • ERM (or a broader approach to risk) – gather stakeholders, assess risks, make decision, then manage risks
Risk Assessment Process: A Fictitious Scenario re School Facility Use • After several years of their varsity football team winning “state,” high school coaches create a series of summer camps – for both players and other coaches • Will use school facilities for sleepovers, food service and sports fields • Camp will include an outing to visit the professional team facility • Teaching coaches will be paid by camp fees and school contract • District will receive some money for facility use
Opportunities/Benefits: Reasons to Pursue the Activity • Good exposure of the school and district to prospective students and parents • Revenue generator (and could bring increased enrollment) • It will enhance the athletic program • Good for kids; a good summer activity • Support kids’ athletic development • Increased school activity would reduce vandalism and graffiti opportunities
Threats: Potential Damage to School & Program Objectives • Unqualified drivers • Who will chaperone? • Food allergies • What if canceled? • 504 and IEP issues • Student injury • Who’s responsible? • Reputation risk (if bad) • Insurance coverage? • Equipment & facility – ready for this? • District will get blamed if something bad happens • Potential damage to facility • Custodial & logistics support • Conflicts with facility use, scheduled repair, construction • What if school was needed for an emergency purpose?
Risk Management helps you discover both threats and opportunities
The intent of ERM (Or a Broader Approach to Managing Risk) • To manage risk more effectively to support opportunities • To identify, assess and prepare for what could go wrong • To focus on what’s most important to the organization and its stakeholders – and link key risks to key goals & objectives
Why we need to manage risk. The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise. (National Guidance on Implementing ISO 31000:2009, from NSAI in Ireland)
Framing the Process • ISO 31000:2009: International Standard on the Practice of Risk Management • ISO 31004:2013: Technical Report on the Implementation of ISO 31000 • ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards. Established in 1947, ISO is a network of the national standards institutes of 159 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system.
Adopted as the US Standard by ANSI. Available from ASSE at www.asse.org
ANSI/ASSE/ISO 31000 Risk Management Principles and Guidelines. Introduction: Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization’s objectives is “risk.” All activities of an organization involve risk…
Making Risk Management Effective: Benefits to Implementing ISO 31000 • You engage stakeholders (internal & external) • You focus on objectives or key strategies • You consider opportunities as well as threats • Communication is consistent and constant • You continually learn – and improve • Everyone is a risk manager!
Components of the ISO standard • The principles provide the foundation and describe the qualities of effective risk management in an organization • The framework manages the overall process and its full integration into the organization • The process for managing risk focuses on individual or groups of risks, their identification, analysis, evaluation and treatment • Monitoring & review, continual improvement and communication occur throughout
Principles: • Creates value • Integral part of organizational processes • Part of decision making • Explicitly addresses uncertainty • Systematic, structured & timely • Based on best available info • Tailored • Takes human & cultural factors into account • Transparent & inclusive • Dynamic, iterative & responsive to change • Facilitates continual improvement & enhancement of the org. Framework: • Mandate & Commitment • Design framework for managing risk • Implement risk management • Monitor and review the framework • Continually improve the framework. RM Process: • Establish the context • Risk assessment (Risk identification, Risk analysis, Risk evaluation) • Risk treatment • Monitor and review • Communicate and consult. From ANSI/ASSE/ISO 31000
Why ISO Specifies the Framework • Maps out how the management of risk will be integrated across the organization • Assures that the corporate-wide process is supported, iterative and effective • Details how risk management will be an active component in governance, strategy and planning, management, reporting processes, policies, values and culture • Provides for reporting & accountability
The Framework Includes: • The organization & its context • Risk Management Policy • Accountability • Integration into organizational processes • Resources • Communication & reporting – internal • Communication & reporting - external
Components of the Framework • Understanding the organization & its context • Establishing RM policy • Accountability & Authority • Integration into organizational processes • Determining appropriate resources • Establishing internal communication & reporting mechanisms • Establishing external communication & reporting mechanisms ISO 31000:2009 Risk management – Principles and guidelines
Framework Example: Context External Context • Social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment • Key drivers and trends that will have an impact on your organization • Relationships with and perceptions & values of external stakeholders Internal Context • Governance, organizational structure, roles & accountabilities • Policies, objectives & strategy • Capabilities & resources • Info systems • Organizational culture • Contractual relationships • Relationships with, perceptions & values of internal stakeholders ISO 31000:2009 Risk management – Principles and guidelines
Example of Framework - External • Uncertain funding sources • Affluent county but revenue is low • New state mandates (re students and teachers) but no new funding • Teacher associations & NEA are strong • Diversified geography • State politics: a “purple” state • Large exodus of knowledge with retirements • Active and aggressive community population • PERA • Poverty vs wealth – lots of variation by district • Emerging trend: fee for service • Influence of the media • Increase in construction • A “pro-charter” school state
Example of Framework - Internal • Each school district is different • Districts compete with each other – for teachers, students, etc. • NEA • The pool has both very large and very small districts • Decision making is affected by public perception (e.g. reactions after Sandy Hook) • When budgets get tight, safety & maintenance get cut • Constant leadership changes • Only some districts do strategic planning; we need more strategic thinking • Long-term planning is difficult • A push for innovations re learning – lots happening • Unpredictable school boards • Keeping up with changing technology is a challenge (both infrastructure & skills)
The Risk Management Process • Applies to portfolio of risks and individual risks • Begins with the context – always tailored to the organizational environment • Emphasizes continual communication & consultation and monitoring & review. Process steps (diagram): Establish the context; Risk assessment (Risk identification, Risk analysis, Risk evaluation); Risk treatment; alongside Communicate and consult, and Monitor and review
Select Definitions • Risk management = the coordinated activities to direct and control an organization with regard to risk • Risk owner = the person with the accountability and authority to manage the risk • Stakeholder = person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity
Risk Mgmt & Other Initiatives • RM supports strategic initiatives, mission and goals and links to them • RM can support management processes (e.g. balanced scorecard, performance management measures) • RM will help build success of key initiatives by identifying barriers and risks and ways to mitigate them
Key concepts of ISO 31000 • Risk Management is about supporting opportunities as well as preventing problems • It is tied to business objectives & strategies – and supports them • It works within the entity’s culture and will become integral to decision making • It will ensure that Risk Management applies to all levels of the organization and to all activities
The Benefits of (Enterprise) Risk Management • Increase likelihood of achieving objectives • Encourage proactive management • Be aware of the need to identify and treat risk throughout the organization • Improve the identification of opportunities & threats • Effectively allocate and use resources • Comply with relevant legal and regulatory requirements and international norms • Improve mandatory and voluntary reporting • Improve operational effectiveness & efficiency • Improve stakeholder confidence and trust • Establish a reliable basis for decision making & planning • Improve controls • Improve governance ISO/ANSI/ASSE 31000:2009 Risk management – Principles and Guidelines
In a nutshell… All organizations exist to achieve their objectives. The purpose of risk management is to manage the barriers to those objectives and support their achievement.
Questions? Dorothy Gjerdrum, ARM-P, CIRM, Executive Director, Arthur J. Gallagher & Co., Public Sector. 651.642.2999, dorothy_gjerdrum@ajg.com