Excellence in Risk Management through Enterprise Risk Management. Presented by: Joey Page, President of Essential Risk Solutions
Learning Objectives Today • What is ERM? • How does it fit within a Public Entity structure? • Public Sector ERM • Why should we expand our thinking? • TRM & ERM: Key comparisons • ERM – Who’s doing it? • Who’s ready for ERM? • ERM tools & resources
Why ERM? Why Today? Why you? Why Me? Why your Entity? • Summed up, public entities need the concepts of ERM today more than ever to survive, not simply to exist • Why TODAY? Simple: economics will drive you to ERM more than anything else. • Who has unlimited funds to balance your budget? • The ERM process takes you through steps that help find funding or identify unnecessary services.
So What Is Enterprise Risk Management? Enterprise Risk Management defined: “Enterprise Risk Management (ERM) is a process, affected by the organization’s leadership, applied in a strategy setting, and across the organization, designed to identify potential events that may affect the organization, and manage risk(s) to be within its risk appetite, to provide reasonable assurance regarding the achievement of the organization’s objectives.”
Let’s Break It Down • Process – ongoing and fluid throughout the organization structure • Affected – every person at every level • Applied in Strategy Setting – you have to have a game plan • Applied Across the Organization – no one is left out • Designed to Identify Events – good and bad • Reasonable Assurance – yes management; it works • Geared to Achieve Objectives – touches every department, every school Sounds good, looks pretty on paper, has all kinds of cool buzz words, and it works. So why this topic???
Reality checking in government: • No one is held accountable for much of anything • More silos in government than grain silos in the Midwest • Yes, we have a budget, but theoretically we will not be shut down if we run out of money (CA has seen some entities go belly-up; the whole state is on the brink of financial collapse) • Most organizations see Risk Managers as claims handlers • Most within the risk management community are waiting to be told to look into ERM
Why Broaden Risk Mgmt? • Yellow Springs, OH – This village near Dayton will lose $140,000 in income tax revenue when Antioch College closes next year due to lack of money, taking with it 160 jobs and 300 students (USA Today – Wednesday, August 8) What revenues does your entity rely upon? Are there “non-essential” services that might be cut? Any potential risks associated with that??
Why Broaden Risk Mgmt? • Pittsburgh, PA – 11 teachers and 2 counselors “furloughed” in addition to 160 teachers who retired last year. District is dealing with declining enrollment, with student population down by 1,500 from last year (USA Today – Wednesday, August 8) • Dallas, Ft Worth, Plano, Austin, San Antonio had to build in furlough days to help balance budgets this year What happens when you have fewer employees doing more, fewer resources available to employees & declining morale??
Why Broaden Risk Mgmt? • NYC, NY – 3 city traffic enforcement agents were arrested and charged with writing >46 falsified parking tickets, to make it appear they had been busy (but no worries, the bad tickets will be voided) (USA Today – Wednesday, August 8) How long does it take to recover from a bad reputation??
Why Broaden Risk Mgmt? • What if your entity has a great crisis response plan in place to deal with a flu pandemic but you haven’t coordinated it with surrounding entities, the state, local hospitals or private businesses? • How many have had a coordinated discussion of IT risks across your organization? Consider on-line payments, private medical information, sensitive financial data, student records... • Have all of you along the Gulf Coast really sat down and worked through the logistics of working together before, during, and after a hurricane? FEMA????? (TPCG just entered into inter-local with Monroe)
ERM: A Few Key Issues • Very broad approach to risk • Risks identified by risk owners, not “experts” – mitigated by them, too • Tied to strategic objectives • Risk ownership • ERM “thinks forward”
The real issue for risk managers with ERM today is that it is finance- and/or internal-audit-based. • If you are not in one of these two areas, you will probably never see ERM. • RMs in the public sector are not involved in the finance side of the equation, unlike their private sector counterparts. • If you have not been provided ERM by your current broker, you will not see it any time soon. • If you have not gone out to bid in a long time, and do not plan on going out to bid soon, you will never see it. • If your risk manager does not get out of their office to investigate accidents, conduct facility audits or visit the troops – they are less inclined to try anything new, including ERM.
