
ERM: Are You Thinking BIG Enough?

Explore traditional risk management versus enterprise risk management, sample programs, tools, and ideas for better risk identification, ranking, response, and understanding across the organization. Learn how ERM can assess and address risks to achieve strategic objectives efficiently.


Presentation Transcript


  1. ERM:Are You Thinking BIG Enough? Betty Reed, State of WA Dorothy Gjerdrum, Arthur J. Gallagher STRIMA 2006 September 27, 2006

  2. Agenda • Compare the Approach: Traditional RM & ERM • Sample Program: WA State • Tools & Ideas You Can Use

  3. Compare the Approaches • Definitions • Risk Identification • Risk Ranking & Prioritization • Risk Response • Understanding Risk Across the Organization

  4. ERM Defined: “…a process, effected by an entity’s top management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Source: Committee of Sponsoring Organizations (COSO) Enterprise Risk Management – Integrated Framework, 2004.

  5. ERM & TRM – ERM Definition: “A rigorous approach to assessing and addressing the risks from all sources that threaten the achievement of an organization’s strategic objectives. In addition, ERM identifies those risks that represent corresponding opportunities to exploit for competitive advantage.” Source: Tillinghast-Towers Perrin. Traditional Definition: “The process of planning, organizing, leading and controlling the activities of an organization in order to minimize the adverse effects of accidental losses on that organization at a reasonable cost.” Source: Essentials of the RM Process, ARM 54 text, Insurance Institute of America.

  6. Identifying Risk • Checklists of Operations & Property • Interviews with Key Staff • Inspections & Site Visits • Records of Incidents & Claims • Complaint Forms • Budgets, Financial Statements • Meeting Minutes • Property Records • Permits & Contracts

  7. ERM Approach to Identifying Risk • Interviews with Key Staff • Risk Identification Process – Across the Organization • Risk Ranking – High/High to Low/Low • Performance Measures & Compliance Audits

  8. TRM Risk Ranking & Prioritization Primary focus: • Reaction to bad press or catastrophic claim(s) • Compliance with laws, rules & regs • Activities and departments with high losses (frequency or severity or both) • Loss runs, complaint forms, etc.

  9. ERM – Risk Ranking & Prioritization • Focus group identifies: • What are the biggest risks our agency is facing? • What internal and external events could affect the agency’s mission and the achievement of our goals? • Then evaluates and ranks them: • To what extent would these potential events impact our goals, and what is the likelihood that they will happen? • Use a rating scale for assessing impact and likelihood (1-3), with 1 low and 3 high

  10. Event Identification • Differentiates risks and opportunities • Events that may have a negative impact represent risks • Events that may have a positive impact represent opportunities, which management channels back to strategy setting

  11. Event Identification • Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives. • Addresses how internal and external factors combine and interact to influence the risk profile.

  12. Risk Register/ Best Practices

  13. Risk Mapping

  14. 2006 Heat Map Project – Core Business Processes
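To make the 1-3 rating scale from slide 9 and the risk map/heat map on slides 13-14 concrete, here is an added example (not the deck's own tool or WA state's database) that scores a constructed register on impact and likelihood, ranks it High/High to Low/Low, and lays it out as a 3x3 heat map; the product score and the tie-break rule are assumptions, not something the deck specifies.

```python
from dataclasses import dataclass
from collections import defaultdict

LEVELS = {1: "Low", 2: "Medium", 3: "High"}  # the deck's 1-3 scale


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int       # 1 = low, 3 = high
    likelihood: int   # 1 = low, 3 = high


def validate(risk):
    """Reject ratings outside the 1-3 scale before they distort ranking."""
    for v in (risk.impact, risk.likelihood):
        if v not in LEVELS:
            raise ValueError(f"{risk.name}: ratings must be 1-3, got {v}")


def score(risk):
    """Product score (assumption): 9 = High/High, 1 = Low/Low."""
    return risk.impact * risk.likelihood


def label(risk):
    return f"{LEVELS[risk.impact]}/{LEVELS[risk.likelihood]}"


def rank(risks):
    """High/High first; ties broken by impact (assumption), then by name."""
    for r in risks:
        validate(r)
    return sorted(risks, key=lambda r: (-score(r), -r.impact, r.name))


def heat_map(risks):
    """Group risk names into 3x3 cells keyed by (impact, likelihood)."""
    cells = defaultdict(list)
    for r in risks:
        cells[(r.impact, r.likelihood)].append(r.name)
    return dict(cells)


# Constructed sample register (illustrative entries, not from the deck)
REGISTER = [
    Risk("Data breach of member records", 3, 2),
    Risk("Key-person loss in investment ops", 2, 3),
    Risk("Unauthorized trade", 3, 1),
    Risk("Minor reporting delay", 1, 2),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{score(r)}  {label(r):<13} {r.name}")
```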

  15. TRM Risk Response • Avoid • Retain • Transfer

  16. ERM Risk Response • Quantification of risk exposure • Options available: - Accept = monitor - Avoid = eliminate (get out of situation) - Reduce = institute controls - Share = partner with someone (e.g., insurance) • Residual risk (unmitigated risk – e.g., unpredictable harm to vulnerable persons)

  17. ERM Risk Response • Identifies and evaluates possible responses to risk • Evaluates options in relation to entity’s risk appetite, cost versus benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood • Selects and executes response based on evaluation of the portfolio of risks and responses

  18. ERM Risk Response Control Activities: • Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out. • Occur throughout the organization at all levels and in all functions. • Include application and general information technology controls.

  19. Understanding Risk Across the Organization – TRM • Risk is managed through separate “silos” • Lack of full coordination or accountability

  20. Risk Silos

  21. Understanding Risk Across the Organization – ERM ERM takes a portfolio view of risk: • Risks considered during strategic planning • Determine the entity’s “risk appetite” – a high-level view of how much risk the entity is willing to accept • Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite

  22. The State Needs to Manage Its Risk Above the Line As Well As Below • Catastrophic risk • Non-tort litigation risk • Compliance risk • Reputational risk • Emerging/shifting risk • Systemic causes of incidents • Financial risk • Operational risk • Human capital risk • Liability, Negligence – GL/AL. RISK: Any event that interferes with the state achieving its strategic objectives

  23. ERM Innovation: Responsibility • Who “owns” the risk in your organization? (If the spit hits the fan, who will take a spit bath?) • CHALLENGE: What would it look like to have everyone in the organization take ownership?

  24. ERM Innovation: Accountability • Some of the most successful ERM initiatives have been able to link risk mitigation & management to performance reviews – making managers responsible for risk control & measurement • CHALLENGE: What would be a reasonable measurement of compliance?

  25. Innovation: Strategic Goals • ERM is linked to an entity’s strategic objectives & part of the strategic planning process. It goes beyond the protection of financial assets. • CHALLENGE: What would it take to get risk management to that table?

  26. How does this work in the real world?

  27. State of WA ERM Initiative 2001 • Risk Management Task Force • Risk Management Executive Order 2002 • RM Division moved to OFM 2003 • Budgeting through Priorities in Government • Policy Level Budget Proposal for Self-Insurance Premium

  28. State of WA ERM Initiative 2004 • Risk Summits with key agencies 2005 • Gov’t Management and Accountability Program – risk focus • Strategic Planning must include risk focus • ERM introduced by Governor at new executive-level Risk Management Conference

  29. State of WA ERM Initiative 2006 • Maturity Model adopted to assess and track agency progress • Risk Specialist positions created to move agencies toward ERM • ERM featured throughout 2006 monthly and quarterly risk publications and training

  30. Sample ERM Criteria • Risk Manager reports to Director, Secretary or Deputy Director • Centralized RM responsibilities assigned as 100% of an FTE (where agency size or risk character warrants) • Agency performs annual risk assessment • Agency evaluates incidents using varying depth of analysis based on severity of outcome or potential outcome • Agency develops practice and process changes, or other corrections, based on root cause analysis of identified incidents


  32. Enterprise Risk Management Excerpts from a Presentation to the Washington State Investment Board

  33. WSIB Overview The Washington State Investment Board manages investments for 14 separate retirement funds for public employees, teachers, school employees, law enforcement officers, firefighters, and judges. We also manage investments for 19 other public funds that support or benefit industrial insurance, colleges and universities, developmental disabilities, and wildlife protection. Our mission is to invest with integrity, prudence, and skill to meet or exceed the financial objectives of those we serve.

  34. Enterprise Risk Management (ERM) – What is it? • A systematic process for identifying, assessing and prioritizing potential events that may affect the organization • Needs support and encouragement from executive management • Enterprise-wide participation of event identification and risk response • A tool to help management achieve its objectives • In short, it’s a process for identifying and managing what may happen that could prevent you from achieving the agency mission

  35. ERM Roadmap • In 2003 • With a strong commitment from the Executive Director, Joe Dear, staff conducted an initial risk assessment which kicked-off the first discussion of enterprise risk management capabilities and effectiveness • In 2004 • The core of the new risk management strategy was the establishment of an ERM team tasked with defining the ERM key dimensions, principles, core business processes, and common ERM risks • In 2005 • Risk Director position was created • ERM team developed a risk management database system • Annual risk assessment questionnaire was developed • ERM education was provided to staff • In 2006 • ERM team benchmarked risk activities against COSO • Quantitative evaluation of risk impact and likelihood were added to the database • Risk heat map was developed • Agency key risks were summarized in a written document

  36. ERM Structure (organization chart) • Board Governance: Audit Committee; WSIB Board • Executive Management and ERM Team: Executive Management Team; Deputy Director for Operations (Executive Sponsor); ERM Team • ERM Framework and Tools: Risk Assessment; Board Policy; Risk Management System; COSO Framework; Education; Risk Management Principles; Risk Reporting

  37. WSIB Risk Management Principles – Our guide to track risk events

  38. Risk Management System • Reporting Database • Tool to capture errors, incidents, or potential risks on a daily basis • Timely resolution of reported items, resulting in minimized business impact • Better understanding of the impact incidents/errors have on the overall agency • Accurate information on the incidents that are occurring • Increased availability of information for management review

  39. Annual Risk Assessment Questionnaire Example

  40. 2006 Heat Map Project – Core Business Processes

  41. 2006 COSO* ERM Standard – Process & Categories • *Committee of Sponsoring Organizations of the Treadway Commission

  42. 2006 COSO* ERM Benchmarking Project • What we are doing well in relation to the COSO ERM Framework: • We have a strong ethical culture and internal environment, a commitment to competence, and a Board that provides oversight • We have an established mission with strategic objectives so that all staff are working towards a common goal • We have an established process to identify events, assess risk, and respond • We have strong control activities • Our ERM process is dynamic and constantly changing, ensuring that it remains relevant to the business of the agency • *Committee of Sponsoring Organizations of the Treadway Commission

  43. 2006 COSO ERM Benchmarking Project (cont’d.) • What we want to improve on: • Be more explicit in our risk management philosophy • Establish succinct risk appetite and tolerance levels • Analyze likelihood and impact – then assign risk level • Assign risk responses into one of four categories • Avoidance • Reduction • Sharing • Acceptance • Increase staff participation on risk identification • Education on risk terminology, risk assessment, and risk response

  44. ERM Tools • Risk Rating Tool • Raise Risk Awareness – Across the Organization • Facilitated Discussion of Risk • Discussion of the “Upside” of Risk – Opportunities! – and a Wider Discussion Involving Your Community

  45. A Simple Risk Rating Tool

  46. Risk Assessment Wallet Tool – Maricopa County (AZ) Community College District MIRA Project

  47. Risk Assessment Tool

  48. Facilitated Discussion of Risk Before you begin: • Make a list of risks you currently don’t manage – include those SMEs • Make a list of key players and SMEs representing all areas of operation & functionality – Who should be at the table? • List the barriers to conducting this discussion

  49. ERM Tools Facilitated Discussion of Risk • Cross section of personnel • Subject matter experts (SMEs) • “What’s the worst that could happen?” “What is it that we cannot allow to happen?” • What we learn from school shootings – someone always knows that “something’s not right”

  50. Upside Risks/Wider View Identify: • Current or new projects – your entity • Current or new projects – your community • Social trends in your community • Economic development in your community – is it booming? – faltering? (Within a crisis, there is opportunity for change)
