Building ERM Into Your Risk Management Program: A Practical Approach
Sean Catanese, ARM, C31000, Enterprise Risk Management Program Manager
December 4, 2015
What is ERM?

"Enterprise Risk Management ("ERM") is a strategic business discipline that supports the achievement of an organization's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio."
- Risk & Insurance Management Society (RIMS)
ISO 31000: Principles

How ERM works and what it does:
• Creates value
• Integral to organizational processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured, and timely
• Uses the best available information
• Tailored
• Includes human and cultural factors
• Transparent and inclusive
• Dynamic, iterative, and responsive
• Facilitates continuous improvement
ISO 31000: Framework

[Figure: the ISO 31000 framework cycle, with the elements Mandate and commitment; Implement risk management; Monitor and review the framework; Continually improve the framework.]

ISO 31000: Process

[Figure: the ISO 31000 process: Establish the context; Risk assessment (Identification, Analysis, Evaluation); Risk treatment; with Communication and consultation and Monitor and review running alongside every step.]
COSO’s ERM Integrated Framework
Implementing COSO’s ERM Integrated Framework
1. Establish senior management's investment
2. Identify your ERM champion
3. Create an effective working group
4. Start with an enterprise-wide risk assessment
5. Inventory your risk management practices
6. Develop some basic risk reporting
7. Build action plans based on identified needs

Adapted from Embracing Enterprise Risk Management: Practical Approaches for Getting Started, written by Frigo and Anderson, published by COSO, 2011.
What led King County to ERM?

[Bar chart, y-axis $0.0 to $8,000,000.0: 2010: $3,500,000.0; 2012: $7,500,000.0; 2015: $6.5*]
King County's ERM Framework

[Organization chart with the following nodes: Electorate of King County; County Executive (Dow Constantine); County Council; County Administrative Officer (Caroline Whalen); Risk Manager (Jennifer Hills); ERM Program Manager (Sean Catanese); ERM Work Group; King County Agencies (Wastewater, Sheriff, Roads, Metro, Public Health, Risk, Budget, Safety, Detention, CC, RTM, E&O, BRG). Connections are labelled Executive Priorities, Reporting, Budget, Duties, Provisos, and Loss Control Fund.]
King County's ERM Process: Governance

• Authority to act
• Method of decision making
• Context of operation
• Relationships with policy making bodies
• Accountability to public and stakeholders
King County's ERM Process: Communication

• Use direct, fact-based language
• Avoid emotional language and hyperbole
• Use technical language sparingly
• Account for variance in perspectives and values
• Protect sensitive information
• Engage as peers with shared responsibilities
King County's ERM Process: Risk Assessment

Risk Identification
- Describe risks as comprehensively as possible
- Distinguish events (causes) from consequences
- Identify potential failure points in existing controls
- Open to opportunities as well as hazards

Risk Analysis
- Estimate likelihood and impact
- Describe impacts comprehensively
- Understand system impacts
- In context of assumptions and available intelligence

Risk Evaluation
Set priorities based on results of analyses
- Compared to risk appetite
- In context of governance and capacity

Risk categories:
• Financial
• Operational
• Strategic
• Compliance
• Reputational

If we miss it here, it may not get evaluated until the next iteration.
What is a risk?

"Uncertainty affecting our objectives"

Objective: Arrive in Renton on time for PRIMA's meeting.

Which of these are risks?
- Failure to arrive on time.
- I rush and skip breakfast.
- I am late and/or miss the meeting.
- Heavy traffic causes me to be late.
- My car breaks down and causes me to miss the meeting.
King County's ERM Process: Risk Treatment

Identify
- Prospective new controls
- Potential improvements to existing controls
- Potential alternatives
- Risk avoidance, transfer, or sharing options
- Expected and probable outcomes
- Potential externalities

Analyze
- Cost-benefit
- Multiple-criteria decision
- Cost effectiveness

Select
- Simple, perfect solutions are rare
- Decisions reflect priorities and data
- Multiple controls can affect a single risk
- A single control can affect multiple risks

Plan & Implement
- Reasoning for treatment selections
- Responsibility assignments
- Resource requirements
- Contingencies
- Performance measures
- Timing and schedule
- Reporting and monitoring requirements

Monitor & Review
- Periodic or ad hoc
- Compare reality to plan performance measures
- Defined roles and responsibilities
- Identify emerging risks
- Lessons learned
- Changes in context or environment
Creating Our Risk Register

Delphi Survey: iterative method of data gathering and prioritization.

Delphi Phase 1 – Risk Identification
- Keep it brief and open-ended
- Solicit data from all Departments/Divisions
- Identify opportunities for action:
  - Commonly recurring issues
  - High-impact issues
  - Weird and unusual risks
  - Easy risks to address
Creating Our Risk Register

Delphi Phase I Survey
1. What risk do you spend the most time managing?
2. What do you think is the most important risk you are responsible for managing?
3. What risk do you wish you had more time, money, or resources to manage, but can't given the current environment?
4. What is the main reason you are unable to devote time to the risk identified in question #3?
5. From your perspective, what are the three most important risk issues facing the County as a whole?
Creating Our Risk Register

Delphi Phase 2 – Risk Prioritization
- Limit and consolidate risks by description
- Frame in terms of risks (not consequences)
- Basic estimates of likelihood and impact
- Target Phase 1 participants
- ERM Work Group owns and maintains
Delphi Phase II Survey Results

[Bar chart of Yes/No responses (scale 0 to 300) to the question "Should this risk be included in the top 10 for the County as a whole?" for the following risks:
- Challenge related to financial stability and long-term funding
- Earthquake greater than 7.0 near downtown Seattle
- Loss of data and liability due to electronic security breach
- Earthquake greater than 7.0 in an outlying County area
- Challenge of long-term recovery from a large-scale emergency
- Improper use of force by a County Sheriff's Deputy
- Terrorist attack in downtown Seattle
- Loss of key personnel through retirement
- Power outage due to a weather event or solar flare]

[Heat map: the nine risks, numbered 1 to 9, placed on a 3x3 grid of Likelihood (Low, Moderate, High) against Impact (Low, Moderate, High).]
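As an added illustration of how Phase 2 survey responses can be rolled up into the Yes/No counts and the likelihood/impact heat-map cells shown above (example code written for this page, not King County's survey tooling): each respondent says whether a risk belongs in the top 10 and gives a Low/Moderate/High estimate of likelihood and impact; the tally counts the votes, places each risk in the cell given by the median of those ordinal estimates, and ranks the risks. The response format, the level names, the use of the median, the round-half-up tie rule and the sample responses are all assumptions made here.

```python
"""Tally Delphi Phase II responses into vote counts, heat-map cells and a ranking.

Illustrative code added to this page; it is not King County's tooling.
"""
from collections import Counter, defaultdict
from statistics import median

# Ordinal scale used on the heat map (assumed mapping of the slide's labels).
LEVELS = {"Low": 1, "Moderate": 2, "High": 3}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}

# Constructed sample responses: (risk, include_in_top10, likelihood, impact).
# Risk names follow the slide; the votes and estimates are made up for the demo.
RESPONSES = [
    ("Financial stability and long-term funding", True, "High", "High"),
    ("Financial stability and long-term funding", True, "High", "Moderate"),
    ("Financial stability and long-term funding", True, "Moderate", "High"),
    ("Earthquake greater than 7.0 near downtown Seattle", True, "Low", "High"),
    ("Earthquake greater than 7.0 near downtown Seattle", False, "Low", "High"),
    ("Earthquake greater than 7.0 near downtown Seattle", True, "Moderate", "High"),
    ("Loss of data and liability due to electronic security breach", True, "Moderate", "High"),
    ("Loss of data and liability due to electronic security breach", True, "High", "Moderate"),
    ("Loss of data and liability due to electronic security breach", False, "Moderate", "Moderate"),
    ("Power outage due to a weather event or solar flare", False, "Moderate", "Low"),
    ("Power outage due to a weather event or solar flare", False, "Low", "Moderate"),
    ("Power outage due to a weather event or solar flare", True, "Moderate", "Low"),
]


def tally(responses):
    """Return per-risk vote counts and the median likelihood/impact cell."""
    votes = defaultdict(Counter)
    likelihood = defaultdict(list)
    impact = defaultdict(list)
    for risk, include, lik, imp in responses:
        if lik not in LEVELS or imp not in LEVELS:
            # Reject free-text levels instead of silently dropping the response.
            raise ValueError(f"unknown level in response for {risk!r}: {lik}/{imp}")
        votes[risk]["yes" if include else "no"] += 1
        likelihood[risk].append(LEVELS[lik])
        impact[risk].append(LEVELS[imp])
    summary = {}
    for risk, count in votes.items():
        # Median of ordinal levels; an even-count tie (e.g. 2.5) rounds up so the
        # risk lands in the more conservative (higher) cell.
        lik_cell = int(median(likelihood[risk]) + 0.5)
        imp_cell = int(median(impact[risk]) + 0.5)
        summary[risk] = {
            "yes": count["yes"],
            "no": count["no"],
            "likelihood": LEVEL_NAMES[lik_cell],
            "impact": LEVEL_NAMES[imp_cell],
            "cell": (lik_cell, imp_cell),
        }
    return summary


def prioritise(responses):
    """Rank risks by Yes votes, then by likelihood x impact, then by name."""
    summary = tally(responses)

    def key(item):
        risk, s = item
        return (-s["yes"], -(s["cell"][0] * s["cell"][1]), risk)

    ranked = sorted(summary.items(), key=key)
    return [(rank, risk, s) for rank, (risk, s) in enumerate(ranked, start=1)]


def heat_map(responses):
    """Map each (likelihood, impact) cell to the ranks of the risks placed in it."""
    grid = {(lik, imp): [] for lik in (1, 2, 3) for imp in (1, 2, 3)}
    for rank, _risk, s in prioritise(responses):
        grid[s["cell"]].append(rank)
    return grid


def render(responses):
    """Plain-text version of the slide's bar chart and heat map."""
    lines = ['"Should this risk be included in the top 10 for the County as a whole?"']
    for rank, risk, s in prioritise(responses):
        lines.append(f"{rank}. {risk}: Yes {s['yes']}, No {s['no']} "
                     f"(likelihood {s['likelihood']}, impact {s['impact']})")
    grid = heat_map(responses)
    lines.append("Heat map (rows: impact High to Low; columns: likelihood Low, Moderate, High)")
    for imp in (3, 2, 1):
        row = " | ".join(",".join(map(str, grid[(lik, imp)])) or "-" for lik in (1, 2, 3))
        lines.append(f"{LEVEL_NAMES[imp]:>8} impact: {row}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(RESPONSES))
```

Running the block prints the ranked list and a text heat map for the constructed responses. The median keeps one outlier from dragging a risk into a different cell, and ranking first on Yes votes keeps the "top 10" question, not the estimates, as the primary signal, which matches the order the slide puts those two views in.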
• Change the County's stance relative to its risks
• Support intentional, informed decision making
• Guide decision making to stay within the County's risk tolerance
• Help our agencies understand risks as opportunities
• Share best practices and lessons learned
• Understand and address the County's risks beyond our loss history
• Assist with controls (identification, funding, implementation, evaluation)
• Demonstrate the County's efforts to risk sharing partners
How are we getting there?

• Enterprise Risk Management Work Group
• Risk identification and prioritization exercises
• Collaboration with risk owners (business units)
• Agency risk profiling and
• Risk assessment tools
• Enterprise Risk Register
Enterprise Risk Register

 #  Risk (abbreviated)                          Likelihood  Impact       Score
 1  Metro Transit coach strikes a pedestrian    Extreme     High         64
 2  Employment-related conflicts                Extreme     Medium       52
 3  Retirement and succession planning          Extreme     Medium-High  48
 4  Public records and discovery requests       Extreme     Low-Medium   48
 5  Road design and maintenance                 Very        Medium-High  45
 6  Electronic security breach                  Somewhat    High         38
 7  Use of force by law enforcement             Somewhat    High         38
 8  Labor contract-related conflicts            Somewhat    Medium-High  36
 9  Metro Transit coach strikes a vehicle       Extreme     Medium       36
10  Severe weather disruption/damage            Somewhat    Medium-High  34
11  Long-term recovery from disaster            Unlikely    High         30
12  Failure to comply with regulations          Unlikely    Medium-High  29
Additional Resources

University of California ERM Toolbox
Several free tools, Excel-based, with webinars and documentation to explain their use.
– Risk Ranking Tool
– Budget Changes Tool
– Risk Appetite Definition

Google: UC ERM toolbox
www.ucop.edu/enterprise-risk-management