Understanding Enterprise Risk Management - WACUBO Leaders Forum/Feb. 2015...A Few Definitions from...
Learning Objectives
• Understand the components of a well-run ERM program
• Review scope and process
• Explore the role of the CBO in ERM
• Assess your institution’s readiness
Agenda
• What does a successful ERM program look like?
• Five key questions – what, why, who, how and when?
• Roles and responsibilities
• Recommendations for next steps
ERM – What’s in a Name?
• 2004 – COSO ERM Framework
• 2009 – ISO 31000 (ANSI/ASSE), the international standard on risk management
• Other references – NACUBO, GRC, AGB
Key Differentiators
• Definition of “risk”
• Accountability and ownership
• Managing risk is part of every decision, project and activity
• Prioritization of risk is linked to key objectives & strategy
Defining “Risk”
• Risk = the effect of uncertainty on your objectives (ISO 31000)
• The effects can be positive or negative
• Anything that could harm, prevent, delay or enhance your ability to achieve your objectives = risk
Why Does it Make Sense to Take a Broader Approach to Risk?
• Only 20-30% of all risks are insurable
• Global interconnectedness forces us to think more broadly – for example:
  o Pandemic flu
  o Cyber attacks
  o World economy & supply chain risks
• Now more than ever, we need all stakeholders to be risk aware
The Intent of ERM
• To manage risk better to support opportunities
• To identify, assess and prepare for what could go wrong
• To focus on what’s most important to the institution and its stakeholders – and link key risks to key goals & objectives
Profiles of Successful Programs #1
• President endorsed the project
• ERM Advisory Committee created to create lexicon/framework, implementation plan and provide oversight
• Facilitated Risk Assessment processes rolled out – applied broadly
• Software implemented to track progress
• Education offered across institution
• Management of risk – performance reviews
Profiles of Successful Programs #2
• CRO hired; Chancellor & Board endorsed program
• Cross functional Risk Council formed
• Developed risk portfolio
• Biannual review of risk treatment plans by Risk Council
• Good engagement of stakeholders
Profiles of Successful Programs #3
“Risk, in one form or another, is present in virtually all worthwhile endeavors. We recognize that not all risk is bad, and our goal is not to eliminate all risk, for by doing so we would cease all productive activity. Rather, our goal is to assume risk judiciously, mitigate it when possible, and prepare ourselves to respond effectively and efficiently when necessary.”
The reasons we implemented ERM:
• Break through operational silos
• Identify key exposures
• Assess appetite for risk
• Identify best practices
• Plan proactively
• Prioritize resources
• NO SURPRISES!
Five Key Questions – To Begin (or Improve)
1. What is ERM?
2. Why is ERM relevant to my institution?
3. Who knows about ERM and what do they know?
4. How can you create a sustainable framework for managing risk?
5. When do you know you’ve succeeded? When do you stop?
What is ERM?
• How will your institution define ERM?
• Do you have an “elevator speech?”
• What are the benefits of taking a broader approach to managing risk?
What is ERM? – from ISO 31000
Key outcomes:
• The organization has a current, correct and comprehensive understanding of its risks.
• The organization’s risks are within its risk criteria.
Attributes:
• Continual improvement
• Full accountability for risks
• Application of risk management in all decision making
• Continual communication
• Full integration into the organization’s governance structure
What is ERM? – Sample “Elevator Speech”
• Risk management is about supporting opportunities as well as preventing problems
• ERM is tied to business objectives and strategies – and supports them
• ERM works within the institution’s culture and will become integral to decision making
• The initiative will ensure that risk management applies to all levels of the organization and to all activities
The Benefits of Risk Management
• Increase likelihood of achieving objectives
• Encourage proactive management
• Be aware of the need to identify and treat risk throughout the organization
• Improve the identification of opportunities & threats
• Effectively allocate and use resources
• Comply with relevant legal and regulatory requirements and international norms
• Improve mandatory and voluntary reporting
• Improve operational effectiveness & efficiency
• Improve stakeholder confidence and trust
• Establish a reliable basis for decision making & planning
• Improve controls
• Improve governance
ISO/ANSI/ASSE 31000:2009, Risk management – Principles and Guidelines
Why is ERM Relevant to My Institution?
• Bond rating
• Better & more thorough decision making
• Response to regulatory oversight
• Peer influence
• Governing board members’ influence
• Desire to be a progressive “industry” leader
• To manage resources more effectively
Why ERM?
Example 1: We strategically manage risk to create greater financial stability and help the university achieve its mission.
Example 2: Our goal is to assume risk judiciously, mitigate it when possible and prepare ourselves to respond effectively and efficiently when necessary.
Who Knows about ERM and What do they Know?
