PRIMA Webinar 2013 – ERM (final)
TRANSCRIPT
9/18/2013
Implementing ERM in the Public Sector – Obstacles and
Opportunities
Matt Hansen – City-County of San Francisco &
Dorothy Gjerdrum – AJ Gallagher Public Sector
Session Objectives
• Understand the obstacles and barriers to ERM implementation
• Review how public entities with successful ERM programs have addressed obstacles
• Consider what you could learn from their stories to help you implement ERM in your entity
Obstacles and Barriers
• Survey of public sector entities in some stage of implementation –
• 6 public universities and community colleges
• 5 cities or counties
• 1 K12 school district
• 2 pools
• Range of experience: 10 years to 2 years
Obstacles & Barriers
1. Lack of senior management support and commitment
2. Lack of understanding about risk, traditional risk management
3. Lack of understanding of ERM
4. Lack of resources and time
5. Perception that it’s not needed; lack of strategic thinking
6. Competing initiatives
Obstacles & Barriers
7. Decentralized organizations
8. Fear! Reluctance to document problems; identifying risk will be equated with management failure
9. Lack of leadership
10. Derailed by lack of framework
11. Not tailoring ERM to the organization; ERM doesn’t fit the culture
12. Strategic goals & operational objectives not aligned; difficult to link to risks
#1: Lack of Senior Mgmt Support
• Lack of understanding and buy-in from entity management
• Senior leadership won’t mandate it or drive it
• Having an initial senior leader champion whose interest fades or who rotates out of power (or authority) without another equally supportive successor
• Failure to build a working risk management team and cultivating trust, clear roles and understanding
• www.drjournal-digital.com/drjournal/spring2012#pg14
Strategies for #1
• Seek multiple champions
• Speak to what they care about – money, finance costs, efficiency, workplace culture…
• Educate your leaders (over and over again) and clarify roles
• Plan for change (build it in, expect it)
“Prove it!” ERM Increases Value & Resiliency
• Studies show that a strong ERM program is a factor in increasing revenue and shareholder value.
• The incorporation of a sophisticated risk management program yields increased resilience and agility:
– 80% Increased management accountability (shareholder confidence)
– 79% Smoother governance practices
– 59% Increased profitability
– 62% Reduced earnings volatility
– 86% Better informed decisions
Source: The Conference Board Study, 2005
Standard and Poor’s recognized the University of CA for its ERM program.
“The UC has implemented a system-wide enterprise risk
management information system which, in our opinion, is a
credit strength.”
September 9, 2010 – Ratings Direct Global Credit Portal
The RIMS “State of ERM Report” validated that organizations with formalized ERM programs have higher credit ratings and make better risk-informed decisions – 2008
An example from a major Research University:
Risk, in one form or another,
is present in virtually all worthwhile endeavors.
We recognize that not all risk is bad,
and our goal is not to eliminate all risk,
for by doing so we would cease all productive activity.
Rather, our goal is to assume risk judiciously,
mitigate it when possible, and prepare ourselves
to respond effectively and efficiently when necessary.
To answer the question “Why?”
Why did we implement?
• Break through operational silos
• Identify key exposures
• Assess appetite for risk
• Identify best practices
• Plan proactively
• Prioritize resources
NO SURPRISES!
Failing to Understand Risk Implications
Lebanese professor coordinates study abroad trip, leveraging personal knowledge and network
• Professor and students must be extracted from the country after the 2006 Israel-Lebanon conflict
University recruits star researcher, provides state-of-the-art lab and $$,$$$ professorship
• National Science & Engineering Council bans researcher from receiving grants due to past plagiarism and misappropriation of funds
University Business Executive Roundtable, “A Practical Approach to Institutional Risk Management”, The Education Advisory Board, 2012
© 2012 ARTHUR J. GALLAGHER & CO.
Interdependent Global Risks
Categories: Economic, Environmental, Technological, Societal, Geopolitical
Risks shown: Budget crises; Unfunded mandates; Banking & investment failures; Supply chain interdependencies; Climate change; Natural catastrophes; Global pollution; Extinction of species; Deforestation; Use of natural resources; Access to clean water; Political uprisings & changes in governments; Terrorism; Cyber warfare; Information infrastructure; Public data protection; Privacy versus security; Religious conflicts; Access to education; Pandemics; Speed of change; Aging infrastructure
Roles
Senior Administration
• Owns ERM
• Department heads involved in operational risks
Standing Board Committees
• Understand programs and risks
Full Board / Executive Committee
• Sets tone, addresses strategic risks and fills in gaps
Audit Committee
• Owns specific risks and process
Excerpt, “Managing Institutional Risk” PPT presentation from March 12, 2013 to the AJG Higher Ed Think Tank, by Janice Abraham, CEO of United Educators
#2: Lack of Understanding of “Risk”
• There is a lack of appreciation for traditional risk practices, let alone for a new approach
• Leaders have little to no background in risk management
• Managers confuse insurance, safety, emergency management with risk management
• Risk is not understood as a concept
#3: We Don’t Understand ERM
• How does it apply to my operations?
• Fundamental lack of risk awareness
• It’s hard to understand what it is
• Preconceived notions impair understanding
– “We’re already doing ERM”
– ERM is a concept for business, not the public sector
– ERM is a “fuzzy concept” that is difficult to implement
ERM Models
• ISO 31000 – International Standard on the Practice of Risk Management (2009)
• ISO 31004 – Implementation Guide (fall of 2013)
• COSO ERM Framework (2004)
• IIA Controlled Self Assessments & Internal Controls
• Big Audit and Consulting Firms – their own version of ERM
Strategies for #2 and #3
• Educate yourself – what’s your frame of reference?
• Define ERM
• Develop your “30 second pitch”
• Use peer pressure/influence
(Enterprise) Risk Management is a coordinated effort to direct and control all activities related to risk.
It defines risk as the effect of uncertainty on objectives. It therefore ties the management of risk to what is most important to the organization.
The responsibility for managing risk is spread across the organization to those who have accountability and authority – risk owners.
ANSI/ASSE/ISO 31000:2009
Example from a Community College: The Intent of ERM
• To manage risk better to support opportunities
• To identify, assess and prepare for what could go wrong
• To focus on what’s most important to the organization and its stakeholders – and link key risks to key goals & objectives
What is “risk”??
• Risk is present in everything we do.
• The definition we use is that risk = the effect of uncertainty on our objectives.
• Risk can be a threat or an opportunity
• Anything that could harm, prevent, delay or enhance our ability to achieve our objectives = risk
Risk is NOT just –
• An event
• A consequence
• A likelihood
• A vulnerability
• An exposure
• A risk source
• A hazard, threat or opportunity
But rather, the effect of these upon your objectives
ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards. Established in 1947, ISO is a network of the national standards institutes of 159 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system.
Framing the Process
ISO 31000:2009 – International Standard on the Practice of Risk Management
Critical Components of ERM
The principles provide the foundation and describe the qualities of effective risk management in an organization
The framework manages the overall process and its full integration into the organization
The process for managing risk focuses on individual or groups of risks, their identification, analysis, evaluation and treatment
Monitoring & review, continual improvement and communication occur throughout
From ANSI/ASSE/ISO 31000
[Figure: ISO 31000 relationship between the Principles, the Framework and the RM Process]
Framework: Mandate & commitment → Design framework for managing risk → Implement risk management → Monitor and review the framework → Continually improve the framework
RM Process: Establish the context → Risk assessment (Risk identification, Risk analysis, Risk evaluation) → Risk treatment; “Communicate and consult” and “Monitor and review” run alongside every step
Principles
• Creates value
• Integral part of organizational processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured & timely
• Based on best available info
• Tailored
• Takes human & cultural factors into account
• Transparent & inclusive
• Dynamic, iterative & responsive to change
• Facilitates continual improvement & enhancement of the org
“Failures” in ERM Implementation
• Rushing to the Risk Register
– Competing risk registers: compliance, audit, risk mgmt
– 500+ risks = paralysis!
• Underdevelopment of the Framework
– How do you define “risk?”
– Communication and training often overlooked
• Lack of high-level support or mixed messages
• Failure of project leadership
• Failure to continually improve
– “That didn’t work. Now what?”
Components of the Framework
• Understanding the organization & its context
• Establishing RM policy
• Accountability & Authority
• Integration into organizational processes
• Determining appropriate resources
• Establishing internal communication & reporting mechanisms
• Establishing external communication & reporting mechanisms
ISO 31000:2009 Risk management – Principles and guidelines
Framework Example: Context
External Context
• Social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment
• Key drivers and trends that will have an impact on your organization
• Relationships with and perceptions & values of external stakeholders
Internal Context
• Governance, organizational structure, roles & accountabilities
• Policies, objectives & strategy
• Capabilities & resources
• Info systems
• Organizational culture
• Contractual relationships
• Relationships with, perceptions & values of internal stakeholders
ISO 31000:2009 Risk management – Principles and guidelines
External Context: Local, Regional, National & International Environment
Social & cultural environment
Situated in the midst of an agricultural state, the college is a focal point for social and cultural activities. The city is more liberal and culturally diverse than surrounding areas. There are two primary cultures in town – Hispanic and Anglo American.
Legal environment
The City operates within a conservative legal environment, supported by a strong Anglo-Saxon work ethic. There have been no damaging legal verdicts against the City.
Regulatory environment
The State transferred port property to the City in 1952 via legislative act. The City/Port is subject to the State's Public Trust Doctrine. This Doctrine, administered through the State Lands Commission, restricts certain private uses. The Conservation and Development Commission, a State regulatory agency, promotes public access to the waterfront and issues permits for development projects. Multiple federal and state regulatory agencies have oversight authority including the EPA, Coast Guard, OSHA and Homeland Security.
Financial environment
The airport is an enterprise agency that derives its income from tenants and users; it does not receive any General Fund revenue from the City. A decrease in tourism has weakened financial stability. The airport recently developed a 10-year Capital Plan which includes pursuing public funding (through revenue bond issuances) and public-private partnerships to address critical capital needs.
Framework Example: Benefits
• Increase likelihood of achieving objectives
• Encourage proactive management
• Be aware of the need to identify and treat risk throughout the organization
• Improve the identification of opportunities & threats
• Effectively allocate and use resources
• Comply with relevant legal and regulatory requirements and international norms
• Improve mandatory and voluntary reporting
• Improve operational effectiveness & efficiency
• Improve stakeholder confidence and trust
• Establish a reliable basis for decision making & planning
• Improve controls
• Improve governance
ISO 31000:2009 Risk management – Principles and guidelines
Why the Pool is Implementing ERM
• As a reliable basis for decision making
• For operational effectiveness
• To wisely use and allocate resources and minimize surprises
• To maintain and grow stakeholder confidence
• Be a leader, be forward thinking and responsive to change
“To be the best organization possible”
Example from a Community College ERM Supports Opportunities
A Potential International Culinary Competition:
• A key “ingredient” in a culinary arts training program
• An important opportunity for students, but the event occurred during uprisings in Egypt
But! …Scheduled During the “Arab Spring”
Results of the Discussion of the Opportunity and Key Risks
• The college decided to support the trip
• Six students & one faculty member participated
• Plans were developed to minimize the threats, including training on the appropriate code of conduct and cultural context, supervision by an experienced traveler & the purchase of travel abroad insurance
• Result: Awarded silver medal!
Risk Management helps you discover both threats and opportunities
A poster from a public agency in England educating both employees and the general public about their new approach to risk.
Example from Abroad
Why We Need to Manage Risk
The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise.
National Guidance
on Implementing ISO 31000:2009
From NSAI in Ireland
A Vision for Enhanced Risk Management
Key Outcomes
• Public Entity has a current, correct and comprehensive understanding of its risks.
• Public Entity's risks are managed to an acceptable level of tolerance.
Attributes
• Continual improvement
• Full accountability for risks
• Application of risk management in all decision making
• Continual communications
• Full integration into the organization’s governance structure
Excerpt from Annex A: ISO/ANSI/ASSE 31000: 2009
Confusing the Key Concepts
• Focus is on “reducing costs” versus “reducing the Total Cost of Risk”
• We praise “taking risks” in certain circumstances but define risk as “adverse”
• One unit may take risks that are detrimental to the whole – lack of enterprise-wide review
• Leadership and accountability
• Alignment with key strategies & objectives
#4: Lack of Resources & Time
• ERM takes a great deal of resources and time to implement; it’s expensive
• Resources are limited and already stretched thin – ERM would add to this burden
• “Our plates are already full”
• Lack of stakeholder who could manage risk (are some risks just “unmanageable?”)
• Cultural change takes time and energy
Strategies for #4
• Spread the work – Advisory Committee and subcommittees
• Make a plan; implement gradually
• Involve people and expect slow progress
• Don’t throw money at it!
Strategies for Success
• Build a strong framework
– Consistent process, language, understanding
– Plan for communication and training
– Continual improvement
• Build a team, an advisory group
– Many cheerleaders
– Cross section of leaders and thought
– Engage skeptics
Strategies for Success
• Keep it as simple as possible (but not stupid)
– Understand your “context”
– Develop a realistic road map
– Implementation timeframe – 5 years
• Communicate, communicate, communicate
– What are key concepts to “sell” this?
– Spread the success
– Challenges help build improvements & resiliency
– What’s your “elevator speech?”
[Figure: Risk Register for a Country – risks plotted by Relative Impact ($$) against Relative Likelihood (Frequency)]
Risks plotted: Non-conventional Attacks (NCBR); Major Transport Accidents; Animal Disease; Severe Weather; Electronic Attacks; Attacks on Transport; Attacks on Crowded Places; Pandemic Influenza; Coastal Flooding; Inland Flooding; Major Industrial Accidents; Attacks on Critical Infrastructure
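As an added illustration (not from the webinar or its presenters), the ISO 31000 process steps covered earlier can be modelled as a small risk register: each entry ties a risk to an objective and an accountable owner, is scored on impact and likelihood as in the chart above, and is evaluated against a stated tolerance so that only risks still above tolerance after treatment are surfaced, which keeps the register out of the “500+ risks = paralysis” failure mode. All risk names, scores and the tolerance value are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed example (not from the webinar): a minimal ISO 31000-style
# risk register. Impact and likelihood use a 1..5 scale.

@dataclass
class Risk:
    name: str
    objective: str      # the objective the uncertainty affects
    owner: str          # risk owner with accountability and authority
    impact: int         # 1 (minor) .. 5 (severe)
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    # treatments: (description, impact reduction, likelihood reduction)
    treatments: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.impact * self.likelihood

    def residual_score(self) -> int:
        # Treatment lowers impact and/or likelihood, never below 1.
        imp, lik = self.impact, self.likelihood
        for _, di, dl in self.treatments:
            imp = max(1, imp - di)
            lik = max(1, lik - dl)
        return imp * lik

def evaluate(register, tolerance):
    """Risk evaluation: risks whose residual score still exceeds tolerance, worst first."""
    above = [r for r in register if r.residual_score() > tolerance]
    return sorted(above, key=lambda r: r.residual_score(), reverse=True)

def check_register(register):
    """Framework check: every risk must name an owner and link to an objective."""
    return [r.name for r in register if not r.owner.strip() or not r.objective.strip()]

SAMPLE_REGISTER = [  # constructed sample entries
    Risk("Coastal flooding of port facilities", "Maintain port operations",
         "Port Director", 5, 3, [("Raise critical electrical equipment", 1, 0)]),
    Risk("Pandemic influenza staff absence", "Deliver core services",
         "HR Director", 4, 2, [("Cross-train staff", 1, 0), ("Remote work plan", 1, 0)]),
    Risk("Study-abroad trip during civil unrest", "Student learning opportunities",
         "", 4, 3),  # no owner assigned: the framework check should flag it
    Risk("Minor transport accident", "Safe fleet operations", "Fleet Manager", 2, 3),
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_REGISTER, tolerance=6):
        print(f"{r.residual_score():>2}  {r.name} (owner: {r.owner or 'UNASSIGNED'})")
    print("Missing owner or objective:", check_register(SAMPLE_REGISTER))
```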
APQC Best Practices re ERM
• Clarity of purpose – ERM increases and protects value
• Understand that the pursuit of strategy carries risk – ERM assists in making good choices and managing risk
• Effective risk management is a competitive advantage
American Productivity & Quality Center – www.apqc.org
What Best Practice Organizations Do
• Risk assessment process is robust, with clear criteria, guidelines for escalation, inclusion of dissenting opinions & “thinking the unthinkable”
• Use standardized language and processes
• Use simple, user friendly tools to encourage adoption
• Integrate ERM with strategic planning and existing processes
• Embrace continuous improvement & communication
Specific Action Plan For You
• Educate yourself, develop your “elevator speech”, build your network of peers
• Create an inventory of risk management practices across all operations; can you build support for integration?
• Seek opportunities for a broader approach to risk; can you help with decision making?
• Develop tools and resources – and develop your leadership skills
• Be patient – it’s a journey, not a destination!
Dorothy Gjerdrum, ARM, CIRM
Executive Director, Gallagher Public Sector
651.642.2999
Matt Hansen
Director of Risk Management, City County of San Francisco
415.554.2300
Thank You!