Aligning Key Enterprise Risk to Strategic Initiatives Using Metrics
SSF ID 218
Chrystina Howard, SVP, Willis; Kenneth Felton, SVP, Willis
Learning Objectives
At the end of this session, you will:
• Learning Objective 1: Understand how to identify key risks that may have an impact on the achievement of organizational goals
• Learning Objective 2: Understand how to identify relevant quantitative and qualitative metrics to monitor performance against plan
• Learning Objective 3: Understand how to map key relevant risks to core strategic initiatives in order to achieve enterprise objectives
Agenda
1. Outline the ERM process, benefits & output
2. Demonstrate the link between ERM success and strategic objectives
3. Using KRIs, KPIs and strategic objectives to optimize achievement of organizational goals
Risk Evaluation
ERM Review Must Achieve the “Three Es” of Assessment
● Economy - Controlling the cost of the assessment
● Efficiency - Completing the assessment with minimum expenditure of effort
● Effectiveness - Achieving the results or benefits based on the stated scope and goals of the assessment
Risk Identification: 80/20 Rule
Organizations have a tendency to spend 80 percent of their time identifying risks and only 20 percent of their time doing something to develop risk mitigation strategies to reduce the impact on the organization.
Flip the 80/20 Rule
Spend 80 percent of your time fully articulating, assessing impact and likelihood and developing risk mitigation strategies.
Accelerated ERM Process Steps
1. Define the objectives and time scale for assessment
2. Select the optimal cross-functional team for assessment activities
3. Develop Universe of Risks
4. Develop broad prioritization of Universe of Risks
5. Identify most relevant risks for deep analysis
6. Fully articulate and assess risk
7. Develop Performance Improvement Plans
8. Execute Risk Mitigation plans
Risk Assessment
The objective is to identify and articulate the most relevant risks that could impact the organization's ability to achieve objectives.
Don’t “Boil The Ocean”
How is this accomplished:
• Structured interviews
• Internal audits of risk assessments
• Public domain search
• Comprehensive on-line risk survey with write-ins
• Workshops
Define Assessment Objectives
Defines the premise on which the assessment is based.
To assess the major risks to Memorial Hospital achieving its strategic business objectives over the next 3 years.
Risk Prioritization
• Initial objective to grossly prioritize the top 20-25 risks
• Fully articulate each risk
• Assess Impact and Likelihood
Risk Assessment
Fully articulate the risk into component parts:
• Most risk descriptions focus on triggering events
• Essential to identify key drivers or existing characteristics that make the organization vulnerable
• List specific consequences that all stakeholders can understand
• Identify the controls currently in place to specifically address each risk
Risk Register
Risk Assessment for: XYZ Financial Institution
Date: 1-May-14
Business Objective(s): Identify and assess major risks to XYZ achieving its strategic objectives over the next 3 years

Risk No. 1
Exposure & Drivers: Driver 1, driver 2, driver 3
Triggers: Triggering event; future potential
Consequences: Reduction in revenue; increase in expenses; reputation damage
Current Controls: Policy ABC, protocol XYZ, committee 123
Category: IT
L / I / Gross Risk: 4 / 4 / 16
Performance Improvement Plans: Action 1, item 2, measure 3
L / I / Gross Risk (after Performance Improvement Plans): 3 / 4 / 12

Risk No. 2
Exposure & Drivers: Drivers 7-12; driver 4
Triggers: Loss event due to outside exposures; loss event due to internal exposures
Consequences: Brand damage; loss of equity; rework; loss of customers
Current Controls: Gold standard; BCP and trial run off site; backups
Category: IT
L / I / Gross Risk: 3 / 5 / 15
Performance Improvement Plans: New protocols enacted by board and carried out by senior team
L / I / Gross Risk (after Performance Improvement Plans): 3 / 4 / 12

Risk No. 3
Exposure & Drivers: Driver 3, exposure to significant dependence on suppliers
Triggers: External audit, internal audit or accounting discovery of material finding(s)
Consequences: Legal action; higher expenses and lower profit margin; loss of market share
Current Controls: Substantial framework in place; management of risk; loss control steps
Category: Regulatory
L / I / Gross Risk: 5 / 3 / 15
Performance Improvement Plans: Incremental improvement steps; risk owners; time scale
L / I / Gross Risk (after Performance Improvement Plans): 2 / 3 / 6
Likelihood and Impact Ratings

Impact Score | Impact | Financial Impact | Description
5 | Major / Catastrophic | Financial impact greater than $10M | If this risk were to materialize, the company would find it almost impossible to recover financially. Reputational impact would almost certainly occur.
4 | Significant | Financial impact of more than $5M but less than $10M | The consequences of the risk materializing are severe but could be managed to some extent.
3 | Moderate | Financial impact of more than $2M but less than $5M | The consequences of the risk materializing are less severe and can be managed to a large extent.
2 | Low | Financial impact of more than $1M but less than $2M | The consequences of the risk materializing are considered relatively unimportant.
1 | Negligible | Financial impact of less than $1M | There are no meaningful consequences if this risk materializes.

