Understanding Enterprise Risk Management - WACUBO Leaders Forum/Feb. 2015

Understanding Enterprise Risk Management
Presented by Dorothy Gjerdrum, Arthur J Gallagher

Learning Objectives
• Understand the components of a well-run ERM program
• Review scope and process
• Explore the role of the CBO in ERM
• Assess your institution’s readiness

Agenda

• What does a successful ERM program look like?

• Five key questions – what, why, who, how and when?

• Roles and responsibilities
• Recommendations for next steps

ERM – What’s in a Name?

• 2004 – COSO ERM Framework
• 2009 – ISO 31000 (ANSI/ASSE), the international standard on risk management

• Other references – NACUBO, GRC, AGB

Key Differentiators

• Definition of “risk”
• Accountability and ownership
• Managing risk is part of every decision, project and activity
• Prioritization of risk is linked to key objectives & strategy

Defining “Risk”
• Risk = the effect of uncertainty on your objectives (ISO 31000)
• The effects can be positive or negative
• Anything that could harm, prevent, delay or enhance your ability to achieve your objectives = risk

Why Does it Make Sense to Take a Broader Approach to Risk?

• Only 20-30% of all risks are insurable
• Global interconnectedness forces us to think more broadly – for example:
  o Pandemic flu
  o Cyber attacks
  o World economy & supply chain risks
• Now more than ever, we need all stakeholders to be risk aware

The Intent of ERM

• To manage risk better to support opportunities

• To identify, assess and prepare for what could go wrong

• To focus on what’s most important to the institution and its stakeholders – and link key risks to key goals & objectives

Profiles of Successful Programs #1
• President endorsed the project
• ERM Advisory Committee created to create lexicon/framework, implementation plan and provide oversight
• Facilitated Risk Assessment processes rolled out – applied broadly
• Software implemented to track progress
• Education offered across institution
• Management of risk – performance reviews

Profiles of Successful Programs #2
• CRO hired; Chancellor & Board endorsed program
• Cross functional Risk Council formed
• Developed risk portfolio
• Biannual review of risk treatment plans by Risk Council
• Good engagement of stakeholders

Profiles of Successful Programs #3
Risk, in one form or another, is present in virtually all worthwhile endeavors. We recognize that not all risk is bad, and our goal is not to eliminate all risk, for by doing so we would cease all productive activity. Rather, our goal is to assume risk judiciously, mitigate it when possible, and prepare ourselves to respond effectively and efficiently when necessary.

The reasons we implemented ERM:
• Break through operational silos
• Identify key exposures
• Assess appetite for risk
• Identify best practices
• Plan proactively
• Prioritize resources
• NO SURPRISES!

Five Key Questions – To Begin (or Improve)

1. What is ERM?
2. Why is ERM relevant to my institution?
3. Who knows about ERM and what do they know?
4. How can you create a sustainable framework for managing risk?
5. When do you know you’ve succeeded? When do you stop?

What is ERM?

• How will your institution define ERM?
• Do you have an “elevator speech”?
• What are the benefits of taking a broader approach to managing risk?

What is ERM? – from ISO 31000
Key outcomes:
• The organization has a current, correct and comprehensive understanding of its risks.
• The organization’s risks are within its risk criteria.
Attributes:
• Continual improvement
• Full accountability for risks
• Application of risk management in all decision making
• Continual communication
• Full integration into the organization’s governance structure

What is ERM? – Sample “Elevator Speech”

• Risk management is about supporting opportunities as well as preventing problems

• ERM is tied to business objectives and strategies – and supports them

• ERM works within the institution’s culture and will become integral to decision making

• The initiative will ensure that risk management applies to all levels of the organization and to all activities

The Benefits of Risk Management
• Increase likelihood of achieving objectives
• Encourage proactive management
• Be aware of the need to identify and treat risk throughout the organization

• Improve the identification of opportunities & threats

• Effectively allocate and use resources

• Comply with relevant legal and regulatory requirements and international norms

• Improve mandatory and voluntary reporting

• Improve operational effectiveness & efficiency

• Improve stakeholder confidence and trust

• Establish a reliable basis for decision making & planning

• Improve controls
• Improve governance

ISO/ANSI/ASSE 31000:2009 Risk management – Principles and Guidelines

Why is ERM Relevant to My Institution?

