Enterprise Risk Management: Taking the First Steps

TN PRIMA, 2012
November 15, 2012
Dorothy Gjerdrum, ARM, CIRM

© 2012 ARTHUR J. GALLAGHER & CO.

Agenda

Goal: To understand how to begin to implement a broader approach to risk management

• Practice risk-based decision making
• Compare ERM & “traditional” RM
• Understand the framework
• Steps in the process
• Potential next steps for you


Taking Risk – Hating Surprises

Who are the risk takers?

Who hates surprises?


Small Sized City

Mission: To provide quality services while preserving and advancing the collective interests of all the citizens and visitors of our community.

Potential Projects (pick one):

• Merge police force with county sheriff’s office & close jail
• Seek voter approval to issue bonds to build a new marina and park
• Develop a mental health resource center
• Build a skateboard park

You only have 10 minutes!!


Risk Management: Getting to “Yes”

• After full consideration of all risks, the community college supported the trip.
• Six students & one faculty member participated.
• Downside risk was addressed through training, info on cultural context & travel abroad insurance.
• Result: Awarded silver medal!


Traditional ARM Model of Risk Management

• Values exposed to loss
• Perils (natural, human, economic)
• Consequences (freq & severity)
• Surveys, loss histories, financial statements, inspections, consultations

Risk Control
• Exposure avoidance
• Loss prevention
• Loss reduction
• Segregation
• Contractual transfer

Risk Financing
• Retention
• Insurance
• Contractual transfer

Considerations
• Political climate
• Legal obligations
• Tolerance for risk
• Budget

• Technical decisions
• Managerial decisions

• Review against objectives & performance standards
• Begin process again as new risks are identified


Risks Managed in “Silos”

What’s Missing?

• A broad-based sustainable framework
• Linking risks to what matters most to the organization
• Holding risk owners accountable for treatment & management of risks
• A clear and replicable prioritization process
• Links to decision making, budget questions, strategic planning
• Risk can be a good thing!


Differentiators

Traditional RM
• Focused on hazards & the downside of risk
• Many risk management “silos” – lack of integration
• Who’s responsible?
• Mitigation tools = insurance, risk transfer, prevention

ERM
• Anything that can affect your objectives
• Management of risk from top down & all across the organization
• Risk owners assigned
• Risk owners identify and track mitigation

ERM requires risk leadership, not just management


Why We Need to Manage Risk

The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise.

Source: National Guidance on Implementing ISO 31000:2009, from NSAI in Ireland


Defining ERM

Enterprise Risk Management describes a broader approach to managing risk. It is a coordinated effort to direct and control all activities related to risk.

It defines risk as the effect of uncertainty on objectives. It therefore ties the management of risk to what is most important to the organization.

The responsibility for managing risk is spread across the organization to those who have accountability and authority – risk owners.


What is “risk”??

• Risk is present in everything we do.
• The definition from ISO 31000, the international standard on risk management: Risk = the effect of uncertainty on your objectives.
• Risk can be a threat or an opportunity

Anything that could harm, prevent, delay or enhance your ability to achieve your objectives = risk


Overview of the Process from ISO 31000

The principles provide the foundation and describe the qualities of effective risk management in an organization.

The framework manages the overall process and its full integration into the organization.

The process for managing risk focuses on individual or groups of risks, their identification, analysis, evaluation and treatment.

Monitoring & review, continual improvement and communication occur throughout.


Principles
• Creates value
• Part of org. processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured & timely
• Based on best avail info
• Tailored
• Considers human & cultural factors
• Transparent & inclusive
• Dynamic, iterative & responsive to change
• Continual improvement

Framework
• Mandate & commitment
• Design framework for managing risk
• Implement risk management
• Monitor and review the framework
• Continually improve the framework

RM Process
• Establish the context
• Risk assessment: risk identification, risk analysis, risk evaluation
• Risk treatment
• Communicate and consult, and monitor and review, throughout

ISO/ANSI/ASSE 31000:2009, Risk management – Principles and guidelines


The Internal Context

• Lots of conflicting interests
• Lots of RM silos
• Unique City Charter authorities
• Very small RM Dept

But also…

• Strong support from key players
• Enterprises issuing debt
• Willingness to utilize technology


City-County of San Francisco

• ERM – One Dept/Project at a Time
• Risk Management Division
• Public Utilities Commission
• Port of San Francisco
• Harvard “Acting in Time” Disaster Preparedness Project


Emory University: “It started at the top”

• Chair, Audit Committee
• President
• Exec VP Finance & Administration
• Internal Audit


Emory: Why did we implement ERM?

• Break through operational silos
• Identify key exposures
• Assess appetite for risk
• Identify best practices
• Plan proactively
• Prioritize resources

NO SURPRISES!

Can you use these to develop support for ERM?


Mission Statements From Around the State

• Dyersburg – The city’s mission is to provide and maintain essential services that meet the basic collective needs of the citizens of Dyersburg and to identify and pursue opportunities for a higher quality of life.
• First TN Human Resource Agency – Our mission is to improve the quality of life for the people of Northeast TN through effective delivery of social services.


Connecting to What is Most Important

• Franklin – Long term, we see performance measurements as a comprehensive program that will lead to better management of the City’s resources, more accountability, more productivity and specific goal setting.
• Clarksville Mayor’s Priorities – Transparency in government, continuing economic development, maintaining and improving quality of life.
• Maryville – The City Government’s goal is to continue to enhance the quality of life of our residents.


Components of the Framework

• Understanding the organization & its context
• Establishing RM policy
• Accountability & authority
• Integration into organizational processes
• Determining appropriate resources
• Establishing internal communication & reporting mechanisms
• Establishing external communication & reporting mechanisms

ISO/ANSI/ASSE 31000:2009, Risk management – Principles and guidelines


Framework Example: Benefits of RM

• Increase likelihood of achieving objectives
• Encourage proactive management
• Be aware of the need to identify and treat risk throughout the organization
• Improve the identification of opportunities & threats
• Effectively allocate and use resources
• Comply with relevant legal and regulatory requirements and international norms
• Improve mandatory and voluntary reporting
• Improve operational effectiveness & efficiency
• Improve stakeholder confidence and trust
• Establish a reliable basis for decision making & planning
• Improve controls
• Improve governance

ISO/ANSI/ASSE 31000:2009, Risk management – Principles and guidelines


Framework Example: Context

External Context
• Social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment
• Key drivers and trends that will have an impact on your organization
• Relationships with and perceptions & values of external stakeholders

Internal Context
• Governance, organizational structure, roles & accountabilities
• Policies, objectives & strategy
• Capabilities & resources
• Info systems
• Organizational culture
• Contractual relationships
• Relationships with, perceptions & values of internal stakeholders

ISO/ANSI/ASSE 31000:2009, Risk management – Principles and guidelines


Excerpt… Statement of Context


A Few Definitions – ISO 31000

Risk Owner = the person or entity with the accountability and authority to manage risk

Stakeholder = any person or organization that can affect, be affected by or perceive themselves to be affected by a decision or activity. They are both internal and external. Stakeholders are important to the process and key to activities like communication, consultation and reporting. Stakeholders’ interests and fears should be taken into account.

Risk management process is the systematic application of management policies, procedures and practices to the tasks and activities of communicating, consulting, establishing the context and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.


ISO: Establishing RM Policy

• Rationale for managing risk
• Links between objectives and policies and the RM policy
• Accountabilities & responsibilities for managing risk
• How you’ll deal with conflicting interests
• Commitment to necessary resources
• How you’ll measure & report
• Commitment to review & revise


Risk Assessment

• Begin with communication & consultation
  • Internal & external stakeholders
• Establish the context
  • Objectives, internal & external context of operations, the scope & context of RM process
• Define risk criteria
  • Nature and types of causes & consequences
  • How likelihood will be defined
  • Level of risk – tolerance and acceptance
  • Combinations


Risk Identification, Analysis & Evaluation

• Sources of risk, areas of impact, events and potential consequences
• Understanding the risk – considering causes, likelihood and consequence and expressing that as a level of risk
• Evaluating which risks need further treatment; prioritizing treatment decisions


Treating Risks

Modifying risks through options such as:

• Avoiding the risk
• Taking or increasing the risk in order to pursue an opportunity
• Removing the risk source
• Changing the likelihood
• Changing the consequence
• Sharing the risk with other parties
• Retaining the risk by informed choice
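The three slides above (risk criteria, identification/analysis/evaluation, treatment) describe a procedure that is usually kept in a risk register. The Python below is an added example of such a register, not code from the presentation or from Gallagher. It assumes constructed 1-5 likelihood and consequence scales, combines them by multiplication, sets a tolerance of 8 and three level bands, and fills the register with made-up risks modelled on the small-city exercise; ISO 31000 leaves all of those choices to the organization's own risk criteria. It shows the pieces the deck insists on: every risk tied to an objective and assigned a risk owner, a level of risk derived from likelihood and consequence, evaluation against tolerance to decide which risks need further treatment, the treatment options recorded per risk, and an accountability check for owners who have not yet recorded a treatment.

```python
"""Small ISO 31000-style risk register (added example, not from the presentation).

The 1-5 scales, the product-of-scores combination, the tolerance and band
values and the sample register are constructed assumptions: ISO 31000 leaves
these choices to each organization's own risk criteria.
"""
from dataclasses import dataclass, field
from enum import Enum


class Treatment(Enum):
    """Risk treatment options, as listed on the 'Treating Risks' slide."""
    AVOID = "avoid the risk"
    PURSUE = "take or increase the risk to pursue an opportunity"
    REMOVE_SOURCE = "remove the risk source"
    CHANGE_LIKELIHOOD = "change the likelihood"
    CHANGE_CONSEQUENCE = "change the consequence"
    SHARE = "share the risk with other parties"
    RETAIN = "retain the risk by informed choice"


# Constructed 1-5 scales: part of the risk criteria ("how likelihood will be defined").
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
CONSEQUENCE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}


@dataclass
class RiskCriteria:
    """Tolerance = highest level of risk that may be retained without further treatment."""
    tolerance: int = 8
    # Constructed bands for expressing the combined score as a level of risk.
    bands: tuple = ((15, "high"), (8, "medium"), (0, "low"))

    def band(self, score: int) -> str:
        for floor, label in self.bands:
            if score >= floor:
                return label
        return self.bands[-1][1]


@dataclass
class Risk:
    name: str
    objective: str             # the organizational objective the risk affects
    owner: str                 # risk owner: accountability and authority to manage it
    likelihood: int
    consequence: int
    opportunity: bool = False  # True for an upside risk
    treatments: list = field(default_factory=list)

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD or self.consequence not in CONSEQUENCE:
            raise ValueError(f"{self.name}: likelihood and consequence must be on the 1-5 scale")

    def score(self) -> int:
        """Risk analysis: combine likelihood and consequence into one level (assumed: product)."""
        return self.likelihood * self.consequence


def evaluate(register, criteria):
    """Risk evaluation: rank by level and flag risks above tolerance for further treatment.

    Returns (risk, score, needs_treatment) tuples, highest level first. The same
    threshold is applied to opportunities, where 'treatment' means deciding whether
    to take or increase the risk.
    """
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [(r, r.score(), r.score() > criteria.tolerance) for r in ranked]


def untreated(register, criteria):
    """Accountability check: risks above tolerance whose owner has recorded no treatment."""
    return [r.name for r, _, needs in evaluate(register, criteria) if needs and not r.treatments]


def by_owner(register):
    """Group risk names by risk owner, the per-owner tracking that ERM asks for."""
    grouped = {}
    for r in register:
        grouped.setdefault(r.owner, []).append(r.name)
    return grouped


# Constructed sample register, loosely modelled on the deck's small-city exercise.
SAMPLE_REGISTER = [
    Risk("Jail closure leaves no local custody capacity", "public safety",
         "Police Chief", 3, 4, treatments=[Treatment.SHARE]),
    Risk("Marina bond measure fails at the ballot", "waterfront development",
         "Finance Director", 3, 3),
    Risk("Skateboard park injury claims", "recreation services",
         "Parks Director", 4, 2, treatments=[Treatment.CHANGE_LIKELIHOOD, Treatment.SHARE]),
    Risk("Mental health center attracts state grant funding", "community health",
         "City Manager", 2, 4, opportunity=True, treatments=[Treatment.PURSUE]),
]
CRITERIA = RiskCriteria(tolerance=8)


def summary(register=SAMPLE_REGISTER, criteria=CRITERIA):
    """One row per risk: (name, score, band, needs further treatment, owner)."""
    return [(r.name, s, criteria.band(s), needs, r.owner)
            for r, s, needs in evaluate(register, criteria)]


if __name__ == "__main__":
    for row in summary():
        print(row)
    print("above tolerance, no treatment recorded:", untreated(SAMPLE_REGISTER, CRITERIA))
```

With these assumed criteria the jail-closure risk (3 × 4 = 12) and the bond-measure risk (3 × 3 = 9) sit above the tolerance of 8 and are flagged for treatment, and `untreated` singles out the bond measure because its owner has recorded none; the two risks scoring exactly 8 are within tolerance and may be retained by informed choice. The register deliberately refuses out-of-scale scores so that "level of risk" always means the same thing across departments, which is the replicable prioritization the "What's Missing?" slide asks for.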


Monitoring and Review

Monitor and review all aspects of the risk management process to:

• Ensure that controls are effective and efficient
• Obtain further information to improve risk assessment
• Analyze and learn lessons from events
• Detect changes in the environment
• Identify emerging risks


Growing into ERM

• Link the management of risk to what is most important to the organization
• Make everyone responsible for risk
• Increase accountability
• Get serious about measurement and communication
• Look for interrelated and emerging risks
• Keep your eye on the whole field and continue to learn


Who is Interested in ERM?

• Boards of Directors – Board members from private industry understand how ERM supports an organization’s objectives; the Board’s oversight role requires evidence that risks are identified, prioritized and managed within tolerance levels
• Stakeholders – The broad management of risk includes stakeholder input, values and needs and builds in appropriate communication about risk
• Credit and Rating Agencies – Seek evidence of a comprehensive and forward-looking risk management program
• Peers – As the practice of ERM grows across a sector, it pushes innovation & drives leadership
• International Community – ISO 31000 is the guide for standardized risk management practices; its widespread adoption across the globe will affect business operations everywhere


Standard and Poor’s recognized the University of CA for its ERM program.

“The UC has implemented a system-wide enterprise risk management information system which, in our opinion, is a credit strength.”

September 9, 2010 – Ratings Direct Global Credit Portal


Sample Rating Agency Classifications

Excellent
• Advanced capabilities to identify, measure & manage all risks within tolerances
• Advanced implementation, development & execution of ERM parameters
• Consistently optimizes risk adjusted returns throughout organization

Strong
• Clear vision of risk tolerance and overall risk profile
• Risk Control exceeds adequate for most major risks
• Has robust processes to identify and prepare for emerging risks
• Incorporates risk management & decision making to optimize risk adjusted returns

Adequate
• Has fully functioning control systems in place for all major risks
• May lack a robust process for identifying and preparing for emerging risks
• Not fully developed process to optimize risk adjusted returns

Weak
• Incomplete control process for one or more major risks
• Inconsistent or limited capabilities to identify, measure or manage major risk exposures


Risk Management is Evolving

Transactional → Integrated → Strategic

Traditional Risk Management – Risk is bad; focus is on transferring risk
• Purchase insurance to cover risks
• Hazard-based risk identification and controls
• Compliance issues addressed separately
• Safety & emergency mgmt handled separately
• “Silo” approach – risk mgmt is not integrated across the organization
• Risk Manager is the insurance buyer

Advanced Risk Management – Risk is an expense; focus is on reducing cost-of-risk
• Greater use of alternative risk financing techniques
• More proactive about preventing and reducing risks
• Integrates claims mgmt, contracts review, special event RM, insurance and risk transfer techniques
• Cost allocation used for education and accountability
• More collaboration – as depts are willing
• Risk Manager may be the risk owner

Enterprise-wide Risk Management – Risk is uncertainty; focus is on optimizing risk to achieve goals
• A wide range of risks are discussed and reviewed, including reputational, human capital, strategic and operational
• Aligns RM process with strategy and mission
• May include “upside risks” (opportunities)
• Helps manage growth, allocate capital & resources
• Risks are owned by all & mitigated at the department level
• Many risk mitigation & analytical tools available
• Risk Manager is the risk facilitator and leader


Implementation Tips

• Educate yourself
• Develop talking points, find your champions; develop your “pitch”
• Consider the barriers & challenges up front
• Expect the process to be messy (so have a plan)
• Take the long view
• Build your support network


Why is Risk Management Important?

All organizations exist to achieve their objectives.

The purpose of risk management is to manage the barriers and exploit opportunities to achieve those objectives.


Before embarking on his trip around the world, Portuguese explorer Ferdinand Magellan said, “The task is not to make sure that the sea is calm, but to prepare oneself to sail in stormy, unknown waters.”

November 15, 2012
Dorothy Gjerdrum
[email protected]
651.642.2999