Enterprise Risk Management A “How To” Guide for using the Washington State ERM Tool
Introductions • Who is the biggest risk taker you know?
Place Your Bets! • What can we learn from a couple of cards? • ‘Risk appetite’ varies • At play • At home • In the community • At work • How we respond to risk depends on our tolerance and personal history • Different risk appetites can cause conflict!
What Is ‘Risk’? • Most of us have a limited risk vocabulary even though we deal with risk everyday: • The yellow light • Asking for a raise • Noisy neighbors • ‘Risk’ often has a negative meaning or we equate it with danger • Most risk assessment happens at ‘gut level’ • …but your gut is often wrong • Fear of flying • Alligators, snakes and bears, oh my • We need a better way
ERM Expands on Traditional RM • Traditionally, risk management looked at past events like car accidents, workers’ compensation claims, safety violations and lawsuits after the fact, to figure out what needed to change to better protect the organization, clients and employees. • ERM doesn’t replace traditional risk management activities. You still have to respond when bad things happen and keep doing everything necessary to: • Treat staff, clients & vendors equitably • Keep people safe • Respond to claims & lawsuits • Be prepared for emergencies • But ERM focuses on the future, not the past.
A Better Way: ERM Defined • Enterprise Risk Management (ERM) is a coordinated method of performing risk management that considers every aspect of risk that affects agency goals. Successful ERM: • Looks across all agency programs and operations (no more silos) • Requires open communication from all levels of the organization about goals, operations and potential problems • Results in a high-level review of the most severe risks to achieving all agency goals • Provides an easy to use, proven method to evaluate and address risk • Creates a coordinated way to identify and assess opportunities
How ERM Defines ‘Risk’ • Risk: anything that can interrupt the achievement of your goal on time • Opportunity: the ‘flip’ side of risk – anything that results in over-achievement of your goal
The ERM Method: 7 Simple Steps • Clearly state the goal. • List everything that could keep you from meeting the goal on time (the ‘risks’). • Evaluate each risk: • Choose a likelihood rating from 1-5 • Choose an impact rating from 1-5 • Multiply together & ‘Map’ • Prioritize (Pick the most severe risks) • Treat/Mitigate: • Avoid • Accept & Monitor • Transfer • Reduce the likelihood • Reduce the impact • Make a Risk Register that includes: • Treatment Plans • Measures of success • Communicate Results • Gather & share ‘best practices’ • Review & Refine
Step One: State Your Goal • State in the positive • Be specific and precise • Have a time-frame in mind
More on: Goals • Starting with goals fits the public service model and keeps the focus on the future • Tying risks to goals helps you figure out: • which risks you need to do something about • which you should keep an eye on, and • which you can stop worrying about
Step Two: List the Risks • List everything, good and bad, big and small • Include everyone’s ideas, even the ‘negatives’ • You may want to involve others, too: • Put on staff meeting agendas • Send out a survey • Ask ‘Subject Matter Experts’ • Don’t be distracted by ‘cures’ right now
Step Three: Evaluate the Risks • Likelihood (How likely is this risk to happen in my time-frame?): 1 = Hardly ever, 2 = Once or twice, 3 = Often, 4 = Frequently, 5 = Almost always • Impact (How would it affect my goal if it happened?): 1 = Very little, 2 = Minor, 3 = Major, 4 = Critical, 5 = Fatal • It is common to see different words used to describe the scores and even the categories, like ‘Frequency/Severity’ or ‘Likelihood/Consequence’
The Delicate Issue of Control • What ‘control’ means in ERM • High, Medium, Low • Some examples: • Policy/Procedure • Training/Education • Audits/Monitoring • Performance Measures
Step Four: Map the Risks • Why voting works • Multiply your likelihood and impact ‘scores’ • Scores range from 1 (1 × 1) to 25 (5 × 5) • The most severe risks will fall in the ‘Red Zone’ of the map • Unless you have unlimited resources of people, time and money…pick the most severe risks to work on!
Step Five: Treat Priority Risks • To treat/mitigate a priority risk: • Avoid • Accept & Monitor • Reduce the Likelihood • Reduce the Impact • Transfer • The treatment you choose must: • Fit the risk appetite of your group • Reflect the amount of control you have • Be measurable and time-limited • Scarce resources shouldn’t be wasted on risks that are unlikely or minor in impact.
Pull it All Together With A Risk Register • A Risk Register is a list of priority risks & an overview of how you will handle each • Start with the goal • List priority risks and include for each: • Short description of the risk • (Some registers include ‘h/m/l’ control level) • Root cause(s) of the priority risk • Risk treatment chosen • Brief description of treatment plan • Success measure for treatment plan • Target treatment date(s) • Person responsible (sometimes called the ‘risk owner’)
Risk Registers Are Powerful Tools Your Risk Register: • Serves as a comprehensive and ranked list of critical business issues • Sets clear priorities for action • Provides a defensible basis for decision-making and funding • Improves communication and fosters clarity of purpose • Achieves reconciliation and coordination of competing values • Demonstrates credibility (this method is a recognized international standard for managing risk)
Step 6: Work Your Treatment Plan • Get people involved • Compare results to your success measures • Identify any gaps • Refine your plan
Step 7: Communicate the Results • Celebrate your successes • Refine the results • Share as ‘Best Practices’ • Update your goals • Move forward!
Let’s Try It: Pick a Goal • What would you like to do this spring? • Lose Weight • Clean out the garage • Save money • Spend more time with your family • Travel
Seven Steps Method Reminder • Fine-tune the goal statement • List anything that could keep you from meeting the goal • Assess using a 5 point scale • Likelihood a risk will happen (1-5) • Impact on your goal if it does (1-5) • Multiply for a final score • Prioritize the risks by score • Pick a treatment for the worst one • Make a treatment plan • Set a deadline and tell how you will measure success
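The seven-step method above, worked through as a small Python script. This is an added example, not code from the Washington State ERM tool or from this deck. The deck defines the 1-5 scales and the 1-25 product score; the zone cut-offs (red at 15 and above, amber at 8 and above, green below), the register field names, and the sample garage-cleaning goal and its risks are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Treatment(Enum):
    """The five treatment options from Step Five."""
    AVOID = "avoid"
    ACCEPT_AND_MONITOR = "accept & monitor"
    TRANSFER = "transfer"
    REDUCE_LIKELIHOOD = "reduce the likelihood"
    REDUCE_IMPACT = "reduce the impact"


# Scale labels from the deck, numbered in ascending order.
LIKELIHOOD = {1: "Hardly ever", 2: "Once or twice", 3: "Often",
              4: "Frequently", 5: "Almost always"}
IMPACT = {1: "Very little", 2: "Minor", 3: "Major", 4: "Critical", 5: "Fatal"}

RED_MIN, AMBER_MIN = 15, 8   # assumed cut-offs on the 1-25 product scale


@dataclass
class Risk:
    description: str
    likelihood: int
    impact: int
    control: str = "medium"                 # optional h/m/l control level
    root_cause: str = ""
    treatment: Optional[Treatment] = None
    plan: str = ""
    success_measure: str = ""
    target_date: str = ""
    owner: str = ""

    def __post_init__(self):
        # Step 3: both ratings must sit on the 1-5 scale.
        for name, val in (("likelihood", self.likelihood), ("impact", self.impact)):
            if val not in LIKELIHOOD:
                raise ValueError(f"{name} must be 1-5, got {val!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact   # Step 4: multiply

    @property
    def zone(self) -> str:
        if self.score >= RED_MIN:
            return "red"
        return "amber" if self.score >= AMBER_MIN else "green"


def risk_map(risks: List[Risk]):
    """Step 4 'Map': 5x5 grid indexed [impact-1][likelihood-1]; each cell
    lists the descriptions of the risks that land there."""
    grid = [[[] for _ in range(5)] for _ in range(5)]
    for r in risks:
        grid[r.impact - 1][r.likelihood - 1].append(r.description)
    return grid


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Step 4: highest score first; ties broken by impact so a rare-but-fatal
    risk outranks a frequent-but-trivial one with the same product."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def priority_risks(risks: List[Risk]) -> List[Risk]:
    """Only red-zone risks get scarce treatment resources (Step 5)."""
    return [r for r in prioritize(risks) if r.zone == "red"]


def register_gaps(risk: Risk) -> List[str]:
    """Steps 5/6: a priority risk needs a treatment, plan, success measure,
    target date and owner before its register row is complete."""
    required = {"treatment": risk.treatment, "plan": risk.plan,
                "success_measure": risk.success_measure,
                "target_date": risk.target_date, "owner": risk.owner}
    return [name for name, value in required.items() if not value]


def build_register(goal: str, risks: List[Risk]) -> List[dict]:
    """Risk Register: one row per priority risk, plus any fields still missing."""
    return [{"goal": goal, "risk": r.description, "score": r.score, "zone": r.zone,
             "control": r.control, "root_cause": r.root_cause,
             "treatment": r.treatment.value if r.treatment else None,
             "plan": r.plan, "success_measure": r.success_measure,
             "target_date": r.target_date, "owner": r.owner,
             "gaps": register_gaps(r)} for r in priority_risks(risks)]


# Constructed sample: a Step 1 goal stated positively, specifically, with a time-frame.
GOAL = "Clean out the garage so the car fits inside by 30 June"
SAMPLE_RISKS = [
    Risk("Weekend rain stops us moving items outside to sort", 3, 2),
    Risk("No truck available for the dump run", 4, 4, root_cause="Only one friend owns a truck",
         treatment=Treatment.REDUCE_LIKELIHOOD, plan="Book a rental truck for 15 June now",
         success_measure="Truck confirmed by 1 June", target_date="1 June", owner="me"),
    Risk("Back injury lifting heavy boxes", 2, 5),
    Risk("Family disagrees on what to throw away", 5, 3, control="low",
         treatment=Treatment.REDUCE_IMPACT),   # plan, measure, date, owner still missing
]

if __name__ == "__main__":
    for row in build_register(GOAL, SAMPLE_RISKS):
        print(row["score"], row["zone"], row["risk"], "-> missing:", row["gaps"] or "nothing")
```

Running it lists only the two red-zone risks, and flags the second one because a treatment was chosen but no plan, success measure, date or owner was recorded, which is exactly the "measurable and time-limited" check the deck asks for in Step Five.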
All ERM Methods Deliver Real Results • Help you refine goals • Improve communication • Deploy scarce resources where they will do the most good • Repeatable, scalable & defensible • Time-specific • Success Oriented • Recognized world-wide
Find Out More • Drew Zavatsky, 407-8155 • Drew.Zavatsky@des.wa.gov • Kim Haggard, 407-8139 • Kimberly.Haggard@des.wa.gov • Risk and Insurance Management Society (RIMS): http://www.rims.org/ • Public Entity Risk Institute (PERI): http://www.riskinstitute.org/peri/ • Public Risk Management Association (PRIMA): http://www.primacentral.org/