Or maybe you looked into it and just cannot imagine ERM working in your entity • QUESTION? • Has anyone in the audience today ever considered ERM for their organization? • Is anyone considering or in process of implementing ERM? • (Will anyone even consider ERM?)
Comparing TRM & ERM TRM • Grew out of safety & insurance purchase • Risk = bad • Framed by mgmt process; focuses on problem solving to reduce & mitigate risk • Focuses on insurable risks ERM • In US, emerged from financial & banking indus. • Risk = bad + good? • Framed by measurement & control processes; focuses on strategic objectives • Wide focus on ALL risk
TRM & ERM TRM • Starts at the bottom?? • Reports to Legal, HR, Finance or Manager • Risk Management Policy across org? • Accident review committee, safety or RM committee ERM • Starts at the top?? • Reports to CEO, audit committee or CFO • ERM mandate established • Interdisciplinary advisory council or RM steering comm.
Hazard Risk Risks that are generally covered by insurance, and that result in non-financial asset impairment. • Natural hazards • Physical damage to tangible assets • Injury to students, faculty, staff and visitors • Environmental impairment • Injury to citizens in parks, in Civic Centers • Automobile accidents • School bus accidents • Workers’ Compensation
Financial Risk Risks related to the financial well-being of the institution. This includes such things as: • Interest rate volatility • Revenue stability • Cash flow • Asset value • Investments • GASB 45 • Auditing Standards by Rating Agencies
Strategic Risk • The risk that an institution will be unable to fulfill its mission as a result of its failure to adapt to the changing needs of its stakeholders and operating environment, or its failure to implement all or part of its strategic plan. This includes: • Intellectual property • Distance learning • Changes in demographics • Alliances • Competition by other entities for limited Local, State or Federal Programs and resources, including employees (yes, you do have competition) • Economic Climate
Operational Risk Risks related to the operation of the institution and its facilities. This includes: • Information technology • Student activities • Succession planning • Board composition • Purchasing procedures • Accounting practices
ERM: Who’s Implemented COSO? Private Sector • Wal-Mart – world’s largest retailer • Unocal Corporation – one of world’s largest oil & gas co’s • General Motors – world’s largest vehicle manufacturer • FirstEnergy Corp – 4th largest investor-owned electric utility in US • Toyota-U.S.A.
ERM – Higher Ed • University of CA system • University of CO system • Maricopa County Community College District • IL State University • UNC – Chapel Hill • NCSU – ERM Initiative • Abilene Christian University
ERM in Public Entities • Maricopa County, AZ • State of WA • Bonneville Power (Portland, OR) • Plano, TX?? Emerging… • NM Association of Counties • Dallas/Ft Worth International Airport I am not aware of anyone in the Louisiana public sector practicing ERM at this time
Public Entities “Ripe” for ERM • Looking for “what’s next?” • Want to be visionary, forward thinking about risk • Good upper-level support for RM • Solid, functional RM program with a good leader • Not an organization in turmoil, with strong “silos” and turf issues
A Few ERM Resources • Check out the Australian Standard – http://www.saiglobal.com/shop/script.asp • URMIA Journal & new ERM initiative – www.urmia.org • RIMS ERM Center of Excellence is evolving at www.rims.org • COSO – www.coso.org • IIA (Internal Auditors) www.theiia.org • Develop Your Own Standard
Still not able to get arms around ERM? – Introducing – • PERS or Public Entity Risk Solutions • We took the best of the COSO standard that would or could fit in the Public Entity Framework and created PERS to work from WHY? I can’t even understand all the different Standards out there. Nor is there one applicable to public entities.