• Bond rating
• Better & more thorough decision making
• Response to regulatory oversight
• Peer influence
• Governing board members’ influence
• Desire to be a progressive “industry” leader
• To manage resources more effectively

Why ERM?
Example 1: We strategically manage risk to create greater financial stability and help the university achieve its mission.
Example 2: Our goal is to assume risk judiciously, mitigate it when possible and prepare ourselves to respond effectively and efficiently when necessary.

Who Knows about ERM and What do they Know?

• Internal Audit – from the IIA/COSO ERM Framework

• Governing Board Members – from peers, conferences, AGB

• Compliance – GRC, legal framework
• General Counsel – NACUA, governance models
• CFO – from financial rating companies, NACUBO

Sources of Information
• ANSI/ASSE/ISO 31000 – the only international standard on risk management – 2009
• COSO ERM Framework – 2004
• “Risk Management – An Accountability Guide for University and College Boards” by Janice Abraham – AGB & UE – 2013

• Consulting firms – KPMG, Protiviti, Deloitte, PwC & brokerage firms, too

• GRC – Governance, Risk & Compliance (software and consulting)

Reference websites (the slide marks some of these resources “Download this one free” and others “$$”):
www.nacubo.org
www.coso.org
www.asse.org

[COSO ERM Framework diagram – Four Primary Objectives: Strategic, Operations, Reporting, Compliance; components shown include Control Activities. Source: Committee of Sponsoring Organizations of the Treadway Commission]

• Published in 2013 by AGB Press, the Association of Governing Boards of Universities and Colleges and United Educators Insurance, a Reciprocal Risk Retention Group
• www.agb.org or 800.356.6317

Enterprise Risk Management (ERM) is a business process, led by senior leadership, that extends the concepts of risk management and includes:
• Identifying risks across the entire enterprise
• Assessing the impact of risks to the operations and mission
• Developing and practicing response or mitigation plans, and
• Monitoring the identified risks, holding the risk owner accountable, and consistently scanning for emerging risks

“Risk Management – An Accountability Guide for University and College Boards” by Janice Abraham, 2013, AGB Press, Washington DC

RM Accountability Guide
• Board and President jointly articulate commitment
• Senior management implements
• Emphasis on roles and oversight
• Sample risk registers
• Board committee oversight of key risks by category:
  – Strategic
  – Board governance
  – Financial
  – Operational


[Sample risk heat map – vertical axis: Financial Impact, from Low to High (top of scale $10 Million); horizontal axis: Likelihood of problem occurring in area (Low, Medium, High). Risks plotted on the map, numbered per the Business Risk Inventory chart: 33-Pricing Strategy, 34-Distribution Strategy, 29-Capacity Management, 30-Cost Competitiveness, 35-Product Innovation, 24-Supply Chain Mgmt, 27-Complexity, 36-Market Share, 31-Commodity Pricing, 2-Dealer Transition, 28-Cost of Quality, 32-Brand Reputation, 14-Regulatory Compliance, 19-Cost of Health Care, 17-Productivity Improvements, 1-Working Capital, 20-Retirement Plans, 22B-Business Continuity-IT, 22A-Business Continuity-Mfg., 16-Record Retention, 25-SAP Manufacturing, 18-Employee Relations, 13-Tax, 6-Cash Mgmt & Liquidity, 3-Corporate Investments, 5-Foreign Exchange, 4-Derivatives Management, 39-Bio/Epidemic Event, 9-IT Systems Integration, 41-China Strategy, 38-Terrorism, 15-Intellectual Property, 40-Customer Experience, 8-Data Security, 12-Sarbanes-Oxley, 11-Management Reporting, 21-Compensation Strategies, 7-Dealer Credit, 23-Logistics/Transportation]

Color legend:
Red: Perceived as poorly controlled
Yellow: Perceived as moderately well controlled
Light Green: Perceived as medium to good controls
Green: Perceived as well controlled

• Rectangles represent risks identified as Corporate risks
• The numbers present correspond to the Business Risk Inventory chart.

