© 2012 ARTHUR J. GALLAGHER & CO.
NOVEMBER 15, 2012
DOROTHY GJERDRUM, ARM, CIRM
Enterprise Risk Management: Taking the First Steps
TN PRIMA, 2012
Agenda
Goal: To understand how to begin to implement a broader approach to risk management
• Practice risk-based decision making
• Compare ERM & “traditional” RM
• Understand the framework
• Steps in the process
• Potential next steps for you
Taking Risk – Hating Surprises
Who are the risk takers?
Who hates surprises?
Small Sized City
Mission: To provide quality services while preserving and advancing the collective interests of all the citizens and visitors of our community.
Potential Projects (pick one):
• Merge police force with county sheriff’s office & close jail
• Seek voter approval to issue bonds to build a new marina and park
• Develop a mental health resource center
• Build a skateboard park
You only have 10 minutes!!
Risk Management: Getting to “Yes”
Getting to “Yes”
• After full consideration of all risks, the community college supported the trip.
• Six students & one faculty member participated.
• Downside risk was addressed through training, info on cultural context & travel abroad insurance.
• Result: Awarded silver medal!
Traditional ARM Model of Risk Management
• Values exposed to loss
• Perils (natural, human, economic)
• Consequences (freq & severity)
• Surveys, loss histories, financial statements, inspections, consultations
Risk Control
• Exposure avoidance
• Loss prevention
• Loss reduction
• Segregation
• Contractual transfer
Risk Financing
• Retention
• Insurance
• Contractual transfer
Considerations
• Political climate
• Legal obligations
• Tolerance for risk
• Budget
• Technical decisions
• Managerial decisions
• Review against objectives & performance standards
• Begin process again as new risks are identified
Risks Managed in “Silos”
What’s Missing?
• A broad-based sustainable framework
• Linking risks to what matters most to the organization
• Holding risk owners accountable for treatment & management of risks
• A clear and replicable prioritization process
• Links to decision making, budget questions, strategic planning
• Risk can be a good thing!
Differentiators
Traditional RM
• Focused on hazards & the downside of risk
• Many risk management “silos” – lack of integration
• Who’s responsible?
• Mitigation tools = insurance, risk transfer, prevention
ERM
• Anything that can affect your objectives
• Management of risk from top down & all across the organization
• Risk owners assigned
• Risk owners identify and track mitigation
ERM requires risk leadership, not just management
Why We Need to Manage Risk
The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise.
Source: National Guidance on Implementing ISO 31000:2009, from NSAI in Ireland
Defining ERM
Enterprise Risk Management describes a broader approach to managing risk. It is a coordinated effort to direct and control all activities related to risk.
It defines risk as the effect of uncertainty on objectives. It therefore ties the management of risk to what is most important to the organization.
The responsibility for managing risk is spread across the organization to those who have accountability and authority – risk owners.
What is “risk”??
• Risk is present in everything we do.
• The definition from ISO 31000, the international standard on risk management: Risk = the effect of uncertainty on your objectives.
• Risk can be a threat or an opportunity.
Anything that could harm, prevent, delay or enhance your ability to achieve your objectives = risk
Overview of the Process from ISO 31000
The principles provide the foundation and describe the qualities of effective risk management in an organization.
The framework manages the overall process and its full integration into the organization.
The process for managing risk focuses on individual or groups of risks, their identification, analysis, evaluation and treatment.
Monitoring & review, continual improvement and communication occur throughout.
[Figure: ISO/ANSI/ASSE 31000:2009 – relationship between the Principles, the Framework and the RM Process]
Principles
• Creates value
• Part of org. processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured & timely
• Based on best avail info
• Tailored
• Considers human & cultural factors
• Transparent & inclusive
• Dynamic, iterative & responsive to change
• Continual improvement
Framework
• Mandate & commitment
• Design framework for managing risk
• Implement risk management
• Monitor and review the framework
• Continually improve the framework
RM Process
• Establish the context
• Risk assessment: risk identification, risk analysis, risk evaluation
• Risk treatment
• Communicate and consult (throughout the process)
• Monitor and review (throughout the process)
Source: ISO/ANSI/ASSE 31000:2009, Risk management – Principles and guidelines
The Internal Context
• Lots of conflicting interests
• Lots of RM silos
• Unique City Charter authorities
• Very small RM Dept
But also…
• Strong support from key players
• Enterprises issuing debt
• Willingness to utilize technology
City-County of San Francisco
• ERM – One Dept/Project at a Time
• Risk Management Division
• Public Utilities Commission
• Port of San Francisco
• Harvard “Acting in Time” Disaster Preparedness Project
Emory University: “It started at the top”
Chair Audit Committee
President
Exec VP Finance & Administration
Internal Audit
Emory: Why did we implement ERM?