• Internal Audit – from the IIA/COSO ERM Framework
• Governing Board Members – from peers, conferences, AGB
• Compliance – GRC, legal framework
• General Counsel – NACUA, governance models
• CFO – from financial rating companies, NACUBO
Sources of Information
• ANSI/ASSE/ISO 31000 – the only international standard on risk management – 2009
• COSO ERM Framework – 2004
• “Risk Management – An Accountability Guide for University and College Boards” by Janice Abraham – AGB & UE – 2013
• Consulting firms – KPMG, Protiviti, Deloitte, PwC & brokerage firms, too
• GRC – Governance, Risk & Compliance (software and consulting)
[Figure: COSO ERM Framework cube, showing control activities against the four primary objectives: Strategic, Operations, Reporting, Compliance. Source: Committee of Sponsoring Organizations of the Treadway Commission]
• Published in 2013 by AGB Press, the Association of Governing Boards of Universities and Colleges and United Educators Insurance, a Reciprocal Risk Retention Group
• www.agb.org or 800.356.6317
Enterprise Risk Management (ERM) is a business process, led by senior leadership, that extends the concepts of risk management and includes:
• Identifying risks across the entire enterprise
• Assessing the impact of risks to the operations and mission
• Developing and practicing response or mitigation plans, and
• Monitoring the identified risks, holding the risk owner accountable, and consistently scanning for emerging risks
“Risk Management – An Accountability Guide for University and College Boards” by Janice Abraham, 2013, AGB Press, Washington DC
RM Accountability Guide
• Board and President jointly articulate commitment
• Senior management implements
• Emphasis on roles and oversight
• Sample risk registers
• Board committee oversight of key risks by category:
  – Strategic
  – Board governance
  – Financial
  – Operational
“Risk Management – An Accountability Guide for University and College Boards” by Janice Abraham, 2013, AGB Press, Washington DC
[Figure: sample corporate risk heat map. Vertical axis: financial impact, from low to high, with a $10 million threshold marked. Horizontal axis: likelihood of problem occurring in area (low, medium, high). Plotted items are numbered business risks such as pricing strategy, supply chain management, business continuity (IT and manufacturing), data security, regulatory compliance, Sarbanes-Oxley and IT systems integration.]
Colour legend:
• Red: perceived as poorly controlled
• Yellow: perceived as moderately well controlled
• Light Green: perceived as medium to good controls
• Green: perceived as well controlled
• Rectangles represent risks identified as Corporate risks
• The numbers present correspond to the Business Risk Inventory chart.
How can you create a sustainable framework?
• Need a common language
• Need to tailor processes and structure to your operations
• Need to communicate with and engage stakeholders
• Need to monitor & review and continually improve
[Figure: ISO 31000 relationships between the principles, the framework and the risk management process. Framework cycle: Mandate & commitment; Design framework for managing risk; Implement risk management; Monitor and review the framework; Continually improve the framework. Risk management process: Establish the context; Risk assessment (risk identification, risk analysis, risk evaluation); Risk treatment; with Communicate and consult and Monitor and review running alongside every step. The eleven principles sit beside both.]
From ISO 31000
Principles
• Creates and protects value
• Integral part of organizational processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured & timely
• Based on best available info
• Tailored
• Takes human & cultural factors into account
• Transparent & inclusive
• Dynamic, iterative & responsive to change
• Facilitates continual improvement & enhancement of the organization
The principles provide guidance on the rationale for managing risk and the characteristics of effective risk management.
These shape the design and structure of your framework for managing risk.
The principles can assist in continual improvement and serve as a “maturity model” for implementation.
Framework
[Figure: ISO 31000 framework cycle: Mandate & commitment; Design framework for managing risk; Implement risk management; Monitor and review the framework; Continually improve the framework]
Based upon a model of continual improvement, the framework is what will sustain your risk management efforts.
This assures that you are consistent, process-focused and held accountable.
Building the framework includes planning for implementation, monitoring & review and communication.
ISO 31004 – Guidance for Implementation
Annex C – How to express mandate & commitment
C.2.1 Key characteristics
The expression of the mandate and commitment should meet the following criteria:
a) It should be compatible with the organization’s strategic plan, objectives, policies, styles of communication and management system;
b) It should be compatible with the risk criteria determined by the oversight body;
c) It should meet the principles of ISO 31000 as well as strive for excellence in risk management as outlined in Annex A;
d) It should be easy to communicate and be tested for comprehension inside and outside the organization;
e) It should have reasonable expectations of being successfully implemented; and
f) It should address the responsibilities of risk owners.
ISO 31000:2009, Risk management – Principles and guidelines
ISO 31000 – Guidance for Implementation: Components of the Framework
• Understanding the organization & its context
• Establishing RM policy
• Accountability & Authority
• Integration into organizational processes
• Determining appropriate resources
• Establishing internal communication & reporting mechanisms
• Establishing external communication & reporting mechanisms
ISO 31000: Establishing RM Policy
• Rationale for managing risk
• Links between objectives and policies and the risk management policy
• Accountabilities & responsibilities for managing risk
• How you’ll deal with conflicting interests
• Commitment to provide necessary resources
• How you’ll measure & report
• Commitment to review & revise
RM Process
[Figure: ISO 31000 risk management process: Establish the context; Risk assessment (risk identification, risk analysis, risk evaluation); Risk treatment; with Communicate and consult and Monitor and review running alongside every step]
• The context applies to both the organization as a whole and the specific project, risk or portfolio of risks
• Several elements take stakeholder interest and perceptions into account
• Monitor and review – continually asks: “Do we have this right?”