Likelihood Rating | Likelihood | Frequency | Description
5 | Expected | Annual or 2 year to 3 year type event | Occurs often / is to be expected
4 | Probable | 5 year to 10 year event | Known to occur / would not be surprising
3 | Moderate | 10 year to 25 year event | Could occur but infrequently
2 | Unusual | 25 year to 50 year event | Could possibly occur but would be rare
1 | Remote | 50+ year event | Could conceivably occur but would be extremely remote

Severity: Low / Moderate / High
Frequency: Low / Moderate / High
Impact: Low 1, Med 2, High 3
Probability: Low 1, Med 2, High 3
Risk Map
[Figure: Likelihood / Impact Risk Distribution. Two bubble charts, "Current Controls" and "After Additional Controls", each plotting Likelihood against Impact on axes from 0 to 6. N.B. - Bubble size shows how many risks intersect at that point.]
Likelihood (rows), with the risk numbers plotted in each row:
Expected 5: 2, 3 | 1
Probable 4: 18 | 10, 11, 12, 13, 14 | 4, 5
Possible 3: 16 | 7, 8, 9 | 6
Unusual 2: 17 | 15
Remote 1:
Impact (columns): 1 Negligible, 2 Low, 3 Moderate, 4 Significant, 5 Catastrophic
Chart labels: Contingency Plans, Control Causes, Immediate Action, Monitor
[Table: risks grouped by Source of Risk, each placed in LOW / MOD / HIGH columns (two column groups).]
Financial: Risk 1, Risk 2
Research Center: Risk 5, Risk 6, Risk 7, Risk 8
Employment Practices: Risk 3
Green Lab: Risk 4, Risk 9, Risk 10, Risk 11
Patient-Oriented Research: Risk 12, Risk 13, Risk 14, Risk 15, Risk 16, Risk 17
Commodity: Risk 18, Risk 19
[Figure: Analysis by Source of Risk and Stratified by Risk Rank. Bar chart, scale 0 to 5, with one bar per source of risk (Economic, Investments, Natural events, People, Political / Social, Processes, Products / Services, Strategy and policy, Technology / Industry change), stratified by risk rank: 20<RR<=25, 15<RR<=20, 10<RR<=15, 5<RR<=10, RR<=5.]

Category | Count | Average Score
Economic | 5 | 8
Investments | 2 | 5
Natural Events | 0 | 6
People | 7 | 10
Political / Social | 6 | 10
Processes | 2 | 6
Products / Services | 2 | 8
Strategy and Policy | 2 | 15
Technology / Industry change | 4 | 12
Performance Improvement Plan
Risk No.: 4
Risk Description: ER Service line / Patient flow
Responsible: Jake

Risk Scores | Likelihood | Impact | Gross Risk | Risk Rank
Before Improvement | 4 | 4 | 16 |
After Improvement | | | |

Underlying Vulnerabilities: Critical patient wait time in ED for room assignment/treatment; Excessive length of stay across hospital; CMS core measure; Appropriate and competent staffing
Triggers: Extended stay in the ER; Overcrowding
Consequences: Patient safety; Lost revenue; Clinical and patient dissatisfaction; Poor patient outcome; ED diversion; Increased costs; Damaged relationship with FD and EMS; Reputation damage
Current Controls: Lean Six Sigma; Monitor ED Throughput; Data Transparency; Rounding

Action 1: Early phlebotomy and lab results
Deliverables: Lab results delivered prior to 9:00 A.M. / Analysis of results
Allocated to: John
Target Date: Completed / Ongoing
Measure of Success: Documented proof that 90% of A.M. labs by 9:00 A.M.

Action 2: Continue Current Patient Assignment Program
Deliverables: Re-education for appropriate assignment of patient intensity
Allocated to: Tom / ED Nurse Manager
Target Date: Ongoing
Measure of Success: Reduced treat and release times

Action 3: New Clinical Bed Management Program
Deliverables: Implement Program (including Orienting of 2.0 FTEs and Redesign patient throughput plan)
Allocated to: Kathy
Target Date: 9/1/2013
Measure of Success: Decreased holding times (DTA to Depart)

Action 4: Continue RN and Patient Care Associate (PCA) Staffing
Deliverables: Recruit and retain / Increase RN and PCA staffing ratios
Allocated to: Tom / ED Nurse Manager
Target Date: Ongoing
Measure of Success: Decreased RN and PCA turnover

