Implementing Enterprise Risk Management

A Practical Approach

May 14th 2014

Keith W. OldManaging DirectorRiskwide Consulting Services

Page 2

Agenda

Riskwide Consulting Services, British Columbia, Canada

What is a Risk? What is ERM?

Features of ERM

History

Case Studies

Questions

Page 3

What is a risk? – What is ERM? According to ISO 31000, risk is the “effect of uncertainty

on objectives” and an effect is a positive or negative deviation from what is expected.

Enterprise Risk Management (ERM) is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.

Page 4

Features of ERM • Formalized approach to risk applied throughout

• Common language• Focused discussion forums• Reporting timely information to people in a format they require• Common measurement of risk (qualitative and quantitative)

• It is about being proactive rather than reactive• The prime focus on improving controls (risk mitigation) over time

• It is continuous rather than ad hoc• Not a one off or annual exercise only

• It is broadly focused• Involves all areas• All risks are considered (not just financial risks)• Looks at inter-linkages between risks

Page 5

History In Australia - Public Sector In Canada - Corporate

“The board of directors of every corporation should explicitly assume responsibility for the identification of the principal risks of the corporation’s business and ensuring the implementation of appropriate systems to manage these risks.”

TSX Guidelines for Corporate Governance

Case Studies1. City of Surrey Jeff Schaafsma

2. Queen’s University Kim Murphy

3. Seaspan ULC Chris Hext

Page 7

City of Surrey One of the fastest growing cities in Canada and the

fastest growing city in Metro Vancouver Population of over 468,000 (2011 census) and adding

approximately 800 new residents each month Manage risks associated with providing services as

diverse as fire services, library, RCMP, planning and development, parks and recreational, infrastructure

Manage all the risks that come from having 3400 employees

Page 8

City of Surrey - ERM Program The Risk Manager and Internal Audit wanted a clearer and

more holistic view of the risks facing the City To accurately target risk mitigation activity and reduce the number and size of claims Inform the annual internal audit plan

Bottom up approach Municipalities don’t necessarily have to drive from top levels to establish ERM as a

governance tool Desire to embed the culture at the lower levels first

Challenges Very diverse functions within the municipality - different understanding what risk

management is within various groups Time – getting in people’s calendars Convincing people to participate Reasonable amount of change happening

Page 9

City of Surrey - Lessons Learned Double the timeline that you think you will need

Focus on quality rather than quantity

Get your framework right first Sell value to participants – what’s in it for them? Fit into existing schedules as much as possible Make sure you cycle back to all participants Look for opportunity to incorporate other risk

management activity E.g. climate adaptation

Page 10

Queen’s University One of Canada’s oldest degree-granting institutions

(1841) A full-spectrum, research-intensive university 24,582 students - 7,254 staff and faculty Queen’s University has grown substantially since 2001-02

Total enrolment has increased 32% and graduate enrolment 48% Government grants and contracts have increased 26%

Unique characteristics of student cohort 95% of the student population from outside Kingston 85% of students living within a 15-minute walk to campus 90% of first-year students live in residence Queen’s is home to students from more than 120 different countries

Page 11

Queen’s University - ERM Program Driven by directive from board level to implement ERM Top down approach

Management decision to implement at senior levels first Important to establish ownership at senior levels before attempting to drive

downwards

Challenges Very diverse functions within the university – a lot of ground to cover to get a

holistic view of risk in a compact time frame Academic view versus administration view Reviving a previously stalled project Limited resources to implement (1/2 person) Fitting into an already complex governance structure

Page 12

Lessons Learned – Queen’s Get the Committee structure right Plan well in advance Asked Committee what kind of reporting they wanted to

see rather than telling them what reporting was available and asking for feedback

Show relevance Promote discussion as much as possible

E.g. Ranking focus groups rather than online surveys

Page 13

Seaspan ULC An association of Canadian companies primarily involved

in coastal and deep sea transportation, bunkering, ship repair and shipbuilding services in Western North America

Some services offered directly through Seaspan – others provided via affiliate companies: Marine Petrobulk, Seaspan Ferries, Vancouver Drydock, Vancouver Shipyards and Victoria Shipyards

National Shipbuilding Procurement Strategy Secretariat announces Vancouver Shipyards to build the Joint Support Ships in 2016

Seaspan ULC – ERM Program Driven by Board’s desire to understand risks and the

mitigation work that was being undertaken Top down and across approach

Establishing a strategic risk register and then linking in operation risk management

Challenges Many long established and very silo based risk

management methods and attitudes Change fatigue Whole corporation was extremely busy

Page 15

Lessons Learned – Seaspan ULC Process needs to be simple and streamlined

Establish good clear reporting Robust system with good usability (if needed)

Focus heavily on risk education Ensure people understand what a risk is and how to develop good mitigation plans

Make sure that the steering committee: Is aware of their role Is composed of the right people Has time and enthusiasm

Link the strategic level (50,000 ft) to the operational mitigation work that is happening

Be patient

Page 16

Additional Suggestions (Riskwide) Perform a risk assessment on your own ERM project Seek advice from others

Similar projects within your organisation Externals

Establish internal champions Think about the right pace for your organization

Page 17

Contact Details

Keith W. OldManaging Director

Riskwide Consulting Services Inc.

Office: (+1) 604 727 9757 Cell: (+1) 778 386 0756

Email: keithold@riskwide.com www.riskwide.com

Page 18

Wise words The biggest risk is a missed opportunity Exchanging ideas – the way to better risk management There is no learning without risks Things that don’t normally happen, happen all the time Risk is an essential precursor for reward. It’s the natural

context for any great endeavor, and nothing that matters was ever built without risk.

Your biggest risk is that you will underestimate your potential Understanding risk allows you to make better decisions