• Break through operational silos
• Identify key exposures
• Assess appetite for risk
• Identify best practices
• Plan proactively
• Prioritize resources
NO SURPRISES!
Can you use these to develop support for ERM?
Mission Statements From Around the State
• Dyersburg – The city’s mission is to provide and maintain essential services that meet the basic collective needs of the citizens of Dyersburg and to identify and pursue opportunities for a higher quality of life.
• First TN Human Resource Agency – Our mission is to improve the quality of life for the people of Northeast TN through effective delivery of social services.
Connecting to What is Most Important
• Franklin – Long term, we see performance measurements as a comprehensive program that will lead to better management of the City’s resources, more accountability, more productivity and specific goal setting.
• Clarksville Mayor’s Priorities – Transparency in government, continuing economic development, maintaining and improving quality of life.
• Maryville – The City Government’s goal is to continue to enhance the quality of life of our residents.
Components of the Framework
• Understanding the organization & its context
• Establishing RM policy
• Accountability & authority
• Integration into organizational processes
• Determining appropriate resources
• Establishing internal communication & reporting mechanisms
• Establishing external communication & reporting mechanisms
Source: ISO/ANSI/ASSE 31000:2009, Risk management – Principles and guidelines
Framework Example: Benefits of RM
• Increase likelihood of achieving objectives
• Encourage proactive management
• Be aware of the need to identify and treat risk throughout the organization
• Improve the identification of opportunities & threats
• Effectively allocate and use resources
• Comply with relevant legal and regulatory requirements and international norms
• Improve mandatory and voluntary reporting
• Improve operational effectiveness & efficiency
• Improve stakeholder confidence and trust
• Establish a reliable basis for decision making & planning
• Improve controls
• Improve governance
Source: ISO/ANSI/ASSE 31000:2009, Risk management – Principles and guidelines
Framework Example: Context
External Context
• Social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment
• Key drivers and trends that will have an impact on your organization
• Relationships with and perceptions & values of external stakeholders
Internal Context
• Governance, organizational structure, roles & accountabilities
• Policies, objectives & strategy
• Capabilities & resources
• Info systems
• Organizational culture
• Contractual relationships
• Relationships with, perceptions & values of internal stakeholders
Source: ISO/ANSI/ASSE 31000:2009, Risk management – Principles and guidelines
Excerpt… Statement of Context
A Few Definitions – ISO 31000
Risk Owner = the person or entity with the accountability and authority to manage risk.
Stakeholder = any person or organization that can affect, be affected by or perceive themselves to be affected by a decision or activity. They are both internal and external. Stakeholders are important to the process and key to activities like communication, consultation and reporting. Stakeholders’ interests and fears should be taken into account.
Risk management process = the systematic application of management policies, procedures and practices to the tasks and activities of communicating, consulting, establishing the context and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.
ISO: Establishing RM Policy
• Rationale for managing risk
• Links between objectives and policies and the RM policy
• Accountabilities & responsibilities for managing risk
• How you’ll deal with conflicting interests
• Commitment to necessary resources
• How you’ll measure & report
• Commitment to review & revise
Risk Assessment
• Begin with communication & consultation
  • Internal & external stakeholders
• Establish the context
  • Objectives, internal & external context of operations, the scope & context of RM process
• Define risk criteria
  • Nature and types of causes & consequences
  • How likelihood will be defined
  • Level of risk – tolerance and acceptance
  • Combinations
Risk Identification, Analysis & Evaluation
• Sources of risk, areas of impact, events and potential consequences
• Understanding the risk – considering causes, likelihood and consequence and expressing that as a level of risk
• Evaluating which risks need further treatment; prioritizing treatment decisions
Treating Risks
Modifying risks through options such as:
• Avoiding the risk
• Taking or increasing the risk in order to pursue an opportunity
• Removing the risk source
• Changing the likelihood
• Changing the consequence
• Sharing the risk with other parties
• Retaining the risk by informed choice
Monitoring and Review
Monitor and review all aspects of the risk management
process to:
• Ensure that controls are effective and efficient
• Obtain further information to improve risk assessment
• Analyze and learn lessons from events
• Detect changes in the environment
• Identify emerging risks
Growing into ERM
• Link the management of risk to what is most important to the organization
• Make everyone responsible for risk
• Increase accountability
• Get serious about measurement and communication
• Look for interrelated and emerging risks
• Keep your eye on the whole field and continue to learn
Who is Interested in ERM?