How can you create a sustainable framework?
• Need a common language
• Need to tailor processes and structure to your operations
• Need to communicate with and engage stakeholders
• Need to monitor & review and continually improve

[ISO 31000 overview diagram, from ISO 31000 – three linked parts:
Principles (listed on the following slide)
Framework: Mandate & Commitment; Design framework for managing risk; Implement risk management; Monitor and review the framework; Continually improve the framework
RM Process: Establish the context; Risk assessment (Risk identification, Risk analysis, Risk evaluation); Risk treatment; with “Communicate and consult” and “Monitor and review” running alongside every step]

Principles
• Creates and protects value
• Integral part of organizational processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured & timely
• Based on best available info
• Tailored
• Takes human & cultural factors into account
• Transparent & inclusive
• Dynamic, iterative & responsive to change
• Facilitates continual improvement & enhancement of the organization

The principles provide guidance on the rationale for managing risk and the characteristics of effective risk management. These shape the design and structure of your framework for managing risk. The principles can assist in continual improvement and serve as a “maturity model” for implementation.

Framework
• Mandate & Commitment
• Design framework for managing risk
• Implement risk management
• Monitor and review the framework
• Continually improve the framework

Based upon a model of continual improvement, the framework is what will sustain your risk management efforts. This assures that you are consistent, process-focused and held accountable. Building the framework includes planning for implementation, monitoring & review and communication.

ISO 31004 – Guidance for Implementation
Annex C – How to express mandate & commitment
C.2.1 Key characteristics
The expression of the mandate and commitment should meet the following criteria:

a) It should be compatible with the organization’s strategic plan, objectives, policies, styles of communication and management system;

b) It should be compatible with the risk criteria determined by the oversight body;

c) It should meet the principles of ISO 31000 as well as strive for excellence in risk management as outlined in Annex A;

d) It should be easy to communicate and be tested for comprehension inside and outside the organization;

e) It should have reasonable expectations of being successfully implemented; and

f) It should address the responsibilities of risk owners.

ISO 31000:2009 Risk management – Principles and guidelines

ISO 31000 – Guidance for Implementation Components of the Framework

• Understanding the organization & its context
• Establishing RM policy
• Accountability & Authority
• Integration into organizational processes
• Determining appropriate resources
• Establishing internal communication & reporting mechanisms
• Establishing external communication & reporting mechanisms

ISO 31000: Establishing RM Policy

• Rationale for managing risk
• Links between objectives and policies and the risk management policy
• Accountabilities & responsibilities for managing risk
• How you’ll deal with conflicting interests
• Commitment to provide necessary resources
• How you’ll measure & report
• Commitment to review & revise

RM Process
• Establish the context
• Risk assessment: Risk identification, Risk analysis, Risk evaluation
• Risk treatment
• Communicate and consult (throughout the process)
• Monitor and review (throughout the process)

• The context applies to both the organization as a whole and the specific project, risk or portfolio of risks
• Several elements take stakeholder interest and perceptions into account
• Monitor and review – continually asks: “Do we have this right?”
• Communication and consultation is how the management of risk stays connected and relevant
• The same consistent process used across the organization

© 2012 ARTHUR J. GALLAGHER & CO.

A Few Definitions from ISO 31000
Risk = the effect of uncertainty on objectives (ISO 31000)
• An effect is a deviation from the expected – positive or negative
• Uncertainty is the state of deficiency of information
• Risk is often expressed in terms of a combination of consequences and likelihood.

