
Innovative ERM Programming for the Public Sector


Presentation Transcript


  1. Innovative ERM Programming for the Public Sector September 18, 2014 Albany, NY

  2. Agenda • What is ERM anyway? • Why do we need a broader approach? • Overview of the process • Working examples • What could you do – right now?? • Resources and opportunities

  3. Defining ERM From ANSI/ASSE/ISO 31000: 2009 Enterprise Risk Management describes a broader approach to managing risk. It is a coordinated effort to direct and control all activities related to risk. It defines risk as the effect of uncertainty on objectives. It therefore ties the management of risk to what is most important to the organization. The responsibility for managing risk is spread across the organization to those who have accountability and authority – risk owners.

  4. In a Nutshell… All organizations exist to achieve their objectives. The purpose of risk management is to manage the barriers and support the opportunities to achieve those objectives.

  5. Risk Management helps you discover both threats and opportunities

  6. What is “risk”?? • Risk is present in everything we do. • The definition from ISO 31000, the international standard on risk management: Risk = the effect of uncertainty on your objectives. • Risk can be a threat or an opportunity. Anything that could harm, prevent, delay or enhance your ability to achieve your objectives = risk

  7. Key outcomes: • The organization has a current, correct and comprehensive understanding of its risks • The organization’s risks are within its risk criteria Attributes: • Continual improvement • Full accountability for risks • Application of risk mgmt in all decision making • Continual communication • Full integration into the organization’s governance structure Annex A of ANSI/ASSE/ISO 31000: 2009

  8. At a Glance – Price Waterhouse Coopers ERM is a comprehensive, systematic approach for helping all organizations, regardless of size or mission, to identify events and measure, prioritize, and respond to the risks challenging its most critical objectives and related projects, initiatives, and day-to-day operating practices. pwc – www.pwc.com/us/en/public-sector-enterprise-risk-solutions.jhtml

  9. ERM – Distinguishing Characteristics • Consideration of all risks, strategic and operational – as well as projects and decision making – linked to what is most important to the organization • A systematic and consistent approach that is communicated broadly and supported by leaders • Risk owners & stakeholders are explicitly included • Built on a continual improvement model

  10. Sample “Elevator Speech” on ERM • ERM is about supporting opportunities as well as preventing problems • It is tied to business objectives and strategies – and supports them • It works within the entity’s culture and will become integral to decision making • It will ensure that risk management is applied to all levels of the organization and to all activities ERM versus Risk Management: What’s in a Name?

  11. Does it Matter What We Call It? • We’re already “doing” ERM, we just don’t call it that • ERM vs “Strategic Risk Management” • Is ERM just “bigger” risk management??

  12. Implementing ERM – Sources • ANSI/ASSE/ISO 31000 – the only international standard on risk management – 2009 • COSO ERM Framework – 2004 • Consulting firms – KPMG, Protiviti, Deloitte, PwC & brokerage firms, too • GRC – Governance, Risk & Compliance • “Risk Management – An Accountability Guide for University and College Boards” by Janice Abraham – AGB & UE – 2013

  13. Who is Interested in ERM? • Board of Directors – Board members from private industry understand how ERM supports an organization’s objectives; the Board’s oversight role requires evidence that risks are identified, prioritized and managed within tolerance levels • Stakeholders – The broad management of risk includes stakeholder input, values and needs and builds in appropriate communication about risk • Credit and Rating Agencies – Seek evidence of a comprehensive and forward-looking risk management program • Peers – As the practice of ERM grows across a sector, it pushes innovation & drives leadership

  14. Who is Interested in ERM? • International Community – ISO 31000 is the guide for standardized risk management practices; its widespread adoption across the globe will affect business operations everywhere • Why does this matter? • The ISO framework is not going away. • The question is this… How will you and your organization prepare for the future of risk management?

  15. From standardandpoors.com • Standard & Poor’s Ratings Services has expanded its review of the financial service industry’s enterprise risk management (ERM) practices. This ERM initiative is an effort to provide more in-depth analysis and incisive commentary on the many critical dimensions of risk that determine overall creditworthiness. • This enhancement is part of Standard & Poor’s holistic ERM assessment of corporations and financial institutions. Standard & Poor’s is continually enhancing its ratings process to respond to the emergence of new risks and marketplace needs and conditions.