Action 5: Increase in Provider FTEs
Deliverables: Physician extenders available (Pending approval)
Allocated to: Kathy
Target Date: 9/1/2013
Measure of Success: Decreased percent of patients leaving without being seen (LWBS)
• Practical
• Realistic
• Impactful
• Measurable
What ERM Achieves
• Systematic & objective management of multiple and cross-enterprise risks
• Reduce operational surprises to better seize opportunities
• Improves business performance
• Links risk management to organizational performance and aligns with strategic planning
• Increases risk awareness throughout the organization
What ERM Achieves
• Increased decision support for resource allocation
• Reduction in the total cost of risk
• Optimizes capital efficiency
• Improves organizational value and sustainable competitive advantage
• ERM aligns strategy, people, processes, technology, knowledge, with the objective of continuously improving the organization's risk management capabilities over time
Organizational Objective Setting
“If you don’t know where you’re going, then any road will get you there.” This line from Alice in Wonderland is true for many organizations.
The importance of setting appropriate objectives is itself an organizational objective. Strategy setting is a fluid and dynamic process.
The Importance and Value of Organizational Goal Setting, Managing and Achieving Organizational Goals, pg. 1.
Links Between Strategy and Risk
The company’s management and its board of directors should analyze the links between various strategic options and the risks they entail when entering into a strategic planning process (Smith, 2012).
Risks are constantly changing, and there is an increasing demand for timely and relevant information.
Walid Ben-Amar, Ameur Boujenoui & Daniel Zéghal, The Relationship between Corporate Strategy and Enterprise Risk Management: Evidence from Canada, Journal of Management and Strategy, Vol. 5, No. 1; 2014, pg. 1
Goals
1. Understand the relationships between objective-setting, the management of risks to those objectives, and the internal controls that manage those risks to acceptable levels.
2. Understand that it is important to identify, understand, and manage risks to the setting of objectives, and that is achieved by effective related internal control.
3. Ensure you have an effective set of processes for identifying, understanding, and assessing risks to the setting and achievement of objectives.
Effective KRIs
The selection of effective Key Risk Indicators (KRIs) starts with a firm understanding of organizational objectives and the risk-related events and uncertainties that may affect the achievement of those objectives.
KRIs (Key Risk Indicators) v. KPIs ( Key Performance Indicators)
The two types of indicators should be implemented by any enterprise that wants to be effective in its management.
KPIs are key performance indicators focused especially on the historical performance of the enterprise or its key operations. KPIs tell us if we will achieve our goals.
KRIs provide real-time indicators that offer information about emerging risks. KRIs help us understand changes in risk profile, impact and likelihood to achieve our goals.
Emil Scarlat, PhD, Nora CHIRITA, PhD, Indicators and Metrics used in the Enterprise Risk Management (ERM),
Four Categories of Indicators
• Coincident indicators can be thought of as a proxy measure of a loss event and can include internal error metrics or near misses.
• Causal indicators are metrics that are aligned with root causes of the risk event, such as system down time.
• Control effectiveness indicators provide ongoing monitoring of the performance of controls. Measures may include control effectiveness, such as percent of supplier base bypassing controls, such as dollars spent with non-approved suppliers.
• Volume indicators (sometimes called inherent risk indicators) frequently are tracked as key performance indicators; however, they also can serve as a KRI. As volume indicators change, they can increase the likelihood and/or impact of an associated risk event.
Aravind Immaneni, Chris Mastro and Michael Haubenstock, A Structured Approach to Building Predictive Key Risk Indicators, Operational Risk: A Special Edition of The RMA Journal, May 2004, pg. 42.
Organizational Efficiency
Organizations exist to create value
1. When an organization adds value with minimal resources it becomes efficient
2. Six Sigma is a quality management process to control defects and produces an efficiency of 99.9997%
3. Six Sigma is when the upper and lower specification limits are at a distance of 6 standard deviations (σ) from the mean (µ)
4. Normal distribution - values lying that far from the mean are considered very unlikely to occur
5. DMAIC (Define-Measure-Analyze-Improve-Control)
CQI and Your Metrics
Use a six-step process that incorporates various Six Sigma tools:
1. Identify existing metrics.
2. Assess gaps.
3. Improve metrics.
4. Validate and determine trigger levels.
5. Design dashboard.
6. Establish control plan.
Aravind Immaneni, Chris Mastro and Michael Haubenstock, A Structured Approach to Building Predictive Key Risk Indicators, Operational Risk: A Special Edition of The RMA Journal, May 2004, pg. 43.
Maximo Schliemann, Establishing Key Risk Indicators for IT, July 31, 2012, slide 25.
COSO Developing Key Risk Indicators to Strengthen Enterprise Risk Management, December 2010, pg. 5.
Strategic Risk Model
Metrics offer multiple benefits
• Early identification of trends and issues
• Represents a source of critical information for control
• Provides information about the likelihood of achieving target sites
• Helps to make decisions based on information
• Helps in evaluating performance
Walid Ben-Amar, Ameur Boujenoui & Daniel Zéghal, The Relationship between Corporate Strategy and Enterprise Risk Management: Evidence from Canada, Journal of Management and Strategy, Vol. 5, No. 1; 2014, pg. 1
Metrics offer multiple benefits
• Leads to a proactive management
• Improves future estimates and performance
• Evaluates success and failure
• Improves customer satisfaction
Walid Ben-Amar, Ameur Boujenoui & Daniel Zéghal, The Relationship between Corporate Strategy and Enterprise Risk Management: Evidence from Canada, Journal of Management and Strategy, Vol. 5, No. 1; 2014, pg. 1
The Value of Metrics on ERM
Conclusion: Organizing, monitoring, reviewing and communicating KRI progress and their impact on KPIs provide a holistic risk management strategy which increases the value of the business. These metrics align performance with timely decision making, resource allocation and the achievement of strategic initiatives.
Just in Case