Building ERM Into Your Risk Management Program: A Practical Approach Sean Catanese, ARM, C31000 Enterprise Risk Management Program Manager December 4, 2015


Building ERM Into Your Risk Management Program: A Practical Approach

Sean Catanese, ARM, C31000, Enterprise Risk Management Program Manager, December 4, 2015


What is ERM?

“Enterprise Risk Management (“ERM”) is a strategic business discipline that supports the achievement of an organization's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.”

- Risk & Insurance Management Society (RIMS)


ISO 31000: Principles

How ERM works and what it does:
• Creates value
• Integral to organizational processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured, and timely
• Uses the best available information
• Tailored
• Includes human and cultural factors
• Transparent and inclusive
• Dynamic, iterative, and responsive
• Facilitates continuous improvement


ISO 31000: Framework

[Framework cycle diagram; the labels that survive in the text are: Mandate and commitment; Implement risk management; Monitor and review the framework; Continually improve the framework.]


ISO 31000: Process

[Process diagram: Establish the context; Risk assessment (Identification, Analysis, Evaluation); Risk treatment. “Communication and consultation” and “Monitor and review” run alongside every step.]


COSO’s ERM Integrated Framework


Implementing COSO’s ERM Integrated Framework

1. Establish senior management’s investment
2. Identify your ERM champion
3. Create an effective working group
4. Start with an enterprise-wide risk assessment
5. Inventory your risk management practices
6. Develop some basic risk reporting
7. Build action plans based on identified needs

Adapted from Embracing Enterprise Risk Management: Practical Approaches for Getting Started, written by Frigo and Anderson, published by COSO, 2011.


What led King County to ERM?

[Bar chart: years 2010, 2012 and 2015 on the horizontal axis, a dollar scale from $0 to $8,000,000 on the vertical axis. The bar labels read $3,500,000, $7,500,000 and $6.5*; the asterisk and the quantity being plotted are not explained in the extracted text.]


King County’s ERM Framework

[Organization chart; only the labels are recoverable from the text:
• Electorate of King County
• County Council
• County Executive (Dow Constantine)
• County Administrative Officer (Caroline Whalen)
• Risk Manager (Jennifer Hills)
• ERM Program Manager (Sean Catanese)
• ERM Work Group / King County Agencies: Wastewater, Sheriff, Roads, Metro, Public Health, Risk, Budget, Safety, Detention
• Other labels on the chart: Executive Priorities, Reporting, Budget, Duties, Provisos, Loss Control Fund
• Abbreviations shown without expansion: CC, RTM, E&O, BRG]


King County’s ERM Process: Governance

• Authority to act
• Method of decision making
• Context of operation
• Relationships with policy making bodies
• Accountability to public and stakeholders


King County’s ERM Process: Communication

• Use direct, fact-based language
• Avoid emotional language and hyperbole
• Use technical language sparingly
• Account for variance in perspectives and values
• Protect sensitive information
• Engage as peers with shared responsibilities


King County’s ERM Process: Risk Assessment

Risk Identification
- Describe risks as comprehensively as possible
- Distinguish events (causes) from consequences
- Identify potential failure points in existing controls
- Open to opportunities as well as hazards

Risk Analysis
- Estimate likelihood and impact
- Describe impacts comprehensively
- Understand system impacts
- In context of assumptions and available intelligence

Risk Evaluation
- Set priorities based on results of analyses
- Compared to risk appetite
- In context of governance and capacity

Risk categories: Financial, Operational, Strategic, Compliance, Reputational

(Next stage: Risk Treatment)

If we miss it here, it may not get evaluated until the next iteration.


What is a risk? “Uncertainty affecting our objectives”

Objective: Arrive in Renton on time for PRIMA’s meeting.

Which of these are risks?
- Failure to arrive on time.
- I rush and skip breakfast.
- I am late and/or miss the meeting.
- Heavy traffic causes me to be late.
- My car breaks down and causes me to miss the meeting.


King County’s ERM Process

[Process diagram, as built up so far: Governance; Communication; Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation).]


King County’s ERM Process: Risk Treatment

Identify
- Prospective new controls
- Potential improvements to existing controls
- Potential alternatives
- Risk avoidance, transfer, or sharing options
- Expected and probable outcomes
- Potential externalities

Analyze
- Cost-benefit
- Multiple-criteria decision
- Cost effectiveness

Select
- Simple, perfect solutions are rare
- Decisions reflect priorities and data
- Multiple controls can affect a single risk
- A single control can affect multiple risks

Plan & Implement
- Reasoning for treatment selections
- Responsibility assignments
- Resource requirements
- Contingencies
- Performance measures
- Timing and schedule
- Reporting and monitoring requirements

Monitor & Review
- Periodic or ad hoc
- Compare reality to plan performance measures
- Defined roles and responsibilities
- Identify emerging risks
- Lessons learned
- Changes in context or environment


King County’s ERM Process

[Complete process diagram: Governance; Communication; Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation); Risk Treatment (Identify, Analyze, Select, Plan & Implement, Monitor & Review).]


Creating Our Risk Register

Delphi Survey: an iterative method of data gathering and prioritization.


Creating Our Risk Register

Delphi Phase 1 – Risk Identification
• Keep it brief and open-ended
• Solicit data from all Departments/Divisions
• Identify opportunities for action: commonly recurring issues, high-impact issues, weird and unusual risks, easy risks to address


Delphi Phase I Survey

1. What risk do you spend the most time managing?
2. What do you think is the most important risk you are responsible for managing?
3. What risk do you wish you had more time, money, or resources to manage, but can't given the current environment?
4. What is the main reason you are unable to devote time to the risk identified in question #3?
5. From your perspective, what are the three most important risk issues facing the County as a whole?


Creating Our Risk Register

Delphi Phase 2 – Risk Prioritization
• Limit and consolidate risks by description
• Frame in terms of risks (not consequences)
• Basic estimates of likelihood and impact
• Target Phase 1 participants
• ERM Work Group owns and maintains


Delphi Phase II Survey Results

[Bar chart, horizontal axis 0 to 300 responses, for the question “Should this risk be included in the top 10 for the County as a whole?” (Yes! / No.), for nine candidate risks numbered 1 to 9 on the slide:
1. Challenge related to financial stability and long-term funding
2. Earthquake greater than 7.0 near downtown Seattle
3. Loss of data and liability due to electronic security breach
4. Earthquake greater than 7.0 in an outlying County area
5. Challenge of long-term recovery from a large-scale emergency
6. Improper use of force by a County Sheriff’s Deputy
7. Terrorist attack in downtown Seattle
8. Loss of key personnel through retirement
9. Power outage due to a weather event or solar flare
Alongside it, a 3x3 matrix of Impact (Low / Moderate / High) against Likelihood (Low / Moderate / High) on which the numbered risks are plotted. The vote counts and the matrix placements are not recoverable from the extracted text.]



• Change the County’s stance relative to its risks
• Support intentional, informed decision making
• Guide decision making to stay within the County’s risk tolerance
• Help our agencies understand risks as opportunities
• Share best practices and lessons learned
• Understand and address the County’s risks beyond our loss history
• Assist with controls (identification, funding, implementation, evaluation)
• Demonstrate the County’s efforts to risk sharing partners


How are we getting there?
• Enterprise Risk Management Work Group
• Risk identification and prioritization exercises
• Collaboration with risk owners (business units)
• Agency risk profiling
• Risk assessment tools
• Enterprise Risk Register


Enterprise Risk Register

 #   Risk (abbreviated)                         Likelihood   Impact        Score
 1   Metro Transit coach strikes a pedestrian   Extreme      High           64
 2   Employment-related conflicts               Extreme      Medium         52
 3   Retirement and succession planning         Extreme      Medium-High    48
 4   Public records and discovery requests      Extreme      Low-Medium     48
 5   Road design and maintenance                Very         Medium-High    45
 6   Electronic security breach                 Somewhat     High           38
 7   Use of force by law enforcement            Somewhat     High           38
 8   Labor contract-related conflicts           Somewhat     Medium-High    36
 9   Metro Transit coach strikes a vehicle      Extreme      Medium         36
10   Severe weather disruption/damage           Somewhat     Medium-High    34
11   Long-term recovery from disaster           Unlikely     High           30
12   Failure to comply with regulations         Unlikely     Medium-High    29

Likelihood and impact labels are as abbreviated on the slide. The deck does not give the formula behind the Score column, and the scores are not a simple product of the two labels (rows 3 and 4 share a score with different impact labels, and row 2 outscores row 3 with a lower impact label), so read it as the slide's own ranking rather than something to recompute from the other columns.
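The Phase II survey and the register above are the two points where the deck turns individual opinions into a ranking. The Python below is an added example, not King County's tool and not the deck's scoring method (which the slides do not give): it aggregates a constructed set of Phase II responses, counts the “include in the top 10” votes, takes the median of each respondent's likelihood and impact estimates, scores each risk, drops risks that did not get a majority “yes”, and ranks the rest. The ordinal scales, the product-of-ranks score, and the sample responses are all assumptions made for illustration.

```python
"""Aggregate Delphi Phase II responses into a ranked risk register.

Added example for this page. The scoring (likelihood rank x impact rank),
the ordinal scales and the responses below are assumptions, not the
scoring method or data from the King County deck.
"""
from statistics import median_low

# Assumed ordinal scales. The labels follow the abbreviations used in the
# deck's register; the numeric ranks are ours.
LIKELIHOOD = {"Unlikely": 1, "Somewhat": 2, "Very": 3, "Extreme": 4}
IMPACT = {"Low": 1, "Low-Medium": 2, "Medium": 3, "Medium-High": 4, "High": 5}
LIKELIHOOD_LABEL = {rank: label for label, rank in LIKELIHOOD.items()}
IMPACT_LABEL = {rank: label for label, rank in IMPACT.items()}

# Constructed Phase II responses (not survey data):
# (respondent, risk, include_in_top10, likelihood_label, impact_label)
RESPONSES = [
    ("r1", "Loss of data and liability due to electronic security breach", True, "Somewhat", "High"),
    ("r2", "Loss of data and liability due to electronic security breach", True, "Very", "High"),
    ("r3", "Loss of data and liability due to electronic security breach", False, "Somewhat", "Medium-High"),
    ("r1", "Loss of key personnel through retirement", True, "Extreme", "Medium"),
    ("r2", "Loss of key personnel through retirement", True, "Extreme", "Medium-High"),
    ("r3", "Loss of key personnel through retirement", True, "Very", "Medium"),
    ("r1", "Power outage due to a weather event or solar flare", False, "Somewhat", "Medium"),
    ("r2", "Power outage due to a weather event or solar flare", False, "Somewhat", "Medium-High"),
    ("r3", "Power outage due to a weather event or solar flare", True, "Unlikely", "High"),
]


def aggregate(responses):
    """Collapse per-respondent answers into one register entry per risk.

    Likelihood and impact are summarised with median_low so the aggregate
    stays on the respondents' own scale (no half-steps) and a single
    extreme answer cannot drag the estimate. Unknown labels raise KeyError
    rather than being silently scored.
    """
    by_risk = {}
    for _, risk, include, like_label, imp_label in responses:
        entry = by_risk.setdefault(risk, {"yes": 0, "no": 0, "like": [], "imp": []})
        entry["yes" if include else "no"] += 1
        entry["like"].append(LIKELIHOOD[like_label])
        entry["imp"].append(IMPACT[imp_label])

    register = []
    for risk, e in by_risk.items():
        like = median_low(e["like"])
        imp = median_low(e["imp"])
        register.append({
            "risk": risk,
            "yes": e["yes"],
            "no": e["no"],
            "likelihood": LIKELIHOOD_LABEL[like],
            "impact": IMPACT_LABEL[imp],
            "score": like * imp,  # assumed scoring: product of ranks
        })
    return register


def rank(register, top_n=10):
    """Keep risks with a majority 'yes' and order them deterministically.

    Sort key: score (desc), then yes votes (desc), then name, so repeated
    runs over the same responses always produce the same register.
    """
    shortlisted = [r for r in register if r["yes"] > r["no"]]
    shortlisted.sort(key=lambda r: (-r["score"], -r["yes"], r["risk"]))
    return shortlisted[:top_n]


if __name__ == "__main__":
    for i, r in enumerate(rank(aggregate(RESPONSES)), start=1):
        print(f"{i:>2}  {r['risk']:<62} {r['likelihood']:<9} {r['impact']:<12} {r['score']:>3}  (yes {r['yes']}, no {r['no']})")
```

In the constructed data the power-outage risk scores 8 but is dropped because two of three respondents voted against including it; that is the point of keeping the inclusion vote separate from the likelihood and impact estimates, since a risk can be scored by everyone yet still not be one the group wants on the enterprise list.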


Additional Resources

University of California ERM Toolbox: several free tools, Excel-based, with webinars and documentation to explain their use.
– Risk Ranking Tool
– Budget Changes Tool
– Risk Appetite Definition

Google: UC ERM toolbox
www.ucop.edu/enterprise-risk-management