PERS – Old-Fashioned Risk Management • About visiting and working across silos • Helping other departments be better at what they do • Do what you can with what you have • Communicate – Risk is not a vacuum • It is about bringing all the stakeholders together to better manage the entity’s risk
Why the name change to PERS? Simple: • Public Sector Brass dislikes anything new for the most part and likes things they know very little about even less • Plus, if they looked up ERM, they would see more about it pertaining to the private sector… And why should government ever be run like a business???? Remember: With ERM, you must think outside the box
Transactional Traditional Risk Management • Hazard-based risk identification & controls • Compliance issues addressed separately • Safety & emergency mgmt handled separately • Purchases insurance to cover risks • A “siloed” approach – risks are not integrated or managed broadly across the organization • Risk Manager is the insurance buyer Risk is bad – focus is on transferring risk
Integrated Advanced Risk Management • More proactive about preventing and reducing risks • Integrates claims mgmt, contracts review, special event RM, prevention & training, insurance and risk transfer techniques • Cost allocation used for education and accountability • Lowers insurance costs (over time) • More collaboration – as depts. are willing • Risk Manager may be the risk owner Risk is an expense – focus is on managing risk
Strategic Enterprise-wide Risk Management • A wide range of risks are discussed & reviewed, including reputational, human capital, strategic & operational • Aligns RM process with strategy and mission • May include “upside risks” (opportunities) • Helps manage growth, allocate capital & resources • Risks are owned by all & mitigated at the department level • Many risk mitigation tools available • Risk Manager is the risk facilitator & leader Risk is uncertainty – focus is on optimizing risk
How is Risk Management Evolving? Risk Management Perspective • Transactional (Traditional Risk Management): Risk is bad – focus is on transferring risk • Integrated (Advanced Risk Management): Risk is an expense – focus is on managing risk • Strategic: Risk is uncertainty – focus is on optimizing risk
Risk Management Steering Committee • City Manager, Parish President, Superintendent • Executive Directors, Asst Superintendents • Entity Attorney • Budget Director • Finance Director • Risk Manager
Risk Management Steering Committee • Ad hoc committee originally formed to approve large claim settlements. • Scope expanded to provide direction and oversight, via RM, to treatment of risk throughout the Entity. • Committee meetings have evolved from claims handling to risk tolerance. • Approve Insurance Programs, Self Insured Retentions
Managers Need to Understand under ERM • They are Risk Managers • Accepting and managing risk is their responsibility • The ultimate success of the City, as well as their personal success, depends on how well they accept and manage risk • We don’t just tell them what they can’t do • We help them optimize risk taking • Risk is a partner with Operations
The New Face of Risk • A systematic approach to managing the risks associated with opportunities in a consistent and coordinated manner, across the entire organization.
Stakeholders • Residents • Taxpayers • Citizens • Employees These are the constituencies that entity leaders and management strive to satisfy. An amazing balancing act to say the least.
Goals of ERM • Protect the Entity from risks that prevent it from achieving its objectives • Increase the efficiency and effectiveness of operations by decreasing frictional costs associated with risks and optimizing the allocation of resources • Increase opportunities by treating the associated risks within the entity’s risk appetite • Increase stakeholder value
Implementation Plan – Steps Communicate to ALL appropriate stakeholders • Plan the project • Conduct risk assessments • Rank & prioritize risks • Identify risk owners & mitigation options • Implement mitigation efforts & track results • Monitor & revise as necessary • This needs to be communicated to all appropriate stakeholders
Risk Assessment – What if? • What could happen that would keep you from doing tomorrow the things you are doing today? • What keeps you up at night? • What could go wrong in your area? • What could go wrong in another area that would impact your area? • What little things could go wrong that, taken in the aggregate, could add up to significant problems? • What’s going on outside the City that could go wrong and impact you?
ERM Discovery Questions Operating procedures • Is this operating method being performed at optimum levels? • What steps can be taken to improve operations to better serve its core customers? Service Level • How can services be enhanced or improved considering the importance rankings? • Are services being provided at the most efficient level?
From a “Citizen Service Prioritization Assessment” Staffing • Is staff being provided where it is needed so that customers can be serviced efficiently and quickly? • Are there efficiencies that can be obtained by combining services within or with other departments to better service its core customers? Outsourcing • Do the services that are now being outsourced make sense to outsource? • Are there other services that make sense to outsource? Revenues • How can revenues be maximized while maintaining and enhancing service levels? • Identify new revenue streams to offset enhanced service levels