  16. Sample Rating Agency Classifications

  17. Standard and Poor’s recognized the University of CA for its ERM program. • “The UC has implemented a system-wide enterprise risk management information system which, in our opinion, is a credit strength.” • September 9, 2010 – Ratings Direct Global Credit Portal

  18. S&P Raises ACE’s Financial Strength Ratings to AA- Standard & Poor’s (S&P) has upgraded the financial strength ratings for ACE’s core operating insurance companies to “AA-” (Very Strong). The new rating applies to ACE’s core North America, Europe and Bermuda operating companies… In upgrading the financial strength rating, S&P cited ACE’s “very strong and consistent operating performance, very strong competitive position, positive management and corporate strategy, and very strong and improved capital adequacy.” In its announcement, S&P said ACE’s “top managers are actively involved in the operations of the business, backed by a strong staff with significant depth and breadth” and also noted that the ratings reflect the company’s “strong enterprise risk management practices.” While S&P currently rates ACE’s ERM as “Strong,” it noted in its full rating report on ACE that “the firm's ERM appears on course to eventually transition to an excellent ERM score.” Emphasis added

  19. Why do we need a broader approach? • Bond rating and financial review • Better decision making • Governing board influence • Regulatory oversight • Peer influence • Desire to be a leader, forward thinking • More effective management of resources

  20. Insurable Risks

  21. Risk universe (slide diagram). Axes: External Risks / Internal Risks. Quadrants: Financial Risks, Strategic Risks, Hazard & 3rd Party Risks, Operational Risks. A boundary on the diagram marks the “Typical purview of RM”. Items shown (assignment to quadrants is not recoverable from the transcript): Geopolitical risks; Unemployment; Mergers & Acquisitions of key partners or vendors; Credit markets stability; Currency & foreign exchange rate fluctuations; Meeting public expectations; Public support; Unexpected loss of revenue; Bank failures; Ethics violations; Stock market performance; Health care costs; Tax caps; Reputation; Budget cuts; Long-term planning vs. budget limitations; Stakeholders’ interests; Energy costs; Financial reporting; Capital availability; Unfunded mandates; Union relations; Strategy & initiatives; Interest rates; Bond rating; Retirement funding; Governance; Public-private partnerships; Counterparty risk; Revenue & grant $$ management; Code of Conduct; Investment limitations; Negative media coverage; Building subsidence or collapse; Terrorism; Aging infrastructure; Student activities; Procurement; Contractual liability; Facilities maintenance; Theft; Code violations; Workers’ comp; Natural events & catastrophes; Labor practices; Fraud; Mold exposure; Accounting or internal controls failures; Gov’t sanctions; War; Lawsuits; Business interruption; IT system failure; Asbestos exposure; Public Official & D & O liability; Pollution; Workplace violence; Public safety; Building security; HR & personnel actions; Loss of key suppliers; Animal or insect infestation; Disease & epidemics; Utilities failure; Health & safety violations; Mandated public services.

  22. Sept. 14, 2010: Suspect in Custody Following Knife Attack The Penn Valley Dean of Student Instruction was attacked and slashed in the throat by a mentally ill student. The attacker meant to stab the governor of Missouri. www.fox4kc.com/news September 14, 2010

  23. (The risk universe diagram from slide 21 is shown again, unchanged.)

  24. What Is Your Mission? Vision? Values? • Online research, City of Albany: • Tivoli Lake Preserve Community Engagement and Visioning Plan • openAlbany – easy access to data by various city agencies, answers to questions about city services, public safety and quality of life • Albany has always been a city that proudly celebrates its heritage

  25. What’s Most Important to Your Entity?

  26. ISO 31000 overview (slide diagram, from ANSI/ASSE/ISO 31000). Principles: Creates value; Integral part of organizational processes; Part of decision making; Explicitly addresses uncertainty; Systematic, structured & timely; Based on best available info; Tailored; Takes human & cultural factors into account; Transparent & inclusive; Dynamic, iterative & responsive to change; Facilitates continual improvement & enhancement of the organization. Framework: Mandate & Commitment; Design framework for managing risk; Implement risk management; Monitor and review the framework; Continually improve the framework. RM Process: Establish the context; Risk assessment (Risk identification, Risk analysis, Risk evaluation); Risk treatment; with Monitor and review and Communicate and consult running alongside every step.

  27. Principles The principles provide guidance on the rationale for managing risk and the characteristics of effective risk management • Creates & protects value • Integral part of organizational processes • Part of decision making • Explicitly addresses uncertainty • Systematic, structured & timely • Based on best available info • Tailored • Takes human & cultural factors into account • Transparent & inclusive • Dynamic, iterative & responsive to change • Facilitates continual improvement & enhancement of the organization These shape the design and structure of your framework for managing risk The principles can assist in continual improvement and serve as a “maturity model” for implementation

  28. Using Principles to Measure ERM

  29. Framework Based upon a model of continual improvement, the framework is what will sustain your risk management efforts. This assures that you are consistent, process-focused and held accountable. Building the framework includes planning for implementation, monitoring & review and communication. Diagram (framework cycle): Mandate & Commitment → Design framework for managing risk → Implement risk management → Monitor and review the framework → Continually improve the framework.