Risk Management = the coordinated activities to direct and control an organization with regard to risk (ISO 31000)

Risk Owner = the person or entity with the accountability and authority to manage risk (ISO 31000)

Stakeholder = any person or organization that can affect, be affected by or perceive themselves to be affected by a decision or activity. They are both internal and external. Stakeholders are important to the process and key to activities like communication, consultation and reporting. Stakeholders’ interests and fears should be taken into account (ISO 31000)


• Risk is present in everything we do
• Risk = the effect of uncertainty on your objectives
  – Objectives = the outcomes you seek, the highest expression of intent and purpose
  – Uncertainty = the state of not knowing, a deficiency of information
• Anything that could harm, prevent, delay or enhance your ability to achieve your objectives = risk

ISO/ANSI/ASSE 31000:2009 Risk management – Principles and Guidelines

When do you know you’ve succeeded? When do you stop?
• Implementation takes time…
• You do need to measure success
• This is an iterative, continual process


Sample risk register (columns: Risk ID | Description | Actions to Manage Risk | Risk Direction | Strategic Objectives | Interrelated Risks | Risk Ownership | Board Comm Oversight; the Actions and Risk Direction columns are blank in the transcript):

1 | UG and grad enrollment and aid strategies | | | Reputation, $$ Stability | 2,4,6,7,8,9,10 | Provost, VP Enrollment | Enrollment & Marketing
2 | Tuition dependency, fundraising strategy | | | Reputation, $$ Stability | 1,3,4,6,7,9,10 | President, VP Advancement | Advancement
3 | Tuition dependency, alternative revenue strategies | | | Stability, Operational Efficiency | 1,2,4,7,9,10 | Cabinet | Academic, Finance
4 | Sustainable long-range $$ plan | | | Stability, Operational Efficiency | 1,2,3,7,8,9,10 | Cabinet, CFO | Business & Finance
5 | IT security & privacy | | | Reputation | 6,8,9,10 | CIO, GC | IT
6 | Website | | | Reputation | 1,2,5,9 | Provost, VP Marketing | Enrollment & Mkting
7 | Investment strategy | | | $$ Stability, Reputation | 1,2,3,4,9,10 | VP Business & Finance | Investment
8 | Debt strategy | | | $$ Stability | 1,2,3,4,9,10 | VP Business & Finance | Business & Finance
9 | Safe and secure living environment | | | $$ Stability, Reputation | All | Cabinet, VP Stud Affairs | Student Affairs
10 | Financial operations & controls | | | $$ Stability, Operational Efficiency | 1,2,3,4,5,7,9 | CFO | Audit

NACUBO Example

Standard and Poor’s recognized the University of CA for its ERM program.

“The UC has implemented a system-wide enterprise risk management information system which, in our opinion, is a credit strength.”

September 9, 2010 – Ratings Direct Global Credit Portal

Principles of Effective Risk Oversight

1. Understand the company’s key drivers of success

2. Assess the risk in the company’s strategy

3. Define the role of the full board and its standing committees with regard to risk oversight

4. Consider whether the company’s risk management system – including people and processes – is appropriate and has sufficient resources

5. Work with management to understand and agree on the types (and format) of risk information the board requires

6. Encourage a dynamic and constructive risk dialogue between management and the board, including a willingness to challenge assumptions

7. Closely monitor the potential risks in the company’s culture and its incentive structure

8. Monitor critical alignments – of strategy, risk, controls, compliance, incentives & people

9. Consider emerging and interrelated risks: What’s around the next corner?

10. Periodically assess the board’s risk oversight processes

Excerpted from “Risk Governance: Balancing Risk and Reward” 2009, NACD Blue Ribbon Commission

Open Discussion re Roles

• Line of authority
• Who’s responsible for the oversight of risk?
• Who are your risk leaders?

Is Your Institution Ready for ERM?

• It can support key management initiatives
• Can be implemented without lots of $$$
• It instructs and spreads understanding about risk – and everyone’s role re risk
• Think about the why …

ERM Checklist

• Educate yourself
• Talk to your peers
• Review your answers to the 5 questions
• Identify your champions, skeptics and supporters – engage them to make a plan

How to Implement ERM Using ISO 31000
• Three-part training:
  • Webinar – How to apply the standard
  • Workshop – Introduction to ERM & ISO 31000
  • Workshop – Implementing ERM
• Info at www.primacentral.org or www.urmia.org
• PRIMA = Public Risk Management Assoc
• URMIA = University Risk Management and Insurance Association

Thank You!

Dorothy M. Gjerdrum
Senior Managing Director – Public Sector & ERM Consultant – Higher Education
Arthur J. Gallagher & Co.
[email protected]