• Communication and consultation is how the management of risk stays connected and relevant
• The same consistent process used across the organization
© 2012 ARTHUR J. GALLAGHER & CO.
A Few Definitions from ISO 31000
Risk = the effect of uncertainty on objectives (ISO 31000)
• An effect is a deviation from the expected – positive or negative
• Uncertainty is the state of deficiency of information
• Risk is often expressed in terms of a combination of consequences and likelihood.
Risk Management = the coordinated activities to direct and control an organization with regard to risk (ISO 31000)
Risk Owner = the person or entity with the accountability and authority to manage risk (ISO 31000)
Stakeholder = any person or organization that can affect, be affected by or perceive themselves to be affected by a decision or activity. They are both internal and external. Stakeholders are important to the process and key to activities like communication, consultation and reporting. Stakeholders’ interests and fears should be taken into account (ISO 31000)
• Risk is present in everything we do
• Risk = the effect of uncertainty on your objectives
  – Objectives = the outcomes you seek, the highest expression of intent and purpose
  – Uncertainty = the state of not knowing, a deficiency of information
• Anything that could harm, prevent, delay or enhance your ability to achieve your objectives = risk
ISO/ANSI/ASSE 31000:2009, Risk management – Principles and Guidelines
When do you know you’ve succeeded? When do you stop?
• Implementation takes time…
• You do need to measure success
• This is an iterative, continual process
NACUBO Example – sample risk register

| Risk ID | Description | Actions to Manage Risk | Risk Direction | Strategic Objectives | Interrelated Risks | Risk Ownership | Board Comm Oversight |
|---|---|---|---|---|---|---|---|
| 1 | UG and grad enrollment and aid strategies | | | Reputation, $$ Stability | 2,4,6,7,8,9,10 | Provost, VP Enrollment | Enrollment & Marketing |
| 2 | Tuition dependency, fundraising strategy | | | Reputation, $$ Stability | 1,3,4,6,7,9,10 | President, VP Advancement | Advancement |
| 3 | Tuition dependency, alternative revenue strategies | | | Stability, Operational Efficiency | 1,2,4,7,9,10 | Cabinet | Academic, Finance |
| 4 | Sustainable long-range $$ plan | | | Stability, Operational Efficiency | 1,2,3,7,8,9,10 | Cabinet, CFO | Business & Finance |
| 5 | IT security & privacy | | | Reputation | 6,8,9,10 | CIO, GC | IT |
| 6 | Website | | | Reputation | 1,2,5,9 | Provost, VP Marketing | Enrollment & Mkting |
| 7 | Investment strategy | | | $$ Stability, Reputation | 1,2,3,4,9,10 | VP Business & Finance | Investment |
| 8 | Debt strategy | | | $$ Stability | 1,2,3,4,9,10 | VP Business & Finance | Business & Finance |
| 9 | Safe and secure living environment | | | $$ Stability, Reputation | All | Cabinet, VP Stud Affairs | Student Affairs |
| 10 | Financial operations & controls | | | $$ Stability, Operational Efficiency | 1,2,3,4,5,7,9 | CFO | Audit |
Standard and Poor’s recognized the University of CA for its ERM program.
“The UC has implemented a system-wide enterprise risk management information system which, in our opinion, is a credit strength.”
September 9, 2010 – Ratings Direct Global Credit Portal
Principles of Effective Risk Oversight
1. Understand the company’s key drivers of success
2. Assess the risk in the company’s strategy
3. Define the role of the full board and its standing committees with regard to risk oversight
4. Consider whether the company’s risk management system – including people and processes – is appropriate and has sufficient resources
5. Work with management to understand and agree on the types (and format) of risk information the board requires
6. Encourage a dynamic and constructive risk dialogue between management and the board, including a willingness to challenge assumptions
7. Closely monitor the potential risks in the company’s culture and its incentive structure
8. Monitor critical alignments – of strategy, risk, controls, compliance, incentives & people
9. Consider emerging and interrelated risks: What’s around the next corner?
10. Periodically assess the board’s risk oversight processes
Excerpted from “Risk Governance: Balancing Risk and Reward” 2009, NACD Blue Ribbon Commission
Open Discussion re Roles
• Line of authority
• Who’s responsible for the oversight of risk?
• Who are your risk leaders?
Is Your Institution Ready for ERM?
• It can support key management initiatives
• Can be implemented without lots of $$$
• It instructs and spreads understanding about risk – and everyone’s role re risk
• Think about the why …
ERM Checklist
• Educate yourself
• Talk to your peers
• Review your answers to the 5 questions
• Identify your champions, skeptics and supporters – engage them to make a plan
How to Implement ERM Using ISO 31000
• Three-part training:
  • Webinar – How to apply the standard
  • Workshop – Introduction to ERM & ISO 31000
  • Workshop – Implementing ERM
• Info at www.primacentral.org or www.urmia.org
• PRIMA = Public Risk Management Assoc
• URMIA = University Risk Management and Insurance Association
Thank You!
Dorothy M. Gjerdrum
Senior Managing Director – Public Sector & ERM Consultant – Higher Education
Arthur J. Gallagher & Co.