• Boards of Directors – Board members from private industry understand how ERM supports an organization’s objectives; the Board’s oversight role requires evidence that risks are identified, prioritized and managed within tolerance levels
• Stakeholders – The broad management of risk includes stakeholder input, values and needs and builds in appropriate communication about risk
• Credit and Rating Agencies – Seek evidence of a comprehensive and forward-looking risk management program
• Peers – As the practice of ERM grows across a sector, it pushes innovation & drives leadership
• International Community – ISO 31000 is the guide for standardized risk management practices; its widespread adoption across the globe will affect business operations everywhere
Standard and Poor’s recognized the University of CA for its ERM program.
“The UC has implemented a system-wide enterprise risk management information system which, in our opinion, is a credit strength.”
September 9, 2010 – Ratings Direct Global Credit Portal
Sample Rating Agency Classifications
Excellent
• Advanced capabilities to identify, measure & manage all risks within tolerances
• Advanced implementation, development & execution of ERM parameters
• Consistently optimizes risk adjusted returns throughout organization
Strong
• Clear vision of risk tolerance and overall risk profile
• Risk control exceeds adequate for most major risks
• Has robust processes to identify and prepare for emerging risks
• Incorporates risk management & decision making to optimize risk adjusted returns
Adequate
• Has fully functioning control systems in place for all major risks
• May lack a robust process for identifying and preparing for emerging risks
• Not fully developed process to optimize risk adjusted returns
Weak
• Incomplete control process for one or more major risks
• Inconsistent or limited capabilities to identify, measure or manage major risk exposures
Risk Management is Evolving
[Figure: three stages on a scale from Transactional through Integrated to Strategic]
Traditional Risk Management
• Purchase insurance to cover risks
• Hazard-based risk identification and controls
• Compliance issues addressed separately
• Safety & emergency mgmt handled separately
• “Silo” approach – risk mgmt is not integrated across the organization
• Risk Manager is the insurance buyer
Risk is bad – focus is on transferring risk
Advanced Risk Management
• Greater use of alternative risk financing techniques
• More proactive about preventing and reducing risks
• Integrates claims mgmt, contracts review, special event RM, insurance and risk transfer techniques
• Cost allocation used for education and accountability
• More collaboration – as depts are willing
• Risk Manager may be the risk owner
Risk is an expense – focus is on reducing cost-of-risk
Enterprise-wide Risk Management
• A wide range of risks are discussed and reviewed, including reputational, human capital, strategic and operational
• Aligns RM process with strategy and mission
• May include “upside risks” (opportunities)
• Helps manage growth, allocate capital & resources
• Risks are owned by all & mitigated at the department level
• Many risk mitigation & analytical tools available
• Risk Manager is the risk facilitator and leader
Risk is uncertainty – focus is on optimizing risk to achieve goals
Implementation Tips
• Educate yourself
• Develop talking points, find your champions; develop your “pitch”
• Consider the barriers & challenges up front
• Expect the process to be messy (so have a plan)
• Take the long view
• Build your support network
Why is Risk Management Important?
All organizations exist to achieve their objectives.
The purpose of risk management is to manage the barriers and exploit opportunities to achieve those objectives.
Before embarking on his trip around the world, Portuguese explorer Ferdinand Magellan said,
“The task is not to make sure that the sea is calm, but to prepare oneself to sail in stormy, unknown waters.”
NOVEMBER 15, 2012
DOROTHY GJERDRUM
651.642.2999