Explore traditional risk management versus enterprise risk management, sample programs, tools, and ideas for better risk identification, ranking, response, and understanding across the organization. Learn how ERM can assess and address risks to achieve strategic objectives efficiently.
ERM: Are You Thinking BIG Enough?
Betty Reed, State of WA
Dorothy Gjerdrum, Arthur J. Gallagher
STRIMA 2006, September 27, 2006

Agenda
• Compare the Approach: Traditional RM & ERM
• Sample Program: WA State
• Tools & Ideas You Can Use

Compare the Approaches
• Definitions
• Risk Identification
• Risk Ranking & Prioritization
• Risk Response
• Understanding Risk Across the Organization
ERM Defined
“…a process, effected by an entity’s top management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: Committee of Sponsoring Organizations (COSO), Enterprise Risk Management – Integrated Framework, 2004.

ERM & TRM
ERM Definition: “A rigorous approach to assessing and addressing the risks from all sources that threaten the achievement of an organization’s strategic objectives. In addition, ERM identifies those risks that represent corresponding opportunities to exploit for competitive advantage.”
Source: Tillinghast-Towers Perrin
Traditional Definition: “The process of planning, organizing, leading and controlling the activities of an organization in order to minimize the adverse effects of accidental losses on that organization at a reasonable cost.”
Source: Essentials of the RM Process, ARM 54 Text, Insurance Institute of America
Identifying Risk (TRM)
• Checklists of Operations & Property
• Interviews with Key Staff
• Inspections & Site Visits
• Records of Incidents & Claims
• Complaint Forms
• Budgets, Financial Statements
• Meeting Minutes
• Property Records
• Permits & Contracts

ERM Approach to Identifying Risk
• Interviews with Key Staff
• Risk Identification Process – Across the Organization
• Risk Ranking – High/High to Low/Low
• Performance Measures & Compliance Audits

TRM Risk Ranking & Prioritization
Primary focus:
• Reaction to bad press or catastrophic claim(s)
• Compliance with laws, rules & regs
• Activities and departments with high losses (frequency or severity or both)
• Loss runs, complaint forms, etc.
ERM – Risk Ranking & Prioritization
• Focus group identifies:
  • What are the biggest risks our agency is facing?
  • What internal and external events could affect the agency’s mission and the achievement of our goals?
• Then evaluates and ranks them:
  • To what extent would these potential events impact our goals, and what is the likelihood that they will happen?
  • Use a rating scale for assessing impact and likelihood (1-3), with 1 low and 3 high
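The ranking step above is simple enough to put in a small tool. The following is an added example, not the State of Washington's own risk rating tool: it scores each risk on the 1-3 impact and likelihood scale from the slide, orders the register from High/High to Low/Low, and counts risks into the 3x3 grid that a risk heat map is drawn from. The register entries are constructed sample data.

```python
"""Rank a risk register on the 1-3 impact/likelihood scale.

Added example with constructed data; not an actual agency's tool.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Rating scale from the slide: 1 = low, 3 = high.
LEVEL = {1: "Low", 2: "Medium", 3: "High"}


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int      # 1-3
    likelihood: int  # 1-3

    def __post_init__(self) -> None:
        # Reject anything outside the agreed scale so the ranking stays comparable.
        for value in (self.impact, self.likelihood):
            if value not in LEVEL:
                raise ValueError(f"rating must be 1-3, got {value!r}")

    @property
    def label(self) -> str:
        """Impact/Likelihood label, e.g. 'High/Medium', as used on the slide."""
        return f"{LEVEL[self.impact]}/{LEVEL[self.likelihood]}"


def rank(risks: List[Risk]) -> List[Risk]:
    """Order risks from High/High down to Low/Low.

    Impact is the primary key and likelihood the secondary one, so a rare
    catastrophic event is listed before a frequent minor one; ties are broken
    by name so the output is stable.
    """
    return sorted(risks, key=lambda r: (-r.impact, -r.likelihood, r.name))


def heat_map(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Bucket risk names into a 3x3 grid keyed by (impact, likelihood)."""
    grid: Dict[Tuple[int, int], List[str]] = {
        (i, l): [] for i in LEVEL for l in LEVEL
    }
    for r in risks:
        grid[(r.impact, r.likelihood)].append(r.name)
    return grid


def render_heat_map(risks: List[Risk]) -> str:
    """Text rendering of the grid: rows are impact (high at top), columns likelihood."""
    grid = heat_map(risks)
    lines = ["impact \\ likelihood | Low | Medium | High"]
    for i in (3, 2, 1):
        cells = [str(len(grid[(i, l)])) for l in (1, 2, 3)]
        lines.append(f"{LEVEL[i]:<19} | " + " | ".join(cells))
    return "\n".join(lines)


# Constructed sample register (hypothetical agency risks).
SAMPLE_REGISTER = [
    Risk("Data center outage", impact=3, likelihood=2),
    Risk("Key staff departure", impact=2, likelihood=3),
    Risk("Minor records error", impact=1, likelihood=3),
    Risk("Compliance audit finding", impact=2, likelihood=2),
    Risk("Catastrophic earthquake", impact=3, likelihood=1),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_REGISTER):
        print(f"{r.label:<14} {r.name}")
    print()
    print(render_heat_map(SAMPLE_REGISTER))
```

Sorting on impact first is a design choice: a plain impact x likelihood product would place a 3/1 earthquake and a 1/3 records error on the same level, which is rarely what a focus group means when it asks "what can we not allow to happen?".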
Event Identification
• Differentiates risks and opportunities
• Events that may have a negative impact represent risks
• Events that may have a positive impact represent opportunities, which management channels back to strategy setting

Event Identification
• Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.
• Addresses how internal and external factors combine and interact to influence the risk profile.

TRM Risk Response
• Avoid
• Retain
• Transfer
ERM Risk Response
• Quantification of risk exposure
• Options available:
  - Accept = monitor
  - Avoid = eliminate (get out of the situation)
  - Reduce = institute controls
  - Share = partner with someone (e.g., insurance)
• Residual risk (unmitigated risk – e.g., unpredictable harm to vulnerable persons)

ERM Risk Response
• Identifies and evaluates possible responses to risk
• Evaluates options in relation to the entity’s risk appetite, cost versus benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood
• Selects and executes a response based on evaluation of the portfolio of risks and responses

ERM Risk Response – Control Activities
• Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
• Occur throughout the organization at all levels and in all functions.
• Include application and general information technology controls.
Understanding Risk Across the Organization – TRM
• Risk is managed through separate “silos”
• Lack of full coordination or accountability

Understanding Risk Across the Organization – ERM
ERM takes a portfolio view of risk:
• Risks considered during strategic planning
• Determine the entity’s “risk appetite” – a high-level view of how much risk the entity is willing to accept
• Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite

The State Needs to Manage Its Risk Above the Line As Well As Below
• Catastrophic risk
• Non-tort litigation risk
• Compliance risk
• Reputational risk
• Emerging/shifting risk
• Systemic causes of incidents
• Financial risk
• Operational risk
• Human capital risk
• Liability, Negligence – GL/AL
RISK: Any event that interferes with the state achieving its strategic objectives
ERM Innovation: Responsibility
• Who “owns” the risk in your organization? (If the spit hits the fan, who will take a spit bath?)
• CHALLENGE: What would it look like to have everyone in the organization take ownership?

ERM Innovation: Accountability
• Some of the most successful ERM initiatives have been able to link risk mitigation & management to performance reviews – making managers responsible for risk control & measurement
• CHALLENGE: What would be a reasonable measurement of compliance?

Innovation: Strategic Goals
• ERM is linked to an entity’s strategic objectives & is part of the strategic planning process. It goes beyond the protection of financial assets.
• CHALLENGE: What would it take to get risk management to that table?
State of WA ERM Initiative
2001
• Risk Management Task Force
• Risk Management Executive Order
2002
• RM Division moved to OFM
2003
• Budgeting through Priorities in Government
• Policy Level Budget Proposal for Self-Insurance Premium

State of WA ERM Initiative
2004
• Risk Summits with key agencies
2005
• Gov’t Management and Accountability Program – risk focus
• Strategic Planning must include risk focus
• ERM introduced by Governor at new executive-level Risk Management Conference

State of WA ERM Initiative
2006
• Maturity Model adopted to assess and track agency progress
• Risk Specialist positions created to move agencies toward ERM
• ERM featured throughout 2006 monthly and quarterly risk publications and training

Sample ERM Criteria
• Risk Manager reports to Director, Secretary or Deputy Director
• Centralized RM responsibilities assigned as 100% of an FTE (where agency size or risk character warrants)
• Agency performs annual risk assessment
• Agency evaluates incidents using varying depth of analysis based on severity of outcome or potential outcome
• Agency develops practice and process changes, or other corrections, based on root cause analysis of identified incidents
Enterprise Risk Management
Excerpts from a Presentation to the Washington State Investment Board
WSIB Overview The Washington State Investment Board manages investments for 14 separate retirement funds for public employees, teachers, school employees, law enforcement officers, firefighters, and judges. We also manage investments for 19 other public funds that support or benefit industrial insurance, colleges and universities, developmental disabilities, and wildlife protection. Our mission is to invest with integrity, prudence, and skill to meet or exceed the financial objectives of those we serve.
Enterprise Risk Management (ERM) – What is it?
• A systematic process for identifying, assessing and prioritizing potential events that may affect the organization
• Needs support and encouragement from executive management
• Enterprise-wide participation in event identification and risk response
• A tool to help management achieve its objectives
• In short, it’s a process for identifying and managing what may happen that could prevent you from achieving the agency mission

ERM Roadmap
• In 2003
  • With a strong commitment from the Executive Director, Joe Dear, staff conducted an initial risk assessment which kicked off the first discussion of enterprise risk management capabilities and effectiveness
• In 2004
  • The core of the new risk management strategy was the establishment of an ERM team tasked with defining the ERM key dimensions, principles, core business processes, and common ERM risks
• In 2005
  • Risk Director position was created
  • ERM team developed a risk management database system
  • Annual risk assessment questionnaire was developed
  • ERM education was provided to staff
• In 2006
  • ERM team benchmarked risk activities against COSO
  • Quantitative evaluation of risk impact and likelihood was added to the database
  • Risk heat map was developed
  • Agency key risks were summarized in a written document

ERM Structure
• Board Governance: Audit Committee; WSIB Board
• Executive Management and ERM Team: Executive Management Team; Deputy Director for Operations (Executive Sponsor); ERM Team
• ERM Framework and Tools: Risk Assessment; Board Policy; Risk Management System; COSO Framework; Education; Risk Management Principles; Risk Reporting
WSIB Risk Management Principles – Our guide to track risk events
Risk Management System
• Reporting Database
• Tool to capture errors, incidents, or potential risks on a daily basis
• Timely resolution of reported items, resulting in minimized business impact
• Better understanding of the impact incidents/errors have on the overall agency
• Accurate information on the incidents that are occurring
• Increased availability of information for management review

2006 COSO* ERM Standard – Process & Categories
*Committee of Sponsoring Organizations of the Treadway Commission

2006 COSO ERM Benchmarking Project
• What we are doing well in relation to the COSO ERM Framework:
  • We have a strong ethical culture and internal environment, a commitment to competence, and a Board that provides oversight
  • We have an established mission with strategic objectives so that all staff are working towards a common goal
  • We have an established process to identify events, assess risk, and respond
  • We have strong control activities
  • Our ERM process is dynamic and constantly changing, ensuring that it remains relevant to the business of the agency

2006 COSO ERM Benchmarking Project (cont’d.)
• What we want to improve on:
  • Be more explicit in our risk management philosophy
  • Establish succinct risk appetite and tolerance levels
  • Analyze likelihood and impact – then assign risk level
  • Assign risk responses into one of four categories:
    • Avoidance
    • Reduction
    • Sharing
    • Acceptance
  • Increase staff participation in risk identification
  • Education on risk terminology, risk assessment, and risk response
ERM Tools
• Risk Rating Tool
• Raise Risk Awareness – Across the Organization
• Facilitated Discussion of Risk
• Discussion of the “Upside” of Risk – Opportunities! – and a Wider Discussion Involving Your Community
Risk Assessment Wallet Tool – Maricopa County (AZ) Community College District MIRA Project
Facilitated Discussion of Risk
Before you begin:
• Make a list of risks you currently don’t manage – include those SMEs
• Make a list of key players and SMEs representing all areas of operation & functionality – Who should be at the table?
• List the barriers to conducting this discussion

ERM Tools – Facilitated Discussion of Risk
• Cross section of personnel
• Subject matter experts (SMEs)
• “What’s the worst that could happen?” “What is it that we cannot allow to happen?”
• What we learn from school shootings – someone always knows that “something’s not right”

Upside Risks / Wider View
Identify:
• Current or new projects – your entity
• Current or new projects – your community
• Social trends in your community
• Economic development in your community – is it booming? faltering? (Within a crisis, there is opportunity for change)