  30. Components of the Framework • Understanding the organization & its context • Establishing RM policy • Accountability & Authority • Integration into organizational processes • Determining appropriate resources • Establishing internal communication & reporting mechanisms • Establishing external communication & reporting mechanisms ANSI/ASSE/ISO 31000:2009 Risk management – Principles and guidelines


  32. Framework Example: Context External Context • Social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment • Key drivers and trends that will have an impact on your organization • Relationships with and perceptions & values of external stakeholders Internal Context • Governance, organizational structure, roles & accountabilities • Policies, objectives & strategy • Capabilities & resources • Info systems • Organizational culture • Contractual relationships • Relationships with, perceptions & values of internal stakeholders ANSI/ASSE/ISO 31000:2009 Risk management – Principles and guidelines

  33. External Context Example

  34. Stakeholders • Those who can affect, be affected by – or perceive themselves to be affected by – decisions and actions of the public entity • Stakeholders are both internal and external to the organization

  35. How Do We Use This Information? • This informs the framework for managing risk: • Implementation plan • Policy and accountability • How, when & to whom you will report • How to incorporate stakeholders • Identifies potential need for the risk management process

  36. RM Process • The context applies to both the organization as a whole and the specific project, risk or portfolio of risks • Several elements take stakeholder interest and perceptions into account • Monitor and review – continually asks: “Do we have this right?” • Communication and consultation is how the management of risk stays connected and relevant • The same consistent process used across the organization, over and over again Diagram (process): Establish the context → Risk assessment (Risk identification, Risk analysis, Risk evaluation) → Risk treatment, with Monitor and review and Communicate and consult alongside every step.

  37. The Language of Risk • Risk • Risk identification • Source, trigger • Consequence • Risk owner • Risk management process • Stakeholder • Risk appetite • Tolerance

  38. (The ISO 31000 Principles / Framework / RM Process diagram from slide 26 is shown again, unchanged.)

  39. Working Examples – K12 District • Demonstrating the Value of ERM • Community Based Organizations use of school facilities and access to students • Compliance approach didn’t work • Reviewed key risks – both threats and opportunities • Cross section of key personnel – first time together! • Created action plans that were realistic and timely

  40. Working Examples – Decision Making • Create new curriculum? • Reviewed the upside – and potential downside • Measured and evaluated risks, to inform decision • Engaged stakeholders in the process

  41. Working Examples – Large City/County • “Stealth ERM” • Worked with key enterprises, motivated by bond rating, business model and strong leadership • Developed the framework, provided assistance with implementation • Each enterprise responsible for identifying, analyzing and managing risk – and reporting Tip: Don’t try to move the mountain. What can you change?

  42. Working Examples – Pool #1 • At Pool Level • Integrated discussion of risk into strategic planning • Identified key risks to mission, prioritized them • Staff responsible for creating action plans and reporting to the board • Revived planning process and engaged board members

  43. Working Examples – Pool #1 • At Member Level • Pool trained staff and developed process • Demo at member conference – five hot topics • Deep discussions in small groups • Report to large group, ranking of key risks • A “template” for members to use

  44. Working Examples – Pool #2 • At Pool Level • Integrated discussion of risk into capital planning • Review of internal and external context • Brainstormed emerging trends and risks • Identified key risks to strategy – discussion of how to monitor and respond

  45. Recommendations • Find your champions and skeptics • Tailor the structure and process to your operations • Build a common language • Create a consistent process • Communicate with and engage stakeholders • Continually improve and build upon successes Tip: Learn to speak the language of your decision makers – what matters to them??

  46. The Benefits of (Enterprise) Risk Management • Increase likelihood of achieving objectives • Encourage proactive management • Be aware of the need to identify and treat risk throughout the organization • Improve the identification of opportunities & threats • Effectively allocate and use resources • Improve governance • Comply with relevant legal and regulatory requirements and international norms • Improve mandatory and voluntary reporting • Improve operational effectiveness & efficiency • Improve stakeholder confidence and trust • Establish a reliable basis for decision making & planning • Improve controls ISO/ANSI/ASSE 31000:2009 Risk management – Principles and Guidelines

  47. What Could You Do – Right Now?? • Create a risk management study group • Talk to people of influence – “What opportunities are we missing?” • Connect with your peers – what can we learn from each other? • Create a risk assessment tool – and train people to use it Back to the Worksheet – Make a plan for yourself!

  48. “Change before you have to.” Jack Welch

  49. Resources and Opportunities • PRIMA Institute • PRIMA/PERI trainings on Implementing ISO 31000 in the public sector/higher education • ERM track at the annual conference • Peer groups – through PRIMA, NACUBO, AGB, UE, Council of Great City Schools or others • Internal auditors
